What Happens When a Data Principal Files a Complaint Against You? A Step-by-Step Simulation

Most organisations have never thought about it from the other side. A user, somewhere in India, believes your organisation mishandled their personal data. They know their rights under the Digital Personal Data Protection Act, 2023 (DPDPA). They file a complaint. What happens next?

Most Indian organisations have no idea. They have not mapped the complaint process. They have not designated a contact person for data rights requests. They have not documented their processing activities. And they have not run a single simulation of what a regulatory complaint would look like from the inside. This blog walks through exactly what happens, step by step, so that when it does happen to your organisation, you are not discovering the process for the first time under pressure.

Step One: The Data Principal Exercises a Right

Under the DPDPA (sections 11 to 14), a data principal has several rights they can exercise before filing a formal complaint. These include the right to access a summary of the personal data an organisation holds about them and the processing it carries out, the right to correct inaccurate or incomplete data, the right to erase their data unless retention is required for the stated purpose or by law, the right to know the identities of the other Data Fiduciaries and Data Processors their data has been shared with, and the right to have a grievance redressed by the Data Fiduciary itself, which must be exercised before approaching the Data Protection Board.

In our simulation, let us say the data principal, a customer named Priya, received a marketing email from your organisation for a product she never signed up for. She believes your organisation obtained her email address without her consent and used it for marketing purposes. She sends a request to your organisation asking for information about what data you hold about her, where you obtained it, and on what basis you are using it for marketing.

At this point, the clock has started. The DPDPA requires a Data Fiduciary to respond to a data principal's grievance within the period prescribed under the rules made under the Act. Priya has exercised a right. Your organisation must respond. If you have a data rights request process, this is where it kicks in. If you do not have one, this is where your problem begins.

Step Two: The Organisation Fails to Respond

In our simulation, Priya’s request goes to your general customer service inbox. The customer service team does not know what a data principal request is or who is responsible for handling it. The email is marked as read and forgotten. Three weeks pass with no response.

This is not an unusual scenario. Most Indian organisations do not have a designated data rights contact person or a documented process for handling rights requests, even though section 8 of the Act requires every Data Fiduciary to publish the contact details of a person who can answer data principals' questions about their data (or of a Data Protection Officer, where one is required) and to maintain an effective grievance redressal mechanism. Customer service teams handle product queries. Legal teams handle contracts. Nobody owns data principal requests.

Under the DPDPA, failing to respond to a data principal's grievance within the prescribed period is itself a breach of the Act. Once the Data Fiduciary's own redressal route has been exhausted, the data principal is entitled to escalate. Priya, having received no response after a reasonable period, decides to file a formal complaint with the Data Protection Board of India.

Step Three: The Complaint Is Filed with the Data Protection Board

The DPDPA establishes the Data Protection Board of India as the adjudicatory body for complaints under the Act. A data principal who believes their rights have been violated can file a complaint with the Board, but only after first attempting to resolve the matter through the Data Fiduciary's own grievance redressal mechanism.

Priya files her complaint online, describing the unsolicited marketing email, her request to your organisation for information, and the absence of any response. The Board acknowledges receipt of the complaint and notifies your organisation that a complaint has been received and that a response is required within a specified timeframe.

Your organisation receives this notice. Now the pressure is real. You have a regulatory body asking for a formal response to a specific complaint. The questions you must now answer, under regulatory scrutiny, are exactly the questions you should have been able to answer when Priya first contacted you three weeks ago.

Step Four: The Organisation Scrambles to Respond

To respond to the Board's notice, your organisation needs to answer several specific questions. Where did you obtain Priya's email address? What was the lawful basis for using it for marketing? Did you obtain her consent? If so, when, how, and what exactly did she consent to? If not, does the processing fall within one of the "certain legitimate uses" the Act allows without consent? What personal data does your organisation hold about her? Who has had access to it? Has it been shared with any third parties, and if so, with whom?

In organisations with good data governance, these questions are answerable in hours because the data is mapped, the consent records are documented, and the processing activities are logged. In organisations without good data governance, these questions trigger a panicked search through multiple databases, vendor contracts, and email archives that may take days and may not produce complete answers.

The quality of your response to the Board at this stage significantly affects how the complaint proceeds. A clear, documented, and complete response that demonstrates your organisation understands its obligations and has records to support its processing activities puts you in a far stronger position than a vague, incomplete response that raises more questions than it answers.

Step Five: The Board Investigates

Based on your response, the Board determines whether there are sufficient grounds to proceed with an inquiry. If the Board finds that your response is inadequate, contradictory, or reveals clear violations of the DPDPA, it can open a formal inquiry; if it finds no sufficient grounds, it can close the complaint.

A formal inquiry by the Board involves a much more comprehensive examination of your organisation's data practices. The Board has the powers of a civil court for summoning persons and compelling the production of documents, and can require you to produce records of your data processing activities, your consent records, your privacy notices, your data sharing agreements with third parties, and your internal data protection policies.

This is the stage where the full picture of your organisation’s compliance posture becomes visible to a regulator. Organisations that have done the work, documented their processes, and built genuine compliance frameworks have a defensible position. Organisations that have not built this infrastructure find themselves exposed on multiple fronts simultaneously.

Step Six: The Penalty Decision

If the Board finds violations, it has the power to impose financial penalties under the Schedule to the DPDPA. The amounts are capped by category of breach: up to Rs 50 crore for breach of any other provision of the Act (which is where a failure to respond to a rights request falls), up to Rs 200 crore for failing to notify a personal data breach or for breaching the additional obligations relating to children, and up to Rs 250 crore, the highest cap, for failing to take reasonable security safeguards to prevent a personal data breach.

In our simulation, the Board finds that your organisation used Priya's email address without a valid lawful basis, failed to respond to her data rights request, and did not have a compliant privacy notice. Each of these is a separate violation. The penalties are not simply summed: section 33 of the Act requires the Board to weigh the nature, gravity and duration of each breach, the type of personal data affected, whether the breach is repetitive, any gain or loss avoided, and the mitigation taken. Even so, multiple violations surfacing in a single inquiry significantly increase the financial exposure.

Beyond the financial penalty, the Board's decision is unlikely to stay private. Regulatory actions under data protection laws are reputationally damaging in ways that financial penalties alone do not capture. The story of how your organisation mishandled a customer's data, ignored her request, and was found to be non-compliant by the regulator is not a story you want attached to your brand.

Why ComplyPlanet

ComplyPlanet helps organisations build the internal infrastructure they need to handle data principal requests correctly, respond to regulatory inquiries effectively, and avoid the compliance failures that lead to formal complaints in the first place.

We help you design and implement a data rights request process, designate and train the people responsible for handling requests, build the documentation and record-keeping systems that allow you to answer regulatory questions quickly and completely, and conduct compliance readiness assessments that identify your exposure before a regulator does.

We also help you conduct internal complaint simulations, walking your team through exactly the scenario described in this blog, so that when a real complaint arrives, your organisation responds with confidence rather than panic.

Conclusion

A complaint from a data principal is not the worst thing that can happen under the DPDPA. The worst thing is being completely unprepared for it when it arrives. Build your data rights process, document your processing activities, and train your team now. The simulation above is not hypothetical. For many Indian organisations, it is coming.

ComplyPlanet can help you prepare. Reach out before the complaint does.

ComplyPlanet – Your Compliance Backbone