HR collects, stores and processes the most sensitive personal data inside a company.
Under the DPDP Act, 2023, employees and candidates now get enforceable rights over their data.
These rights aren’t optional.
They change how HR must store, track, use and delete employee data across the lifecycle.
This guide explains the three biggest DPDP rights HR teams must operationalise:
- Right to Access
- Right to Correction
- Right to Erasure/Deletion
Why HR Must Care Now
- Employees can raise legal complaints
- DPDP requires proof of compliance, not intent
- Poor handling = penalties + reputational damage
- Employees expect transparency & control
1. Right to Access
(Employee asks: “What data do you have about me?”)
An employee/candidate can request details about their personal data.
Micro-checklist (HR must provide):
✔ what personal data was collected
✔ why it was collected (purpose)
✔ who it was shared with
✔ where it is stored
✔ how long it will be retained
✔ status: active / archived / flagged for deletion
HR cannot deny access unless an exemption applies (national security, investigation, fraud, etc.).
Mini Case: Access Request Mishandled
A candidate requested their BGV + stored ID copies.
HR replied that data “cannot be shared for company policy reasons.”
❌ WRONG.
The organisation breached DPDP because:
- refused access
- gave no lawful basis
- had no documented process
Result: candidate escalated → legal notice + DPDP complaint filed.
2. Right to Correction
(Employee asks: “Please fix my personal data.”)
Employees can request corrections if data is:
- outdated
- inaccurate
- incomplete
HR Micro-checklist:
✔ verify identity
✔ verify correct data
✔ record correction request
✔ update in all systems, not just HRMS
✔ notify third parties who received wrong data
✔ provide acknowledgment to employee
A common violation:
✔ correction made in HRMS
❌ not corrected in payroll vendor database
3. Right to Erasure / Deletion
Employees can ask for deletion of personal data when:
- purpose is complete
- consent withdrawn
- retention period expired
But deletion rights are not absolute. If data must be kept for legal/statutory reasons → HR must refuse deletion.
HR Micro-checklist:
✔ Is there a legal retention requirement?
✔ maintain deletion logs
✔ ensure deletion across all backup systems
✔ remove access permissions
✔ provide confirmation to employee
Timelines HR Must Follow (Best Practice)
| Request Type | Recommended Response Time |
|---|---|
| Acknowledge request | within 48 hrs |
| Provide access/correction path | within 5–7 working days |
| Complete deletion post-verification | within 7–14 working days |
| Confirm deletion in writing | same day deletion happens |
These timelines prevent compliance disputes later.
What HR Must Do for Each Right
| DPDP Right | What employee requests | HR obligation | When HR can refuse |
|---|---|---|---|
| Access | View data + processing purpose | Provide full copy + retention details | Legal exemptions |
| Correction | Fix inaccurate/outdated info | Correct everywhere + confirm | If request unverified |
| Deletion | Remove personal data | Delete + document | Legal retention required |
How HR Should Respond (Copy-Paste Scripts)
📌 Request for access
“Hi ___, we acknowledge your request for access to personal data we hold.
We will share a record of your information, purpose of use and retention timeline within 7 working days.”
📌 Request for correction
“Hi ___, thank you for notifying us.
We will verify supporting documents and correct your information within 5 working days.”
📌 Request for deletion
“Hi ___, since the purpose for storing your data has ended, we will delete your records within 7–14 working days and share confirmation once completed.”
🔗 Linking Rights to Consent + Purpose + Retention
Rights don’t exist in isolation.
They connect across lifecycle:
- Purpose defines why data is collected
- Retention defines until when
- Consent defines whether data can be processed
- Rights define when employees can intervene
Golden rule:
If purpose ends → retention ends → deletion must follow.
Template: Acknowledgement Email
Subject: Acknowledgment of Your DPDP Data Rights Request
Dear <Name>,
We acknowledge receipt of your request under the Digital Personal Data Protection Act, 2023 regarding:
• Access / Correction / Deletion (select as applicable)
We will process this request and respond within the applicable timelines.
If needed, we may contact you to verify your identity or request clarifications.
Regards,
HR Data Protection Team
Action Plan for HR Teams (Next 30 Days)
Most HR leaders understand the rights, but struggle with “What should we actually do now?”
Here’s a practical, step-by-step plan to operationalize Access, Correction & Deletion rights inside HR workflows.
Step 1 – Set up one inbox/form for rights requests
Make it easy for employees to submit requests and avoid chaos.
- one request email ID, e.g. [email protected]
- or a simple internal form linked from intranet
Step 2 – Create a response workflow
This helps HR avoid delays and accidental violations.
Basic workflow:
- log request
- verify identity
- assign owner (HR + legal + IT)
- respond to employee
- complete correction/deletion
Step 3 – Map where employee/candidate data exists
Most HR teams forget this step. Without mapping, you cannot fulfill requests.
Examples of places to map:
- HRMS
- payroll vendors
- ATS
- background verification partner
- emails + shared folders
- backup systems
Step 4 – Document timelines + responsibilities
Make internal SLAs clear so nothing slips.
Example SLA commitments:
- acknowledge request: 48 hrs
- provide access/correction plan: 5–7 working days
- complete deletion: 7–14 working days
Step 5 – Prepare pre-approved responses
These prevent errors and inconsistent responses.
Create short templates for:
- access request acknowledgement
- correction request response
- deletion confirmation
- deletion refusal (legal reason)
Step 6 – Build a deletion checklist
So that deletion doesn’t only happen inside HRMS.
Checklist should include:
- archives and folders
- email attachments
- vendor systems
- shared drives
- backups (log removal if deletion impossible)
Step 7 – Train HR & Recruiters
Training topics:
- what qualifies as personal data
- when employees can request rights
- which requests HR can refuse
- correct response wording
- timelines
Step 8 – Maintain audit logs
DPDP compliance requires proof, not intent.
Record:
- who requested
- which right
- what action HR took
- timelines
- completion confirmation
Step 9 – Tie rights requests to retention rules
Create a trigger rule:
When purpose ends → start retention countdown → schedule deletion
Step 10 – Publish an internal DPDP notice on HR portal
This builds transparency + reduces uncertainty.
Include:
- employee rights
- how to request them
- timelines
- escalation email
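As an added illustration of Steps 2, 4, 6 and 8 (example code written for this guide, not part of it or of any HR product), the Python sketch below turns the SLA targets from Step 4 into working-day deadlines, refuses deletion while a legal retention hold applies, logs a removal for backups where deletion is impossible, and records the Step 8 audit fields for every action. The system names in SYSTEMS, the field names and the sample timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# SLA targets from the guide: acknowledge within 48 hours, then complete access in 7,
# correction in 5 and deletion in 14 working days. SYSTEMS is a hypothetical data map (Step 3).
SLA_HOURS_ACK = 48
SLA_WORKING_DAYS = {"access": 7, "correction": 5, "deletion": 14}
SYSTEMS = ["HRMS", "payroll_vendor", "ATS", "bgv_partner", "shared_drive", "backup"]

@dataclass
class RightsRequest:
    requester: str
    right: str                  # "access" | "correction" | "deletion"
    received: str               # ISO-8601 timestamp of receipt
    identity_verified: bool = False
    legal_hold: bool = False    # statutory retention still running
    audit_log: list = field(default_factory=list)
    def log(self, action: str, when: datetime) -> None:
        """Step 8 audit record: when, who, which right, what HR did."""
        self.audit_log.append((when.isoformat(), self.requester, self.right, action))

def add_working_days(start: datetime, days: int) -> datetime:
    """Advance by N working days, skipping Saturday/Sunday (public holidays not modelled)."""
    while days > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            days -= 1
    return start

def deadlines(req: RightsRequest) -> dict:
    """Step 4: acknowledgement and completion deadlines for a request, as ISO strings."""
    received = datetime.fromisoformat(req.received)
    return {"acknowledge_by": (received + timedelta(hours=SLA_HOURS_ACK)).isoformat(),
            "complete_by": add_working_days(received, SLA_WORKING_DAYS[req.right]).isoformat()}

def process_deletion(req: RightsRequest, now_iso: str) -> str:
    """Steps 2 and 6: verify identity, check legal retention, then delete in every mapped system."""
    now = datetime.fromisoformat(now_iso)
    if not req.identity_verified:
        req.log("held: identity not yet verified", now)
        return "unverified"
    if req.legal_hold:                 # the deletion right is not absolute
        req.log("refused: legal/statutory retention applies", now)
        return "refused"
    for system in SYSTEMS:
        if system == "backup":         # immutable backup: log the removal instead of deleting
            req.log("backup: removal logged for next retention cycle", now)
        else:
            req.log(f"deleted from {system}", now)
    req.log("deletion confirmation sent to employee", now)
    return "deleted"
```

The audit_log on each request is the evidence trail Step 8 asks for; exporting it per request is what makes the "proof, not intent" standard demonstrable.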
Final Message for HRs
DPDP rights are not theory. Employees will start asking:
- what data do you have?
- why was it collected?
- when will it be deleted?
If your answer depends on “checking with IT/legal,” you’re already exposed. Rights + consent + retention together form the DPDP compliance triangle.
Build it now and avoid panic later.