
DPDPA Grievance Redressal Mechanism: What Every Indian Startup Founder Must Build

You built a product. Users signed up. Data started flowing. 

Now one of those users wants to know what you did with their phone number. Or they want you to delete their account. Or they believe you shared their data with a third party without permission. 

What do you do? If you do not have a formal, documented, accessible grievance redressal mechanism, the answer is: you are non-compliant under Indian law. 

The Digital Personal Data Protection Act, 2023 (DPDPA) is live. Rules are in force. And the Data Protection Board of India (DPBI) is being constituted to adjudicate complaints. If your startup collects data from Indian users, even as a free app, you are in scope. 

This guide breaks down exactly what the law requires, why it matters, and how to build a system that protects your users and your startup. 

What Is the DPDPA Grievance Redressal Mechanism? 

At its core, a grievance redressal mechanism under the DPDPA is a formal, accessible channel through which users (called Data Principals under the Act) can raise complaints about how their personal data is being processed. 

Think of it as your startup’s internal court of first instance for data disputes. Before a user can escalate a complaint to the DPBI, they must first attempt resolution with you. It keeps the regulator from being flooded with minor complaints and gives businesses a chance to self-correct. 

The law draws on global practice but is not a copy of it. The GDPR gives data subjects rights against the controller and a separate right to lodge a complaint directly with a supervisory authority; it does not require them to exhaust the controller’s own process first. The DPDPA does: under Section 13 a Data Principal must first raise the grievance with the Data Fiduciary and only then approach the Board. Unlike the earlier IT Act grievance-officer requirements, which were widely ignored, this one carries real penalties.

Which Laws Require You to Build This? 

The Digital Personal Data Protection Act, 2023 (DPDPA) 
This is the primary legislation. Key sections to know: 

  • Section 11: Right of Data Principals to access information about their data 
  • Section 12: Right to correction and erasure 
  • Section 13: Right to grievance redressal – every Data Fiduciary must provide a mechanism to address grievances within a reasonable timeframe 
  • Section 14: Right to nominate a representative for handling data rights 
  • Sections 18 and 27: Establishment of the Data Protection Board of India, and its powers and functions 
  • Section 33 and the Schedule: Penalty framework. The highest cap, ₹250 crore per instance, applies to failure to maintain reasonable security safeguards; other breaches, including failures on Data Principal rights, carry lower caps in the Schedule 

The DPDP Rules, 2025 
The Rules operationalize the Act. They require Data Fiduciaries to publish the contact details of their Data Protection Officer (DPO) or Grievance Officer, in the privacy notice and on the website or app through which personal data is collected, so that a Data Principal can raise a grievance without hunting for an address. 

Significant Data Fiduciaries (SDFs) 
Startups that process large volumes of sensitive data or data that could impact national security may be notified as SDFs. SDFs face stricter obligations including mandatory DPO appointments, independent data audits, and Data Protection Impact Assessments (DPIAs). 

IT Act, 2000 + IT (Reasonable Security Practices) Rules, 2011 
These older rules still apply to sensitive personal data (financial information, passwords, and health data) and require grievance officers to resolve complaints within one month. Until the DPDPA fully supersedes these rules, startups must track both frameworks. 

Who Needs to Comply? 

The DPDPA applies to any entity that: 

  • Processes digital personal data of individuals in India 
  • Processes personal data outside India in connection with offering goods or services to individuals in India 

There is no revenue threshold, no employee headcount minimum, and no sector exemption for startups. If you collect a name and email from an Indian user, you are a Data Fiduciary under the Act. 

The exemption most relevant to a founder is for purely personal or domestic processing, a freelancer’s personal contact list, for instance. The moment data is processed for a business purpose, you are in scope. 

For a deeper breakdown of your compliance obligations, read our foundational guide on DPDPA compliance for startups. 

What Complaints Can Users Actually Raise? 

Under Sections 11–14 of the DPDPA, Data Principals can raise complaints across five broad categories: 

For each right, the table below gives what the user can demand and what the startup must do: 

  • Right to Access (Section 11). User can demand: a summary of the personal data processed and the list of third parties it was shared with. Startup obligation: provide a clear, structured response. 
  • Right to Correction (Section 12). User can demand: correction of inaccurate or outdated personal data. Startup obligation: correct the data and confirm the action. 
  • Right to Erasure (Section 12). User can demand: deletion of personal data once the processing purpose is fulfilled. Startup obligation: delete and confirm, subject to legal retention requirements. 
  • Right to Grievance Redressal (Section 13). User can demand: a hearing on any complaint about a data practice. Startup obligation: acknowledge and resolve within the published timeframe. 
  • Right to Nominate (Section 14). User can demand: that a nominated person exercise these rights on their behalf. Startup obligation: accept and act on valid nominations. 

For a step-by-step walkthrough of the erasure workflow specifically, read our guide on handling Right to Erasure requests under DPDPA. 

What Happens If You Ignore a Complaint? 

Section 13 requires you to resolve grievances within the timeframe you publish. If you do not, the Data Principal can escalate the complaint to the DPBI. Here is what that means for your startup: 

  • Investigation Powers: The DPBI can summon you, demand documents, inspect your data processing practices, and question your officers. This is not a polite request; it is a statutory power under the Act. 
  • Penalties: Section 33 allows the Board to impose monetary penalties, with caps set in the Schedule. The highest, ₹250 crore per instance, applies to failure to maintain reasonable security safeguards; failures on Data Principal rights fall under lower caps. Even the smaller amounts are material enough to wipe out a seed-stage runway. 
  • Corrective Actions: Beyond fines, the Board can issue cease-and-desist orders, mandate data deletion, or direct you to overhaul your systems entirely. 
  • Public Orders: DPBI decisions are typically public. A regulatory order against your startup becomes permanent reputational baggage visible to investors, customers, and competitors. 
  • Appeal to TDSAT: Under Section 29, you can appeal a Board order to the Telecom Disputes Settlement and Appellate Tribunal. But appeals cost time, money, and management bandwidth that early-stage startups rarely have to spare. 

How to Build a Compliant Grievance System 

A five-step process 

The DPDP Rules leave the exact response timeline to you, but it must be reasonable and publicly stated, and you are then held to it. 

Step 1: Appoint & Publish a Point of Contact  

Publish the name, designation, and contact email of your Grievance Officer or DPO. This must appear in your privacy notice and on your website or app, and should also be in app settings and any other user-facing documentation. Under the DPDP Rules, 2025, publishing a point of contact is non-negotiable. 

Step 2: Create a Dedicated Intake Channel 
A specific email (e.g., privacy@yourstartup.in) or an in-app form. Do not route data privacy complaints through generic customer support where they get lost in refund and shipping queries. 

Step 3: Set & Publish a Response Timeline 
Define your turnaround time internally and state it in your privacy notice. While the DPDPA does not mandate a strict 30-day deadline like GDPR, 30 days is the global benchmark and what Indian regulators will likely expect as “reasonable.” 

Step 4: Build an Internal Resolution Workflow 
Document SOPs that define: 

  • Who reviews the complaint? 
  • Who has the authority to correct or delete data? 
  • How is the outcome communicated to the user? 
  • When do you escalate to legal counsel? 

Step 5: Maintain an Audit Trail 
Log every complaint received, actioned, and resolved: when it arrived, how the Data Principal’s identity was verified, who handled it, what was decided, and when the user was told. If the DPBI ever comes knocking, this trail is your primary defense. It proves you took the complaint seriously and responded in good faith, and it only counts if it cannot be quietly edited after the fact. 
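The following is an added example, not code from the original article, showing one way to implement Steps 2 to 5 and the identity-verification rule from the FAQ in a single grievance register: each request is typed by the right it invokes, gets a deadline from a published response window, cannot be acted on (for correction, erasure or nomination) until the Data Principal is verified, and every state change is appended to a SHA-256 hash-chained audit trail so later tampering is detectable. The 30-day window, ticket ID format, and sample requests are assumptions for illustration, not values taken from the Act or the Rules.

```python
"""Grievance register: intake, SLA tracking, verify-before-act, tamper-evident audit trail."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class RequestType(str, Enum):
    ACCESS = "access"          # Section 11
    CORRECTION = "correction"  # Section 12
    ERASURE = "erasure"        # Section 12
    GRIEVANCE = "grievance"    # Section 13
    NOMINATION = "nomination"  # Section 14


# Requests that change, destroy or delegate control of data must wait for identity verification.
NEEDS_VERIFICATION = {RequestType.CORRECTION, RequestType.ERASURE, RequestType.NOMINATION}

# Published turnaround time. 30 days is an assumption mirroring the guide's benchmark.
RESPONSE_WINDOW = timedelta(days=30)


@dataclass
class Ticket:
    ticket_id: str
    request_type: RequestType
    principal_contact: str
    received_at: datetime
    deadline: datetime
    status: str = "received"
    identity_verified: bool = False
    outcome: str = ""


@dataclass
class AuditEntry:
    ts: str
    ticket_id: str
    event: str
    detail: str
    prev_hash: str
    entry_hash: str


def _entry_digest(ts: str, ticket_id: str, event: str, detail: str, prev_hash: str) -> str:
    body = json.dumps([ts, ticket_id, event, detail, prev_hash], separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class GrievanceRegister:
    """In-memory register with an append-only, hash-chained audit trail (Step 5)."""

    def __init__(self) -> None:
        self.tickets: dict[str, Ticket] = {}
        self.audit: list[AuditEntry] = []
        self._seq = 0

    def _log(self, ticket_id: str, event: str, detail: str, now: datetime) -> None:
        prev = self.audit[-1].entry_hash if self.audit else "0" * 64
        ts = now.isoformat()
        self.audit.append(AuditEntry(ts, ticket_id, event, detail, prev, _entry_digest(ts, ticket_id, event, detail, prev)))

    def open(self, request_type: RequestType, contact: str, description: str, now: datetime) -> Ticket:
        """Step 2/3: dedicated intake; the deadline is fixed from the published window at receipt."""
        self._seq += 1
        ticket = Ticket(f"GR-{self._seq:05d}", request_type, contact, now, now + RESPONSE_WINDOW)
        self.tickets[ticket.ticket_id] = ticket
        self._log(ticket.ticket_id, "received", f"{request_type.value}: {description}", now)
        return ticket

    def verify_identity(self, ticket_id: str, method: str, now: datetime) -> None:
        ticket = self.tickets[ticket_id]
        ticket.identity_verified, ticket.status = True, "verified"
        self._log(ticket_id, "identity_verified", method, now)

    def resolve(self, ticket_id: str, outcome: str, now: datetime, refused: bool = False) -> Ticket:
        """Step 4: a reasoned refusal is allowed; acting on unverified destructive requests is not."""
        ticket = self.tickets[ticket_id]
        if not refused and ticket.request_type in NEEDS_VERIFICATION and not ticket.identity_verified:
            raise PermissionError(f"{ticket_id}: verify the Data Principal before acting on {ticket.request_type.value}")
        ticket.status, ticket.outcome = ("refused" if refused else "resolved"), outcome
        self._log(ticket_id, ticket.status, outcome, now)
        return ticket

    def overdue(self, now: datetime) -> list[str]:
        """Tickets still open past their published deadline; feed this to an alert or daily report."""
        return [t.ticket_id for t in self.tickets.values() if t.status in ("received", "verified") and now > t.deadline]

    def verify_chain(self) -> bool:
        """Recompute every digest; any edited or removed entry breaks the chain."""
        prev = "0" * 64
        for e in self.audit:
            if e.prev_hash != prev or _entry_digest(e.ts, e.ticket_id, e.event, e.detail, prev) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> dict:
    """Constructed sample run: one erasure request handled correctly, one access request left to go overdue."""
    reg = GrievanceRegister()
    t0 = datetime(2026, 1, 5, 10, 0, tzinfo=timezone.utc)
    erase = reg.open(RequestType.ERASURE, "user@example.com", "delete my account", t0)
    try:
        reg.resolve(erase.ticket_id, "account deleted", t0 + timedelta(days=1))
        blocked = False
    except PermissionError:
        blocked = True  # unverified erasure is refused by the register itself
    reg.verify_identity(erase.ticket_id, "OTP to registered email", t0 + timedelta(days=1))
    reg.resolve(erase.ticket_id, "profile deleted; invoices retained under tax law", t0 + timedelta(days=2))
    reg.open(RequestType.ACCESS, "+91-98xxxxxxx0", "what did you do with my phone number", t0 + timedelta(days=3))
    late = reg.overdue(t0 + timedelta(days=40))
    intact_before = reg.verify_chain()
    reg.audit[0].detail = "edited after the fact"  # simulate someone rewriting history
    return {"blocked": blocked, "late": late, "intact_before": intact_before, "intact_after": reg.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

In production the audit list would live in append-only storage (a write-once table or object store with versioning) and the head hash would be copied somewhere the operations team cannot edit; the chain makes tampering detectable, not impossible, and `overdue()` is the check that turns the published timeline from a promise into something you actually track.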

The Data Protection Board of India (DPBI) 

The DPBI operates on a fully digital model: 

  • Complaints are filed online through a government portal 
  • Proceedings are conducted digitally: hearings, evidence submission, and orders 
  • Decisions are issued electronically and enforced as statutory orders 

This is fundamentally different from India’s slow civil court system. A complaint that reaches the Board is not designed to languish for years. For a startup without a dedicated legal team, an unresolved user grievance can become a full regulatory inquiry within months. 

Learn more about India’s evolving data governance infrastructure and what it means for your startup here.  

FAQs

Do I need a lawyer to handle every complaint?

No. Routine complaints (data access, correction, deletion) can be handled by a trained operations or customer success lead. However, legal counsel should review any complaint involving a data breach, a minor’s data, or a potential penalty. 

Can my customer support team double as the grievance cell?

They can, but only if they are trained on DPDPA rights and have a separate ticketing category for data privacy. The key is ensuring these complaints do not get treated like general bugs or refund requests. 

What if the complaint is frivolous?

You must still acknowledge it and explain why the request cannot be fulfilled (e.g., legal retention requirements under the Income Tax Act). A documented, reasoned refusal is compliant. Silence is not. 

How is this different from consumer courts?

Consumer courts handle defective products and service deficiencies. The DPBI handles violations of data protection rights. A user can approach both, but the DPBI has specific technical expertise in data governance. 

Do I need to respond to anonymous complaints?

No. You must verify the identity of the Data Principal (or their nominee under Section 14) before acting on any request that discloses, changes, or deletes personal data. Acting on an unverified erasure or correction request is itself a way to leak or corrupt someone else’s data. Record the verification method in the audit trail. 

Conclusion

Build the system. Train your team. Publish the contact. That is the minimum. 

The real competitive moat is building a culture where every data decision starts with a simple question: would our users be comfortable if they could see exactly what we are doing with their data? Need help with building a grievance redressal SOP? Call us today. 
