
How to Handle Employee DPDP Data Requests in India (2026)

An employee has formally asked to see — or erase — the monitoring data you hold on them. This is the India-specific workflow: what Sections 11–14 of the DPDP Act 2023 actually grant, the 7-step response process, what to disclose and what to withhold, and a copy-paste response letter. Verify with counsel.

How do you handle an employee DPDP data access request? Log the request in writing, verify the requester’s identity against the credentials used at consent, and acknowledge receipt. Then confirm your legal basis: Section 11 access rights and Section 12 correction/erasure rights attach to consent-based processing, so check whether your monitoring runs on consent or the Section 7(i) employment ground. Compile a summary of every monitoring category processed — activity logs, screenshots, productivity scores and AI inferences — plus the processors it is shared with. Erase what the employee asks to erase unless a legal retention ground applies, and record that ground. Respond within the timeline your organisation has published under the DPDP Rules 2025 framework (most India employers adopt 30 days or less), route disputes to your Grievance Officer under Section 13, and keep an auditable trail of every step. Verify timelines and grounds with counsel.

What rights can an employee invoke under Sections 11–14?

Four distinct rights sit in Chapter III of the DPDP Act 2023, and a monitoring-data request usually invokes the first two:

  1. Section 11 — right to access. A summary of the personal data being processed, the processing activities applied to it, and the identities of all other Data Fiduciaries and Data Processors with whom it has been shared, with a description of what was shared.
  2. Section 12 — correction and erasure. Correction of inaccurate data, completion of incomplete data, updating, and erasure of data no longer necessary for the specified purpose — unless retention is required by law.
  3. Section 13 — grievance redressal. A readily available means of grievance redressal that the employee must exhaust before approaching the Data Protection Board of India.
  4. Section 14 — nomination. The right to nominate another individual to exercise these rights in case of death or incapacity — rare in employment contexts, but it exists.

One nuance decides the whole workflow: on the text of the Act, Sections 11 and 12 attach to processing based on consent or on voluntary provision under Section 7(a). If your monitoring runs purely on the Section 7(i) employment legitimate-use ground, the access right may not formally apply — but Section 13 grievances still do, and most advisers recommend honouring access requests on any basis because a refusal invites Board scrutiny of your entire posture. Verify your legal basis with counsel.

The 7-step response workflow

  1. Log and timestamp. Capture the request verbatim, the channel it arrived on, and the date. The clock for your published response timeline starts here.
  2. Verify identity. Authenticate against the same identifiers used when consent was collected — corporate email, employee ID, or your consent-manager record. Never disclose monitoring data on an unverified request; a wrong-person disclosure is itself a breach.
  3. Classify the request and confirm legal basis. Is it access (Section 11), correction/erasure (Section 12), or a grievance (Section 13)? Then check which legal basis covers the data in scope — consent or Section 7(i) — because that determines which rights formally attach.
  4. Pull the data map. List every system that captures the employee’s personal data: attendance, monitoring agent, productivity scoring, project tools, and any processor the data flows to. If you do not have a current data map, this step is where most responses stall.
  5. Compile the disclosure summary. For each category: what is collected, what processing is applied (including AI scoring), retention period, and who it is shared with. Redact third-party personal data from any shared artefacts.
  6. Resolve erasure vs retention. Erase what is no longer necessary; where a legal ground forces retention (payroll, tax, ongoing proceedings), record the specific ground and a review date instead of a blanket refusal.
  7. Respond in writing and close the loop. Send the response letter (template below) within your published timeline, offer the Grievance Officer escalation path, and archive the full trail — request, verification, disclosure, grounds, response — in an auditable record.

What monitoring data must be disclosed?

Section 11 entitles the employee to a summary of personal data and processing activities — not necessarily a raw export of every log line. The defensible posture is a structured summary per category, with copies of artefacts where practical:

Data category | Disclose? | Notes
Attendance, login/logout records | Yes | Summary plus period covered; straightforward personal data.
App & website activity logs | Yes | Summarise categories and processing applied; raw logs optional but defensible to include.
Screenshots / screen recordings | Yes, redacted | The employee’s own captures; redact other individuals’ data visible in frame.
Productivity scores & AI inferences | Yes | Derived data about the employee is still their personal data; include how the score is produced.
Manager notes referencing monitoring data | Case-by-case | Personal data of the employee, but may intersect ongoing proceedings; take legal advice before withholding.
Security/audit logs containing third parties | Redacted extract | Disclose the employee’s entries; redact colleagues’ identifiers.

The disclosure must also name the fiduciaries and processors the data has been shared with — for monitoring data that typically means your monitoring vendor, cloud host and any analytics processor. If your vendor cannot tell you where employee data sits, that is a finding in itself. Verify scope with counsel.

Erasure vs retention: when you can refuse

Section 12 lets the employee demand erasure of personal data that is no longer necessary for the specified purpose. You may retain it only where retention is necessary for that purpose or required for compliance with law. In an employment context the common legitimate retention grounds are:

  • Payroll, tax and statutory records — attendance data feeding PF/ESI/TDS filings carries its own statutory retention periods.
  • Ongoing disciplinary or legal proceedings — monitoring artefacts that are evidence in a live matter can be preserved under legal hold.
  • Mandated security audit logs — sectoral or contractual log-retention obligations (common in BPO and GCC environments).

What you cannot defensibly do is keep everything because some of it might be needed. The clean pattern: erase by default, retain by exception, record the specific ground for each exception, and set a review date so retention does not silently become permanent. Verify each ground with counsel.
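As an added illustration of steps 6 and 7 of the workflow above and of the erase-by-default pattern (example code written for this page, not code from the page or from any product it mentions): a small Python resolver that records a specific ground and review date for each retention, treats an expired review date as no ground at all, and emits one audit entry per category. The data map, processor names and grounds are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample data map: monitoring categories held for one employee
# and the processors each category is shared with (hypothetical names).
DATA_MAP = {
    "attendance_records": ["payroll-processor"],
    "activity_logs": ["monitoring-vendor", "cloud-host"],
    "screenshots": ["monitoring-vendor"],
    "productivity_scores": ["analytics-processor"],
}

# Retention exceptions: category -> (specific legal ground, review date).
# Any category absent here is erased by default. Values are constructed.
RETENTION_GROUNDS: Dict[str, Tuple[str, date]] = {
    "attendance_records": ("statutory payroll/tax records (PF/ESI/TDS)", date(2027, 4, 1)),
    "screenshots": ("legal hold: ongoing disciplinary proceeding", date(2026, 9, 30)),
}

@dataclass
class Decision:
    category: str
    action: str                         # "erase" or "retain"
    ground: Optional[str] = None        # recorded only for retentions
    review_date: Optional[date] = None  # retention must be re-justified by this date

def resolve_erasure(requested: List[str], data_map, grounds, today: date) -> List[Decision]:
    """Erase by default, retain by exception; a ground whose review date has
    already passed no longer justifies retention, so that category is erased."""
    decisions = []
    for category in requested:
        if category not in data_map:
            # An unknown category means the data map is stale: stop rather than guess.
            raise KeyError(f"{category} is not in the data map")
        if category in grounds and grounds[category][1] > today:
            ground, review = grounds[category]
            decisions.append(Decision(category, "retain", ground, review))
        else:
            decisions.append(Decision(category, "erase"))
    return decisions

def audit_entries(request_id: str, decisions: List[Decision], today: date) -> List[dict]:
    """One auditable record per category: what was decided, why, and when it is revisited."""
    return [
        {"request": request_id, "decided_on": today.isoformat(), "category": d.category,
         "action": d.action, "ground": d.ground,
         "review_on": d.review_date.isoformat() if d.review_date else None,
         "shared_with": DATA_MAP[d.category]}
        for d in decisions
    ]
```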

Deadlines under the DPDP Rules 2025

Unlike the GDPR’s one-month DSAR clock, the DPDP Act does not hardcode a single statutory deadline for responding to access requests. The DPDP Rules 2025 framework instead requires Data Fiduciaries to publish the time period within which they will respond to rights requests and grievances — and then honour it. Practical implications for HR/IT:

  • Your privacy notice and grievance policy must state a concrete response window. Most India employers we see adopt 30 days or less so the commitment is credible and defensible.
  • The published window is enforceable posture: blowing your own deadline is exactly the kind of fact the Data Protection Board weighs in a complaint.
  • Separate clocks exist for other obligations — breach notification runs on its own, much shorter timeline — so do not conflate them in your SOP.

For the file: serious DPDP violations carry penalties prescribed in Schedule 1 of the Act — reported as up to INR 250 crore for the gravest categories. The final notified text of the DPDP Rules 2025 and any phased enforcement dates control your actual obligations — verify current timelines and penalty exposure with counsel before relying on them.

Copy-paste response letter template

Adapt the bracketed fields; have counsel approve the version you standardise on.

Subject: Response to your data principal request dated [date]

Dear [Employee name],

We acknowledge your request dated [date] under Section [11 / 12] of the Digital Personal Data Protection Act, 2023, received via [channel] and identity-verified on [date].

1. Summary of personal data processed. In connection with workplace systems we process the following categories of your personal data: [attendance and login records; application and website activity logs; productivity metrics and AI-generated scores; screenshots, if applicable]. Processing activities applied: [collection, storage, classification/scoring, reporting]. Retention periods: [per category].

2. Sharing. This data has been shared with the following Data Processors / Data Fiduciaries: [vendor name — purpose; cloud host — purpose].

3. Correction / erasure. [We have corrected/erased the following data: …] OR [We are unable to erase [category] because retention is required for [specific legal ground, e.g. statutory payroll records / ongoing proceedings]. This ground will be reviewed on [date], after which the data will be erased.]

4. Grievance. If you are dissatisfied with this response, you may write to our Grievance Officer at [email]. If your grievance is not resolved within our published period of [X days], you may approach the Data Protection Board of India.

[Name], [Designation], [Company]

Frequently asked questions

Does an employee have a right to see their monitoring data under DPDP?

Where monitoring data is processed on the basis of consent, Section 11 of the DPDP Act 2023 entitles the employee to a summary of the personal data being processed, the processing activities applied to it, and the identities of fiduciaries and processors it has been shared with. If you rely instead on the legitimate-use ground for employment purposes under Section 7(i), the access and correction rights in Sections 11–12 may not formally attach — but most India employers honour requests anyway as the lower-risk posture. Verify your legal basis with counsel.

How long do we have to respond to a DPDP data access request?

The DPDP Act does not hardcode a GDPR-style 30-day clock for access requests. The DPDP Rules 2025 framework instead requires Data Fiduciaries to publish the period within which they will respond to grievances and rights requests, and to honour it. Many India employers adopt an internal SLA of 30 days or less so the published commitment is defensible. Confirm the final notified rules and your published timeline with counsel.

Can we refuse to erase an employee’s monitoring data?

Yes, in defined cases. Under Section 12, erasure can be declined where retention is necessary for the specified purpose or for compliance with law — for example payroll and tax records, data relevant to ongoing disciplinary or legal proceedings, and security audit logs with mandated retention. Record the specific ground in writing, erase everything outside it, and diarise a review date. Verify each ground with counsel.

Do Sections 11–12 apply if we rely on Section 7(i) employment purposes instead of consent?

On the text of the Act, the access and correction/erasure rights in Sections 11 and 12 attach to processing based on consent or on voluntary provision under Section 7(a) — not to every legitimate use. Monitoring run purely under the Section 7(i) employment ground sits in a grey zone. Because the grievance right in Section 13 still applies and the Data Protection Board can examine your posture, most advisers recommend honouring access requests regardless of basis. Verify with counsel.

What if disclosure would expose another employee’s personal data?

Redact. The request entitles the employee to their own personal data, not to colleagues’ data captured in the same logs, screenshots or reports. Standard practice is to redact third-party identifiers from shared artefacts before disclosure, and to note in the response letter that redactions were applied to protect other data principals. Verify the approach with counsel.

What happens if the employee is not satisfied with our response?

Section 13 requires you to provide a grievance redressal mechanism, and the employee must exhaust it before complaining to the Data Protection Board of India. Route escalations to your designated Grievance Officer (or Data Protection Officer if you are a Significant Data Fiduciary), respond within your published timeline, and keep the full trail — the Board can ask for it. Verify escalation obligations with counsel.

Make the next request a 30-minute job, not a 30-day scramble

gStride keeps the capture surface small — outcome signals, no keystroke logging, screenshots off by default — so the disclosure summary is short and the data map already exists. See how a privacy-first stack changes the DSAR workload.



Disclaimer: This article is general information, not legal advice. The DPDP Act 2023 and DPDP Rules 2025 are summarised as publicly understood in June 2026; final notified rules, enforcement phasing and penalty exposure are fact-specific. Verify legal bases, timelines, retention grounds and penalties with qualified counsel before acting.