Nomination Rights Under DPDP: A Forgotten but Critical Obligation

The Digital Personal Data Protection Act (DPDP), 2023 has brought several user-centric reforms to India’s data privacy landscape. While much attention is given to consent, breach notifications, and cross-border data transfers, one crucial right often goes unnoticed: the right to nominate.
This blog unpacks what Nomination Rights mean under DPDP, why they matter for compliance, and how businesses should prepare to honour this new and powerful user entitlement.
What Is the Nomination Right Under DPDP?
Under Section 12(5) of the DPDP Act, Data Principals (users) have the right to nominate another individual who can act on their behalf in case of incapacity or death. This means:
- The nominee can access, correct, erase, or manage the user's personal data
- The nominee can also withdraw consent or raise grievances
This right empowers users to ensure continuity of their data rights even if they are no longer able to act themselves.
Why Is This Right Critical?
- Legal Continuity
After a Data Principal’s death, businesses cannot process or withhold personal data without considering the nominee’s rights.
- Compliance Risk
Ignoring or denying nomination requests can result in a violation of user rights under Section 12, inviting penalties under Section 33 of the Act.
- User Trust
Proactively enabling nomination builds transparency and demonstrates a business’s commitment to user autonomy and privacy.
- Sensitive Sectors
For sectors like healthcare, fintech, insurance, and edtech, nomination is particularly crucial where records may need to be accessed by family or legal representatives.
What the DPDP Rules Say
While the DPDP Rules, 2025 are yet to fully detail the implementation of nomination rights, the following are expected:
- Secure authentication of both the nominator (user) and nominee
- Revocable nomination (users can change their nominee anytime)
- Records of nomination maintained by the Data Fiduciary
- Integration of nomination in onboarding flows or account settings
Until further guidelines are issued, businesses must be technically and operationally ready.
What Businesses Should Do to Stay Compliant
1. Add Nomination Options to Onboarding & Settings
Allow users to easily nominate someone through profile settings or while signing up.
2. Maintain Nomination Logs
Store and secure nominee data separately, with audit logs for consent and changes.
3. Build Verification Workflows
Verify nominee identity (e.g., Aadhaar-based, KYC-level verification) to avoid misuse.
4. Create Internal SOPs
Train teams on how to handle data access and requests made by nominees, especially in sensitive events (death or disability).
5. Update Privacy Policy & Notices
Mention the right to nominate, and how users can exercise this right, in your DPDP-compliant privacy notices.
What Happens if You Ignore Nomination Rights?
Failing to implement nomination rights could be considered:
- A denial of user rights (Section 12)
- A grievance failure (Rule 21)
- A compliance violation leading to fines under Section 33(i)
The DPDP Act authorises the Data Protection Board of India to levy penalties of up to ₹250 crore per breach, depending on severity.
Don’t Ignore the “Forgotten Right”
Nomination may seem like a minor detail, but it’s not. It’s a critical safeguard that empowers users and prepares businesses for future-proof privacy management.
Start small:
1. Include a nominee option in your account dashboard
2. Train your privacy and support teams
3. Build flows to verify, revoke, and record nominee details
Blutic helps businesses implement DPDP-compliant user rights, including consent management, grievance flows, erasure requests, and nomination options, seamlessly and securely.


