What the 90-day Rule 14 deadline means.

Rule 14 of the Digital Personal Data Protection Rules, 2025 sets the most important number in the entire DPDP regime: ninety days. It is the number we organise our entire workflow around.

What the Rule says.

Rule 14 requires a Data Fiduciary to act on a Data Principal's request, including requests for access, correction, or erasure, within ninety days from the date of receipt. The Rule further requires the Fiduciary to provide a written explanation if the request is refused, including the option to approach the Grievance Officer and, thereafter, the Data Protection Board under Section 27 of the Act.

Three details deserve attention.

First, ninety days is a maximum, not a target. The Rule expects companies to act as soon as practicable. We have seen consent-based platforms act within seven days on routine requests. We have also seen large companies wait until day eighty-nine, run an internal review, and act on day ninety. Both are legally fine. We do not pre-judge.

Second, the clock starts at receipt, not at acknowledgement. If a company sits on your email for two weeks before processing it, those two weeks count. This is why we send via channels with verifiable timestamps.

Third, "act" means complete the operation, not start it. A company that emails you on day ninety to say "we have begun reviewing" is in technical default. In practice, the Board has signalled that minor delays of a few days will be treated leniently if the company shows good-faith effort, but anything beyond two weeks past ninety is escalation territory.

The math of the clock.

We run a per-notice timer for every Section 12 letter we send. The math is straightforward but the implications are not.

If we send on day zero, we follow up politely on day thirty if there has been no acknowledgement. The follow-up is brief: "Re: our Section 12 notice dated [X]. Confirming receipt. Reminder that Rule 14 requires action within ninety days from receipt."

On day sixty, if there is still no movement, we send a formal escalation referring the matter to the company's Grievance Officer. The escalation cites Section 13 of the Act and notes that the Grievance Officer must respond within thirty days under Rule 13.

On day ninety-one, if the request is still unfulfilled, the case moves into the DPB escalation queue. Our system has already drafted the filing packet, complete with chain-of-custody evidence, original notice, follow-ups, and any company responses. You approve and we submit, either via the Board's e-filing portal as it becomes available or by Speed Post with acknowledgement to the Board secretariat in the interim.

Why companies act on day eighty-nine.

About forty percent of our removals at large Indian platforms close in the last week of the ninety-day window. The reason is operational, not malicious. Most large fiduciaries have a quarterly review cycle for privacy requests. They batch them. A request that lands in week one of a quarter gets actioned at the end of the quarter, which is typically eleven to twelve weeks later. They aim for the deadline because it is operationally efficient.

This is annoying but predictable. We design around it. The Vault.in dashboard shows you which removals are in the "near deadline" bucket; we know not to expect them to close earlier.

Why companies escalate to day ninety-one and beyond.

A smaller minority, around eight to twelve percent of our notices, miss the deadline. The reasons fall into three buckets.

First, the company has no functioning privacy operation. The email address bounces, the form returns errors, the Grievance Officer is unstaffed. These are typically smaller listings sites or directory aggregators that built fast and have not kept up with compliance.

Second, the company has reviewed the request and disagrees. This is rare but legitimate. The Rule allows refusal with a written explanation; we have seen this happen on disputed identity (the company is unsure the requester is the data subject), on statutory retention (the data is needed for a regulatory obligation), or on journalistic exemption claims (rare, usually unsuccessful on review).

Third, the company has gone silent for political reasons. They received the request, they read it, they have nothing to say, they are hoping you will go away. These are the ones we escalate to the Board.

What the DPB does with an escalation.

Once filed, the Board acknowledges receipt within seven working days. It then has discretion on whether to hear the matter formally or to attempt mediation first. In our experience to date, the Board has favoured mediation on individual erasure requests, sending the company a written demand to act within a defined timeline (typically fourteen to thirty days) and reserving formal proceedings for systemic non-compliance.

Companies almost always respond to a Board-mediated demand. The reason is that ignoring it tips the matter into formal proceedings, where Section 33 penalties become a live option. Section 33 caps penalties at Rs 250 crore. Even a small fraction of that, levied against a single non-compliant fiduciary, is enough to ruin a board meeting.

This is why escalation works. It is not because most companies are forced to comply. It is because the cost of being forced to comply is so high that they prefer to comply voluntarily before it gets there.

The honest exceptions.

Some companies will not be moved even by Board intervention. Defunct entities whose registrations have lapsed cannot respond. Foreign companies outside Indian jurisdiction, particularly Russian search engines and dark-web markets, are practically immune. Some statutory public records are designed by law to be unremovable.

We tell you, on the day we find them, which exposures fall into these buckets. They are roughly twenty-two percent of typical exposures we discover. The honest number matters.

What this looks like on a dashboard.

When you log into Vault.in, your removals page shows a kanban: Drafted, Submitted, Acknowledged, Completed, Escalated to DPB. Every card shows the Rule 14 day count. Cards approaching day eighty-nine glow softly. Cards past day ninety-one move to the Escalated column automatically and a draft DPB packet appears for your review. You do not have to remember dates; the workflow remembers for you.

If you would like to see what your queue would look like, run a free scan first.