DPDP guide · Updated 12 May 2026

Your right to erasure under Section 12.

What it covers, what it does not, and how to exercise it without getting lost in the procedure.


Section 12 of the Digital Personal Data Protection Act, 2023 is short, plainly worded, and the most useful tool you have in the entire statute. It deserves to be understood properly because companies will rely on you not understanding it.

What Section 12 actually says.

The operative language reads, in essence:

A Data Principal shall have the right to correction, completion, updating, and erasure of her personal data for the processing of which she has previously given her consent.

The Act then specifies that on receiving such a request, the Data Fiduciary shall correct, complete, update, or erase the data, as the case may be, unless retention is necessary for a specified purpose or for compliance with any law for the time being in force.

Two things are doing a lot of work in that sentence.

First, the right attaches to data for which you gave consent. If a company processed your data on the basis of consent (which most consumer companies in India do, including any company that asked you to tick a checkbox at signup), and you now want it removed, they have to remove it.

Second, the exception is narrow. "Necessary for a specified purpose" means the purpose that was disclosed to you when consent was taken, which typically expires when the service ends. "Compliance with any law" means specific retention rules like the seven-year retention for tax records, or specific anti-money-laundering obligations. It does not mean "we want to keep it for analytics" or "we might need it for marketing later".

What Rule 14 adds.

Rule 14 of the Digital Personal Data Protection Rules, 2025 attaches the procedural muscle. It says that a Data Fiduciary must respond to an erasure request within ninety days. Not acknowledge: act. The Rule also requires the Fiduciary to give you a written reason if the request is refused, and to explain how you can complain to the Grievance Officer and then to the Board.

The ninety-day clock starts from the day the request is received. We send Section 12 notices via channels that produce a verifiable timestamp (registered email, postal Speed Post with acknowledgement, or via the company's published grievance portal with a screenshot). The clock cannot be reset because the company "lost the email"; if you sent it through a verifiable channel, day one is day one.

How to write a request that works.

A working Section 12 request has six elements. Most refusals we see in the wild happen because one of these elements was missing.

1. Identification of the Data Principal.

Enough detail to verify that the data is yours. Name, primary email or phone associated with the account, and any account number or profile URL the company can use to look you up. Avoid sending PAN copies or full Aadhaar; the Act lets you minimise.

2. Specific identification of the data.

A URL is best. A profile ID is next best. A description ("the listing for a 2BHK in Powai posted in March 2023") is a distant third. Companies often refuse vague requests as "unidentifiable".

3. Invocation of the right.

Use the precise phrase: "Acting under Section 12 of the Digital Personal Data Protection Act, 2023, read with Rule 14 of the DPDP Rules, 2025, I hereby request the erasure of the following personal data."

4. Withdrawal of consent.

Under Section 6(4), you have the right to withdraw consent. Combine the two: "I withdraw any prior consent under Section 6(4) and request erasure under Section 12." This closes the "necessary for specified purpose" exception, because the purpose no longer has consent.

5. Reference to Rule 14.

State explicitly: "Please confirm completion of erasure within ninety days as required by Rule 14." This is your hook for escalation; without it, a company can later argue you did not impose a deadline.

6. Notice of escalation.

End with: "If you do not act within ninety days, I reserve my right under Section 27 to approach the Data Protection Board of India, and to seek penalties under Section 33." Most reputable companies move when they read that paragraph.

When Section 12 does not work.

It is only honest to be clear about this.

  • Government records: MCA director filings, Udyam, RERA, eCourts, voter rolls. Section 17 carries narrow exemptions for State processing. Removal usually needs a writ petition or a specific statutory route.
  • Statutorily mandated retention: KYC records that banks must keep, tax filings, regulated medical records. The retention period overrides the right to erasure for the duration mandated.
  • News and journalism: Courts have so far been reluctant to order erasure of news content for the original publication; mirror copies and aggregators are more removable.
  • Court records: A separate right-to-be-forgotten jurisprudence is developing in Indian High Courts. The Delhi HC has granted relief in narrow cases; case-by-case treatment is the rule.

When Section 12 absolutely works.

  • Data brokers and people-search sites: Truecaller, Justdial, Sulekha, Tofler, Zauba Corp, KnowYourGST and similar. Their entire business model is consent-based aggregation. Section 12 is dispositive.
  • Classifieds and real estate: 99acres, MagicBricks, NoBroker, OLX. Often acknowledge within 14 days.
  • Matrimony: Shaadi, Jeevansathi, BharatMatrimony. Highest success rates on Section 12 we have seen, often under 21 days.
  • Job boards: Naukri, Foundit, Apna. Typically clean within 14 days.
  • Global brokers under EU jurisdiction: Apollo, Lusha, ZoomInfo, FullContact. The DPDP Act applies in parallel with the GDPR; combining the two notices accelerates things.

What we do for you.

Vault.in drafts a Section 12 notice tailored to each Data Fiduciary, sends it through a channel that produces a verifiable timestamp, tracks the ninety-day clock per notice, and if the clock runs out, drafts the DPB filing packet automatically. You can review and edit drafts before they go out; we keep a clean version history. The legal review is updated each calendar quarter by a privacy lawyer of Indian standing.

Run a free scan to see how many Section 12 notices you would want to send on your own behalf right now. Most users find the number is in the high thirties.

