"Do we need to appoint a Data Protection Officer?" is one of the most common — and most muddled — DPDP questions. The short answer: most companies do not need a DPO, but nearly all need a published contact for grievances and a redressal mechanism behind it. Conflating the two leads to either over-hiring or under-complying. Here is the clean version.
Two different roles, often confused
India's Digital Personal Data Protection Act, 2023 contemplates two distinct things:
- A Data Protection Officer (DPO) — a senior, accountable privacy officer based in India, required only for organisations designated as Significant Data Fiduciaries (SDFs) (§10).
- A grievance-handling contact and mechanism — required of every Data Fiduciary, so Data Principals have a clear way to raise and resolve complaints (§8(9), §13).
What to do: First determine whether you are an SDF. If you are not — and most organisations are not — you do not need a DPO, but you still must publish a grievance contact and stand up a redressal process.
What the Act and Rules actually require
Two provisions do the work:
- §8(9): Every Data Fiduciary must publish the business contact information of a Data Protection Officer (if it has one) or of a person able to answer, on its behalf, Data Principals' questions about the processing of their personal data.
- §13: Every Data Fiduciary must provide an effective grievance redressal mechanism, and the Data Principal has the right to use it.
The Rules add the detail: this contact must be displayed prominently on your website or app (Rule 9), and grievances must be redressed within a reasonable period not exceeding 90 days (Rule 14(3)).
A note on titles. The popular shorthand is "appoint a Grievance Officer," and many notices use exactly that label. The Act's own words are narrower — it requires a published contact and a redressal mechanism, not necessarily a person carrying the specific title "Grievance Officer." The substance (a named contact, a working process, a 90-day ceiling) is what matters; the exact job title is a presentation choice.
[VERIFY: confirm with counsel whether your sector or terms of service oblige you to use the specific designation "Grievance Officer," versus simply publishing a contact and mechanism per §8(9)/§13.]
What to do: Publish a real name or role-based contact, a channel (email/form), and the redressal process — and brief whoever sits behind that inbox.
The 90-day ceiling, and what it does not cover
Rule 14(3) sets the only Rules-stated rights timer: grievances resolved within 90 days. Notably, the Rules set no fixed day-count for the other rights — access (§11) and correction or erasure (§12). Those should be handled within a reasonable, policy-defined time, but there is no statutory 15- or 30-day clock for them, despite what some summaries claim. See Data Principal rights under DPDP for the full picture.
What to do: Set your own internal SLAs for access, correction, and erasure — and treat 90 days as a hard ceiling for grievances, not a target.
Do you need a DPO? The SDF test
A DPO becomes mandatory only on SDF designation by the Central Government (§10), which weighs factors such as the volume and sensitivity of data processed and risks to the rights of individuals and to the state. SDFs also face DPIAs, independent audits, and other heightened duties — covered in our DPDP vs GDPR comparison.
What to do: Assess your SDF exposure honestly. If you process large volumes of sensitive or high-risk data, prepare for designation rather than waiting for it.
A minimal, compliant setup for most companies
- Name a contact and publish it prominently (§8(9); Rule 9)
- Stand up a grievance channel — a monitored email or form, not a black hole
- Build a tracked workflow so complaints are logged, actioned, and closed within 90 days (Rule 14(3))
- Set internal SLAs for access, correction, and erasure
- Assess SDF status to know whether a DPO is in your future
These obligations take effect, together with the rest of the substantive obligations, on 13 May 2027 — see the founder's timeline.
What a good grievance response looks like
Publishing a contact is the easy part; the obligation is to actually redress grievances within the 90-day ceiling (Rule 14(3)). A defensible response cycle has four stages:
- Acknowledge. Confirm receipt promptly so the Data Principal knows the complaint landed and is being tracked.
- Investigate. Verify the complainant's identity where the request touches their data, then establish the facts — what was processed, on what basis, and whether something went wrong.
- Resolve and communicate. Take the corrective action, and tell the individual what you did in plain language. "Resolved" without an explanation is not redressal.
- Record. Log the complaint, the steps taken, and the date closed. This audit trail is what demonstrates compliance if the Board ever asks.
What to do: Run grievances through a tracked queue with a visible 90-day clock and named owners — never a personal inbox where complaints can quietly age out. A Data Principal who is ignored can escalate to the Data Protection Board, which turns a routine complaint into a regulatory interaction.
Frequently asked questions
Must every company appoint someone with the title "Grievance Officer"?
The Act requires you to publish a contact (§8(9)) and provide an effective grievance redressal mechanism (§13). The popular shorthand "appoint a Grievance Officer" captures the substance, but the Act's words are about a published contact and a working process, not a specific job title. [VERIFY: confirm whether your sector or terms of service oblige the specific designation with counsel.]
What is the difference between a DPO and a grievance contact?
A DPO is a senior, India-based privacy officer required only for Significant Data Fiduciaries (§10). A grievance contact and mechanism are required of every Data Fiduciary. Most companies need the latter, not the former.
How long do we have to resolve a grievance?
A reasonable period not exceeding 90 days (Rule 14(3)). This is the only rights timer the Rules state — there is no fixed day-count for access, correction, or erasure.
Where must we publish the contact?
Prominently on your website or app (Rule 9), so a Data Principal can find it without digging.
Can the grievance contact be a shared role or be outsourced?
A role-based or team contact generally works in practice, provided complaints are actually actioned within the 90-day ceiling. [VERIFY: confirm any constraints on outsourcing the role with counsel for your sector.]
What happens if we ignore a grievance?
A Data Principal whose grievance is not redressed can escalate to the Data Protection Board, which can investigate and impose penalties. An unanswered complaint is also the kind of avoidable lapse that turns a minor issue into a regulatory one — the 90-day ceiling (Rule 14(3)) is a backstop, not a target to drift toward.
How Sammati helps
Sammati is a consent management platform (CMP) and Data Processor — not a registered Consent Manager — that operationalises grievance handling:
- A single published contact point wired to a tracked grievance queue
- Workflows that enforce the 90-day grievance ceiling (Rule 14(3)) and your own SLAs for other rights
- An immutable, hash-chained audit trail of every complaint and its resolution
- Multilingual intake so Data Principals can complain in their own language