What Are Your Rights If Your Personal Data Is Leaked By A Company?

Today’s personal data is just as valuable as money. Almost every app, bank, hospital, telecom operator, and e-commerce platform collects and stores your personal information, including Aadhaar, PAN, phone number, geolocation, bank account information, internet browsing history, health records, and much more.

If a company fails to protect your personal information and it is exposed to the public, you may suffer severe consequences. In India, data leaks have been on the rise recently, from large banks to fintech apps and from hospitals to government websites.

With the enactment of the Digital Personal Data Protection Act, 2023 (DPDPA), individuals now have legal rights and remedies to better safeguard their personal data. This guide explains in simple terms the rights and remedies the DPDPA provides, what to do after a leak, how to obtain compensation, how long it will take, which penalties and case law apply, and useful client-focused actions.

What Exactly Counts as a Personal Data Leak?

A personal data leak occurs when someone uses your personal information in any way that is contrary to your consent.

Types of personal data that may leak include:

  • Aadhaar
  • PAN
  • Credit or debit card details
  • Bank account information
  • Phone number
  • Email
  • Address
  • Location
  • KYC documents
  • Employment details
  • Medical reports
  • Biometrics
  • Passwords
  • Photos
  • Loan and credit information

Common real examples we have seen include:

  • A fintech app leaking a client’s contact list, resulting in calls to every number in his phone.
  • Hospital records showing HIV results appearing in public search results.
  • E-commerce platforms exposing lakhs of names and phone numbers.
  • Bank employees selling customer KYC data to fraudsters.

If your data becomes accessible to the wrong person, you have enforceable rights under Indian law.

India’s Legal Shield: The Laws That Protect You

1. Digital Personal Data Protection Act (DPDPA), 2023

This is India’s strongest data protection law. Companies handling your data must follow strict legal obligations including:

  • Ensuring cybersecurity
  • Collecting only necessary data
  • Taking valid consent
  • Informing users of breaches
  • Deleting data once the purpose is completed
  • Compensating victims of data leaks
  • Ensuring encryption and access control
  • Reporting the breach to the Data Protection Board (DPB)

2. Information Technology Act, 2000

The Act continues to provide for:

  • Compensation to an individual for any negligent behaviour (Section 43A)
  • Punishment for intentionally sharing an individual’s data with another party without their knowledge and consent (Section 72A: up to three years’ imprisonment)

3. Fundamental Right to Privacy

In Justice K.S. Puttaswamy vs. Union of India, the Supreme Court declared privacy a fundamental right. Any misuse, leak or other wrongful disclosure of your data violates Article 21.

Your Rights After a Personal Data Leak

These rights are explained below in simple language, as they are usually explained to clients during consultations.

1. Right to Be Informed About the Breach

Companies must inform you and the Data Protection Board (DPB).

They must share:

  • What data leaked
  • How it leaked
  • What risk it poses
  • What steps the company is taking
  • How you can protect yourself

In most cases that are handled, companies initially try to hide the breach, which is now a punishable violation under DPDPA.

2. Right to Claim Compensation

You can claim compensation for:

  • Financial loss
  • Fraudulent transactions
  • Identity theft
  • Harassment
  • Mental stress
  • Loss of privacy
  • Reputational harm
  • Emotional distress

In our experience, companies rarely compensate voluntarily. Once a formal complaint is filed, they respond differently.

3. Right to Know How Your Data Was Used

You can demand details about:

  • What data was collected
  • Why it was collected
  • Whether consent was properly taken
  • Which third parties received your data
  • Whether the company had strong security controls

4. Right to Withdraw Consent

You can instruct a company to stop:

  • Using your data
  • Sharing your data
  • Processing your data
  • Storing your data
  • Selling your data to advertisers

5. Right to Correction and Erasure

You can request:

  • Correction of inaccurate information
  • Deletion of your data
  • Removal from third parties
  • Erasure of data once purpose ends

6. Right to File a Complaint with the Data Protection Board (DPB)

The DPB can:

  • Investigate
  • Order audits
  • Issue penalties
  • Award compensation
  • Suspend data processing
  • Order corrective steps

Based on regulatory patterns, the DPB is expected to act firmly against companies.

7. Right to Approach Courts

If you are dissatisfied with the DPB order, you may approach:

  • TDSAT
  • High Court
  • Supreme Court

The First 24 Hours After a Data Leak: What You Must Do

Step 1: Change your passwords immediately

Do this for your bank, email, UPI apps and social media accounts.

Step 2: Inform your bank

Request:

  • Card block
  • Lower transaction limits
  • Freeze on account
  • Fraud monitoring alerts

Step 3: Ask the company to confirm the breach in writing

This often becomes the most important evidence.

Step 4: File a complaint with DPB

As soon as the portal becomes fully available.

Step 5: File a cybercrime complaint

Visit www.cybercrime.gov.in or the nearest cyber police station.

Step 6: Preserve evidence

Screenshots, bank alerts, emails and messages.

How Much Compensation Can You Claim?

Courts and the DPB consider:

  • Sensitivity of data leaked
  • Extent of exposure
  • Nature of harm
  • Financial fraud suffered
  • Mental or emotional impact
  • Whether company acted negligently
  • Duration for which data remained exposed

Compensation range based on case patterns:

  • ₹50,000 to ₹2 lakh for basic misuse
  • ₹2 lakh to ₹25 lakh for identity theft and harassment
  • ₹25 lakh to ₹5 crore for financial fraud and sensitive data leak

Common Company Excuses and How They Are Countered

Based on legal experience, these are the excuses companies usually give:

“We were hacked; it’s not our fault.”

Law: Weak security still makes them liable.

“We only leaked phone numbers, nothing sensitive.”

Reality: Phone numbers lead to SIM swap fraud and scams.

“We sent a generic safety email.”

Law: Specific, complete disclosure is mandatory.

“No financial loss has occurred.”

Reality: Mental distress itself is compensable harm.

Landmark Judgments That Protect Your Privacy

  • Justice K.S. Puttaswamy v. Union of India (2017): Privacy is a basic right.
  • Aadhaar Judgment (2018): The gathering of data has to be both necessary and proportionate.
  • Ram Jethmalani v. U.O.I. (2011): Economic information is private information.
  • Google India v. Visakha Industries (2020): Digital intermediaries are liable for their actions.
  • WhatsApp Privacy Case: Transparency and consent are essential.

When Should You Hire a Lawyer?

You should consider legal assistance if:

  • Your bank account was compromised
  • Your photos or sensitive medical data leaked
  • Harassment or intimidation has begun
  • The company refuses compensation
  • A loan or SIM card was issued in your name
  • Your personal documents were sold or misused
  • A government department leaked your data

Conclusion

Personal data leakage can lead to substantial financial and emotional damage. However, the Digital Personal Data Protection Act gives individuals many legal rights, including the authority to request an explanation, receive compensation, and hold companies accountable for their negligent conduct.

In cases where data has been leaked, individuals should take action as soon as possible, collect evidence of their personal data being leaked, and not accept generic apologies or excuses from companies. Personal data belongs to you and the Digital Personal Data Protection Act has now granted you rights as the owner of your personal information.  

One can talk to a lawyer from Lead India for any kind of legal support. In India, free legal advice online can be obtained at Lead India. Along with receiving free legal advice online, one can also ask questions to the experts online for free through Lead India.

FAQs

1. Is a company to blame for a data breach if the data was hacked?

Definitely. A company can be held responsible for its negligence in all instances, including hacking, if it has not implemented reasonable cyber-security standards.

2. Can I demand that a company erase my data even after it has been breached?

Yes. You can withdraw consent, demand deletion, and instruct them to stop further processing under DPDPA.
