One of the most commonly missed DPDP compliance requirements, and one of the simplest to fix. Here is everything you need to know about the Grievance Officer obligation under the DPDP Act 2023.
Section 13 of the Digital Personal Data Protection Act 2023 requires every Data Fiduciary to publish the name and contact details of a person who is responsible for handling complaints and grievances from Data Principals (your users).
This person is called the Grievance Officer. They act as the point of contact between your organisation and your users when users have complaints about how their personal data is being handled.
Key obligation: The Grievance Officer's name and contact details must be publicly published on your website, not just mentioned in an internal document. This is a mandatory disclosure that regulators and users must be able to find.
The Grievance Officer's primary responsibilities under the DPDP Act are:
The Act does not require a specific qualification, certification, or legal background. Any of the following can fulfil the role:
Location requirement: For companies incorporated in India, the Grievance Officer must be based in India. For foreign companies processing data of Indian residents, the Act requires appointment of a representative in India, which can serve as the Grievance Officer contact.
These are two different roles. Most businesses only need a Grievance Officer.
| Dimension | Grievance Officer | Data Protection Officer (DPO) |
|---|---|---|
| Who must appoint | Every Data Fiduciary | Only Significant Data Fiduciaries (designated by Central Government) |
| Qualification required | None specified | Must have knowledge and experience in data protection (exact specification pending) |
| Location | India-based for Indian entities | Resident in India |
| Primary role | Handle user complaints and data rights requests | Oversee all DPDP compliance; advise on DPIA; Board liaison |
| Public disclosure | Name and contact on website | Name and contact on website |
| Cost | Internal role, no separate cost for SMBs | Typically a dedicated hire or outsourced role |
For the vast majority of Indian startups and SMBs, appointing a Grievance Officer from the existing team is sufficient. The DPO requirement only applies if you are designated a Significant Data Fiduciary by the government.
At minimum, your website's privacy policy and footer must include:
Copy and paste this into your Privacy Policy and website footer. Replace the placeholders with your details.
When you run a DPDP compliance scan on CompliSeal, one of the 16 checkpoints specifically checks whether:
Missing this checkpoint is one of the most common failures in CompliSeal scans, particularly for startups that used a generic privacy policy template. The fix takes 15 minutes.
Yes. For early-stage companies, a co-founder or CEO routinely fulfils this role. There is no prohibition on a senior officer being the Grievance Officer. As the company scales, you may want to delegate to a senior operations or legal hire.
The Act requires acknowledgement within 48 hours and resolution within 7 days. These appear to be calendar days based on the Act's language, though the Board may clarify working-day interpretations. Setting up an auto-acknowledgement email ensures the 48-hour requirement is met even outside business hours.
You need both: a privacy policy disclosing your data practices, and a Grievance Officer disclosure within it. CompliSeal's policy generator creates a DPDP-compliant privacy policy that includes the Grievance Officer section. You can complete both in under 30 minutes.
Technically yes, but a dedicated grievance email (grievance@yourcompany.com) is strongly recommended. It demonstrates good faith to users and the Board, ensures complaints are not buried in support queues, and makes it easier to maintain the required response-time records.