How to File a Data Privacy Complaint in India

I read a LinkedIn post last week from a self-described "data privacy consultant" who claimed that ordinary Indians have no real way to push back when a company misuses their personal information. Just accept it and move on, he said. And I just... no. That's not even close to accurate. It might've been true five or six years ago when the legal scaffolding was thinner, but we're living in a different moment now. You've got options. Real ones. And I want to walk you through them because a close friend of mine went through this exact process in late 2025, and what she learned surprised both of us.

Here's What Happened

My friend Meera -- not her real name -- got a call in November 2025 from a marketing company she'd never heard of. They knew her full name, her PAN number, and the branch of her bank. She was shaken. Badly. Wouldn't you be? Someone out there had her financial details and was using them to pitch insurance plans she'd never asked about.

She asked them how they got her number. They mumbled something about "partner databases." That was it. No explanation, no apology, no sense that they'd done anything wrong. Meera called her bank. The branch manager sounded uncomfortable, told her he'd "look into it," and then went quiet for two weeks. No follow-up. No accountability. Just silence.

That's when she called me. And honestly, I didn't know the exact steps either. So we figured it out together. What I'm sharing here is basically the trail we followed -- mistakes and all.

Start With the Organisation's Grievance Officer

Your first move, always, is to go directly to the company that mishandled your data. I know that sounds obvious. But here's the thing most people miss: under the IT Act's intermediary guidelines, every company with an online presence in India is required to appoint a Grievance Officer. Not optional. Required. And they must respond to you within 15 days.

For Meera, this meant writing to her bank. Not calling the branch manager again. Writing. An email, specifically, because you need a paper trail. She drafted a clear message that said: "I believe my personal data, including my PAN and phone number, was shared with a third party without my consent. I'm requesting an explanation and corrective action under the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023."

Short and direct. She didn't rant. She didn't threaten. She stated facts and cited the law. That matters more than you'd think.

Now, the bank's Grievance Officer actually replied within a week. Surprising, right? They acknowledged her complaint, said they were "investigating," and gave her a reference number. Progress, sort of. But the 15-day window came and went without any real resolution. They never told her what happened, whether the marketing firm had a data-sharing agreement, or what steps they'd take to prevent it from happening again.

So we moved to the next step.

Filing With the Data Protection Board

Under the DPDP Act of 2023, India established the Data Protection Board (DPB) as the primary body that handles privacy complaints from citizens. Think of it as the place you go when the company itself won't give you a straight answer. The Board was operationalized in phases throughout 2025, and by late that year, its online portal was accepting complaints.

Here's roughly what Meera had to do when filing:

• Identify the data fiduciary -- that's the legal term for the organisation that collected and processed her data (in this case, the bank)
• Describe the violation -- what data was exposed, how she found out, and what harm or risk it caused
• Specify which rights were violated -- as a "data principal" (that's you and me, the people whose data it is), you've got rights under the DPDP Act including the right to consent, the right to correction, and the right to erasure
• Attach evidence -- her email to the Grievance Officer, the response she received, screenshots of the marketing call log, and a written timeline

One thing that caught us off guard: the portal asked her to confirm she'd already approached the organisation's Grievance Officer first. Makes sense. They want to see you've tried to resolve it directly before escalating. This is why that first step isn't just a formality. It's a prerequisite.

And the penalties? They're not symbolic. The DPB can impose fines of up to Rs 250 crore on organisations found violating the Act. I'm not saying every complaint results in a penalty that large -- most probably won't. But the enforcement teeth are there, and that alone changes how companies respond when they know a DPB complaint is on file.

Meera's case is still being reviewed as of early 2026. She received an acknowledgement from the Board within ten days. We'll see where it goes. But just the act of filing -- of being on record -- seemed to accelerate things at the bank. Funny how that works.

When Your Problem Isn't Just a Privacy Issue

Here's something I wish I'd understood earlier. Not every data misuse situation fits neatly into one box. Meera's case was primarily a privacy violation -- her data was shared without consent. But depending on what happened to you, there are other channels that might be more appropriate, or that you can use in parallel.

CERT-In: For Actual Breaches and Hacking

If your data was exposed because of a security breach -- say a company got hacked and your records ended up on the dark web -- that's a cybersecurity incident, and it falls under CERT-In's jurisdiction. The Indian Computer Emergency Response Team (CERT-In) operates at cert-in.org.in. They handle reports of hacking, data breaches, malware attacks, and other technical security failures.

You might wonder: should I file with CERT-In and the DPB? Possibly, yes. If a breach led to your data being exposed, CERT-In handles the technical/security dimension while the DPB addresses the privacy and consent angle. They're different agencies with different mandates, and one doesn't replace the other.

A friend of a colleague reported a health-tech startup to CERT-In last year after discovering that the startup was storing patient records in an unencrypted database accessible via a public URL. That's not just a privacy violation. That's a security disaster. CERT-In was the right call there.

Cybercrime.gov.in and the 1930 Helpline: For Fraud

When data misuse crosses into financial fraud or identity theft, you're dealing with criminal activity. Someone used your Aadhaar to take out a loan? Your credit card details showed up in a phishing scam? That's cybercrime territory.

The National Cybercrime Reporting Portal at cybercrime.gov.in lets you file complaints online. You can also call 1930, which is the dedicated cybercrime helpline. It's staffed and operational, and they can freeze fraudulent transactions quickly if you report early enough. I've heard mixed reviews about response times -- some people get callbacks within hours, others wait days -- but the portal itself creates a documented record, which is what you need.

UPI fraud, banking scams, social media impersonation, SIM swap attacks -- these all fall here. Meera's case didn't involve direct financial loss, so we didn't use this channel. But if yours does, don't skip it. Time matters enormously with financial fraud. The faster you report, the higher the chance of recovery.

Consumer Forums: The Path People Forget About

This one surprised me. Data privacy violations can be framed as a deficiency in service under the Consumer Protection Act of 2019. You paid for a service (banking, telecom, e-commerce), and part of that service is handling your data responsibly. When a company fails to protect your information, they've arguably failed to deliver the service you're paying for.

You can file complaints through the National Consumer Helpline at 1800-11-4000 or use the e-Daakhil portal for online filing with consumer commissions. This is particularly useful if you've suffered tangible loss -- financial damage, emotional distress, time wasted -- because consumer forums can award compensation. The DPB might penalise the company, but it doesn't necessarily put money back in your pocket. Consumer forums can.

A lawyer I consulted mentioned that consumer forum complaints sometimes move faster than regulatory complaints, especially at the district level. Something to keep in mind.

What I Learned About Building a Strong Case

Going through Meera's situation taught me a few things that aren't always spelled out in the official guidance. I'll share them because they're the kind of practical details that make the difference between a complaint that gets attention and one that sits in a queue.

Save Everything, Even Before You Think You Need To

Screenshots. Emails. Call logs. SMS messages. Transaction records. Save them the moment something feels off. Meera almost deleted the marketing company's call from her call log before I told her to screenshot it. That call record, with the timestamp and number, became part of her evidence file. Don't assume you'll remember the details later. You won't. Your phone's screenshot function is your best friend here.

I'd also suggest creating a simple document -- even just a Google Doc -- where you log everything in chronological order. Date, what happened, what you did, who you spoke to, what they said. When you're filling out complaint forms weeks later, you'll be grateful you did this.

Be Specific, Not Emotional

I get it. Data misuse feels violating. You're angry, maybe scared. That's completely valid. But your complaint needs to read like a factual account, not a frustrated rant. State what data was compromised. Explain how you discovered the violation. Describe what harm resulted or could result. Stick to facts and let the facts do the heavy lifting.

Meera's first draft of her complaint to the DPB was three pages of "how dare they" and "this is outrageous." I helped her trim it to one and a half pages of clear, chronological facts with specific references to the DPDP Act sections that were violated. The second version was ten times more effective. Regulators read hundreds of these. Make yours easy to act on.

Cite the Law -- Even Roughly

You don't need to be a lawyer. You really don't. But mentioning specific provisions of the DPDP Act or the IT Act in your complaint signals that you know your rights and you're serious. Even something like "I believe this violates my rights under Section 6 of the Digital Personal Data Protection Act, 2023, which requires that personal data be processed only for lawful purposes with valid consent" carries weight. It tells the company or regulator that you've done your homework.

If you're not sure which section applies, a quick search online will usually point you in the right direction. The DPDP Act isn't that long, honestly. The key provisions about consent (Section 6), notice (Section 5), data principal rights (Sections 11-14), and penalties (Section 33) are worth at least skimming.

Follow Up. Then Follow Up Again.

Bureaucracy moves slowly. That's true everywhere in the world, and India's no exception. If you file a complaint and hear nothing after two weeks, send a follow-up. Reference your complaint number. Ask for a status update. Be polite but persistent. Meera sent three follow-up emails to her bank before they escalated her case internally. Each email was brief, professional, and referenced the previous one.

Set calendar reminders for yourself. Every two weeks, check in. Don't let your complaint become a forgotten file on someone's desk.

Know When to Bring in a Lawyer

For straightforward cases -- like Meera's, where the violation was clear and the evidence was solid -- you probably don't need legal representation to file a complaint. The DPB process is designed to be accessible to ordinary citizens. Same with consumer forums and the cybercrime portal.

But if you're dealing with a large-scale breach, significant financial loss, or a company that's actively pushing back with legal threats of their own, get a lawyer. Specifically, one who specialises in cyber law or data protection. They'll know the procedural nuances, the right forums to approach, and how to frame your complaint for maximum impact. Legal aid services are also available through the National Legal Services Authority (NALSA) if cost is a concern.

A Few Things That Still Frustrate Me

I won't pretend the system is perfect. It isn't. The DPB is still finding its footing in early 2026. Processing times are uncertain. Some companies still don't have a clearly designated Grievance Officer despite the legal requirement -- or they list one on paper whose email bounces. The 1930 helpline can have long wait times. And consumer forum cases, while sometimes faster at district level, can drag on for months at higher levels.

There's also the awareness gap. Most people I talk to don't even know these options exist. They think complaining about data misuse is something only activists or lawyers do. It's not. These channels exist for regular people. For your parents who got scam calls after a telecom company shared their number. For your college friend whose medical records showed up somewhere they shouldn't. For you, if an app you trusted decided your data was their product.

But the trajectory is in the right direction. Five years ago, we had almost nothing. Now we have the DPDP Act, a functioning Board, strengthened CERT-In directives, an operational cybercrime portal, and consumer protection routes. Is it all working smoothly? No. Is it dramatically better than what came before? Absolutely.

A Quick Recap of Where to Go

Because this is a lot of information, here's a quick reference you might want to bookmark or screenshot:

• Grievance Officer -- your first stop, always. Look for the company's grievance officer contact on their website or in their privacy policy. They've got 15 days to respond. Write to them by email so you have proof.
• Data Protection Board (DPB) -- escalate here if the Grievance Officer doesn't resolve your issue. File through their official portal. Penalties for companies can reach Rs 250 crore.
• CERT-In (cert-in.org.in) -- for data breaches, hacking incidents, and technical security failures. Report the incident even if you're also filing with the DPB.
• Cybercrime Portal (cybercrime.gov.in) or Helpline 1930 -- for financial fraud, identity theft, UPI scams, and criminal data misuse. Report fast because timing affects recovery.
• Consumer Forums via e-Daakhil or National Consumer Helpline 1800-11-4000 -- when you've suffered measurable loss and want compensation, not just penalties against the company.

You can pursue multiple channels simultaneously. Filing with the DPB doesn't prevent you from also going to a consumer forum. Different bodies address different dimensions of the same problem.

What Meera Would Tell You

I asked Meera what she'd say to someone in her position. She thought about it for a minute and said: "It's annoying. The process takes time and you'll feel like giving up around the third email. But don't. Because the moment you file that complaint, the power dynamic shifts. You're not just someone they ignored. You're someone with a case number."

She's right. Filing a complaint is partly about getting your specific problem resolved. But it's also about being counted. Every complaint adds to the data that regulators use when deciding enforcement priorities. Every complaint sends a signal to the company that people are watching. And every complaint makes it marginally harder for the next company to shrug and say "nobody cares."

If your data was misused, you don't have to accept it. Start with the Grievance Officer. Escalate to the DPB if they don't respond. Explore CERT-In, the cybercrime portal, or consumer forums depending on what happened. Document everything. Be specific. Be patient. And be persistent. Meera's still waiting for the final outcome on her case. But she doesn't regret filing for a second.