Privacy guide

What is a grievance officer? Why your company needs one under DPDP.

Grievance officer and data rights handling explained for Indian companies preparing for DPDP compliance.

The simple answer

A grievance officer is the person or function that receives privacy complaints and data-rights requests. For users, this is the place to ask what data a company has or request deletion.

For companies, the important part is not just listing an email. The workflow behind that email must work.

What to check

1
Publish a clear contact route.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

2
Route privacy requests to trained staff.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

3
Track deadlines and responses.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

4
Keep records of requests and outcomes.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

5
Do not send users in circles.

If this is unclear, treat it as a signal to ask the company for a plain-English explanation.

From our investigation

An email address is not a system.

State of Privacy tested response behavior because a right is only useful if the company can act on it. Grievance handling is operational, not decorative.

What to do next

1
Create a request intake tracker.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

2
Write response templates.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

3
Train support and legal teams on escalation.

Keep it practical: take one action, save proof, and avoid giving more data than the task needs.

People also ask

Is a grievance officer the same as a DPO?

Not always. The role depends on the law, company and internal setup.

What should users send?

Send your name, account identifier, request type and the exact data right you want to exercise.

What is the company risk?

Listing a contact but failing to respond creates trust and compliance risk.

If you are a company
Check your own website.

How many trackers run on your pages? Does your privacy policy name them? Can you answer a data-rights email? If you don't know, we can help you find out.

Talk to Meridian Bridge Strategy →
Your right under Indian law
Mera data mera hai.

Your personal data belongs to you. Under DPDP, every company must tell you what they have and delete it if you ask. One email is all it takes.

Get the template email →
Read the full investigation.

We investigated 107 Indian company websites. The public report shows what we found.

Read the reportTry the experience