Limitation in Composite Suits: Supreme Court Clarifies in Rajeev Gupta V. Prashant Garg (2025)
Introduction
In Rajeev Gupta & Ors. v. Prashant Garg & Ors., the Supreme Court has clarified how limitation must be established in suits involving multiple reliefs, such as cancellation of sale deeds and recovery of possession. The Court held that when cancellation of a deed is the primary relief, the limitation period must be determined under Article 59 of the Limitation Act, 1963, which is three years from the date of knowledge of the alleged fraud or illegality, rather than the twelve years under Article 65 of the Act, which governs possession claims. This ruling marks a significant development in Indian civil jurisprudence, as it prevents litigants from bypassing stricter limitation rules by disguising the nature of their suit.
Background
The dispute revolves around House No. 49/1, Nai Mandi, Muzaffarnagar, originally owned by Dr. Babu Ram Garg. In 1951, Dr. Garg executed a Registered Will bequeathing the western portion of the property to his son, Ishwar Chand Garg, and the eastern portion to another son, Dr. Karam Chand Garg. Notably, Ramesh Chand Garg, his third son, received ₹5,000 and the family pharmacy business but was not given a share in the property.
Despite having no legal claim to the property, Ramesh Chand Garg executed two sale deeds in June 1992, transferring parts of the property to third parties. This action was taken even though an ex-parte injunction had been granted on 15 June 1992 in a suit filed by Dr. Karam Chand Garg, restraining any such transfers. Rajeev Gupta and others contested the sale deeds in 2003, sparking a protracted legal struggle that ended in a landmark Supreme Court ruling in 2025.
Key Legal Issue: Limitation and The Distinction Between Primary and Ancillary Reliefs
At the heart of Rajeev Gupta & Ors v. Prashant Garg & Ors. was the question: From which relief should the limitation period be computed in a suit involving both cancellation of a deed and recovery of possession?
The plaintiffs sought to challenge the sale deeds executed by Ramesh Chand in 1992 and 1993, calling them void and violative of an earlier injunction. They also prayed for the recovery of possession of the property. A pivotal issue arose: should the limitation period be governed by Article 59 of the Limitation Act, which prescribes three years for seeking cancellation of documents, or by Article 65, which allows twelve years for recovery of possession based on title?
The Supreme Court cleared this confusion by ruling that in composite suits, the primary relief (in this case, cancellation of the sale deeds) determines the applicable limitation period. Recovery of possession was viewed as a consequent or ancillary relief contingent on the success of the cancellation action. As a result, the limitation period began when the plaintiffs became aware of the contested sale deeds, not from any alleged dispossession.
This distinction is not just procedural; it shapes whether a claim survives or stands barred. By holding that the three-year limitation period under Article 59 governs such suits, the Court reinforced the need for plaintiffs to act promptly when challenging fraudulent or illegal documents.
Supreme Court's Judgment and Reasoning
In this case, the plaintiffs knew the sale deeds as far back as 1992, when they were executed, and an injunction order had already been passed, notifying the parties involved. However, the suit was only filed in 2003, more than a decade later. The Court held that this delay rendered the suit barred by limitation.
The Court also dismissed the argument that the sale deeds could be ignored outright because they were void ab initio. It held that even if a document is void, especially one affecting property rights, it must be formally cancelled through legal proceedings, particularly when third-party purchasers are involved. Simply ignoring such documents would lead to legal ambiguity and conflict with established property law principles.
Additionally, the Supreme Court criticized the approach taken by the First Appellate Court and the High Court, which had wrongly treated the suit primarily as one for possession, thereby applying the 12-year limitation period under Article 65. The Court clarified that the limitation period should be determined based on the nature of the relief sought, not how the suit is framed. Since the primary relief in this case was the cancellation of the sale deeds, the three-year limitation period under Article 59 was applicable.
In the end, the Supreme Court allowed the appeal, overturned the decisions of the lower courts, and dismissed the suit as timebarred, emphasizing the critical need to adhere strictly to limitation laws.
Broader Legal Ramifications
1. For Litigants:
This judgment is a strong reminder that simply labelling a suit as one for possession would not help avoid limitation laws. If the heart of the dispute is about cancelling a sale deed, the law gives you just three years from when you knew about it, not twelve. The Court emphasized that what matters is the real relief being sought, not how cleverly it has been framed. Litigants now have clearer direction: if you are challenging property documents, you must act quickly and structure your case around the actual legal issue, not just the outcome you want.
2. For Trial Courts:
The Supreme Court provided much-needed clarity for trial courts dealing with suits that ask for multiple remedies. It directed that courts must first identify the primary relief, the one that drives the whole suit, and apply limitation accordingly. This helps prevent confusion where cases involving cancellation and possession are mistakenly treated as possession suits alone. It is a call for greater scrutiny of pleadings, and ensures that the substance of the claim takes priority over form.
3. For Property Law:
The ruling reinforces a key principle of property law: challenges to ownership or title must be made within a clear and reasonable timeframe. Even if a sale deed is allegedly void, the Court clarified that it cannot simply be ignored when someone is also asking for possession. Such documents must be formally set aside, especially when third parties are involved. This promotes stability in property transactions and discourages legal uncertainty caused by stale claims.
4. For Legal Interpretation & Jurisprudence:
The judgment marks an important development on how courts interpret Article 59 of the Limitation Act. It will act as a precedent that limitation must be assessed by looking at the primary issue at stake, not just how the prayers are worded. This brings a sharper focus on timeliness and intent, ensuring that limitation periods are not diluted by technical pleadings. It also strengthens the idea that procedural discipline is essential to a fair justice system.
5. Strengthening Clarity in Procedural vs. Substantive Relief:
This judgment also brings a much-needed clarity to the distinction between procedural and substantive reliefs. It emphasizes that procedural aspects, such as possession, cannot override substantive issues like the cancellation of sale deeds. This distinction will help avoid confusion in cases to come, where litigants may attempt to seek relief through creative pleadings that obscure the real issue in hand. By clearly drawing the line between these two types of relief, the Court has provided essential guidance on how limitation laws should be applied.
Conclusion
The Supreme Court judgment in Rajeev Gupta & Ors. v. Prashant Garg & Ors. (2025) marks a significant milestone in real estate law and limitation jurisprudence. By clarifying that the limitation period for suits seeking cancellation of deeds is governed by the primary relief, rather than the ancillary relief of possession, the Court sets an important precedent for future property disputes. This decision reinforces the need for timely legal action in property matters and underscores the importance of formal cancellation of documents, even those considered void. Moreover, the ruling emphasizes that courts must prioritize the substance of a claim over its form, providing much-needed guidance for litigants and trial courts alike.
This landmark judgment not only strengthens the application of limitation laws but also ensures greater legal certainty in property rights, reinforcing the principle that justice must be pursued within a reasonable timeframe to uphold the integrity of property transactions. With its far-reaching implications, this case undoubtedly shapes the future litigation of property disputes, making it an essential reference for all.
Contractual Arrangement between Data Fiduciaries and Data Processors | Key Considerations from Data Protection Perspective
On January 3, 2025, the Ministry of Electronics and Information Technology published the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”), for public consultation. The Draft Rules are proposed to be issued under the Digital Personal Data Protection Act, 2023 (“Act”) and mark a significant step towards the implementation of the Act. Pursuant to the Act and the Draft Rules (together “DPDPA”), organizations which process personal data (in digital form) are required to implement adequate technical and organizational measures in compliance with DPDPA in relation to the processing of such digital personal data.
DPDPA defines the term ‘processing' of personal data as “…a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction (Section 2(x)).” The definition of processing casts a wide net and any activity involved in the performance of day-to-day business operations of an organisation may fall within the ambit of ‘processing'. The activity of ‘processing' typically involves 3 (three) stakeholders: (i) data principal who is “the individual to whom the personal data relates……”; (ii) data fiduciary who is “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”; and (iii) data processor who is “any person who processes personal data on behalf of a Data Fiduciary”.
Pursuant to Section 8(2) of the Act, data fiduciaries may “…engage, appoint, use, or otherwise involve a data processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.” However, Section 8(1) of the Act states that “the Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor.” Given the foregoing, a reading of the provisions of DPDPA suggests that, notwithstanding any contractual agreement to the contrary, a data fiduciary is primarily responsible and liable for all acts of the data processor in respect of processing of personal data undertaken by them. In this article, we examine the key provisions that may be considered in the contractual arrangement/agreements between the data fiduciaries and the data processors.
1. Scope:
In light of the broad definitions of ‘personal data' and ‘processing' under the DPDPA, the processing activity to be undertaken by the data processor, including appropriate organisational and technical measures to be adhered to, should be clearly specified under the agreement. Additionally, covenants obligating the data processors to process personal data only in accordance with the predetermined scope and to the limited extent of providing services on behalf of the data fiduciaries should be adequately incorporated under the agreement. Any additional processing outside the scope of the agreement should require prior written consent of the data fiduciaries.
Conversely, on behalf of data processors, the scope should additionally clarify that the obligations of the data processor are limited to processing the personal data on behalf of, and under the instructions from, the data fiduciaries. In such arrangements, it should be ensured that the data fiduciaries will have adequate control over the means and purposes for which the data processors will process personal data under the agreement.
2. Indemnification:
Indemnity obligations of the data processors should include indemnification for any and all statutory liabilities incurred under the DPDPA and other applicable laws, and monetary penalties levied pursuant to their breach should be made an exception to any thresholds under the indemnification provisions.
3. Confidentiality:
The agreement should include strict confidentiality obligations for data processors and limit access of the same to data processors' employees/ retained consultants on a need-to-know basis. However, the primary responsibility to ensure compliance, and liability in case of any security / confidentiality breach, should be of the data processors. Also, care should be taken to limit the disclosure of confidential information to the scope agreed between the parties for processing the personal data so as to limit exposure and prevent liabilities.
4. Data Principals' Rights:
Necessary provisions in relation to implementation of data principals' rights under the DPDPA, should be enforced by data fiduciaries against data processors on a back-to-back basis to protect the data fiduciaries from any monetary penalties under the DPDPA.
5. Security Provisions:
The agreement should obligate the data processors to have in place appropriate technical and organisational measures and reasonable security safeguards in compliance with data fiduciaries' obligations under the DPDPA. Adequate inspection rights should be provided to the data fiduciaries to ensure compliance of the same. Additionally, appropriate provisions requiring the data processors to immediately intimate the data fiduciaries in the event of any breach or cybersecurity incidents (in compliance with the directions issued by the Indian Computer Emergency Response Team) should be included in the agreement.
6. Prior Consent:
Data processors should obtain prior written consent of the data fiduciaries in the event that they intend to sub-contract their obligations, as the sub-contractor may also be considered to be a data processor for the purposes of DPDPA.
7. Access to Records:
The data fiduciaries should obligate the data processors to provide access to their records and information relevant to the processing activity to ensure that such processing is in compliance with DPDPA, and to be able to respond to any information requests from the authorities under the DPDPA. The obligation of the data processors to maintain the records should flow on a back-to-back basis with the statutory obligations of the data fiduciaries under the DPDPA.
8. Appointment of a PoC:
The data fiduciaries may appoint/ nominate one of their employees (who may also be the grievance officer/ data protection officer under the DPDPA) as the point of contact for purposes of the agreement.
9. Legal Relationship:
With reference to data processors, and in circumstances where such data processors are required to directly interact with the data principals, the legal relationship and the manner of interaction between the data processors and the data principals should be specifically outlined under the agreement, to clearly state that the data processors are only acting for, on behalf of, and under the instructions of, the data principals for the purposes of the DPDPA.
Agreements between data fiduciaries and data processors should ensure that data fiduciaries should have enough control over the processing activity undertaken by the data processors and data fiduciaries should be able to continuously monitor and assess the processing activity to be able to take remedial measures on a timely basis. As we await the implementation of the DPDPA, enterprises are already gearing up towards revamping their privacy and data-specific policies to ensure compliance with the DPDPA. However, they should also review their existing agreements to incorporate appropriate amendments as well as factor in considerations in agreements to be executed in the future, to ensure compliance with the DPDPA resulting in minimum legal/ regulatory exposure.
The Data Protection Officer Under the DPDP Act | An Analysis
The increasing digitization of services and the consequent surge in electronic data generation has necessitated the implementation of stringent data protection measures globally. In India, the Digital Personal Data Protection Act, 2023, (“Act”) was introduced to address the need for protecting individuals' personal data while enabling the growth of the digital economy. The Act represents an advancement in India's efforts to establish robust data protection standards. One element of the Act is the role of the Data Protection Officer (“DPO”), who is entrusted with the responsibility of representing a significant data fiduciary and acting as the point of contact for addressing grievances in accordance with the provisions of the Act.
The Act mandates the significant data fiduciaries, being, organizations notified by the Central Government, basis its assessment of certain factors such as the volume and sensitivity of personal data, risks to the rights of data principals, potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order (“SDF”) to appoint a DPO. The DPO's role is to oversee the SDF's data processing mechanism in accordance with the Act, represent the organisation as required under the Act, and ensure adherence to the principles of data privacy and related provisions as laid down under the Act. Additionally, the Act also requires all data fiduciaries (other than the SDFs) to publish the contact details of an individual, akin to a DPO, who will be responsible for engaging with data principals to facilitate the exercise of their rights and addressing questions from data principals regarding the manner of processing of their personal data by the data fiduciary. In this article, we analyse the manner of appointment and the obligations of the DPO under the Act and its role in safeguarding the data principals' personal data.
1. Appointment:
The Act states that the DPO appointed by the SDF must be ‘based in India'. This requirement can be understood in two distinct aspects. The phrase can be interpreted directly to mean that the DPO should qualify as an Indian resident under the provisions of the Income Tax Act, 1961, which defines a resident as an individual who stays in India for 182 (one hundred and eighty two) days or more during the previous year, or for 365 (three hundred and sixty five) days or more over the 4 (four) preceding years, with a stay of 60 (sixty) days or more in the relevant financial year. Alternately, it could also include a foreign individual residing in India for work, receiving remuneration in India. However, the Act falls short of providing a precise definition, leaving the requirement open to a broader interpretation.
2. Role of the DPO:
The DPO acts as the primary point of contact between the SDF and the data principals to address grievances and respond to any communications from the data principals in the course of exercising their rights under the Act. In other words, the DPO will be answerable, on behalf of the SDF, to any questions posed by the data principals about the processing of their personal data. Additionally, the DPO will also be responsible to the board of directors or similar governing body of the SDF for the purposes of the Act.
3. Manner of publishing the business contact information of a DPO:
Section 8(9) of the Act and Rule 9 of draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”) sets out that every data fiduciary “shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a data principal under the Act, the business contact information of the DPO, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of his/her personal data.”
Pursuant to the current framework under the Information Technology, Act, 2000 and its corresponding Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, pending implementation of the DPDP Act and the Draft DPDP Rules, body corporates are mandated to ensure a designated grievance officer is appointed to address discrepancies and grievances related to the processing of sensitive personal information, with grievance resolutions to be completed within one month. The name of the grievance officer is required to be published on the website of the body corporate.
The concept of the DPO under the Act and the Draft DPDP Rules expands on the existing statutory framework and emphasizes a broader, more proactive role for the DPO as compared to the grievance officer. The DPO represents the SDF before the data principal as well as the Data Protection Board of India appointed under the Act. This is a shift from a narrow focus on resolving specific issues to a holistic approach encompassing communication and accountability within the data protection legislative framework. The current construct of the Act and the Draft DPDP Rules do not seem to clearly set out the gamut of DPO's duties and obligations. It is necessary that the authorities, through rules and regulations under the Act, clarify the role and responsibilities of DPOs so as to provide the stakeholders necessary guidance to effectively fulfil their obligations and avoid any monetary penalties under the Act.
Considering the evolving data protection landscape, DPOs are pivotal in fostering data principal's trust through accountability and safeguarding the confidentiality of personal data. For SDFs, integrating DPOs as key stakeholders is not merely a compliance exercise, but a strategic imperative. Their specialized expertise will provide invaluable insights for navigating complex data protection and privacy compliance requirements. By leveraging the DPO's knowledge, organizations can effectively protect the interests of data principals and cultivate a culture of accountability and transparency, ultimately strengthening stakeholder confidence and long-term sustainability.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
