Sector Specific

CA Firms and DPDPA: Your Obligations When Handling PAN, Aadhaar, and Client Financial Records

13 March 20257 min read·DPDPA Editorial Team

CA Firms

Why this matters for your business

CA firms have traditionally relied on client relationships and professional confidentiality as their primary data governance framework. DPDPA creates a parallel statutory layer with enforceable obligations. Firms that process payroll for clients are acting as Data Processors. Firms that manage their own employee data are Data Fiduciaries. Both roles create compliance obligations that must be addressed proactively.

What does this mean for YOUR business?

Firms must audit their client data flows and identify where personal data of individuals (not just companies) is processed. Shared drives, email attachments, and cloud accounting tools are all vectors for personal data that need governance. Staff must be trained on data handling. Retention and deletion schedules must be documented.

Plain-English Summary

Under DPDPA, processing personal data for tax filings, audits, payroll, or advisory services requires a lawful basis. Where the client is a company, the firm processes personal data of third-party individuals (employees, directors, shareholders). This creates obligations around notice, purpose limitation, and retention. Aadhaar data is particularly sensitive — its use is already governed by the Aadhaar Act, and DPDPA adds further requirements. Bank account numbers, salary slips, and investment records are personal data that must be handled with access controls, encryption, and documented retention schedules.

Who Is Affected

Chartered Accountant firms processing payroll
Tax consultants handling individual ITR filings
Audit firms with access to employee and director records
Accounting firms using cloud tools like Tally, Zoho Books, or QuickBooks
Professionals managing GST compliance for clients

3 things you can do this week

List all categories of personal data your firm processes (PAN, Aadhaar, bank, salary)

Identify which engagements make you a Data Fiduciary vs Data Processor

Audit access controls on your shared drives and email

Define retention periods for client files (including digital scans)

Add data handling terms to your client engagement letters

Train staff on data minimisation and secure handling

Create a documented process for responding to data access or deletion requests

Free — takes 3 minutes

Is YOUR business ready for DPDPA?

Answer a few simple questions. Get your free Readiness Score — sent to your email or WhatsApp.

Check My Readiness →

Disclaimer: This briefing is for educational purposes only and does not constitute formal legal advice. Consult a qualified data protection lawyer for formal legal opinions specific to your business.

Free checkCheck your readinessGet your free Readiness Score →Free resourceDownload white paperComplete DPDPA guide — 45 pages →

Related Briefings

Consent Management

DPDPA Consent Notice Requirements: What Your Forms Must Say From Day One

15 Mar 2025

Consent Management

D2C Brands: WhatsApp and SMS Marketing Under DPDPA — What Changes Now

12 Mar 2025

Industries Affected

CA Firms

Is your business DPDPA-ready?

Take our free 10-minute industry assessment to find out your compliance risk level.

Take Free Assessment →

Get daily briefings by email

2-min reads, plain English, every morning. Free forever.