
Data Retention and Deletion Under DPDPA

DPDPA requires businesses to delete personal data once the purpose for which it was collected is no longer being served. Holding data indefinitely is not compliant. This guide explains the storage limitation principle, how to define retention periods for common data categories, and how to build a deletion process that works.

Data retention is one of the most practically urgent compliance areas for Indian businesses. Many organisations hold personal data indefinitely because they have never defined a deletion process. DPDPA requires that you stop.

The Storage Limitation Principle

Section 8(7) of DPDPA states that a Data Fiduciary must delete personal data as soon as the purpose for which it was collected is no longer being served, unless retention is required or permitted by law.

This creates a clear obligation: if you no longer have a lawful reason to hold personal data, you must delete it.

What Counts as a "Lawful Reason to Retain"?

Legitimate reasons to retain personal data beyond the immediate purpose include:

  • Active contractual relationship — you are still providing a service to the individual
  • Legal or regulatory obligation — for example, the Income Tax Act requires certain financial records to be retained for specified periods
  • Ongoing dispute or litigation — where the data is relevant to a pending legal matter
  • Explicit consent for future contact — where the individual has given specific consent to be retained in your database for future opportunities

What Does NOT Justify Indefinite Retention?

  • "We might need it someday"
  • "It's easier to keep everything"
  • "Our system doesn't have a deletion function"
  • "We paid for the ATS and we want value from the data"

None of these are lawful bases for holding personal data under DPDPA.

Defining Retention Periods by Data Category

The first step is to define retention periods for each category of personal data you hold. Here are starting-point guidelines:

Recruitment agencies:

  • Active candidates (in process): Retain during active engagement
  • Rejected candidates: 12 months from rejection, then delete unless consent given to retain
  • Placed candidates: Duration of placement + 12 months, then archive/delete

CA firms:

  • ITR-related documents: 7 years from filing date (aligned with Income Tax Act)
  • Payroll records: 5 years from employee exit
  • General client correspondence: 3 years from end of engagement

Training institutes:

  • Enrolled students: Duration of course + 3 years
  • Rejected applicants: 6 months from rejection decision
  • Placement records: 5 years, with student consent for marketing use

D2C brands:

  • Active customers: Retain while relationship is active
  • Inactive customers (no purchase in 18+ months): Send re-engagement notice; delete if no response within 60 days
  • Marketing unsubscribers: Retain suppression list only (to ensure you do not re-add them)

Communicating Retention Periods

Your Privacy Notice must state how long you retain personal data (or the criteria used to determine retention periods). This is not optional — individuals have a right to know how long their data will be held.

Building a Deletion Process

  • Map your data locations — where is personal data stored? ATS, CRM, email, cloud drives, spreadsheets, backups?
  • Set deletion triggers — what event triggers deletion? End of contract? Inactivity? Withdrawal of consent?
  • Automate where possible — configure your CRM and ATS to flag records for review after the defined period
  • Don't forget backups — deletion policies must apply to backup copies, not just live systems
  • Document destruction — keep a record of when and what was deleted

What About Legal Holds?

If data is subject to a legal hold (litigation, regulatory investigation, statutory obligation), it may be retained beyond your standard retention period. Document the legal hold and its scope. Remove the hold and delete when the legal matter is resolved.
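The deletion process and legal-hold handling above can be run as a scheduled sweep. The following is an added illustration (not code from this guide or any product) that encodes a few of the starting-point retention periods given earlier, honours documented legal holds, explicit consent to retain and the marketing suppression list, applies the 60-day re-engagement window for inactive D2C customers, and writes the destruction record the guide asks you to keep. Category names, the 30-day month approximation and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention windows (this guide's starting-point figures), counted from the trigger event; months ~ 30 days.
RETENTION = {
    "rejected_candidate": timedelta(days=12 * 30),  # 12 months from rejection
    "payroll_record": timedelta(days=5 * 365),      # 5 years from employee exit
    "inactive_customer": timedelta(days=18 * 30),   # 18 months without a purchase
}
NOTICE_WINDOW = timedelta(days=60)  # D2C re-engagement notice period before deletion

@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                  # rejection date, exit date, last purchase, ...
    consent_to_retain: bool = False
    legal_hold: Optional[str] = None    # reference to the documented hold, if any
    notice_sent: Optional[date] = None  # date the re-engagement notice went out

def decide(rec: Record, today: date) -> str:  # returns 'retain', 'notify' or 'delete'
    if rec.category == "unsubscriber":
        return "retain"  # suppression-list entry: kept so the person is never re-added
    if rec.legal_hold or rec.consent_to_retain:
        return "retain"  # documented hold or explicit consent overrides the schedule
    if today < rec.trigger_date + RETENTION[rec.category]:
        return "retain"  # still inside the retention window
    if rec.category == "inactive_customer":
        if rec.notice_sent is None:
            return "notify"  # send the re-engagement notice first
        if today < rec.notice_sent + NOTICE_WINDOW:
            return "retain"  # waiting out the 60-day response window
    return "delete"

def run_sweep(records, today):  # decides every record and builds the destruction log
    actions, log = {}, []
    for rec in records:
        actions[rec.record_id] = decide(rec, today)
        if actions[rec.record_id] == "delete":
            log.append({"record_id": rec.record_id, "category": rec.category, "deleted_on": today.isoformat()})
    return actions, log

# Constructed sample data for a sweep dated 1 March 2026; the hold reference is a placeholder.
SAMPLE_TODAY = date(2026, 3, 1)
SAMPLE_RECORDS = [
    Record("r1", "rejected_candidate", date(2025, 1, 15)),
    Record("r2", "rejected_candidate", date(2025, 1, 15), consent_to_retain=True),
    Record("r3", "inactive_customer", date(2024, 6, 1)),
    Record("r4", "inactive_customer", date(2024, 6, 1), notice_sent=date(2025, 12, 1)),
    Record("r5", "payroll_record", date(2019, 3, 31), legal_hold="HOLD-PLACEHOLDER"),
    Record("r6", "unsubscriber", date(2021, 1, 1)),
]
```

The same sweep has to run against backup copies as well as the live ATS or CRM, and the returned log is what you keep as evidence of destruction.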

Practical First Step

Conduct a data mapping exercise: list every category of personal data you hold, where it is stored, how old the oldest records are, and whether you have a defined deletion process. This single exercise will reveal your largest retention risks and give you a clear prioritised action list.

Last reviewed: March 2026

Legal baseline: DPDP Rules, 2025 notified on 14 November 2025, with phased commencement.

This page is for educational purposes and does not constitute legal advice.