The Digital Personal Data Protection Act, 2023 (DPDP) places clear emphasis on the data principal’s right to access and control their data. This extends to the right of data principals to seek deletion of their personal data. Furthermore, the DPDP provides that the data of a data principal must be deleted once the purpose for which it was collected has been completed. To this end, every data fiduciary must set up a DPDP data retention and deletion schedule. This gives the data fiduciary a systematic compliance policy and methodology that fixes the timeline for retention of personal data and the manner in which the right to deletion will be fulfilled in accordance with the DPDP. The Act itself does not lay down specific timelines; deletion is governed by the purpose of processing and the rights of the data principal.

All organisations and entities which fall within the scope of data fiduciary or data processor are under an obligation to handle personal data in India in accordance with the DPDP. The present article provides insight into the obligation and the mechanism for a DPDP data retention and deletion schedule.

What does the DPDP Act state about the data retention and deletion?

The DPDP places emphasis on the right to privacy in personal data. The law mandates that any personal data collected by the data fiduciary may be retained only for the period necessary for the processing of such information, or for such timeline as is required by other statutory laws. The Digital Personal Data Protection Rules, 2025 allow the data fiduciary to retain such information for an additional one year from the end date of its processing requirement. Beyond the timeline stated hereinabove, the data fiduciary is obligated to destroy the personal information it has collected.

While the act is implemented in a phased manner, the statutory requirement for deletion of data can be implemented by enforcing a compliant DPDP data retention and deletion schedule, in order to convert legal requirements into action items.

1. Principle of storage limitation

The DPDP places an obligation on the data fiduciary to establish a mechanism to determine the storage of data and to limit such storage to the extent permitted by law. The Act mandates that any data being processed must be retained only to the extent provided hereinbelow:

  • The personal information shall not be retained permanently by the data fiduciary.
  • The retention should be subject to the requirement of meeting the purpose of processing of the personal information.
  • The retention should have a legal ground which includes the purpose provided under the data protection notice or any statutory requirement.

Failure to comply with the retention standard provided under the DPDP may lead to statutory, financial and reputational risk and is likely to attract regulatory scrutiny of the unauthorised storage.

2. Limit of purpose under DPDP Act

The DPDP provides for the grounds of processing, which can be incorporated into the data protection notice. Such grounds for processing act as the nexus for the processing and retention of personal data. The determination of the grounds for processing of personal data includes the following:

  • The processing must be conducted on grounds which are legal in nature and have been prescribed under the DPDP Act.
  • Processing and retention can only be carried out for the purpose stated in the notice.
  • Retention is only allowed for the duration of processing for that purpose, along with a one-year retention period, beyond which the personal data must be destroyed.
  • The time period for such retention must be read in accordance with the timeline prescribed under the DPDP Rules, as per Rule 8 and Schedule III.

The DPDP data retention and deletion plan should identify the purposes prescribed under the notice, map each dataset to its specific purpose, and implement a deletion mechanism accordingly.

3. No fixed statutory timeline

The DPDP Rules prescribe certain time periods, based on the purpose of processing, after which the personal information has to be deleted by the data fiduciary. The key governing points with respect to the timeline are as follows:

  • Retention is based on Schedule III of the DPDP Rules.
  • Sector-specific regulatory retention requirements, which may lay down their own timelines, must be complied with by the data fiduciary.
  • Retention may be subject to extension based on the legal agreement between the parties.

Retention is thus subject to the purpose and the sectoral requirement; the data fiduciary must therefore establish a data-specific mechanism instead of a generic one.

Why must companies define a formal data retention and deletion schedule?

A formal and well strategised DPDP data retention and deletion schedule is a statutory obligation and is mandatory to ensure risk mitigation by deletion of the personal data once the purpose for which such data is stored and other statutory requirements are fulfilled. It is a vital tool as it transforms the statutory obligations of the DPDP into enforceable internal practices and procedures.

The presence of a data retention and deletion schedule ensures that the data fiduciary can undertake data processing and deletion in an effective manner. Its absence creates risk due to the lack of a structured procedure, of adherence to purpose limitation and of storage restriction, thereby creating an accountability deficiency.

From a practical standpoint, the lack of a procedure for determining a data retention and deletion schedule creates the following difficulties in an organisation:

  • The lack of a deletion mechanism leads to a build-up of legacy personal information.
  • The volume of retained personal data increases the risk arising from a breach of personal data.
  • The lack of proper structure makes it difficult for the organisation to defend itself in a proceeding before the regulators.
  • The increased volume of data creates inter-departmental operational inconsistency and hampers the accuracy of the data.

A defined DPDP data retention and deletion plan assists in reducing these risks and in synchronising the organisation’s data retention mechanism with legal requirements.

Data Governance Discipline and Risk Minimization

It is crucial to establish a well-strategised and organisation-specific mechanism for data retention in order to ensure that operations are conducted in the manner which incurs the least risk to the entity.

It ensures:

  • Information is kept in a manner which is compliant with the applicable laws.
  • Any data which is no longer required for conducting business operations is deleted from the organisation’s data systems.
  • Backups and archives are limited to actual business and statutory requirements.
  • Exceptions to retention are recorded and examined by the entity to ensure that such data is treated separately.

These strategies promote data minimisation and ensure that the organisation is protected against risk arising out of the unnecessary storage of personal data beyond its purpose.

In addition to restricting the accumulation of data, the data fiduciary must reduce the collection of personal data to what is actually required. Doing so has the following effects for the data fiduciary:

  • It reduces the surface exposed to breaches.
  • It reduces the complexity of incident response.

A retention and deletion mechanism thereby establishes not only statutory compliance but also a security control.

Litigation, Investigation and Regulatory Preparedness

A written policy ensures greater defensibility in regulatory proceedings. Preparing an internal data retention policy under the DPDP ensures that best industry practices are implemented.

The written documents allow the organisation to:

  • Establish its retention policy and prevent any arbitrary decision.
  • Substantiate the interaction between purpose and retention time.
  • Ease the audit process.

On investigation by the Data Protection Board, the organisation will have to produce documents substantiating its internal procedure for data retention and deletion.

Financial Penalty Exposure Control

The DPDP provides penalties for non-compliance with its retention and deletion requirements for personal data. Exposure to statutory fines arises both from intentional non-compliance and from retention of legacy data in the systems.

A well structured data retention and deletion policy protects the data fiduciary by establishing the following:

  • Ensuring that the data is retained only to the extent permitted by law.
  • The ability to set up automatic deletion mechanism to ensure timely compliance.
  • Holding data processors accountable to follow the retention timelines applicable on the data.
  • Ensuring compliance with the industry specific timeline with respect to retention of data.

Financial exposure in the event of non-compliance with the Act is high.

Retention policy consequently acts as a cost-control mechanism by reducing legacy data and risk.

Cross-departmental Consistency of Operations

Information is typically maintained separately by each stakeholder, be it HR, Finance or another department. A carefully and well-strategised plan takes the various factors into consideration to guarantee the following:

  • The same retention standards are enforced among all the stakeholders.
  • Departmental responsibility is based on individual departmental requirements.
  • Clear training on deletion measures.
  • Periodic review of, and compliance with, the retention and deletion obligation.

How do you design a compliant data retention schedule under DPDP?

A defensible document on the retention and deletion of data in accordance with the DPDP must incorporate the following:

1. Include essential fields

  • Collected data and the applicable category (if any);
  • Purpose of collection in an itemised manner;
  • Retention period of such data for both the purpose and the sector specific requirements;
  • Deletion rights of the data principal and the other event which may lead to deletion of the data;
  • Concerned person or department to handle grievance with respect to personal data;
  • Review frequency.

2. Assign accountability

  • Data Protection Officer (if applicable): To address concerns arising from DPDP;
  • IT team responsibilities: To ensure retention and processing is conducted in secure manner;
  • Legal team to ensure the purpose is legal and retention period is compliant under the law;
  • Departmental owners: Department specific responsibilities.

Accountability, if assigned in the document itself, ensures transparency and strengthens the data retention policy under the DPDP Act.

3. Set review timelines

Retention schedules and applicable policies must be reviewed for accuracy on the following trigger points:

  • Annually;
  • After regulatory amendments;
  • After business model shifts or mechanism for data collection;
  • After security incidents.

How do you implement automated deletion and archival mechanisms?

A compliant DPDP data retention and deletion schedule must be automated and technology-driven in order to avoid the risks associated with manual deletion of personal data.

1. Configure system-based deletion triggers

  • Account closure of the data principal;
  • Employee exit from the entity;
  • Inactivity of the data principal.

Automation reduces the risk arising from human error.

2. Manage backups

Backups must ensure the following:

  • Defined retention limits.
  • Must have a specified time period for retention.
  • Be updated on a periodic basis.

Backups are not exempt from data deletion obligations in India.

3. Control cloud and SaaS systems

Ensure vendors through a data processing agreement comply with the following:

  • Support deletion of personal data from their systems in a manner consistent with the internal practices of the data fiduciary.
  • Provide deletion certificates.
  • Follow contractual retention limits and the security measures.
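The following is an added example, not code from the article or from Corrida Legal, showing how the essential schedule fields, the system-based deletion triggers (account closure, employee exit, inactivity) and the defined backup limit described in the preceding sections can be turned into concrete deletion dates. Field names, retention periods, the assumed sectoral minimum and the sample inventory are constructed; the one-year post-purpose retention period is the figure the article attributes to the DPDP Rules.

```python
# Added example (not the article's or Corrida Legal's code): a small
# retention-schedule evaluator. Field names, periods and sample data are
# constructed assumptions; the one-year post-purpose period follows the article.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

# Article: data may be kept one additional year after the purpose ends.
POST_PURPOSE_RETENTION = timedelta(days=365)


class Trigger(Enum):
    PURPOSE_COMPLETED = "purpose completed"
    ACCOUNT_CLOSURE = "account closure"
    EMPLOYEE_EXIT = "employee exit"
    INACTIVITY = "inactivity"


@dataclass(frozen=True)
class ScheduleEntry:
    """One row of the retention schedule (essential fields, as assumed here)."""
    dataset: str
    category: str
    purpose: str
    owner: str                             # accountable department or officer
    purpose_retention_days: int            # how long the purpose itself needs the data
    closure_trigger: Trigger               # system event that ends the purpose early
    statutory_retention_days: int = 0      # sector-specific minimum; 0 if none
    inactivity_days: Optional[int] = None  # inactivity threshold, if one applies
    backup_retention_days: int = 30        # defined limit for backup copies


@dataclass(frozen=True)
class DataRecord:
    dataset: str
    collected_on: date
    last_active_on: date
    closed_on: Optional[date] = None       # account closure / employee exit date


@dataclass(frozen=True)
class DeletionDecision:
    dataset: str
    trigger: Trigger
    purpose_ended_on: date
    delete_by: date            # primary copy must be destroyed by this date
    purge_backups_by: date     # backups follow their own defined limit
    statutory_extension: bool  # True if a sectoral minimum pushed delete_by later


def decide(entry: ScheduleEntry, record: DataRecord) -> DeletionDecision:
    """Compute when a record must be deleted and which trigger caused it."""
    # Default: the purpose runs for its scheduled duration from collection.
    purpose_end = record.collected_on + timedelta(days=entry.purpose_retention_days)
    trigger = Trigger.PURPOSE_COMPLETED
    # Inactivity of the data principal can end the purpose earlier.
    if entry.inactivity_days is not None:
        inactive_since = record.last_active_on + timedelta(days=entry.inactivity_days)
        if inactive_since < purpose_end:
            purpose_end, trigger = inactive_since, Trigger.INACTIVITY
    # An explicit closure event (account closed, employee exited) overrides both.
    if record.closed_on is not None and record.closed_on < purpose_end:
        purpose_end, trigger = record.closed_on, entry.closure_trigger
    delete_by = purpose_end + POST_PURPOSE_RETENTION
    # A sector-specific minimum can only extend retention, never shorten it.
    statutory_floor = record.collected_on + timedelta(days=entry.statutory_retention_days)
    extended = statutory_floor > delete_by
    if extended:
        delete_by = statutory_floor
    return DeletionDecision(record.dataset, trigger, purpose_end, delete_by,
                            delete_by + timedelta(days=entry.backup_retention_days),
                            extended)


def due_for_deletion(schedule, records, as_of: date):
    """Return the decisions whose delete_by date has been reached as of `as_of`."""
    by_name = {e.dataset: e for e in schedule}
    return [d for d in (decide(by_name[r.dataset], r) for r in records)
            if d.delete_by <= as_of]


# Constructed sample schedule and inventory (not real data).
SCHEDULE = [
    ScheduleEntry("customer_accounts", "customer", "service delivery", "Customer Ops",
                  purpose_retention_days=730, closure_trigger=Trigger.ACCOUNT_CLOSURE,
                  inactivity_days=365),
    ScheduleEntry("employee_payroll", "employee", "salary processing", "HR",
                  purpose_retention_days=3650, closure_trigger=Trigger.EMPLOYEE_EXIT),
    ScheduleEntry("kyc_records", "customer", "identity verification", "Compliance",
                  purpose_retention_days=365, closure_trigger=Trigger.ACCOUNT_CLOSURE,
                  statutory_retention_days=1825),   # assumed sectoral minimum, 5 years
]
RECORDS = [
    DataRecord("customer_accounts", date(2022, 1, 10), date(2022, 3, 1)),
    DataRecord("customer_accounts", date(2023, 5, 1), date(2025, 1, 15), closed_on=date(2025, 2, 1)),
    DataRecord("employee_payroll", date(2015, 6, 1), date(2024, 12, 31), closed_on=date(2024, 12, 31)),
    DataRecord("kyc_records", date(2021, 3, 1), date(2021, 5, 20), closed_on=date(2021, 6, 1)),
]

if __name__ == "__main__":
    for d in due_for_deletion(SCHEDULE, RECORDS, date(2026, 2, 15)):
        print(f"{d.dataset}: delete by {d.delete_by} ({d.trigger.value}), "
              f"purge backups by {d.purge_backups_by}")
```

The evaluator deliberately lets a sectoral minimum only extend a deletion date, never shorten it, and keeps the backup purge date separate from the primary deletion date so that backups get their own defined limit rather than being forgotten.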

How should companies handle user requests for erasure under DPDP?

The DPDP also provides the right to erasure to data principals. Individuals may exercise their right to deletion of personal data by making a request to the data fiduciary in the manner prescribed in the notice. Your DPDP data retention and deletion schedule must integrate both deletion workflows: routine deletion and erasure on request.

1. Distinguish routine deletion from erasure request

Routine deletion:

  • Triggered by the completion of the purpose prescribed under the notice.

Erasure request:

  • Initiated by the data principal by exercising its right under the law.

Both must be handled in the manner which is prescribed in the notice and the internal documents.

2. Grounds to refuse deletion

Deletion may be refused if:

  • Retention of such personal data is mandated by sector specific regulations.
  • Data is required for evidence in the court of law.
  • Ongoing contractual obligation exists.

Refusal must be provided along with a legally sound reason backed by evidentiary documents.

3. Timely grievance redressal

Erasure of personal data must be conducted in a manner that aligns with:

  • Internal grievance mechanism and the timelines therein.
  • Regulatory requirements pertaining to disclosures.
  • Personal data breach reporting requirements.

How do you manage retention obligations for Significant Data Fiduciaries?

Significant Data Fiduciaries (SDFs) are entities which hold a higher volume of data and meet the other requirements prescribed under the law. The DPDP mandates a greater degree of compliance from such entities; their data retention and deletion schedule must therefore be more robust.

1. Enhanced documentation

SDFs should ensure that they maintain well-documented:

  • Data processing records;
  • Retention risk assessments;
  • Audit documents; and
  • Deletion request and logs.

2. Data Protection Impact Assessment (DPIA)

Where an entity is classified as an SDF, it is required to conduct a DPIA:

  • Retention of personal data, and the risks associated with such data, must be assessed.
  • Extended retention must be justified on the basis of legal soundness and operational requirements.

3. Independent audit

Periodic audits should:

  • Verify and assess the deletion implementation.
  • Test the mechanism and whether such deletion is conducted by an automated trigger.
  • Review deletion logs and the grounds for exemption from deletion and check for viability with sector specific requirements.

How do you ensure third-party processors comply with your retention schedule?

Data processors under the DPDP must not retain personal data beyond purpose which has been provided under the notice and the processing agreement. The mandatory contractual obligations on the Data Processor with respect to the retention and deletion of information are as follows:

1. Mandatory contractual clauses

  • Defined retention period for each data set;
  • Secure deletion obligations and requirement for a deletion certificate;
  • Audit rights;
  • Data return clauses.

2. Vendor audits

Conduct:

  • Periodic compliance reviews;
  • Audits with respect to compliance with DPDP;
  • Documentation verification.

What records must be maintained to demonstrate compliance?

Compliance requires documentary evidence to ensure mitigation of risk. A documented DPDP data retention and deletion schedule is a step towards best practice and promotes risk mitigation by providing supporting records.

1. Deletion logs

Maintain:

  • Date of deletion;
  • Dataset deleted;
  • Method of deletion;
  • Authorising officer; and
  • Certificate of deletion by data processor (if any).

2. Retention justification records

Keep record of the rationale behind retaining of any personal data beyond the retention period:

  • Legally sound reason for the retention;
  • Business necessity notes; and
  • Contractual obligation with specific reference.

3. Exception tracking

If deletion is paused:

  • Record the reason for the same.
  • Set new review date.
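The following is an added example, not code from the article or from Corrida Legal, of a ledger that captures the deletion-log fields listed above (date, dataset, method, authorising officer, processor certificate), records a paused deletion with its reason and a new review date, and refuses to log a deletion while such an exception is open or while a processor's deletion certificate is missing. The class, its field names, the review interval and the sample entries are constructed assumptions; the hold reasons are the grounds for refusal the article lists.

```python
# Added example (not the article's or Corrida Legal's code): a deletion ledger
# with exception tracking. Class, field names and sample entries are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class HoldReason(Enum):
    """Grounds on which the article says deletion may be refused or paused."""
    SECTORAL_REGULATION = "retention mandated by sector-specific regulation"
    LITIGATION = "data required as evidence before a court"
    CONTRACT = "ongoing contractual obligation"


@dataclass(frozen=True)
class DeletionLogEntry:
    deleted_on: date
    dataset: str
    method: str                                   # e.g. "crypto-shred", "API purge"
    authorising_officer: str
    processor_certificate: Optional[str] = None   # certificate reference, if a processor held the data


@dataclass
class RetentionException:
    dataset: str
    reason: HoldReason
    justification: str            # legal reference, business note or contract clause
    recorded_on: date
    review_on: date
    closed_on: Optional[date] = None


class RetentionLedger:
    def __init__(self) -> None:
        self.deletions: List[DeletionLogEntry] = []
        self.exceptions: List[RetentionException] = []

    def active_hold(self, dataset: str) -> Optional[RetentionException]:
        return next((e for e in self.exceptions
                     if e.dataset == dataset and e.closed_on is None), None)

    def pause_deletion(self, dataset, reason, justification, recorded_on, review_after_days=90):
        """Record why deletion is paused and set the date on which it is next reviewed."""
        if self.active_hold(dataset) is not None:
            raise ValueError(f"{dataset} already has an open exception")
        exc = RetentionException(dataset, reason, justification, recorded_on,
                                 recorded_on + timedelta(days=review_after_days))
        self.exceptions.append(exc)
        return exc

    def lift_hold(self, dataset: str, on: date) -> None:
        hold = self.active_hold(dataset)
        if hold is None:
            raise ValueError(f"no open exception for {dataset}")
        hold.closed_on = on

    def record_deletion(self, dataset, deleted_on, method, officer,
                        processor_held=False, processor_certificate=None):
        """Log a deletion; refused while a hold is open or a required certificate is missing."""
        hold = self.active_hold(dataset)
        if hold is not None:
            raise ValueError(f"{dataset} is under hold: {hold.reason.value}")
        if processor_held and not processor_certificate:
            raise ValueError(f"{dataset}: deletion certificate from processor required")
        entry = DeletionLogEntry(deleted_on, dataset, method, officer, processor_certificate)
        self.deletions.append(entry)
        return entry

    def exceptions_due_for_review(self, as_of: date):
        """Open exceptions whose review date has been reached."""
        return [e for e in self.exceptions if e.closed_on is None and e.review_on <= as_of]


def demo() -> RetentionLedger:
    """Constructed walk-through (placeholder references, not real records)."""
    ledger = RetentionLedger()
    ledger.pause_deletion("kyc_records", HoldReason.SECTORAL_REGULATION,
                          "sectoral rule reference: PLACEHOLDER", date(2025, 1, 10))
    ledger.record_deletion("marketing_leads", date(2025, 1, 12), "crypto-shred", "DPO")
    ledger.record_deletion("ticket_archive", date(2025, 1, 12), "API purge", "IT Lead",
                           processor_held=True, processor_certificate="CERT-PLACEHOLDER-001")
    return ledger


if __name__ == "__main__":
    led = demo()
    for e in led.deletions:
        print(f"{e.deleted_on} deleted {e.dataset} by {e.method} (auth: {e.authorising_officer})")
    for x in led.exceptions_due_for_review(date(2025, 4, 10)):
        print(f"review due: {x.dataset} held for {x.reason.value}")
```

Keeping the hold check inside the same object that writes the deletion log means an automated deletion job cannot silently destroy data that legal, a regulator or a contract requires to be kept, and the review date ensures a paused deletion is revisited rather than becoming indefinite retention.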

What penalties apply for non-compliance with deletion obligations?

Failure to comply with Data deletion and retention obligations in India may attract monetary penalties under the DPDP framework.

1. Exposure areas

Non-compliance may arise from:

  • Indefinite retention of the personal data;
  • Failure to enforce the erasure requests filed by data principals;
  • Failure to delete backups and archival personal data in accordance with the law;
  • Retention without lawful purpose.

2. Regulatory consequences

The Data Protection Board may:

  • Impose financial penalties in accordance with the DPDP Act;
  • Direct corrective measures to prevent further violations;
  • Issue directions to comply with the provisions under which the violation has occurred.

FAQs on DPDP Data Retention and Deletion

Does the DPDP Act mandate a fixed number of years for retaining personal data?

Yes, the DPDP Rules under Schedule III provide specific periods of retention for certain personal data. The Act further mandates that the data fiduciary must delete personal data once the purpose for which it was collected has been completed, unless retention is legally mandated by sector-specific laws.

Can a company retain data indefinitely if consent was obtained?

No, the data fiduciary may only retain the data in accordance with the purpose limitation, sector-specific statutory requirements and Schedule III of the Rules.

Is anonymised data subject to deletion?

Anonymisation prevents data from being classified as personal data. However, if such data can be re-identified, it must comply with the obligations under the DPDP.

How should companies handle retention of employee data?

Employee data must:

  • Follow RBI, labour and tax data retention requirements.
  • Be deleted after serving the purpose of collection and other statutory requirements.
  • Align with the organisation’s data retention policy formulated in accordance with the DPDP Act.

Are backups exempt from deletion requirements?

No, a backup or other archival mechanism is itself a form of retention and must comply with the provisions of the DPDP.

What is the safest approach for startups implementing compliance?

Startups should undertake the following to ensure compliance with the DPDP:

  • Conduct a data mapping and data inventory management.
  • Create a documented DPDP data retention and deletion schedule and prepare a policy accordingly.
  • Automate deletion mechanism.
  • Integrate compliance with grievance handling mechanism which must be enshrined in the notice.
  • Align with personal data breach reporting requirements under the DPDP.

Conclusion

At its core, a DPDP data retention and deletion schedule aims to meet two objectives. First, it converts the purpose-based limitation on retention of personal data under the DPDP Act into defined retention timelines. Second, it protects the data fiduciary from excessive storage of personal data which it does not require.

A compliant retention framework must comprise the following:

  • A complete data mapping and data inventory management. This also includes the classification exercise.
  • Identification of statutory and contractual obligations and their alignment with dispute mitigation.
  • Clear mapping of triggers with respect to the processing of personal data.
  • Implementation of an automated mechanism for deletion and archival controls.
  • Structured handling of erasure requests by the data principals.
  • Extension of retention obligations to data processors and vendors.
  • Maintenance of deletion logs.

The retention mechanism and internal policies also directly affect the organisation’s exposure to potential breaches and other statutory liabilities. Excess data increases vulnerability and the degree of financial compensation in the event of a breach. Conversely, a well-documented and implemented DPDP data retention and deletion schedule demonstrates bona fide intent and accountability on the part of the organisation. It reduces the instances of breach and demonstrates governance maturity before the Data Protection Board.

Ultimately, data protection compliance under the DPDP regime is not a one-time exercise; it requires lifecycle governance. Collection, use, storage, archival and erasure must operate in a manner which integrates the requirements of the DPDP. A structured, documented and enforced DPDP data retention and deletion schedule ensures that this lifecycle ends lawfully, predictably and defensibly.

About Us

Corrida Legal is a boutique corporate & employment law firm serving as a strategic partner to businesses by helping them navigate transactions, fundraising-investor readiness, operational contracts, workforce management, data privacy, and disputes. The firm provides specialized and end-to-end corporate & employment law solutions, thereby eliminating the need for multiple law firm engagements. We are actively working on transactional drafting & advisory, operational & employment-related contracts, POSH, HR & data privacy-related compliances and audits, India-entry strategy & incorporation, statutory and labour law-related licenses, and registrations, and we defend our clients before all Indian courts to ensure seamless operations.

We keep our clients future-ready by ensuring compliance with the upcoming Indian Labour Codes on Wages, Industrial Relations, Social Security, and Occupational Safety, Health and Working Conditions, and with the Digital Personal Data Protection Act, 2023. With offices across India including Gurgaon, Mumbai and Delhi, coupled with global partnerships with international law firms in Dubai, Singapore, the United Kingdom and the USA, we are the preferred law firm for India entry and international business setups. Reach out to us on LinkedIn or contact us at contact@corridalegal.com/+91-9211410147 in case you require any legal assistance. Visit our publications page for detailed articles on contemporary legal issues and updates.

Legal Consultation

In addition to our core corporate and employment law services, Corrida Legal also offers comprehensive legal consultation to individuals, startups, and established businesses. Our consultations are designed to provide practical, solution-oriented advice on complex legal issues, whether related to contracts, compliance, workforce matters, or disputes.

Through our Legal Consultation Services, clients can book dedicated sessions with our lawyers to address their specific concerns. We provide flexible consultation options, including virtual meetings, to ensure ease of access for businesses across India and abroad. This helps our clients make informed decisions, mitigate risks, and remain compliant with ever-evolving regulatory requirements.
