Pricoris

Retention & Erasure Under the DPDP Act 2023 & DPDP Rules 2025: A Simple, Practical Guide

(The most misunderstood part of the law — explained clearly)

Retention and erasure sound straightforward.
But under the DPDP Act and the DPDP Rules 2025, they are among the most operationally complex parts of the entire framework.

Most organisations misunderstand:

  • when they can retain
  • when they must erase
  • what overrides erasure
  • how inactivity rules work
  • how special Schedules apply
  • what audit trails must look like
  • how logs differ from data
  • what applies to which industry

This guide breaks everything down into simple, correct, India-specific steps, so privacy, legal, IT and business teams can build a compliant retention programme.

1. The Retention “Golden Rule” — Section 8(7)

This is the backbone of India’s deletion obligations.

Under Section 8(7), a Data Fiduciary must erase personal data:

  1. When the purpose of processing is met, OR
  2. When the Data Principal withdraws consent,

whichever is earlier,
unless retention is required by law.

In short:

▶ Purpose complete → Delete
▶ Consent withdrawn → Delete
▶ Legal mandate → Keep

This single rule drives most retention decisions.

2. Rule 6 — The Operational Retention Rule

Rule 6 adds the operational teeth to Section 8(7).

Under Rule 6, organisations must:

  • Erase personal data that is no longer necessary
  • Maintain records of erasure
  • Retain logs for at least 1 year
  • Track rejection of erasure requests (with reasons)

Important:
Rule 6 is the default rule for all Data Fiduciaries unless overridden by a Schedule.

3. Third Schedule — 3-Year Inactivity + 48-Hour Pre-Erasure Notice

This is where most confusion happens.

The Third Schedule applies ONLY to specific notified sectors such as:

  • Large e-commerce companies
  • Large gaming platforms
  • Large social media platforms

(Final categories are defined in the Rules.)

What the Third Schedule requires:

  1. If a user has been inactive for 3 years, the organisation must erase their personal data.
  2. But before erasing, the Data Fiduciary (DF) must:
    • Send a 48-hour pre-erasure notice
    • Wait for the user’s response
  3. If the user does not respond → Erase
  4. If the user objects or reactivates → Retain

Real Examples

  • Marketplace accounts with no logins for 3 years
  • Streaming service accounts unused for 36 months
  • Gaming IDs not accessed for 3 years

This rule does NOT apply to:

  • BFSI
  • Healthcare
  • EdTech
  • HR data
  • Government services
  • Any sector not notified under the Third Schedule

4. Seventh Schedule — 1-Year Mandatory Retention

This schedule applies to sovereign and statutory functions only.

It covers activities such as:

  • law enforcement
  • courts
  • taxation
  • government welfare delivery
  • licensing
  • statutory registers
  • regulatory functions

Rule:

Personal data must be retained for at least 1 year even if:

  • the purpose ends
  • consent is withdrawn
  • an erasure request is raised

This Schedule is very limited.
Most private-sector companies will not use it.

5. Schedule VI — Log Retention (1 Year or 3 Years)

This schedule applies to all organisations because logs are treated separately from personal data.

Minimum Log Retention:

  • 1 year for all Data Fiduciaries
  • 3 years for large online platforms (as designated)

Logs include:

  • access logs
  • consent logs
  • rights-handling logs
  • breach logs
  • system activity logs
  • changes to personal data

▶ Even if personal data is erased, logs may be retained as required.

6. Special Cases: Children & Persons With Disability

Retention rules for children (Section 10 + Schedule IV):

  • Data collected from children must be erased when no longer necessary
  • Tracking, profiling, behavioural ads → completely prohibited
  • Parents must be able to withdraw consent easily

For Persons with Disability (PWD):

  • Guardian verification is mandatory
  • If guardian relationship ends → erase unless lawful basis continues

7. Special Case: Complaints, Grievances & Legal Obligations

If a complaint, grievance, investigation or legal dispute is ongoing:

  • You may retain data until closure
  • Provide clear justification in your retention register
  • Document evidence of lawful override

8. Putting It All Together — A Retention Decision Tree

Step 1: Is the purpose complete?
→ Yes → Move to Step 2

Step 2: Has consent been withdrawn?
→ Yes → Move to Step 3

Step 3: Is there any legal obligation or Schedule override?
→ Yes → Retain with documentation
→ No → Erase personal data

Step 4: Retain logs separately as per Schedule VI

9. Practical Retention Table Template (Use on Website or Toolkit)

You can publish this as a downloadable table on your toolkit page.

DPDP Retention Matrix (Template)

Data Category | Purpose | Legal Basis | Retention Rule | Override (if any) | Erasure Trigger
Account Information | User onboarding | Consent | Section 8(7) + Rule 6 | Third Schedule for large platforms | Purpose complete / withdrawal
Transaction Logs | Compliance | Lawful | Statutory retention | Seventh Schedule | After legal period ends
Children’s Data | Service delivery | Consent (parent/guardian) | Strict minimisation | Schedule IV | Purpose complete or withdrawal
Activity Logs | Security | Legitimate Use | Schedule VI | None | ≥1 year (or 3 years for large platforms)
Marketing Data | Consent | Consent | Section 8(7) | None | Withdrawal or purpose complete

10. Final Takeaways (Add as CTA on Website)

DPDP retention is not “keep as long as necessary”. It is:

  • purpose-first
  • consent-sensitive
  • schedule-dependent
  • log-specific
  • sector-controlled

Many Indian organisations will need completely new retention schedules, erasure workflows, and audit trails.
