Some industries (e.g., healthcare and insurance) must retain patient records for X years as per government mandates. What will happen in this case when a user asks for deletion of their data?
General Rule: Erasure of Data
• Under Section 8(7) of the DPDPA, a Data Fiduciary (DF) must erase personal data when:
o The Data Principal (user) withdraws consent, or
o The specified purpose for which the data was collected is no longer being served, whichever is earlier.
• This means that if consent is withdrawn, the DF must generally delete the data unless there is a valid legal basis for retaining it.
Exceptions to Erasure
The DF is not required to delete the data if:
• Retention is necessary for compliance with a legal obligation:
o For example, under tax laws, financial regulations, or court orders, the DF may be required to retain certain data for a specified period.
• The data is needed for certain legitimate uses under Section 7 of the DPDPA, such as:
o Legal claims or disputes.
o Medical emergencies or public health purposes.
o Employment-related purposes (e.g., maintaining records of former employees).
• The data is required to fulfill a contract with the Data Principal (e.g., processing payment for an order already placed).
Time Period for Erasure
• The DPDPA does not specify an exact timeline for erasure, but it requires the DF to act within a reasonable time after consent is withdrawn.
• The Digital Personal Data Protection Rules, 2025 (under Rule 8) provide further guidance:
o If the Data Principal does not approach the DF for the performance of the specified purpose or exercise their rights for a prescribed time period, the DF must erase the data.
o The DF must inform the Data Principal at least 48 hours before erasure unless the user takes action to retain the data.
Obligations to Data Processors
• If the DF has engaged a Data Processor, it must ensure that the Processor also erases the data upon withdrawal of consent, unless retention is required by law (Section 8(7)(b)).
Practical Considerations
• Data Minimization: The DF should only retain data that is necessary for the specified purpose or for compliance with legal obligations.
• Record Keeping: The DF must maintain records of consent withdrawals and erasures to demonstrate compliance with the DPDPA.
• User Communication: The DF should inform the Data Principal about the erasure of their data and any exceptions (e.g., legal retention requirements).
Example Scenarios
• Scenario 1: A user withdraws consent for their email address to be used for marketing purposes.
o The DF must stop using the email for marketing and erase it unless required by law.
• Scenario 2: A user withdraws consent for their transaction history to be used for personalized recommendations.
o The DF must erase the transaction history unless it is needed for legal or contractual purposes (e.g., tax compliance or dispute resolution).
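As an added illustration (not part of the original answer), the following Python routine applies the rules above to a single record: the Section 8(7) trigger (earlier of consent withdrawal and purpose served), the Rule 8 inactivity trigger with its 48-hour notice, and the legal-obligation exception that keeps a record on hold until the mandated retention period ends. The record fields, the LegalHold type, the inactivity limit and all dates are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

NOTICE = timedelta(hours=48)  # Rule 8: tell the Data Principal at least 48 h before erasing

@dataclass
class LegalHold:
    basis: str              # the legal obligation relied on (label only, constructed)
    retain_until: datetime  # end of the mandated retention period

@dataclass
class Record:
    principal_id: str
    purpose: str
    last_activity_at: datetime
    consent_withdrawn_at: Optional[datetime] = None
    purpose_served_at: Optional[datetime] = None
    legal_holds: List[LegalHold] = field(default_factory=list)

@dataclass
class Decision:
    action: str                    # retain | retain_legal_hold | erase_now | erase_after_notice
    effective_at: Optional[datetime]
    basis: str

def decide_erasure(rec: Record, now: datetime, inactivity_limit: timedelta) -> Decision:
    """Apply Section 8(7), the Rule 8 inactivity trigger and the legal-obligation exception."""
    # Section 8(7): erasure is due at the earlier of consent withdrawal and purpose served.
    triggers = [t for t in (rec.consent_withdrawn_at, rec.purpose_served_at) if t and t <= now]
    # Rule 8: a Data Principal who has not engaged with the DF for the prescribed period also triggers erasure.
    inactive = now - rec.last_activity_at >= inactivity_limit
    if not triggers and not inactive:
        return Decision("retain", None, "consent in force and purpose still being served")
    # Exception: a legal obligation overrides erasure until the mandated retention period ends;
    # the Data Principal must still be told that this exception applies.
    active_holds = [h for h in rec.legal_holds if h.retain_until > now]
    if active_holds:
        longest = max(active_holds, key=lambda h: h.retain_until)
        return Decision("retain_legal_hold", longest.retain_until, longest.basis)
    if triggers:
        return Decision("erase_now", now, "Section 8(7) trigger and no legal basis to retain")
    return Decision("erase_after_notice", now + NOTICE, "Rule 8 inactivity; 48 h notice before erasure")
```

The returned Decision is what the DF would log for its compliance records and use to word the notice to the Data Principal.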
Penalties for Non-Compliance
• If the DF fails to erase data after consent withdrawal, it may face:
o Monetary penalties of up to ₹250 crore under Section 33 of the DPDPA.
o Legal action by the Data Principal or the Data Protection Board of India.