Data does not live forever. DPDPA requires that personal data be erased once the purpose for which it was collected has been fulfilled and retention is no longer necessary. This is not a suggestion. It is a statutory obligation with penalty exposure.
The Retention Principle
Section 8(7) establishes the rule: erase personal data when the purpose is fulfilled and retention is no longer necessary for that purpose or to meet legal requirements. This means you cannot keep data indefinitely just in case it might be useful. You need a reason. When the reason ends, the data must go.
Defining Retention Periods
Your policy must specify retention periods for each data category. These periods should be tied to purpose fulfillment plus any legally mandated retention. Employment records may need to be kept for years after employment ends due to labor law requirements. Transaction records may need preservation for tax compliance. The policy must account for these overlapping requirements.
- Retention period for each data category
- Legal basis for each retention period
- Trigger events for retention period commencement
- Review schedule for retention period appropriateness
Erasure Procedures
Stating that data will be deleted is not enough. You need procedures for how deletion occurs: who initiates it, how it is verified, and what happens to backups. Deletion must be complete, not just removal from active systems while copies persist in archives.
Interaction with Data Principal Rights
Data Principals have the right to erasure under Section 12. Your retention policy must accommodate this. When a Data Principal requests erasure, you must comply unless a legal obligation requires continued retention. The policy should clarify how erasure requests interact with retention schedules.
Essential Clauses
- Retention Schedule by Data Category (Section 8(7)): Specific periods for each type of personal data
- Legal Retention Obligations (Section 8(7)): Reference to laws requiring retention beyond purpose fulfillment
- Erasure Trigger Events (Rule 6): What events initiate the deletion process
- Deletion Verification Procedure (Rule 6): How complete deletion is confirmed
- Backup and Archive Treatment (Section 8(7)): How deletion extends to backup systems
- Exception Handling (Section 8(7)): Process for cases where retention beyond schedule is necessary
Implementation Steps
1. Conduct data inventory identifying all personal data repositories
2. Map each data category to its processing purpose
3. Research applicable legal retention requirements
4. Define retention period for each category with documented rationale
5. Implement automated retention monitoring where possible
6. Establish deletion workflows with verification checkpoints
7. Train relevant personnel on retention policy application
8. Schedule periodic policy reviews to reflect changing requirements