Rule 8 of DPDP Rules 2025

Time period for specified purpose to be deemed as no longer being served.


.—(1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, or, for the corresponding time period specified in the Third Schedule, if the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.
(2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.
(3) Without prejudice to sub-rules (1) and (2), a Data Fiduciary shall retain, in respect of any processing of personal data undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of one year from the date of such processing, for the purposes as specified in the Seventh Schedule, after which the Data Fiduciary shall cause such personal data and logs to be erased, unless further retention is required for compliance with any other law for the time being in force or notified by the Government.
Illustration.
Case 1: X, a Data Principal purchases an e-book on an e-book platform Y. Once delivery is completed, the specified purpose of processing is served. The platform Y must retain the order details, personal data, and logs of the processing (such as order confirmation, payment, and delivery events) for at least one year from the date of the transaction, even if X deletes her account.
Case 2: X, a company engages a cloud service provider C as its Data Processor to host customer records. X as the Data Fiduciary, is required to ensure that the C also retains the data and associated logs for at least one year before erasure, unless any other applicable law requires a longer period.

Rule 2 →
DPDPA
Table of contents


Report error

Legal Interpretation: Time Period for Specified Purpose to Be Deemed as No Longer Being Served

Data retention is a double-edged sword—while it’s essential for fulfilling specific purposes and ensuring seamless operations, holding on to personal data beyond necessity can lead to legal, ethical, and security challenges. Rule 8 of the Digital Personal Data Protection Act (DPDPA) strikes a balance, offering a clear framework for when personal data should be erased if its purpose is no longer being served. Let’s explore the finer details of this rule.

1. The Core Principle: Data Erasure After Purpose Completion

At its heart, Rule 8 mandates that personal data should not outlive its usefulness. If the purpose for which data was collected is no longer relevant, the Data Fiduciary must erase it unless retention is mandated by law. This ensures that personal data isn’t stored indefinitely, reducing the risk of misuse and reinforcing the principle of data minimization.

Think of it as decluttering your home. Once you’ve used an item for its intended purpose and no longer need it, it’s better to discard it than to let it take up unnecessary space.

2. Key Conditions for Data Erasure

The rule outlines specific triggers and timelines for data erasure:

  • (1) Trigger for Erasure: Personal data must be erased if:
    • The Data Principal hasn’t interacted with the Data Fiduciary to fulfill the specified purpose.
    • The Data Principal hasn’t exercised any rights related to that data during the time period specified in the Third Schedule.
    • Retention of the data isn’t required by any existing law.
  • (2) Notification Before Erasure: At least 48 hours before the data is scheduled for erasure, the Data Fiduciary must notify the Data Principal. This notification serves as a reminder, giving the individual an opportunity to:
    • Log into their user account.
    • Contact the Data Fiduciary to reinitiate the specified purpose.
    • Exercise their rights related to the data, such as accessing, correcting, or objecting to its processing.

This approach combines accountability with user empowerment, ensuring individuals are not caught off guard by data erasure.

3. Definition of "User Account"

The rule clarifies that a "user account" includes any digital presence or identifier registered by the Data Principal with the Data Fiduciary. This could range from a traditional online account to profiles, email addresses, or phone numbers. By broadening the definition, the rule ensures comprehensive coverage across various modes of interaction.

4. Practical Implications for Data Fiduciaries

For Data Fiduciaries, this rule isn’t just a legal obligation—it’s a roadmap for responsible data stewardship. Here’s what compliance entails:

  • Streamlined Data Management: Fiduciaries must maintain systems to monitor the activity and engagement of Data Principals with their data. Automated reminders and alerts can help track and enforce the timelines specified in the Third Schedule.
  • Clear Communication Channels: A robust notification mechanism is essential. Notifications should be easy to understand and accessible, ensuring Data Principals can respond promptly if they wish to retain their data.
  • Alignment with Legal Requirements: Fiduciaries must ensure that any exceptions to data erasure—such as legal requirements to retain data—are clearly documented and justifiable.

5. Empowering Data Principals

For Data Principals, this rule serves as a safeguard against unnecessary data retention. By offering clear timelines and proactive notifications, it ensures individuals remain in control of their personal data. It also minimizes the risks of breaches or misuse, reinforcing trust in digital interactions.

Imagine receiving a friendly reminder from a service you’ve stopped using, giving you the chance to decide whether you want your data erased or retained. This approach respects your autonomy while ensuring transparency.

6. Broader Implications for Privacy and Governance

Rule 8 reflects the growing recognition that data retention must be purpose-driven, not perpetual. By mandating erasure of unnecessary data, the rule:

  • Reduces Risk: Unused or outdated data can become a liability, increasing the risk of breaches or unauthorized access.
  • Strengthens Accountability: Fiduciaries are required to actively manage data lifecycles, demonstrating their commitment to responsible data handling.
  • Aligns with Global Standards: The principle of data minimization is a cornerstone of privacy frameworks like GDPR, and this rule brings Indian law in line with international best practices.

Conclusion

Rule 8 of the DPDPA underscores the importance of purposeful data retention. By defining clear timelines for data erasure and mandating proactive notifications, it strikes a balance between organizational needs and individual privacy. For Data Fiduciaries, compliance isn’t just about meeting legal requirements—it’s about fostering trust and demonstrating respect for the data entrusted to them. This rule sets a new benchmark for responsible data management, ensuring that personal data serves its purpose without overstaying its welcome in the digital ecosystem.

© 2024 Advocate (Dr.) Prashant Mali