Data Fiduciaries are sometimes mandated by law or regulation to retain certain customer data for a specific period of time.
For example, the RBI KYC Master Direction requires regulated entities to preserve customer identification and address records for at least five years after the business relationship ends.
On the other hand, the DPDP Act gives customers the power to withdraw consent or request deletion of their personal data.
Can a customer request deletion of her address from her bank's records, even though the bank is obligated to retain it for five years under the RBI KYC Master Direction?
There seems to be a clear tension here.
Fortunately, the DPDP Act is quite explicit in resolving this tension, via Section 6(6) and Section 8(7).
The DPDP Act allows retention and processing for regulatory purposes — even after consent withdrawal
Section 6(6) allows for processing of data for a legal/regulatory purpose even after withdrawal of consent:
(6) If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India.
Section 8(7) of the DPDP Act allows retention of data for legal compliance - even after other purposes have been withdrawn/extinguished:
(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,— (a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.
Both of the above provisions carve out an exception to withdrawal/deletion:
- Section 6(6) allows Data Fiduciaries to process data for a legal/regulatory purpose even after withdrawal of consent
- Section 8(7) allows Data Fiduciaries to retain data for a legal compliance purpose - even after other purposes have been withdrawn/extinguished
Many businesses will be tempted to use the legal/regulatory carve-outs in Section 6(6) and Section 8(7) to retain and process personal data indiscriminately. Do not do this. The carve-outs are narrow exceptions, not wide permissions. You cannot say "the customer is asking me to delete, RBI wants me to retain, so I will retain it and use it to market to the customer." That is a violation.
Let's understand the practical implications of the exceptions via an illustration.
Retaining/processing for legal/regulatory purposes does not mean you can use the data for other purposes
Jyothi is an account holder with Nova Bank.
One year after opening her account, Jyothi decides to close it. She asks Nova Bank to close the account, delete her personal data (including her phone number and address) and treat her consent as withdrawn.
Nova Bank has to retain both the phone number and the address for five years after the account is closed under the RBI KYC Master Direction.
At this point, Nova Bank is using the phone number and customer address for the following 3 purposes:
- Purpose 1: Servicing Jyothi's account
- Purpose 2: Telemarketing and physical marketing
- Purpose 3: For RBI compliance purposes
After Jyothi's withdrawal, Nova Bank can continue to retain her phone number and address for Purpose 3 only.
It must stop using them for Purposes 1 and 2.
Nova Bank cannot retain Jyothi's personal details for RBI compliance reasons and then use that data for other purposes, such as marketing.
Retention for legal/regulatory purposes will require good data mapping and segregation
Practically speaking, Data Fiduciaries will need to change how they process and store data in order to handle legal/regulatory retention requirements properly.
This means building 4 system-level capabilities:
- Map and label personal data based on purpose: Personal data such as phone numbers cannot be stored as loose records in the CRM. Each datum must be clearly mapped to every purpose it is being used for. In most organisations this does not happen today.
- Programmatically de-activate processing for withdrawn purposes: When a customer withdraws consent for a specific purpose, your system must send a deletion or deactivation instruction to every downstream system tied to that purpose. If a customer withdraws consent for use of her email for marketing, the email must be deleted from your marketing platform and your email tool. But the same email stored in your loan management system (LMS) for loan servicing, such as sending account statements, must not be deleted. Deletion should be purpose-specific, not dataset-wide. Your system must be able to distinguish between purposes and act accordingly. Such logic does not exist in most organisations today.
- Data retained for regulatory purposes must not be usable except for that purpose: The retained data will continue to exist on your systems. As a Data Fiduciary, you need to ensure that it can only be accessed for regulatory audits or disclosures and is rendered unusable and inaccessible for every other purpose. This may require a dedicated Retention Vault for regulatory compliance. For the restriction to mean anything in an audit, access to the vault should be limited to a named compliance role and every read should be logged; a policy document that says "compliance only" while the data remains queryable from the CRM or the marketing platform does not satisfy the requirement.
- Tell the customer what continues and why: As a Data Fiduciary, you must respond to the customer's withdrawal request by stating clearly that you are still going to retain certain data for the stipulated legal/regulatory timelines as a compliance measure.
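The four capabilities above can be pinned down in a small in-memory model. The following Python sketch is an added example written for this article, not code from the article's author, any bank, regulator or vendor product. Every datum carries its own set of purposes; a withdrawal strips only the withdrawn purposes and emits delete instructions to the systems mapped to them; a datum kept solely for regulatory retention gets a retention end date and becomes readable only by a compliance role for that purpose; and the customer-facing notice is generated from what is actually still held. The purpose labels, role names, the map from purposes to downstream systems, the customer records and the five-year clock are all assumptions constructed for the illustration.

```python
"""Purpose-tagged personal data store (added illustration, not a reference
implementation). Purpose names, role names, system mapping and the five-year
retention clock are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed purpose labels; the Act does not define these names.
SERVICING = "servicing"
MARKETING = "marketing"
REGULATORY = "regulatory_compliance"   # retention required by law, e.g. KYC records
LEGAL_CLAIM = "legal_claim"            # enforcing a legal right or claim, s.17(1)(a)

# Assumed map from consent-based purposes to the systems holding copies of the data.
SYSTEMS_BY_PURPOSE = {
    SERVICING: ["core_banking", "statement_mailer"],
    MARKETING: ["marketing_platform", "email_tool"],
}
# Non-consent purposes are readable only by these roles (assumed role names).
ROLES_BY_PURPOSE = {REGULATORY: {"compliance"}, LEGAL_CLAIM: {"recovery"}}

RETENTION_AFTER_CLOSURE = timedelta(days=5 * 365)   # "at least five years" (constructed clock)


class PurposeViolation(Exception):
    """Raised when data is read for a purpose, or by a role, it is not mapped to."""


@dataclass
class Datum:
    value: str
    purposes: set                         # purposes this datum may be processed for now
    retain_until: Optional[date] = None   # set once it survives only for REGULATORY


@dataclass
class DataStore:
    records: dict = field(default_factory=dict)   # (customer, field_name) -> Datum
    audit_log: list = field(default_factory=list)

    def record(self, customer, name, value, purposes):
        self.records[(customer, name)] = Datum(value, set(purposes))

    def withdraw(self, customer, withdrawn, today):
        """Purpose-specific withdrawal: strip only the withdrawn purposes, emit delete
        instructions to the systems tied to them, erase data with no purpose left
        (s.8(7)(a)), and start the retention clock on data kept only for REGULATORY."""
        instructions = []
        for (cust, name), datum in list(self.records.items()):
            if cust != customer:
                continue
            for purpose in sorted(withdrawn & datum.purposes):
                for system in SYSTEMS_BY_PURPOSE.get(purpose, []):
                    instructions.append((system, "delete", name))
            datum.purposes -= withdrawn
            if not datum.purposes:
                del self.records[(cust, name)]
            elif datum.purposes == {REGULATORY} and datum.retain_until is None:
                datum.retain_until = today + RETENTION_AFTER_CLOSURE
        return instructions

    def access(self, customer, name, purpose, role):
        """Read a datum for a stated purpose. The purpose must still be mapped to the
        datum, and a non-consent purpose is readable only by its authorised role.
        Every attempt, allowed or denied, is appended to the audit log."""
        datum = self.records.get((customer, name))
        allowed_roles = ROLES_BY_PURPOSE.get(purpose)       # None => any role
        allowed = (datum is not None and purpose in datum.purposes
                   and (allowed_roles is None or role in allowed_roles))
        self.audit_log.append((customer, name, purpose, role, "allow" if allowed else "deny"))
        if not allowed:
            raise PurposeViolation(f"{name} of {customer} not usable for {purpose} by {role}")
        return datum.value

    def purge_expired(self, today):
        """Erase vaulted data whose statutory retention period has run out."""
        expired = [k for k, d in self.records.items()
                   if d.retain_until is not None and d.retain_until < today]
        for k in expired:
            del self.records[k]
        return [name for _, name in expired]

    def withdrawal_notice(self, customer):
        """What the customer is told after withdrawal: each field still held, the
        purposes it is held for, and the retention end date where one applies."""
        return {name: (sorted(d.purposes), d.retain_until)
                for (cust, name), d in self.records.items() if cust == customer}


if __name__ == "__main__":
    # Constructed walk-through of the Nova Bank illustration (sample data, not real).
    store = DataStore()
    store.record("jyothi", "phone", "+91-9800000000", {SERVICING, MARKETING, REGULATORY})
    store.record("jyothi", "address", "12 Example Road", {SERVICING, MARKETING, REGULATORY, LEGAL_CLAIM})
    store.record("jyothi", "newsletter_pref", "weekly", {MARKETING})
    for instruction in store.withdraw("jyothi", {SERVICING, MARKETING}, date(2025, 1, 15)):
        print("downstream:", instruction)
    print("retained:", store.withdrawal_notice("jyothi"))
    print("audit read:", store.access("jyothi", "phone", REGULATORY, "compliance"))
    print("recovery read:", store.access("jyothi", "address", LEGAL_CLAIM, "recovery"))
    try:
        store.access("jyothi", "phone", MARKETING, "marketing_ops")
    except PurposeViolation as err:
        print("blocked:", err)
```

The point of the model is that purpose is a property of each stored datum rather than of the dataset, that the "only for compliance" restriction is enforced by an access check in code and written to an audit log rather than stated in a policy, and that the notice sent to the customer is derived from the records that actually survive the withdrawal. Data kept for a live legal claim is deliberately not put on the five-year clock, because the article gives no fixed period for it.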
What if the customer's personal data is needed for recovery action?
What if, in the above example, Jyothi had an outstanding loan owed to Nova Bank?
Nova Bank needs details such as Jyothi's address to initiate recovery action if she does not repay the loan, even after she has closed her account and withdrawn consent.
The DPDP Act carves out an exception for this.
Section 17(1)(a) of the DPDP Act states that consent is not needed where
the processing of personal data is necessary for enforcing any legal right or claim;
Loan recovery is clearly enforcement of Nova Bank's legal claim. Therefore, Nova Bank can continue using Jyothi's data for that purpose.
Again: Nova Bank can only use the data for the narrow purpose of enforcement/recovery. It cannot use that data for other purposes such as marketing under the guise of "I needed that data for loan recovery, so I kept it and am using it."
This exception is not confined to loan recovery. It also applies to other scenarios, such as:
- Suing for recovery under an invoice
- Initiating action for breach of contract
What if a customer withdraws consent for data needed to continue service?
So far we've discussed what happens when a customer withdraws consent for data that you are required to retain under regulation. But there's a related question this doesn't address: what if the customer withdraws consent for data that is necessary to provide the service itself — like KYC data for an active bank account?
The DPDP Act addresses this directly. Section 6(5) states that the consequences of withdrawing consent are borne by the Data Principal — and that withdrawal does not affect the legality of processing that occurred before withdrawal. If the customer withdraws consent for data without which you cannot continue providing the service, you can deny or cease the service.
So if a customer with an active savings account withdraws consent for KYC data — and KYC is necessary to operate the account — the bank is within its rights to close the account.
One caveat: the data must genuinely be necessary for providing the service. You cannot classify telemarketing as an essential component of service delivery and then close the customer's account when they revoke consent for telemarketing.
Matrix of Retention
We've consolidated everything we've discussed above into a Matrix of Retention for easy reference.

| Scenario | DPDP basis | What you may do | What you may not do |
|---|---|---|---|
| Data you must retain under a law or regulation (e.g. KYC records for five years after the relationship ends) | Sections 6(6) and 8(7) | Retain it for the stipulated period and process it for that compliance purpose only (audits, disclosures); tell the customer what is retained and why | Use it for servicing, marketing or any other withdrawn purpose |
| Data needed to enforce a legal right or claim (loan recovery, recovery under an invoice, breach of contract) | Section 17(1)(a) | Continue processing without consent, for enforcement or recovery only | Use it for other purposes under the guise of recovery |
| Data genuinely necessary to provide the service (e.g. KYC data for an active account) when the customer withdraws consent | Section 6(5) | Deny or cease the service; processing done before withdrawal stays lawful | Treat non-essential processing such as telemarketing as "necessary" in order to close the account |
| Data held for purposes the customer has withdrawn that no law requires you to keep | Sections 6(6) and 8(7)(a)-(b) | Cease processing within a reasonable time, erase it, and have your Data Processors erase it | Keep it "just in case" |
| KYC verification itself | Section 17(1)(c) does not apply | Collect consent for KYC processing | Rely on the offence-investigation exception for routine KYC |
Can processing activities like KYC verification fall under the Section 17(1)(c) exception?
No. The exception under Section 17(1)(c) is a narrow one designed to aid the investigation and prevention of offences.
KYC is a compliance process whose output may later serve as a data point in an investigation, but KYC verification is not in itself processing related to an offence.
You will still need to collect consent for data used for KYC purposes.
This article reflects our operational understanding of the DPDP Act. It is not legal advice. Consult your legal counsel for interpretation specific to your business.