DPDP Rules 2025 Phase 3 (13 May 2027) RIGHTS

Rule 12

Erasure of Personal Data from User Accounts

Practical Note

Rule 12 is the 'right to be forgotten' rule for User Accounts. When a user closes their account, the Data Fiduciary must erase the personal data associated with it, and must cause its Data Processors to erase it too, unless a legal retention obligation applies to part of that data. In practice this means building an account deletion workflow that actually erases (not merely deactivates) the data in every store the fiduciary controls and that propagates the erasure instruction to each processor. Note the scope of the cascade: the rule text reaches Data Processors; a recipient that is an independent Data Fiduciary in its own right is not covered by this cascade and is governed by its own obligations.

THE STATUTE

Original Text

(1) Where a Data Principal closes her User Account with a Data Fiduciary, the Data Fiduciary shall, as soon as it is reasonably practicable, erase the personal data associated with the User Account, and cause the Data Processors to erase such data, except where the Data Fiduciary is required by law to retain any part of such data.

Analysis & Details

Rule 12 creates a specific, operationally important obligation: when a Data Principal closes their User Account, the Data Fiduciary must erase all personal data associated with that account, and must also cause its Data Processors to erase the same data. The only exception is where a specific law requires retention of part of that data (e.g., RBI requiring banks to retain KYC data for 5 years post-account closure, GST requiring transaction records for 6 years). The exception is partial by its own wording ('any part of such data'): only the categories a law actually requires to be kept may be kept, and everything else must still go.

'User Account' is defined broadly in Rule 2: social media, email, banking, streaming, e-commerce accounts all qualify.

The 'as soon as reasonably practicable' standard gives some operational flexibility. Data cannot be deleted instantaneously from all backup systems, but there must be a defined timeline with active deletion processes (including scheduled expiry of backup copies), not indefinite retention in archived form.

The cascade to Data Processors is significant: a Data Fiduciary that shares user data with third-party analytics providers, cloud storage, email processors, or other data processors must instruct them to delete the data too, and should obtain confirmation that they have done so. This requires contract provisions in Data Processing Agreements.

Practically, this means businesses must build:
(a) an account deletion mechanism that is user-accessible;
(b) automated deletion workflows that cascade through all data stores and processors;
(c) exception handling that retains only the legally required categories, for only the required period, and erases them when that period ends;
(d) documentation of deletion as evidence of compliance: what was erased, what was retained and under which legal requirement, and which processors confirmed erasure.
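The following Python sketch is an added example, not code from the page or from any Data Fiduciary's systems, showing how workflow steps (b), (c) and (d) fit together: an erasure routine that carves out a legal-hold set, erases the remaining categories from every local store, sends the instruction to each processor and keeps the acknowledgements, and a post-deletion check that treats leftover data or a missing acknowledgement as a compliance gap. The store names, data categories, vendor names and the retention periods in RETENTION_RULES are hypothetical placeholders; the real periods come from the applicable sectoral law.

```python
"""Account-closure erasure workflow: erase locally, cascade to Data Processors,
carve out only legally required retention, and keep evidence of what happened.
Added illustration, not code from the page; every store, category, retention
period and vendor name below is a hypothetical placeholder."""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable

# Hypothetical retention exceptions: category -> years to keep after closure.
# Rule 12 only says "required by law to retain any part"; real periods come
# from the applicable sectoral law, not from this table.
RETENTION_RULES = {"kyc": 5, "tax_invoice": 6}


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb with a non-leap target year -> 1 Mar
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass
class DataStore:  # one of the fiduciary's own stores (primary DB, index, billing...)
    name: str
    records: dict  # account_id -> {category: value}

    def erase(self, account_id: str, hold: set) -> list:
        """Delete every category for the account except those under legal hold."""
        rec = self.records.get(account_id, {})
        erased = [c for c in rec if c not in hold]
        for c in erased:
            del rec[c]
        if not rec:  # nothing to retain: drop the account row entirely
            self.records.pop(account_id, None)
        return erased


@dataclass
class Processor:  # erase_fn sends the instruction and returns the acknowledgement
    name: str
    erase_fn: Callable[[str], bool]


@dataclass
class DeletionRecord:
    """Evidence of compliance for one closed account."""
    account_id: str
    closed_on: date
    erased: dict = field(default_factory=dict)          # store -> categories erased
    retained: dict = field(default_factory=dict)        # category -> retain until
    processor_acks: dict = field(default_factory=dict)  # processor -> acknowledged?


def close_account(account_id: str, closed_on: date, stores: list, processors: list) -> DeletionRecord:
    record = DeletionRecord(account_id, closed_on)
    # Legal-hold carve-out first: only categories actually present and actually
    # covered by a retention rule, each with an expiry date so it is erased later.
    present = set().union(*(s.records.get(account_id, {}) for s in stores))
    for cat in present & set(RETENTION_RULES):
        record.retained[cat] = _add_years(closed_on, RETENTION_RULES[cat])
    hold = set(record.retained)
    for s in stores:  # erase locally, store by store, recording what went
        erased = s.erase(account_id, hold)
        if erased:
            record.erased[s.name] = sorted(erased)
    for p in processors:  # cascade to every processor and keep the acknowledgement
        record.processor_acks[p.name] = bool(p.erase_fn(account_id))
    return record


def verify_erasure(record: DeletionRecord, stores: list, processors: list) -> list:
    """Post-deletion check: data left outside the legal hold, or a processor that
    never acknowledged, is a compliance gap. Returns the findings."""
    findings = []
    for s in stores:
        leftover = set(s.records.get(record.account_id, {})) - set(record.retained)
        if leftover:
            findings.append(f"{s.name}: still holds {sorted(leftover)}")
    for p in processors:
        if not record.processor_acks.get(p.name):
            findings.append(f"{p.name}: no erasure acknowledgement")
    return findings


def deactivate_only(store: DataStore, account_id: str) -> None:
    """The anti-pattern: hide the account behind a flag but keep every field."""
    store.records.setdefault(account_id, {})["status"] = "deactivated"


def demo():
    """Constructed sample: one user across three stores, two processors."""
    stores = [
        DataStore("primary_db", {"u42": {"profile": "Asha", "kyc": "PAN-xxxx", "email": "a@example.com"}}),
        DataStore("search_index", {"u42": {"profile": "Asha"}}),
        DataStore("billing", {"u42": {"tax_invoice": "INV-7", "card_last4": "1234"}}),
    ]
    processors = [
        Processor("analytics_vendor", lambda uid: True),  # vendor that confirms
        Processor("mailer", lambda uid: False),           # vendor that never confirms
    ]
    record = close_account("u42", date(2027, 5, 13), stores, processors)
    findings = verify_erasure(record, stores, processors)
    # For contrast, a store that was only deactivated fails the same check.
    legacy = DataStore("legacy_db", {"u42": {"phone": "+91-0000000000"}})
    deactivate_only(legacy, "u42")
    return record, findings, verify_erasure(record, [legacy], [])
```

Running demo() erases profile, email and card data, keeps only the KYC and invoice categories with dated expiries, and reports two gaps: the mailer that never acknowledged the instruction, and the legacy store that was deactivated rather than erased. The DeletionRecord is the artefact to keep as evidence; a real implementation would also schedule erasure of the retained categories on their expiry dates and re-run the cascade for any processor that did not acknowledge.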

GDPR Parallel

Article 17 (Right to Erasure / Right to be Forgotten)

IT Act Impact

Rule 12 creates the first affirmative duty to delete User Account data on closure under Indian law. The IT Act had no equivalent — this is an entirely new obligation for digital platforms operating in India.

Common Queries

Q: Must all personal data be erased when a user closes their account?
A: Yes, with exceptions. Rule 12 requires erasure of all personal data associated with a User Account when the user closes it, and requires the Data Fiduciary to cascade that erasure instruction to its Data Processors. Exceptions: where a law requires retention of part of the data (e.g., RBI KYC retention, GST transaction records, IT Act record-keeping requirements); only that part may be kept, and only for as long as the law requires. The erasure must happen 'as soon as reasonably practicable': not necessarily immediately, but through active deletion processes on a defined timeline, not indefinite archiving.

Q: Does deactivating an account satisfy Rule 12?
A: No. Deactivation (hiding an account from other users without deleting the data) does not satisfy Rule 12. Rule 12 requires actual erasure of personal data from the Data Fiduciary's systems and from all of its Data Processors. A business that deactivates accounts but retains the underlying personal data indefinitely would not comply with Rule 12.

Key Rules & Provisions

Automatic erasure obligation on User Account closure — no separate erasure request required.

Cascade deletion obligation — processors must also erase.

Legal retention exceptions preserved (RBI, GST, IT Act retention periods), limited to the part of the data the law requires to be kept.

'User Account' broadly defined — covers all major digital account types.