DPDP Rules 2025 Phase 3 (13 May 2027) OBLIGATIONS

Rule 9

Retention Limits and Erasure of Personal Data

Practical Note

Rule 9 creates an automatic retention obligation — the trigger for deletion is not a request from the user but the completion of processing purpose. Data Fiduciaries must build automated data lifecycle management into their systems. The 'reasonably expected use' concept allows for some period after the original purpose ends (e.g., data for a closed account may be retained for dispute resolution/legal compliance period). Sector-specific retention mandates (RBI, SEBI, income tax) override Rule 9's general principle.

THE STATUTE

Original Text

(1) A Data Fiduciary shall, as soon as it is reasonably practicable, erase the personal data held by it or under its control upon — (a) the Data Principal withdrawing consent for processing of personal data for the specified purpose; (b) the Data Principal exercising the right to erasure under section 12(1)(b) of the Act; (c) the purpose for which the personal data was collected has been served, unless retention is required for compliance with any law. (2) A Data Fiduciary shall cause its Data Processors to erase the personal data processed by them on behalf of the Data Fiduciary, as soon as it is reasonably practicable. (3) The retention period for personal data processed pursuant to legitimate use under section 7 shall not exceed the period for which such processing is required for the respective legitimate use.

Analysis & Details

Rule 9 implements the storage limitation and right-to-erasure obligations from Act Sections 8(7) and 8(8). The Rule creates three erasure triggers:

(1) CONSENT WITHDRAWAL — when the Data Principal withdraws consent, the Data Fiduciary must erase the data 'as soon as reasonably practicable';

(2) RIGHT TO ERASURE REQUEST — when the Data Principal exercises their right to erasure under Act Section 12(1)(b);

(3) PURPOSE COMPLETION — when the purpose for which the data was collected has been served, the data must be erased unless retention is required by law.

The 'purpose completion' trigger is significant because it is automatic — it does not require the Data Principal to make a request. A Data Fiduciary cannot retain data indefinitely 'just in case'.

The 'unless retention is required by law' exception is important: sector-specific regulations impose their own retention mandates (RBI requires banks to retain KYC records for 5 years post-relationship end; SEBI requires broker records for 5 years; Income Tax Act requires records for 6+ years). These sector-specific mandates override Rule 9's general erasure principle.

The Rule also extends the erasure obligation to Data Processors: the Data Fiduciary must ensure that its processors also erase data when the Data Fiduciary itself must erase it. This requires contract provisions in Data Processing Agreements.

GDPR Parallel

Article 5(1)(e) (Storage limitation) + Article 17 (Right to erasure)

IT Act Impact

Rule 9 significantly strengthens data lifecycle requirements beyond what SPDI Rules required. SPDI Rules had no mandatory erasure obligations — Rule 9 creates the first affirmative duty to delete in Indian privacy law for digital personal data.

Common Queries

Until the processing purpose is complete, consent is withdrawn, or the Data Principal requests erasure — whichever comes first — unless a specific law requires longer retention. There is no fixed universal retention period. For example: data collected for a one-time transaction must be erased once the transaction and any related dispute period is complete. Data retained under sector-specific mandates (RBI's 5-year KYC retention, SEBI's 5-year records, income tax 6-year records) may be retained for those statutory periods.

When the reason for which the data was collected no longer applies, the data must be erased. For example: if data was collected for processing a loan application and the application is decided (approved or rejected), the processing purpose is complete. Data cannot be retained to later use for marketing or analytics — that would be a new processing purpose requiring fresh consent. This is an automatic obligation — the Data Principal does not need to request deletion for this trigger to apply.

Key Rules & Provisions

Three automatic erasure triggers: consent withdrawal, erasure request, purpose completion.

Purpose completion is automatic — no user request required.

Sector-specific retention mandates (RBI, SEBI, IT Act) continue to override Rule 9.

Extends erasure obligation to Data Processors through Data Fiduciary instruction.

No specific retention period specified — purpose-based approach.