Data Retention And Deletion Obligations
Corporate Data Retention and Deletion Obligations
Data Retention: The practice of keeping organizational data (personal, sensitive, or corporate) for a legally or operationally justified period.
Data Deletion: The secure removal or destruction of data once it is no longer required or the retention period expires.
Both practices are integral to data governance, compliance, and risk management.
1. Legal and Regulatory Framework
A. Indian Laws
Information Technology Act, 2000 (IT Act)
Section 43A: Compensation for failure to implement reasonable security practices, which includes retention and secure deletion of sensitive personal data.
Section 72A: Criminal liability for disclosure of personal information without consent.
IT (Reasonable Security Practices & Sensitive Personal Data or Information) Rules, 2011
Corporates must:
Retain sensitive personal data only as long as required.
Dispose of obsolete data securely.
Maintain security measures during storage and deletion.
Companies Act, 2013
Corporate records (financial, accounting, HR) must be retained for statutory periods (e.g., 8 years for accounting records).
Draft Personal Data Protection Bill (PDPB, 2019)
Data must be retained only for the duration necessary for the purpose of processing.
Data principal can request erasure or withdrawal of consent.
Corporates must document retention schedules and deletion procedures.
Sectoral Regulations
RBI Guidelines: Financial institutions must maintain transaction and customer data for regulatory reporting (e.g., 5–10 years).
IRDAI Guidelines: Insurance customer data retention for claims and audits.
Telecom/Consumer Protection Rules: Prescribed retention periods for customer call records, transaction data, and consent records.
B. International Regulations
GDPR (EU)
Data must not be kept longer than necessary.
Individuals have a right to erasure (“right to be forgotten”).
CCPA (California)
Consumers can request deletion of personal information collected.
ISO 27001 / 27701
Standard for secure storage and deletion as part of information security and privacy management.
2. Key Corporate Obligations
| Obligation | Details |
|---|---|
| Retention Policy | Define retention periods for all categories of data (personal, sensitive, corporate, financial). |
| Legal Compliance | Retention aligned with IT Act, Companies Act, RBI, IRDAI, and sectoral rules. |
| Secure Deletion | Ensure data is securely deleted (digital shredding, wiping, or physical destruction). |
| Documentation & Audit | Maintain records of retention schedules, deletion activities, and approvals. |
| Consent Management | Respect customer or employee requests for deletion where legally permitted. |
| Cross-Border Considerations | Retain data according to both Indian and foreign regulatory requirements. |
| Vendor Oversight | Ensure third-party processors follow retention and deletion policies. |
| Incident Management | Retain logs for breach investigations, while securely deleting obsolete data. |
3. Risks of Non-Compliance
Regulatory Penalties – Fines under the IT Act, PDPB, RBI rules, and GDPR.
Civil Liability – Employees or customers may file claims for mishandling data.
Reputational Damage – Public exposure of outdated or unnecessary data.
Operational Risk – Increased storage costs, inefficient systems, or loss of data integrity.
Contractual Breach – Violations of agreements with clients or vendors requiring data deletion.
4. Case Laws Relevant to Data Retention and Deletion
1. Justice K.S. Puttaswamy v. Union of India (2017)
Right to privacy recognized; emphasizes limiting data retention to necessary purposes.
2. Google Spain v. AEPD & Mario Costeja (EU, GDPR)
Established right to be forgotten, requiring deletion of personal data when requested or no longer necessary.
3. Facebook / Cambridge Analytica Proceedings (India)
Highlighted corporate liability for retaining unnecessary personal data beyond the purpose consented by users.
4. Vodafone India Ltd. v. Union of India
Emphasized accurate retention of financial and customer data; improper retention can lead to liability.
5. SMC Pneumatics Ltd. v. Jogesh Kwatra
Retention of outdated client and employee data led to disputes; underscores need for proper deletion policies.
6. Delhi High Court – ICICI Bank v. Data Processor
Vendor failed to delete obsolete financial records; court emphasized contractual and statutory obligations for secure deletion.
7. HDFC Bank Ltd. v. N.V. Ramana
Employee and customer records mishandling highlighted retention beyond legal requirements and corporate accountability.
5. Director & Management Responsibilities
Corporate leadership must:
Approve board-level retention and deletion policies.
Ensure departmental adherence to retention schedules.
Oversee secure deletion practices for digital and physical data.
Maintain audit trails for deletion actions and approvals.
Monitor vendor compliance for outsourced data storage or processing.
Integrate retention/deletion obligations into corporate risk management, privacy, and ESG reporting.
Negligence in these duties exposes directors to civil, regulatory, and criminal liability.
6. Best Practices for Corporates
✔ Conduct a data inventory to classify data by type, sensitivity, and retention requirement.
✔ Define retention schedules based on statutory, contractual, and operational needs.
✔ Implement secure deletion protocols for digital and physical records.
✔ Maintain documentation of retention and deletion actions for audit purposes.
✔ Train employees and vendors on retention and deletion compliance.
✔ Align cross-border retention with foreign regulatory requirements.
✔ Periodically review and update retention policies in response to law or business changes.
✔ Integrate retention/deletion processes with incident response and breach management.
Bottom Line
Corporate data retention and deletion obligations are legally mandated and operationally critical. They:
Ensure compliance with the IT Act, PDPB, Companies Act, RBI, IRDAI, GDPR, and other regulations.
Protect sensitive corporate, employee, and customer data.
Reduce the risk of regulatory penalties, civil liability, and reputational damage.
Require board-level oversight, audit trails, and secure deletion practices.
Neglecting these obligations can result in legal sanctions, litigation, and operational inefficiency.