How does the “right to erasure” impact data retention policies for organizations?

Introduction
The “right to erasure,” also referred to as the “right to be forgotten,” is a key element of modern data protection laws. It grants individuals the legal authority to request that organizations delete their personal data when it is no longer necessary, consent is withdrawn, or the processing is unlawful. This right directly influences how organizations manage their data retention policies, compelling them to align data lifecycle practices with privacy obligations.

In the Indian context, the Digital Personal Data Protection Act, 2023 (DPDPA) formally introduces the right to erasure, bringing Indian data protection law in line with global standards like the European Union’s GDPR (General Data Protection Regulation). For organizations, this right necessitates a careful balancing act between compliance with erasure requests and obligations under data retention mandates prescribed by other laws (e.g., tax, finance, telecom, etc.).

This explanation explores how the right to erasure affects organizational data retention strategies, policies, processes, and compliance obligations.

1. What Is the “Right to Erasure”?

The right to erasure allows individuals (data principals) to request the deletion of their personal data from an organization’s systems when:

  • The data is no longer required for the purpose it was collected

  • The individual withdraws consent (and no other legal ground for processing exists)

  • The data was collected or processed unlawfully

  • The data principal objects to the processing and there are no overriding legitimate grounds

  • The data must be erased to comply with a legal obligation

In essence, this right empowers individuals to control their digital footprint and enhances their informational autonomy.

2. Right to Erasure under India’s Digital Personal Data Protection Act, 2023 (DPDPA)

Section 12(3) of the DPDPA provides that a data principal has the right to correction, completion, and erasure of their personal data. Specifically, the data fiduciary (organization) must:

  • Erase personal data once the purpose for which it was collected is no longer being served

  • Erase personal data upon withdrawal of consent unless required to be retained by law

  • Inform data principals of their right to erasure during the collection or consent process

However, the law also recognizes certain exceptions:

  • Data cannot be erased if it is required to comply with any legal obligation

  • Data required for law enforcement, taxation, fraud prevention, or contractual claims must be retained

  • Public interest or archiving purposes may override erasure in certain cases

This means that the right to erasure is not absolute and must be evaluated alongside statutory retention requirements.

3. Comparison with the EU GDPR’s Right to Erasure

Under Article 17 of the GDPR, the right to erasure follows similar grounds, with notable exceptions for:

  • Exercising the right of freedom of expression

  • Legal obligations under Union or Member State law

  • Public health and scientific research

  • Legal claims and defense in court

India’s DPDPA is conceptually aligned with these principles, though its implementation is still evolving.

4. Impact on Data Retention Policies

To comply with the right to erasure, organizations must redesign their data retention policies and processes. This includes:

a. Purpose-Based Retention Mapping
Organizations must clearly define why they collect specific data, how long it is needed, and when it should be deleted.

Example:
A travel website collecting passport details for booking international tickets must delete that data after the journey is completed and no legal disputes exist.

b. Dynamic Data Lifecycle Management
Organizations need automated or manual mechanisms to:

  • Track data subject requests

  • Review purpose expiration timelines

  • Trigger alerts for data deletion

  • Flag exceptions for legal holds

c. Erasure Workflow and Documentation
Retention policies must now include erasure request workflows, documenting:

  • Receipt of erasure requests

  • Legal evaluation of exceptions

  • Execution and confirmation of data deletion

  • Communication with the data principal

d. Technical Implementation
Organizations must ensure that erasure is complete, including:

  • Backups and archives

  • Cloud storage

  • Third-party processors and service providers

  • Structured and unstructured data sets

e. Consent Management Integration
Consent withdrawal must trigger checks on whether the personal data can still be retained. Retention policies should be linked with consent expiration tracking.

5. Conflicts Between Erasure and Mandatory Retention

Often, organizations face a legal conflict between the right to erasure and their obligations to retain data for specific periods under other laws.

Examples of Mandatory Retention Laws in India:

  • Income Tax Act: Accounting records to be preserved for 6–8 years

  • RBI KYC Norms: Customer identification data must be retained for 5 years after account closure

  • SEBI Regulations: Stock brokers must retain client records for 8 years

  • Telecom Regulations: Call detail records to be retained for 2 years

  • CERT-In Directions (2022): Logs to be stored for 180 days

In these cases, organizations cannot delete the data even if the user requests erasure. Instead, they must inform the user of the legal grounds that override the erasure request and securely retain the data for the mandated duration.

6. Privacy by Design and Policy Adaptation

To embed the right to erasure into operational practice, organizations should update their policies to reflect privacy by design principles:

  • Collect only the minimum data required

  • Set default retention limits for each data category

  • Create data classification schemas that flag personal and sensitive data

  • Ensure third parties and vendors follow the same erasure protocols via contracts and audits

7. Right to Erasure and Data Portability

When users exercise their right to erasure, they may also request portability of their data. Therefore, retention policies must accommodate both:

  • Secure transfer of data to another service provider

  • Deletion of data once the transfer is completed (subject to legal limits)

8. Record-Keeping and Accountability

Under the DPDPA, organizations must maintain records of:

  • When and how erasure was requested

  • Whether erasure was granted or denied

  • Legal grounds for retention (if applicable)

  • Dates of actual deletion

  • Impact on related systems and processes

Such logs help demonstrate compliance in case of regulatory audits or complaints to the Data Protection Board of India.
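The erasure workflow (section 4c), the statutory-hold check (section 5) and the audit record (section 8) fit together in one small policy routine. The following is an added illustration, not code from the article or from any regulator: it evaluates an erasure request against the grounds in section 2 (purpose no longer served, consent withdrawn), checks whether a mandated retention period is still running, and records the outcome so the decision can be shown to an auditor. The rule names and periods are the ones the article lists; the data-category labels, trigger events, 365-day years and sample records are constructed for the example.

```python
"""
Erasure-request evaluator with an audit register.

Added example for the article on the right to erasure; not code from the
author, the DPDPA or any regulator. Rule names and periods are taken from the
article's list of Indian retention mandates; categories, trigger events and
the data model are constructed here.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    legal_basis: str      # statute/regulation as listed in the article
    category: str         # constructed data-category label
    period: timedelta     # mandated minimum retention
    trigger: str          # event the period counts from (constructed)


# 365-day years approximate the "N years" in the mandates; a real policy
# engine would apply the calendar rule each regulator actually prescribes.
YEAR = timedelta(days=365)
RETENTION_RULES: List[RetentionRule] = [
    RetentionRule("Income Tax Act", "accounting_record", 8 * YEAR, "record_date"),
    RetentionRule("RBI KYC Norms", "kyc_identity", 5 * YEAR, "account_closed"),
    RetentionRule("SEBI Regulations", "broker_client_record", 8 * YEAR, "record_date"),
    RetentionRule("Telecom Regulations", "call_detail_record", 2 * YEAR, "record_date"),
    RetentionRule("CERT-In Directions (2022)", "system_log", timedelta(days=180), "record_date"),
]


@dataclass
class PersonalDataItem:
    item_id: str
    category: str
    purpose_served: bool                 # is the collection purpose still being served?
    consent_withdrawn: bool
    events: Dict[str, date] = field(default_factory=dict)   # trigger event -> date


@dataclass
class ErasureDecision:
    item_id: str
    requested_on: date
    action: str                          # "erase" | "retain" | "decline"
    grounds: str                         # reason communicated to the data principal
    retain_until: Optional[date] = None  # set when a statutory hold applies
    erased_on: Optional[date] = None     # date of actual deletion, once it happens


def evaluate(item: PersonalDataItem, requested_on: date) -> ErasureDecision:
    """Apply the section 2 grounds, then the section 5 holds, to one item."""
    if item.purpose_served and not item.consent_withdrawn:
        return ErasureDecision(item.item_id, requested_on, "decline",
                               "purpose still being served and consent not withdrawn")
    active_holds = []
    for rule in RETENTION_RULES:
        if rule.category != item.category:
            continue
        if rule.trigger not in item.events:
            # A missing trigger date is a data-quality defect; refuse to guess.
            raise ValueError(f"{item.item_id}: no {rule.trigger!r} date, "
                             f"cannot assess {rule.legal_basis} hold")
        until = item.events[rule.trigger] + rule.period
        if until > requested_on:
            active_holds.append((until, rule.legal_basis))
    if active_holds:
        until, basis = max(active_holds)          # longest-running hold governs
        return ErasureDecision(item.item_id, requested_on, "retain",
                               f"retention mandated by {basis} until {until.isoformat()}",
                               retain_until=until)
    ground = "consent withdrawn" if item.consent_withdrawn else "purpose no longer served"
    return ErasureDecision(item.item_id, requested_on, "erase", ground)


class ErasureRegister:
    """Section 8 audit trail: each request, its outcome, and when deletion happened."""

    def __init__(self) -> None:
        self.decisions: List[ErasureDecision] = []

    def record(self, item: PersonalDataItem, requested_on: date) -> ErasureDecision:
        decision = evaluate(item, requested_on)
        self.decisions.append(decision)
        return decision

    def mark_erased(self, item_id: str, on: date) -> None:
        for d in self.decisions:
            if d.item_id == item_id and d.action in ("erase", "retain"):
                d.erased_on = on

    def due_for_erasure(self, today: date) -> List[str]:
        """Held items whose mandated period has lapsed and which are still not erased."""
        return [d.item_id for d in self.decisions
                if d.action == "retain" and d.erased_on is None
                and d.retain_until is not None and d.retain_until <= today]


# Constructed sample records and dates for the walk-through.
REQUEST_DATE = date(2025, 1, 15)
HOLD_CHECK_DATE = date(2027, 6, 1)
SAMPLE_ITEMS = [
    PersonalDataItem("kyc-001", "kyc_identity", purpose_served=False, consent_withdrawn=True,
                     events={"account_closed": date(2022, 6, 1)}),
    PersonalDataItem("log-042", "system_log", purpose_served=False, consent_withdrawn=False,
                     events={"record_date": date(2024, 1, 1)}),
    PersonalDataItem("web-777", "browsing_history", purpose_served=True, consent_withdrawn=True),
    PersonalDataItem("ord-009", "accounting_record", purpose_served=True, consent_withdrawn=False,
                     events={"record_date": date(2024, 9, 30)}),
]

if __name__ == "__main__":
    register = ErasureRegister()
    for item in SAMPLE_ITEMS:
        d = register.record(item, REQUEST_DATE)
        print(f"{d.item_id}: {d.action} ({d.grounds})")
    print("due once the hold lapses:", register.due_for_erasure(HOLD_CHECK_DATE))
```

In the walk-through the KYC record is held under the five-year rule and surfaces in `due_for_erasure` only after that period lapses, the 180-day log entry is already past its hold and is erased, the browsing history has no statutory hold and is erased on consent withdrawal, and the accounting record with a live purpose and active consent is declined. The register keeps the grounds for each outcome, which is the evidence section 8 asks organizations to be able to produce.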

9. Sectoral Sensitivity and Customization

Retention policies must be customized based on sector-specific rules and the sensitivity of data.

Examples:

  • E-commerce: Retain transaction history for tax and returns; erase browsing history on request

  • Healthcare: Retain medical records for clinical and insurance use; erase app usage data when no longer needed

  • Education: Retain certificates and scorecards; erase learning behavior analytics when consent is withdrawn

10. Challenges in Implementation

  • Legacy Systems: Older databases may not support targeted deletion

  • Third-Party Vendors: Erasure coordination across processors can be complex

  • Cloud Storage: Ensuring data deletion in multi-region cloud environments

  • Cross-Border Transfers: Different jurisdictions may impose conflicting retention rules

  • Data Duplication: Erasure must ensure all copies are deleted, including cached data

Conclusion

The right to erasure under India’s DPDPA significantly reshapes how organizations must think about and implement data retention. No longer can data be stored indefinitely without consequence. Organizations must adopt flexible, compliant, and transparent retention policies that integrate erasure protocols, purpose-based justification, and statutory exception handling.

In practice, this means investing in data governance tools, privacy-enhancing technologies, and employee training to handle erasure requests legally and ethically. While the right to erasure empowers users, it also demands a more accountable and responsive data culture within organizations. Ultimately, this contributes to a more secure and privacy-respecting digital ecosystem in India.

Priya Mehta