What are the legal requirements for data retention periods under Indian laws (e.g., DPDPA)?

FBI Support Cyber Law Knowledge Base (https://fbisupport.com), Data Retention & Deletion Laws. Published Fri, 04 Jul 2025. Source: https://fbisupport.com/legal-requirements-data-retention-periods-indian-laws-e-g-dpdpa/

Introduction
Data retention refers to the obligation of organizations to preserve certain categories of data for a legally specified period. In India, data retention requirements are shaped by multiple legal instruments, including the Information Technology Act, 2000, Digital Personal Data Protection Act, 2023 (DPDPA), and sector-specific regulations issued by authorities like RBI, SEBI, TRAI, and others. These requirements are intended to balance the need for national security, legal compliance, and accountability with the privacy rights of individuals.

India does not have a single unified law prescribing data retention periods across all sectors. Instead, the retention mandates are fragmented, and often vary depending on the type of data (personal, financial, telecom, etc.), the regulator involved, and the purpose (legal investigation, audit, compliance, etc.). The introduction of the DPDPA in 2023 has brought more structure to personal data processing, including retention, but exemptions and overlaps still exist.

1. Retention Periods Under the Digital Personal Data Protection Act, 2023 (DPDPA)
The DPDPA, India’s comprehensive privacy law, regulates the collection, processing, storage, and deletion of personal data. Although it does not specify fixed retention periods, it establishes clear principles and obligations regarding data retention.

Key Principles Under DPDPA:

  • Purpose Limitation: Personal data can only be retained for as long as it is necessary to fulfill the specified purpose for which it was collected.

  • Storage Limitation (Section 8(7)): Once the purpose is fulfilled, and retention is no longer necessary for legal or business purposes, the data must be erased.

  • User Rights: Data principals (i.e., individuals) have the right to request erasure of personal data if the purpose of processing is no longer served.

  • Notice Requirement: The data fiduciary (the organization handling the data) must inform users about the expected retention period or the criteria used to determine it in the privacy notice.

Example:
If an e-commerce platform collects delivery address data for order fulfillment, it must delete that data once the transaction is complete and the return window has expired, unless required by law or taxation rules to retain it longer.

2. IT Act, 2000 and Rules for Data Retention
The Information Technology Act, 2000 and its associated rules provide specific retention periods for entities like intermediaries and cyber cafes.

a. Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021:

  • Rule 3(1)(h): Intermediaries must retain user data for 180 days after the user has deactivated the account or withdrawn the service.

b. Cyber Café Rules, 2011:

  • Cyber cafes must retain user logs, identity proofs, and session data for one year, and make them available to law enforcement upon request.

c. CERT-In Directions (April 2022):

  • Under powers derived from the IT Act, CERT-In mandated that all service providers, intermediaries, data centers, and VPN providers must store logs for 180 days, and report cyber incidents within 6 hours.

3. Sector-Specific Data Retention Mandates in India

a. Banking and Financial Services – RBI Guidelines:

  • KYC Documents: As per RBI Master Directions on KYC, customer identification data must be retained for 5 years after the end of the business relationship or the account closure.

  • Transaction Records: Transaction data must be stored for 5 years as per Prevention of Money Laundering Act (PMLA), 2002.

  • Cybersecurity Incident Logs: RBI requires banks to retain logs and incident reports for at least 6 years, per its Cybersecurity Framework (2016).

b. Securities and Investments – SEBI Guidelines:

  • Stock brokers, mutual fund agents, and investment advisors must retain client data, communication, and transaction history for 8 years after the client exits.

c. Telecom Sector – TRAI and DoT Regulations:

  • Call Detail Records (CDRs) and Internet usage logs must be retained by telecom companies for at least 2 years, as per Department of Telecommunications (DoT) guidelines.

  • Internet service providers must also store logs of IP addresses and session logs for 2 years, to assist in criminal investigations.

d. Insurance Sector – IRDAI:

  • Insurers are required to preserve policy documents, premium payment history, and claim records for a minimum of 7 years after policy lapse or claim settlement.

e. Education and UGC Norms:

  • Universities and institutions must retain examination papers, answer scripts, and student records for 8 years, per University Grants Commission (UGC) guidelines.

f. Corporate and Tax Laws – Companies Act, 2013:

  • As per Section 128(5), every company must retain books of account and relevant documents for 8 financial years preceding the current financial year.

4. Legal Retention for Investigations and Law Enforcement

a. Indian Penal Code, CrPC, and Evidence Act:

  • In criminal matters, there is no fixed limitation on retention. Law enforcement agencies may require retention of evidence (emails, logs, CCTV footage, digital records) for the entire duration of investigation, trial, or appeal process.

b. Aadhaar (Targeted Delivery of Financial and Other Subsidies) Act, 2016:

  • UIDAI must retain authentication logs for 6 months and archive them for a maximum of 5 years, after which the data must be deleted.

5. Conflict Between Retention and Deletion Rights

One major legal tension exists between mandatory retention requirements and the right to be forgotten (RTBF) under privacy laws. For instance:

  • A customer may request the deletion of their account and data from a telecom operator, but TRAI regulations require the operator to retain CDRs for 2 years. In such cases, the statutory retention obligation overrides the deletion request.

6. Retention Policies Under Indian Contract Act, 1872

In commercial transactions, contracts may specify retention periods based on warranty, support, liability, or limitation periods. If not otherwise prescribed, parties follow the general limitation period of 3 years for civil claims under the Limitation Act, 1963.

7. DPDPA vs. Sectoral Laws: Who Prevails?

Under Section 29 of the DPDPA, the central government may issue rules to harmonize conflicts between data protection rules and sector-specific regulations. However, until such harmonization is done, specific sectoral laws prevail when they impose stricter or longer retention mandates.

Example:
Even if DPDPA suggests deletion of data once the purpose is fulfilled, a financial institution cannot erase KYC data before 5 years due to the RBI and PMLA mandates.

8. Organizational Responsibilities Regarding Retention

Under DPDPA and other rules, organizations must:

  • Document and justify data retention periods in their privacy policy

  • Use secure storage and access controls

  • Periodically review and delete data that no longer serves any legal or operational purpose

  • Maintain audit trails of the data lifecycle (creation, access, use, and deletion)

  • Appoint a Data Protection Officer (if the organization is a Significant Data Fiduciary) to ensure compliance

Conclusion

Data retention in India is governed by a mix of broad privacy principles, specific legal mandates, and sectoral regulations. The DPDPA lays the foundation by emphasizing purpose limitation and data minimization, but it deliberately avoids hard-coding retention periods, relying instead on contextual relevance and sectoral laws.

For businesses, this means implementing a data retention policy that maps applicable laws, identifies record-keeping obligations, and integrates both compliance and privacy standards. Over-retention may expose entities to regulatory risks under privacy laws, while under-retention may lead to non-compliance in sectors like banking, telecom, or insurance.
