DPDPA Data Erasure: Procedures, Purpose Limitation, and the Pre-Erasure Notice

The Digital Personal Data Protection Act, 2023 (DPDPA) reinforces the principle that personal data should not be held indefinitely. Data Fiduciaries have clear obligations regarding the erasure of personal data, both upon the request of a Data Principal and when the purpose for which the data was collected is no longer served. The Draft DPDP Rules further introduce specific procedural elements, such as a pre-erasure notification period.

Understanding these erasure requirements is crucial for Data Fiduciaries to ensure compliance, manage data lifecycles effectively, and respect the rights of individuals. This article explores the DPDPA’s data erasure provisions and the practical steps businesses need to implement.

The Dual Triggers for Data Erasure under DPDPA

The DPDPA outlines two primary scenarios under which a Data Fiduciary must erase personal data:

1. Data Principal’s Right to Erasure

Data Principals have the right to request the erasure of their personal data from a Data Fiduciary, particularly where the processing was based on their consent or voluntary provision of data. Upon receiving such a request, the Data Fiduciary must erase the personal data unless retention is necessary for:

• The specified purpose for which it was collected (if that purpose is still active and valid).
• Compliance with any law for the time being in force (e.g., legal record-keeping obligations under financial regulations, tax laws, etc.).

2. Purpose Limitation and Automatic Erasure

The DPDPA mandates that a Data Fiduciary must erase personal data (and cause its Data Processors to erase any data made available to them) when:

• The Data Principal withdraws her consent (and there is no other lawful basis for continued processing for that purpose).
• It is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.

This “purpose no longer served” principle is a proactive obligation on the Data Fiduciary, meaning erasure should occur even without a specific request from the Data Principal once the data is no longer needed for its original, stated purpose.

Defining “Purpose No Longer Served” and Draft Rules

The DPDPA clarifies that the purpose shall be deemed to no longer be served if the Data Principal does not approach the Data Fiduciary for the performance of the specified purpose AND does not exercise any of her rights in relation to such processing, for a time period as may be prescribed.

The Draft Digital Personal Data Protection Rules, 2025 provide further context on these “prescribed periods” for specific classes of Data Fiduciaries and purposes. For instance, the Third Schedule currently suggests a three-year period of inactivity for e-commerce entities and social media intermediaries (for most purposes, excluding access to user accounts or virtual tokens). (It is crucial to remember these are draft provisions and are subject to change.)

The 48-Hour Pre-Erasure Notice

A significant procedural requirement introduced in the Draft DPDP Rules is the pre-erasure notification. This draft rule states that “At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.”

Implications of the Pre-Erasure Notice:

• Operational Complexity: Implementing a system to track inactivity periods for all users and purposes, and then issuing a reliable 48-hour notice before automated erasure, can be operationally complex, especially for businesses with large user bases.
• User Re-engagement Opportunity (and Potential Annoyance): While intended as a safeguard, this notice also acts as a prompt for users who might wish to continue the service or retain their data. However, for users who genuinely want their data erased after inactivity, this notice might be seen as an unnecessary interaction.
• Technical Implementation: Requires robust systems to:
  • Accurately track the “last approached” date or “last rights exercised” date for each Data Principal concerning specific purposes.
  • Reliably trigger and send the pre-erasure notification through appropriate channels (e.g., registered email, in-app notification).
  • Halt the erasure process if the user re-engages within the 48-hour window.
  • Securely erase the data if no re-engagement occurs.

Practical Steps for Implementing Data Erasure Procedures

Data Fiduciaries need to establish clear and effective procedures for data erasure:

1. Develop a Data Retention Policy & Schedule:
   • Define clear retention periods for different categories of personal data, based on the purposes of processing and any legal/regulatory obligations. This policy should align with DPDPA’s purpose limitation principle and any prescribed periods from the (finalised) DPDP Rules.
   • Document the justification for each retention period.
2. Integrate Erasure into Data Lifecycle Management:
   • Build erasure mechanisms into your systems and processes from the design stage.
   • Automate erasure where possible, based on the retention schedule and inactivity triggers.
3. Establish a Process for Handling Erasure Requests:
   • Use the same accessible channels provided for other Data Principal rights (as discussed in our article on “Building an Efficient Data Principal Rights System”).
   • Implement robust identity verification for erasure requests.
   • Define a clear workflow for assessing the validity of the request, checking for legal retention obligations, and executing the erasure.
4. Technical Measures for Erasure:
   • Define what “erasure” means in your technical context (e.g., cryptographic erasure, secure deletion, anonymisation if appropriate and effective to DPDPA standards).
   • Ensure data is erased from all systems, including primary databases, archives, and backups (within a reasonable timeframe for backups).
5. Coordinate with Data Processors:
   • Ensure your contracts with Data Processors obligate them to erase personal data upon your instruction and in line with DPDPA requirements.
   • Establish clear communication channels for issuing and confirming erasure instructions.
6. Implement the Pre-Erasure Notification System (Based on Final Rules):
   • Develop a system to track user inactivity against prescribed periods (once finalised).
   • Automate the 48-hour pre-erasure notification to Data Principals.
   • Ensure mechanisms are in place to pause erasure if the user re-engages.
7. Maintain Erasure Logs:
   • Keep auditable records of all erasure activities, including Data Principal requests, automated erasures based on purpose completion/inactivity, and confirmations of deletion. This is vital for demonstrating compliance.

Challenges in Data Erasure

• Technical Complexity: Securely erasing data from all distributed systems, backups, and logs can be technically challenging.
• Defining “Reasonable to Assume”: Interpreting when a purpose is “no longer served” beyond prescribed inactivity periods can be subjective and requires careful internal assessment and documentation.
• Balancing Erasure with Other Obligations: Ensuring erasure requests do not conflict with overriding legal or regulatory data retention mandates.

Conclusion: Proactive Erasure as a Core DPDPA Tenet

The DPDPA’s provisions on data erasure, including the Data Principal’s right to request it and the Data Fiduciary’s proactive obligation to erase data once its purpose is fulfilled, are central to the Act’s goal of minimising data holdings and respecting individual autonomy. The introduction of a pre-erasure notice in the Draft Rules adds a specific procedural layer that businesses must prepare for.

By developing clear data retention policies, robust technical erasure capabilities, efficient request handling workflows, and systems to manage the pre-erasure notification (once rules are finalised), Data Fiduciaries can meet these critical DPDPA obligations. This proactive approach to data erasure not only ensures compliance but also enhances data hygiene and reinforces trust with Data Principals.

Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023, and the Draft DPDP Rules, which are subject to change. For advice on specific legal issues, please consult a qualified legal professional.