

For years, Indian businesses treated customer data like an asset you never throw away. The DPDP Act 2023 flips that thinking: storage limitation is a core principle, and DPDP data retention rules now require you to erase personal data once you no longer have a valid reason to hold it.
The DPDP data erasure rules are simple to state: delete personal data when the purpose has been served or when the person withdraws consent. But applying them across every database, backup, spreadsheet, and vendor system takes a proper retention schedule and, ideally, automated deletion.
This page walks through the rules, including the special ones for large platforms, and how to build a retention policy that actually works.
No cost. No obligation. Get your compliance gap report.
| Rule | What It Means | Who It Applies To |
|---|---|---|
| Erase when purpose is served | Delete personal data once the reason you collected it no longer exists | Every Data Fiduciary |
| Erase on consent withdrawal | When a user withdraws consent, stop processing and erase their data | Every Data Fiduciary |
| 1-year minimum log retention | Keep security and processing logs for at least 1 year, tamper-resistant | Every Data Fiduciary |
| 3-year retention/erasure rule | Erase data of inactive users after the 3-year window under the Rules | Large platforms: e-commerce with 2 Cr+ users, social media, gaming |
| 48-hour pre-erasure notice | Notify the user at least 48 hours before erasing their data | Certain platforms covered by the retention rules |
Note the tension by design: user data gets deleted, but logs stay at least 1 year. Your retention schedule has to handle both, and your security safeguards must keep those logs tamper-resistant.
A retention policy is only real when it runs on its own. Here is the path from paper to automation.
Map every place personal data lives: databases, CRMs, spreadsheets, email lists, backups, and vendor systems. You can't delete what you can't find.
For each data category, record the purpose it serves and the event or period after which that purpose ends, that's your deletion trigger.
Some data must be kept longer under tax, labour, or sector laws. Document the exceptions so deletion doesn't break another obligation.
Manual deletion fails quietly. Set up automated jobs that erase or anonymize data when its clock runs out, including in backups and archives.
Your processors must delete data on the same schedule. Put it in writing through a data processing agreement, you stay legally responsible for them.
Keep deletion logs and evidence. Our free audit checks your retention setup end to end.
Book Free AuditThe DPDP Rules 2025 add a stricter layer for the biggest data holders. If you run an e-commerce platform with 2 crore or more users, a social media platform, or a gaming platform, the 3-year retention and erasure rule applies: personal data of inactive users must be erased once the retention window closes.
Certain platforms must also give users a 48-hour pre-erasure notice before deletion, a heads-up that lets the user log in or act if they want their data kept. Practically, this means your deletion pipeline needs a notification step built in, not just a cron job that drops rows.
Even if you're nowhere near 2 crore users, the direction of travel is clear: regulators expect deletion to be systematic, evidenced, and automatic. Building it now is far cheaper than retrofitting it later.
Consent rules become mandatory on 13 November 2026, and full enforcement, including retention and erasure duties, begins 13 May 2027. Compliance setup takes 2-6 months, and automated deletion is one of the slower pieces to build.
Retention is one obligation among many. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.
When it's no longer needed: either the purpose it was collected for has been served, or the person has withdrawn consent. Keeping data "just in case" isn't allowed unless a legal obligation requires retention.
Large platforms, e-commerce companies with 2 crore or more users, social media platforms, and gaming companies, must erase personal data of inactive users under the 3-year retention and erasure rule in the DPDP Rules 2025.
Certain platforms covered by the retention rules must notify a user at least 48 hours before erasing their personal data, giving them a chance to log in or act if they want the data retained.
A minimum of 1 year, in tamper-resistant form. Log retention sits inside the Rule 6 reasonable security safeguards, the obligation that carries the highest penalty tier of ₹250 crore.
Our free audit reviews what you store, how long you keep it, and whether your deletion actually happens, with a gap report and roadmap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.