Sector Specific FAQs on the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and Digital Personal Data Protection Rules (“Rules”) 2025

17 Mar 2026 | India

FAQ 1: What steps should a bank/Non Banking Financial Company (“NBFC”) take during the transition period to ensure compliance with the DPDP framework?

The transition period may be utilised to achieve compliance in a phased manner, depending on the scale of the organisation and the resources required. Some indicative steps are set out below for ease of reference:

  • Phase I: Identification of Personal Data Touchpoints: Identify all touchpoints of personal data collection, whether undertaken directly by the bank/NBFC or indirectly from third-party sources.
  • Phase II: Purpose Classification: Establish a purpose classification framework across all data touchpoints and assess whether the personal data sets currently being collected are necessary for such purpose. Focus on minimising the data points and associated risk exposure.
  • Phase III: Role Assessment: Determine, for each identified purpose of personal data processing, whether the bank/NBFC acts as a data fiduciary or a data processor (Please see FAQ 2 for more information on the metrics of role assessment).
  • Phase IV: Data Fiduciary Specific Considerations: Where the bank/NBFC is identified as a data fiduciary, assess:
  1. whether the relevant purpose is exempt under the DPDP Act, qualifies as a legitimate use, or requires explicit consent (Please see FAQs 3 and 4 for more information on consent requirements and legitimate use cases for personal data processing);
  2. whether a notice is required to be provided to the data principal (Please see FAQ 4 for more information on notice requirements);
  3. the manner in which consent is to be sought, where applicable (Please see FAQ 3 for more information on consent requirements);
  4. the appropriate retention period for personal data associated with the relevant purposes, including whether extended retention is required to comply with applicable laws or RBI directives (Please see FAQ 5 for more information on retention obligations);
  5. whether the scale and nature of processing is likely to result in classification as a significant data fiduciary (Please see FAQ 10 for more information on significant data fiduciaries);
  6. whether personal data is shared with third parties and whether valid and binding data sharing arrangements are in place; and 
  7. the roles of such third parties or vendors, including whether they function as data processors or joint data fiduciaries.
  • Phase V: Documentation and Processes
  1. Update and execute data processing agreements and other contractual arrangements with third parties (whether acting as data fiduciaries or data processors) to ensure adequate contractual safeguards, including representations, warranties, counterparty obligations and limitation of liability clauses, in compliance with the DPDP Act (Please see FAQ 6 for more information on key considerations while engaging with third party vendors and service providers).
  2. Draft and update (as applicable) internal and external documentation governing collection, processing, and management of personal data, in line with the DPDP Act, including internal and consumer-facing privacy policies, policies and standard operating procedures (“SOPs”) for onboarding of data processors, and organisation-wide policies for data handling, sharing, retention, erasure, breach reporting, and grievance redressal.
  3. Review contracts and arrangements with vendors, distributors, retailers, and other third parties involving sharing or processing of personal data, including identification and assessment of potential joint data fiduciary scenarios that may arise from co-lending arrangements, credit bureau reporting relationships, payment gateway integrations and engagement of KYC service providers (Please see FAQ 2 for more information on joint fiduciary scenarios).
  4. Draft template agreements for personal data collection, processing and management, including request for consent and notice formats in all required languages, clearly setting out the specific purposes for collection and use across different use cases.
  5. Put in place a comprehensive grievance redressal and request handling mechanism, including appointment of a grievance redressal officer for data principals, establishment of dedicated channels for resolving customer grievances under supervision of said officer, formulation of a customer-facing grievance redressal policy with contact details, and an internal policy to identify and route complaints to other relevant data fiduciaries, where applicable (Please see FAQ 12 for more information on grievance redressal mechanisms).
  6. Establish a DPDP-compliant vendor assessment process, including pre-engagement due diligence, conflict checks, and security testing.
  • Phase VI: Other ancillary but important checks
  1. Should the bank/NBFC qualify as a significant data fiduciary, assess the applicable compliance obligations, including appointment of a Data Protection Officer (“DPO”) and an independent data auditor, and conduct of a Data Protection Impact Assessment (Please see FAQ 10 for more information on significant data fiduciaries).
  2. Implement updates to user interfaces so that data principals are provided all necessary options and functionalities, such as verifiable consent, access to information relating to their personal data, withdrawal of consent, and grievance redressal.
  3. Identify the location of data processing and the associated restrictions on cross-border data transfers, in the context of restricted jurisdictions.
  4. Train relevant personnel/employees of the bank/NBFC on the DPDP Act and the Rules; and
  5. Assess the applicability of enhanced or special obligations that may apply to the bank/NBFC and implement sector-specific measures to ensure compliance (Please see FAQs 12 and 14 for more information on sector-specific obligations applicable to a bank/NBFC).


FAQ 2: How do I determine whether a bank/NBFC would be classified as a data fiduciary, data processor, or joint data fiduciary under the DPDP framework?

The classification of a bank/NBFC under the DPDP Act and the Rules depends primarily on who determines the purpose and means of processing personal data in the relevant processing activity. Banks and NBFCs will generally be regarded as data fiduciaries when they collect and process customer personal data (either directly or with the help of outsourced service providers) for purposes such as onboarding, KYC, credit assessment, transaction processing, fraud monitoring, or compliance with regulatory obligations. In such cases, the bank/NBFC determines both the purpose (“why”) and the means (“how”) of processing and therefore assumes the full set of obligations applicable to data fiduciaries under the DPDP Act.

A bank/NBFC will be regarded as a data processor only where it processes personal data solely on behalf of and under the instructions of another entity and does not independently decide the purpose or means of processing such data. This role is likely to arise in limited, specific scenarios, such as when a bank/NBFC provides backend support or services strictly in accordance with the directions of another financial institution.

A joint data fiduciary role arises when such a bank/NBFC jointly determines the purpose and means of processing personal data together with another entity. In the context of operations of a bank/NBFC, this may include:

  • Co-branded credit card programmes involving shared decision-making on customer data usage;
  • Co-lending or digital lending marketplace models wherein the bank/NBFC and its partner jointly determine the purpose and means of processing personal data; and
  • Collaborations with corporate partners for employee-benefit programmes or co-created service arrangements involving joint decisions on data usage.

In such cases, an explicit contractual framework should outline the respective obligations of each party, mechanisms for managing data principal rights, and the allocation of shared accountability. Accordingly, banks and NBFCs must assess each processing activity and third-party engagement to determine whether they retain decision-making control over the purpose and means of processing.

FAQ 3: When is a bank/NBFC required to obtain consent from customers for processing their personal data under the DPDP framework?

A bank/NBFC must obtain the consent of the data principal before collecting or processing their personal data, unless such processing is exempt or undertaken for a recognised legitimate use under the DPDP Act (Please see FAQ 4 in this regard). Consent must be free, specific, informed, unconditional and unambiguous, and conveyed through a clear affirmative action indicating agreement to the processing of personal data for the specified purpose. Banks and NBFCs must also ensure that consent expressly covers the involvement of third-party vendors, including disclosures on what categories of data will be processed by such vendors and for which specific financial service or operational purpose.

FAQ 4: Where is consent not required? Is a bank/NBFC still required to provide a notice to the concerned data principals under the DPDP framework where consent is not required?

Under the DPDP Act, banks and NBFCs may process the personal data of a data principal without obtaining consent of such data principal for any of the following legitimate uses:

  • For any specified purpose that can be reasonably presumed by the data principal, and where the data principal voluntarily provides her personal data to the entity;
  • Where the processing falls within the scope of employment, including for the prevention of corporate espionage, protection of confidentiality, or provision of any service or benefit sought by an employee;
  • For fulfilling an existing legal obligation to disclose information to Government actors. This is, however, subject to the processing being in accordance with the information disclosure requirements under any law in force;
  • Where the processing is required to respond to a medical emergency involving the data principal or to provide health-related measures to any individual during an epidemic or public health threat;
  • Where the processing is necessary to ensure safety or provide assistance during a disaster or breakdown of public order.

Certain categories of personal data processing are specifically exempt under the DPDP Act and accordingly do not require consent from the data principal. Exemptions particularly relevant for banks and NBFCs include: (i) processing necessary for enforcing any legal right or claim; (ii) processing required by courts, tribunals or statutory authorities in the performance of judicial, regulatory or supervisory functions; (iii) processing for the prevention, detection or investigation of offences; and (iv) processing necessary to ascertain the financial information and liabilities of a loan defaulter from a financial institution (subject to other applicable laws). In such cases, the data fiduciary remains bound primarily by the obligation to implement reasonable security safeguards in order to prevent personal data breaches.

Separately, the processing of personal data for research, archiving, or statistical purposes is also exempt under the DPDP Act and the Rules, provided that such data is not used to make decisions specific to a data principal. While consent of the data principal is not required in these cases, processing must nevertheless comply with prescribed standards, including lawful processing, data minimisation, and applicable retention limits.

While, as a general rule, notice need not be provided where the requirement to obtain consent from the data principal does not arise, the position is different in the legitimate use scenario where the data principal voluntarily provides her personal data for a specific purpose. This is because “specified purpose” as defined under the DPDP Act corresponds to the purpose mentioned in the notice given by the data fiduciary to the data principal. Accordingly, banks/NBFCs must ensure that the purpose for which the data is voluntarily provided is expressly set out in the notice before processing begins.

FAQ 5: How can a bank/NBFC determine the retention period for the personal data being processed by it?

An entity may process personal data until the data principal withdraws her consent to the processing or until it is reasonable to assume that the specified purpose of the processing is no longer being served. From the date of such event, in respect of processing of personal data undertaken by the bank/NBFC or by a third party on its behalf, the bank/NBFC is required to retain the personal data, including the associated traffic data and processing logs, for a period of 1 (one) year for use by government actors for purposes including: (i) the interest of the sovereignty and integrity of India or the security of the State; (ii) performance of any legally mandated function; (iii) disclosure of any information to fulfil any other legal obligation; or (iv) carrying out an assessment for the notification of any data fiduciary or class of data fiduciaries as a significant data fiduciary.

When determining the appropriate retention period, the bank/NBFC must apply the longer period wherever sector-specific laws or regulations (such as those issued by the RBI, SEBI, IRDAI or any other applicable authority) mandate extended retention of specific data sets such as identity documents, KYC information and account-based transaction records. Data retained pursuant to sectoral legislation may be used exclusively to fulfil the legal obligation that justifies its retention. The bank/NBFC must also ensure that its data processors and vendors adhere to the same retention and erasure timelines. To operationalise these obligations, banks and NBFCs should implement robust data mapping practices and structured retention scheduling mechanisms, train relevant personnel on determining applicable retention periods and erasure requirements, maintain audit trails for all retention-related decisions, and periodically review and update retention schedules to reflect changes in applicable laws and regulations.

FAQ 6: What are the key considerations under the DPDP framework for banks and NBFCs when engaging third-party vendors and service providers in the course of lending operations?

Banks and NBFCs remain responsible for compliance with the DPDP Act for any processing carried out by third-party vendors on their behalf. Accordingly, all vendor engagements must incorporate appropriate technical and organisational measures to ensure the bank/NBFC’s compliance with the DPDP Act and the Rules and should factor in the following considerations:

  • Ensure all data sharing engagements are governed by valid contracts containing comprehensive DPDP-compliant clauses;
  • Ensure requests for consent and privacy notices explicitly cover processing by third-party vendors;
  • Establish mechanisms to immediately propagate consent withdrawal across the entire vendor chain;
  • Maintain comprehensive records of consent and notice chains, vendor disclosures, and data sharing arrangements;
  • Contractually restrict vendors to processing personal data only for specified purposes and prohibit any unauthorised secondary use;
  • Perform pre-engagement security assessments before vendor onboarding and ongoing monitoring while engaging with third-party vendors;
  • Ensure that reasonable security safeguards are implemented and maintained throughout the entire vendor ecosystem;
  • Document vendor locations and ensure compliance with transfer restrictions and sectoral data localization mandates;
  • Require vendors to notify the bank/NBFC of any personal data breach immediately, so that the bank/NBFC can meet its own breach notification obligations and the parallel regulatory reporting obligations that apply;
  • Maintain comprehensive internal and external documentation of vendor relationships and data flows;
  • Provide periodic training to internal teams, vendors, and customers on DPDP obligations; and
  • Implement role-based access controls and clearly defined immediate termination protocols for vendors.

FAQ 7: What is a Data Protection Impact Assessment (“DPIA”), and in what scenarios may banks and NBFCs need to consider undertaking one?

A DPIA is a systematic process mandated under the DPDP Act and the Rules to assess and manage risks associated with personal data processing activities and comprises the following: 

  • A description of the rights of data principals and the purpose of processing of their personal data;
  • Assessment and management of the risks to the rights of data principals; and
  • Such other matters regarding such processing as may be prescribed.

Banks and NBFCs will be required to undertake a DPIA only if they are classified as a significant data fiduciary. The Central Government may notify any data fiduciary or class of data fiduciaries as a significant data fiduciary based on an assessment of certain specified factors. Given the scale and nature of operations, banks and NBFCs processing large volumes of sensitive financial data are likely to be assessed under these criteria, particularly the factor relating to the volume and sensitivity of personal data processed (Please see FAQ 10 for more information on significant data fiduciaries).

However, even if a bank/NBFC is not classified as a significant data fiduciary, it may consider voluntarily undertaking DPIAs in the following scenarios, as a best practice measure:

  • When processing large volumes of customer financial data, credit information, transaction histories, or wealth management data; 
  • When launching new lending products, digital banking services, or fintech partnerships that involve novel data processing activities;
  • When offering financial products or services targeted at minors or involving the processing of children's personal data;
  • When establishing new vendor relationships or data-sharing arrangements involving multiple third parties in the lending value chain;
  • When establishing new cross-border data transfer arrangements or engaging offshore service providers;
  • When implementing significant changes to existing data processing operations, purposes or technologies; and 
  • When reviewing and enhancing security safeguards following a personal data breach incident.

FAQ 8: How can data erasure requirements be implemented across all data processors once the purpose of processing is fulfilled or upon contract termination?

Implementing data erasure requirements across the entire data processor ecosystem is a critical compliance obligation for banks and NBFCs under the DPDP Act and the Rules. Data fiduciaries must ensure erasure not only within their own systems but also across all engaged data processors, which creates operational and technical challenges that call for a systematic implementation framework. Banks and NBFCs can implement data erasure requirements across all data processors in the following manner:

  • Establish comprehensive contractual safeguards with clear erasure obligations, timelines and verification requirements;
  • Deploy automated systems to detect erasure triggers (such as withdrawal of consent or completion of the specified purpose), propagate erasure requests to each processor, and verify completion;
  • Implement dedicated oversight structures, standardised workflows, and active monitoring of erasure activity;
  • Periodically verify erasure compliance through independent audits;
  • Adopt a multi-layered approach covering erasure across production, backup, log, and disaster recovery systems;
  • Keep records of erasure requests, confirmations, and exceptions;
  • Train internal teams and processors on erasure-related obligations;
  • Align erasure processes with applicable sectoral retention requirements (e.g. data retention requirements prescribed by the RBI, SEBI, IRDAI, etc.); and
  • Regularly review and enhance erasure processes based on audit findings and industry best practices.
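The retention rule in FAQ 5 (the longer applicable period prevails, and data held under a sectoral mandate is reserved for that purpose) and the erasure trigger, propagation, verification and record-keeping steps listed above can be tied together in a single workflow. The following Python sketch is an added example written for this page; it is not code from the page's authors, from any regulator, or from any product. It assumes a one-year period approximated as 365 days, in-memory stand-ins for vendor erasure APIs, and a hypothetical five-year sectoral retention mandate; the record identifiers, processor names and the rule label are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed approximation of the one-year retention period described in FAQ 5;
# a production system would compute calendar years and confirm the start date with counsel.
ONE_YEAR = timedelta(days=365)


@dataclass
class RetentionRule:
    """A sectoral retention mandate that may outlast the DPDP period (label is hypothetical)."""
    label: str
    retain_until: date


@dataclass
class ErasureRequest:
    record_id: str
    trigger: str            # "consent_withdrawn" or "purpose_served"
    trigger_date: date
    sectoral_rules: list = field(default_factory=list)


def erasure_due_date(req: ErasureRequest) -> tuple:
    """Return (due date, basis): the longer of the DPDP one-year post-trigger period
    and any sectoral retention mandate prevails."""
    due, basis = req.trigger_date + ONE_YEAR, "DPDP one-year retention after trigger"
    for rule in req.sectoral_rules:
        if rule.retain_until > due:
            due, basis = rule.retain_until, rule.label
    return due, basis


class InMemoryProcessor:
    """Stand-in for a vendor's erasure API (constructed for this example)."""

    def __init__(self, name: str, records, unavailable: bool = False):
        self.name, self.records, self.unavailable = name, set(records), unavailable

    def erase(self, record_id: str) -> None:
        if self.unavailable:
            raise RuntimeError("erasure endpoint unavailable")
        self.records.discard(record_id)

    def verify_absent(self, record_id: str) -> bool:
        # Verification is a separate call; the erase call's own return value is never trusted.
        return record_id not in self.records


def propagate_erasure(req: ErasureRequest, processors, today: date) -> dict:
    """Fan the erasure out to every processor once it is due, verify each one,
    and keep an audit trail of triggers, holds, confirmations and exceptions."""
    due, basis = erasure_due_date(req)
    audit = [{"record": req.record_id, "event": "trigger",
              "detail": f"{req.trigger} on {req.trigger_date.isoformat()}"}]
    if today < due:
        # Still within a retention period: data stays, but only for the purpose that justifies the hold.
        audit.append({"record": req.record_id, "event": "hold",
                      "detail": f"retain until {due.isoformat()} ({basis})"})
        return {"status": "on_hold", "due": due, "permitted_use": basis, "audit": audit}
    outcomes = {}
    for p in processors:
        try:
            p.erase(req.record_id)
            confirmed = p.verify_absent(req.record_id)
            detail = "verified absent" if confirmed else "erase returned but record still present"
        except Exception as exc:  # an unreachable processor is recorded as an exception, never ignored
            confirmed, detail = False, f"error: {exc}"
        outcomes[p.name] = "confirmed" if confirmed else "exception"
        audit.append({"record": req.record_id, "event": f"erase@{p.name}", "detail": detail})
    status = "complete" if all(o == "confirmed" for o in outcomes.values()) else "exception"
    return {"status": status, "due": due, "outcomes": outcomes, "audit": audit}


# Constructed sample: a loan record whose consent was withdrawn on 15 Jan 2026, subject to a
# hypothetical five-year sectoral record-retention mandate that outlasts the DPDP one-year period.
SAMPLE_REQUEST = ErasureRequest(
    record_id="LN-0001",
    trigger="consent_withdrawn",
    trigger_date=date(2026, 1, 15),
    sectoral_rules=[RetentionRule("hypothetical sectoral record-retention mandate (5 years)",
                                  date(2031, 1, 15))],
)


def build_processors():
    """Two constructed processors: one reachable, one whose erasure endpoint is down."""
    return [
        InMemoryProcessor("kyc-vendor", {"LN-0001", "LN-0002"}),
        InMemoryProcessor("collections-bpo", {"LN-0001"}, unavailable=True),
    ]


if __name__ == "__main__":
    print(propagate_erasure(SAMPLE_REQUEST, build_processors(), date(2027, 6, 1))["status"])
    print(propagate_erasure(SAMPLE_REQUEST, build_processors(), date(2031, 2, 1))["status"])
```

Run before the sectoral mandate expires, the request is held and the audit trail records the basis for the hold; run afterwards, the reachable processor is verified clean while the unavailable one is recorded as an exception, so the overall status stays "exception" until that processor confirms. The verification step is deliberately independent of the erase call, which is the check an auditor will ask for.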

FAQ 9: If a bank/NBFC is already compliant with General Data Protection Regulation (“GDPR”)-level data protection standards, what additional considerations arise under the DPDP framework?

If a bank or NBFC is already compliant with GDPR-level data protection standards, it must still address several DPDP-specific obligations that are distinct from the GDPR. The DPDP Act requires the provision of purpose-specific, itemised notices in English or any Eighth Schedule language, going beyond the GDPR’s general transparency requirements. Furthermore, the DPDP Act’s closed list of predefined “legitimate uses” narrows the discretion available under the GDPR’s “legitimate interests of the controller”: the GDPR leans on the ordinary meaning of “legitimate”, whereas the DPDP Act confines the term to the uses enumerated in the statute. Ultimately, banks and NBFCs will need to reassess multiple use cases, such as cross-selling other banking products, co-lending, fraud monitoring, credit underwriting and payments processing, to determine whether any of these would require consent under the DPDP Act (Please see FAQs 3 and 4 for more information on consent requirements).

The DPDP Act also does not recognise data portability as a statutory right and provides a narrower, non-absolute right to erasure, subject to broad carve-outs for compliance with legal obligations and State functions. The DPDP Act imposes more stringent breach notification obligations, mandating notification to both the Data Protection Board and affected data principals for every personal data breach, without a risk-based threshold. This stands in contrast with the GDPR’s conditional, risk-based notification regime. The allocation of liability also differs: whereas the GDPR imposes independent statutory obligations on processors, the DPDP Act places primary responsibility on data fiduciaries, with processors acting solely on the basis of contractual arrangements. The regulatory design under the DPDP Act is less prescriptive, relying on principles such as “reasonable security safeguards” rather than mandating specific technical standards. Obligations such as appointment of a DPO and conduct of a DPIA apply only to entities notified as significant data fiduciaries, unlike the GDPR’s broader, activity-based triggers.

Operationally, the DPDP Act introduces unique requirements that have no direct GDPR analogue, including interaction with Consent Managers, statutory grievance redressal mechanisms, the right of nomination, and stricter, India-specific data retention and erasure obligations aligned with sectoral laws such as those issued by the RBI and SEBI. Cross-border data transfers are generally more permissive under the DPDP Act, subject to limited government-notified restrictions, offering greater flexibility than the GDPR’s adequacy and safeguards-based regime. Overall, GDPR compliance must be recalibrated to account for the DPDP Act’s distinct statutory architecture, sectoral overlays, and operational mechanisms.

FAQ 10: Are banks and NBFCs likely to be designated as significant data fiduciaries under the DPDP framework, and what are the broad implications of such designation?

Banks and NBFCs processing large volumes of sensitive financial data would likely be assessed under the criteria for significant data fiduciary designation, particularly the criterion regarding the volume and sensitivity of personal data processed. The significant scale and nature of data processing undertaken by banks and NBFCs, coupled with the inherently sensitive nature of the financial information they handle, create a strong likelihood that major banks and systemically important NBFCs will be designated as significant data fiduciaries once the Central Government begins issuing notifications under the DPDP Act and the Rules. If classified as a significant data fiduciary, a bank/NBFC must undertake additional obligations beyond those applicable to regular data fiduciaries. These additional obligations include:

  • Mandatory appointment of an India-based DPO and an independent data auditor (Please see FAQ 11 for more information regarding designation of a DPO);
  • Mandatory annual DPIA and audit, with the results submitted to the Data Protection Board;
  • Due diligence on all technical measures and algorithmic software;
  • Mandatory India-based processing and storage for specified data categories; and
  • Substantial costs for compliance infrastructure, resources, and potential penalties.

FAQ 11: Does a bank/NBFC need to employ a full-time DPO under the DPDP framework? Can a third-party consultant be engaged to serve as the DPO, or must this role be fulfilled internally? Are there any specific qualifications prescribed?

A bank or NBFC need not employ a full-time DPO unless it is designated as a significant data fiduciary (Please see FAQ 10 for more information on significant data fiduciaries), and even in that case the DPDP Act does not mandate that the DPO be a full-time employee. However, considering the scope of the statutory responsibilities assigned to the DPO, it may be advisable, as a matter of governance, to designate the role as a full-time function. These responsibilities include: (i) acting as the primary point of contact for the data fiduciary’s grievance redressal mechanism; (ii) reporting to, and being accountable before, the board of directors or an equivalent governing body of the significant data fiduciary; (iii) effectively representing the significant data fiduciary in matters relating to data protection; and (iv) disclosing business contact details to the data principals with every request for consent. A full-time appointment would better ensure that these obligations are discharged in an effective and timely manner. A third-party consultant may be appointed as the DPO, provided that the consultant is based in India and possesses the requisite qualifications and expertise to discharge the role effectively. The DPDP Act and the Rules do not prescribe specific qualification criteria beyond requiring that the DPO possess the qualifications and expertise necessary to carry out these responsibilities effectively.

FAQ 12: What are the obligations of a bank/NBFC arising out of the grievance redressal mechanism for customers under the DPDP framework, and how do these obligations interface with existing RBI-mandated grievance redressal mechanisms?

Banks and NBFCs, as data fiduciaries under the DPDP Act and the Rules, are required to implement a robust and accessible grievance redressal mechanism that enables customers to raise concerns relating to the processing of their personal data. The DPDP Act confers on data principals a statutory right to grievance redressal and obliges banks/NBFCs to provide readily available means for lodging complaints. Accordingly, the bank/NBFC must acknowledge and respond to grievances within a reasonable period, resolve the grievance within 90 (ninety) days, and ensure that customers exhaust the internal grievance redressal mechanism before approaching the Data Protection Board. Furthermore, the bank/NBFC must prominently publish details of its grievance redressal system, response timelines, and the contact details of its DPO or designated representative on its website/app, and must also include this information in every communication concerning data rights. Notices issued at the time of seeking consent must additionally inform data principals of the manner in which complaints may be filed with the Data Protection Board. Operationally, banks and NBFCs must establish and maintain an effective grievance-handling framework supported by appropriate technical and organisational measures to ensure timely responses and systematic handling of complaints. Significant data fiduciaries have enhanced obligations, including appointing an India-based DPO who serves as the primary point of contact for grievance redressal.

These requirements under the DPDP Act and the Rules apply in addition to, and not in derogation of, any other applicable law. Therefore, banks and NBFCs must comply with these obligations alongside existing sectoral grievance redressal requirements under the RBI regulations. While the RBI framework addresses deficiencies in banking and financial services and provides compensatory and corrective remedies through the internal grievance mechanism, the Internal Ombudsman and the RBI Ombudsman, the DPDP framework focuses on violations of data protection obligations, with escalation to the Data Protection Board. In practice, certain customer complaints may fall under both regimes, such as unauthorised transactions involving a personal data breach, excessive KYC data collection, or failure to erase data after account closure. Such cases require dual classification and parallel compliance, and may give rise to concurrent proceedings before the Data Protection Board and the RBI grievance redressal authorities.

Banks and NBFCs should therefore integrate DPDP grievances within their existing RBI-mandated grievance infrastructure, train personnel to identify whether a complaint falls under the RBI framework, the DPDP framework, or both, and apply the stricter timelines where the requirements differ.

FAQ 13: Is a bank/NBFC required to implement an internal data lifecycle management framework under the DPDP Act?

While the DPDP Act does not mandate the implementation of a standalone internal data lifecycle management framework (commonly referred to as internal data management systems), banks and NBFCs would practically benefit from implementing comprehensive tech-enabled data lifecycle management solutions to comply with the DPDP Act and the Rules’ various substantive obligations. These include data and purpose mapping, recording of notices and consents, assigning rationalised bases for legitimate uses and exempted purposes, tracking retention timelines and deletion protocols across purposes, enabling data principal rights, integration of grievance redressal mechanisms, data integrity and erasure/anonymisation processes, risk escalation procedures and matrices and vendor management frameworks. The framework can be monitored through appropriate governance structures and harmonised with existing sectoral requirements, with the stricter obligation prevailing in case of overlap.

FAQ 14: When is a personal data breach required to be reported? Are there any sector-specific considerations for banks and NBFCs in this regard?

A personal data breach is broadly defined to include any unauthorised processing, accidental disclosure, alteration, destruction, or loss of access compromising confidentiality, integrity, or availability. This extends across varying degrees of severity without limitation. Banks and NBFCs will need to report personal data breaches through a dual notification framework under the DPDP Act: (i) immediate notification to affected data principals in clear, plain language via registered contact methods, and (ii) two-stage notification to the Data Protection Board. Additionally, Banks and NBFCs face critical sector-specific considerations requiring parallel compliance with CERT-In Directions and reporting obligations as prescribed by sectoral regulators such as SEBI and RBI. 

The obligation to notify the Data Protection Board and affected data principals is separate from, and independent of, reporting obligations under the CERT-In framework. In addition, RBI-regulated entities are required to report cybersecurity incidents to the RBI within 2 (two) to 6 (six) hours of detection, along with subsequently providing relevant details such as the severity of the incident, affected systems, and customer impact. For SEBI-regulated entities, an initial intimation must be provided to SEBI within 6 (six) hours of the breach, followed by a detailed incident report to be submitted through the SEBI Incident Reporting Portal within 24 (twenty-four) hours. These requirements operate concurrently with the breach reporting obligations under the DPDP framework and must be tracked and escalated in parallel. The stricter requirement prevails in the case of an overlap. 

Banks and NBFCs must further distinguish between personal data breaches (which must always be reported to the Data Protection Board, as the definition admits no de minimis exception) and broader cyber security incidents involving only non-personal or business data, which need not be reported to the Data Protection Board but may still have to be notified to CERT-In or the sectoral regulator. It is also pertinent to note that banks and NBFCs, as data fiduciaries, remain responsible under the DPDP Act for processing carried out on their behalf by vendors (data processors), including breaches that originate with a vendor; appropriate contractual safeguards, breach notification clauses and audit rights therefore need to be in place. Non-compliance attracts penalties of up to INR 250 crore (two hundred and fifty crore Indian Rupees) for failure to implement reasonable security safeguards and up to INR 200 crore (two hundred crore Indian Rupees) for failure to comply with breach notification obligations, with other contraventions of the DPDP Act attracting penalties of up to INR 50 crore (fifty crore Indian Rupees). Penalties are imposed for each contravention, so several violations that are individually minor may together result in a substantially higher aggregate penalty.

FAQ 15: As a bank/NBFC, we collaborate with various corporates to provide employee benefits and loans for the employees of those corporates. In such arrangements, what data protection considerations are relevant?

When banks or NBFCs collaborate with corporates to provide employee benefits and loan products, they must ensure robust data protection governance across the arrangement. At the outset, the bank/NBFC may assume different roles within the underlying data processing arrangement, including: (i) acting as a data fiduciary when independently providing employee benefits and loan products; and (ii) acting as a joint data fiduciary in co-lending or similar arrangements where the bank/NBFC and the corporate jointly determine the purposes and means of processing personal data. The bank/NBFC and the corporate must then assess, for each purpose, whether the processing can rely on the employment-related legitimate use under the DPDP Act or whether valid consent is required; consent is particularly likely to be required where the data relates to persons who are not employees of the corporate, such as family members or contracted labour and consultants. In addition, clear and comprehensive notices must be provided to the individuals concerned by whichever entity is the data fiduciary for the relevant processing (the corporate partner, the bank/NBFC or both), outlining the data-sharing arrangement, the purposes of processing and their rights under the DPDP Act.

The contractual framework with the corporate must incorporate provisions on security safeguards, breach notification, audit rights, and facilitation of data principal rights. Banks and NBFCs must recognise that fiduciary liability is non-delegable, and that they remain ultimately responsible for processing carried out on their behalf. Further, as and when the bank/NBFC begins to deal with the relevant corporate employee as its own customer, the appropriate notice and request for consent mechanisms (if and to the extent applicable) must be deployed by the bank/NBFC on an independent basis as well.

Appropriate technical and organisational security measures must be implemented across the entire data supply chain. Coordination mechanisms should be established to address employee requests relating to access, correction, erasure, grievance redressal and withdrawal of consent, including maintaining traceable consent chains where data is obtained indirectly. Finally, comprehensive documentation should be maintained covering the legal basis for processing, privacy notices, contractual terms, and all data sharing activities to evidence compliance.

For further guidance on the DPDP Act and the DPDP Rules, please refer to the FAQs available here. 


This alert is for information purposes only. Nothing contained herein is, purports to be, or is intended as legal advice and you should seek legal advice before you act on any information or view expressed herein. Although we have endeavored to accurately reflect the subject matter of this alert, we make no representation or warranty, express or implied, in any manner whatsoever in connection with the contents of this alert. No recipient of this alert should construe this alert as an attempt to solicit business in any manner whatsoever.
