RECOMMENDATION LETTER: RECOMMENDATIONS REGARDING RULE 8(3) OF THE DIGITAL PERSONAL DATA PROTECTION RULES, 2025

  1. The Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) have been brought into force with effect from 13th November 2025. This marks a substantial shift in the regulatory framework governing data protection in India, fundamentally changing the manner in which organizations manage and process personal data of individuals. Accordingly, organizations will have to review and update their data protection policies and practices to ensure alignment and compliance with the requirements prescribed under the DPDP Act and the DPDP Rules.
  2. Although the DPDP Act and Rules have been brought into force with effect from 13th November 2025, the implementation of their provisions will take place in a phased manner, as set out below:
  • 13th November 2025 (Phase 1): Provisions relating to the constitution, functioning, and operations of the Data Protection Board of India.
  • 13th November 2026 (Phase 2): Provisions governing the registration of Consent Managers.
  • 13th May 2027 (Phase 3): All other substantive and operational requirements under the DPDP Act and the DPDP Rules.
  3. Through this letter, we presented certain observations and recommendations to address and clarify certain ambiguities that may arise in the interpretation of Rule 8(3) of the DPDP Rules.
  4. Rule 8(3) of the DPDP Rules states as follows:

“Without prejudice to sub-rules (1) and (2), a Data Fiduciary shall retain, in respect of any processing of personal data undertaken by it or on its behalf by a Data Processor, such personal data, associated traffic data and other logs of the processing for a minimum period of one year from the date of such processing, for the purposes as specified in the Seventh Schedule, after which the Data Fiduciary shall cause such personal data and logs to be erased, unless further retention is required for compliance with any other law for the time being in force or notified by the Government”.

  5. In effect, Rule 8(3) provides that a Data Fiduciary is required to retain personal data, associated traffic data, and processing logs for a minimum period of one year from the date of processing, unless a longer retention period is mandated under any other applicable law. The purpose of such retention is as specified in the Seventh Schedule of the DPDP Rules, which includes:
  • Use of personal data of a Data Principal, by the State, for the purposes of sovereignty and integrity of India or security of the State;
  • Use of personal data of a Data Principal, by the State, for the performance of any function under law, or disclosure of information to fulfil obligations under law;
  • Use for carrying out the assessment for notifying any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.
  6. However, on a bare reading, Rule 8(3) may be misinterpreted or interpreted ambiguously. Instead of being read to mean that the retention of personal data is required for the purposes specified in the Seventh Schedule, it may be construed to mean that personal data and related logs must be retained for a minimum period of one year only when the specified purpose for processing such personal data falls within the purposes listed in the Seventh Schedule of the DPDP Rules. Accordingly, such a reading may lead to the interpretation that the data retention requirement applies only in situations where the purpose of processing personal data corresponds with the purposes listed in the Seventh Schedule.
  7. The illustration provided under Rule 8(3) clarifies the manner in which the Rule is intended to be interpreted. The illustration states as follows:

“Case 1: A Data Principal purchases an e-book on an e-book platform Y. Once delivery is completed, the specified purpose of processing is served. The platform Y must retain the order details, personal data, and logs of the processing (such as order confirmation, payment, and delivery events) for at least one year from the date of the transaction, even if the Data Principal deletes her account.”
In this illustration, the specified purpose is “to buy an e-book,” which is not a purpose listed in the Seventh Schedule of the DPDP Rules. This indicates that the applicability of Rule 8(3) is not intended to be restricted only to personal data that has been processed for the purposes specified in the Seventh Schedule.

  8. While the intent of the provision appears to be clarified through the illustration, the manner in which Rule 8(3) is drafted may lead to potential misinterpretation, wherein it may be construed that only personal data processed for the purposes listed in the Seventh Schedule is required to be retained by the Data Fiduciary. Such an interpretation may create ambiguity in understanding the true scope and intent of the Rule.
  9. Therefore, in light of the above, we respectfully recommend that the Ministry of Electronics and Information Technology consider issuing a clarification of, or an appropriate amendment to, Rule 8(3) of the DPDP Rules in order to remove possible ambiguity and ensure clear and consistent interpretation of the data retention requirements under the DPDP Rules.

 
