Obligations

Deletion Obligation

Defined in §8(7), DPDPA 2023; Rule 8(2), Rules 2025

The mandatory requirement to erase personal data when consent is withdrawn or the processing purpose is fulfilled.

What does “Deletion Obligation” mean?

Under DPDPA Section 8(7), Data Fiduciaries must erase personal data when it is reasonable to assume the specified purpose is no longer being served, unless retention is necessary for legal compliance. Rule 8(2) of Rules 2025 requires that Data Principals be notified 48 hours before deletion of their data. The deletion must be complete — removing data from active systems, backups, and processor systems. The Fiduciary must also direct all processors to delete the data.

Why does this matter for your business?

Deletion is not optional after purpose fulfilment or consent withdrawal. If you retain data beyond its justified period, every day of retention is a continuing violation. Automated deletion pipelines are essential for compliance at scale.

Real example

A Bengaluru subscription box company must delete all personal data of a customer who cancels their subscription and withdraws consent, including data held by their logistics partner, payment processor, and marketing automation tool — after sending the 48-hour pre-deletion notice.

Common misconception

Deletion means erasure from ALL systems including backups, not just the primary database. If data remains recoverable in any backup, the deletion obligation is not fulfilled.
