Personal data must not be retained longer than necessary for the purpose for which it was collected.
Storage limitation requires that personal data be retained only for as long as necessary to fulfil the purpose for which it was collected, unless retention is required by law. Under DPDPA Section 8(7), when the purpose is fulfilled or consent is withdrawn, the Data Fiduciary must erase the data unless legal obligations mandate retention. Rule 8 of Rules 2025 requires Fiduciaries to define and document retention periods for each category of data processed.
Retaining data indefinitely "just in case" violates DPDPA and increases breach liability. You must define clear retention periods, implement automated deletion, and document your retention schedule in your RoPA.
A Mumbai recruitment platform retains rejected candidate CVs for 5 years with no legal basis. Under DPDPA, it should define a reasonable retention period (e.g., 6 months for potential future openings), disclose this in the notice, and auto-delete after expiry.
Archiving data to cold storage is still "retention" under DPDPA. Moving data from active databases to backups does not stop the retention clock or exempt you from deletion obligations.