Q4 - What if a company refuses a Data Principal’s request citing “legal necessity”?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), a company (Data Fiduciary) must normally correct, update, or erase personal data upon a valid request from a Data Principal. However, it may lawfully refuse such a request if the continued retention or processing of that data is necessary to comply with any law in force — a concept referred to as “legal necessity.”
1. Legal Basis for Refusal
Section 12(3) —
A Data Principal may request erasure of her personal data, and the Data Fiduciary shall erase such data unless retention is necessary for the specified purpose or for compliance with any law for the time being in force.
Similarly,
Section 8(7) —
A Data Fiduciary shall erase personal data once the purpose is no longer served unless retention is necessary for compliance with any law for the time being in force.
This means that a company can retain or refuse to erase data if it is legally required to keep it — for example, by financial-regulatory, taxation, employment, or audit-retention laws.
2. What Counts as “Legal Necessity”?
Typical cases include:
- Banking and KYC records: Banks must retain customer identification and transaction data for at least ten years after account closure under RBI and anti-money-laundering rules.
- Tax documentation: Businesses must preserve invoices and accounting records for prescribed periods under income-tax and GST laws.
- Employment records: Employers may need to retain payroll or compliance data to defend legal claims or meet labour-law requirements.
If a company relies on “legal necessity,” it must ensure the retention directly relates to a specific legal obligation, not a general business preference.
3. Company’s Duty to Communicate
Even when refusal is justified, the Data Fiduciary must:
- Inform the Data Principal clearly that erasure or correction cannot be performed because of a legal requirement.
- Specify the law or regulation under which data retention is required.
- Erase the data once the legal obligation ends.
Failure to communicate transparently can be treated as non-compliance with Sections 8 and 12, leading to possible investigation by the Data Protection Board of India.
4. Example
A customer closes her bank account and requests deletion of her personal data.
The bank refuses, citing its obligation under banking regulations to retain identity and transaction records for ten years after closure.
This refusal is lawful under Sections 8(7) and 12(3) because the retention is required for legal compliance.
Once the ten-year period ends, the bank must erase or anonymise the data.
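As an added illustration (not part of the DPDPA text or any bank's actual system), the following Python models the decision an erasure-request handler at a Data Fiduciary has to make under Sections 8(7) and 12(3): refuse only while a specific, named legal obligation is still running, tell the Data Principal which law applies and until when, and let the record fall due for erasure once that period ends. The law label, dates and field names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

def _add_years(d: date, years: int) -> date:
    try:  # clamp 29 Feb to 28 Feb when the target year is not a leap year
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class RetentionObligation:
    """A specific legal duty to keep the record; `law` is a hypothetical label, not a citation."""
    law: str            # e.g. "RBI KYC / AML record-retention rules"
    retain_years: int   # retention period counted from the triggering event
    trigger_date: date  # e.g. the date the account was closed
    def expires_on(self) -> date:
        return _add_years(self.trigger_date, self.retain_years)

@dataclass
class PersonalDataRecord:
    principal_id: str
    purpose_served: bool                            # s.8(7): is the purpose still being served?
    obligation: Optional[RetentionObligation] = None

@dataclass
class ErasureDecision:
    erase_now: bool
    message: str                                    # the notice given to the Data Principal
    cited_law: Optional[str] = None                 # law relied on, if refused
    erase_after: Optional[date] = None              # date the hold lapses, if refused

def _live_hold(ob: Optional[RetentionObligation], on: date) -> Optional[RetentionObligation]:
    """Return the obligation only if it names a specific law and has not yet expired."""
    if ob is not None and not ob.law.strip():  # a bare business preference is not legal necessity
        raise ValueError("retention hold must cite a specific legal obligation")
    return ob if ob is not None and on < ob.expires_on() else None

def handle_erasure_request(record: PersonalDataRecord, request_date: date) -> ErasureDecision:
    """s.12(3): erase on request unless a live legal obligation requires retention."""
    ob = _live_hold(record.obligation, request_date)
    if ob is None:
        return ErasureDecision(True, "Your personal data has been erased as requested.")
    return ErasureDecision(False, f"Erasure cannot be performed: retention is required under {ob.law} "
                           f"until {ob.expires_on().isoformat()}; the data will be erased after that date.",
                           cited_law=ob.law, erase_after=ob.expires_on())

def due_for_erasure(record: PersonalDataRecord, today: date) -> bool:
    """s.8(7): once the purpose is no longer served, erase unless a live hold remains."""
    return not record.purpose_served and _live_hold(record.obligation, today) is None
```

The refusal message carries both the cited law and the end date, which is the minimum the duty to communicate in section 3 above requires.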
5. Remedies for the Data Principal
If a Data Principal believes the refusal is unjustified or misused:
- They may file a complaint with the company’s Grievance Officer (Section 13).
- If unresolved, they may escalate the issue to the Data Protection Board (Sections 27–28).
- The Board can order compliance or impose penalties if the company’s invocation of “legal necessity” is found improper.
Summary
A company can deny a correction or erasure request only when legally bound to retain the data.
It must explain the legal basis, act proportionately, and delete the data once the obligation expires.
Misuse of this exemption may invite inquiry and penalties up to ₹50 crore under Section 33 read with Entry 7 of the Schedule.