Schedule III: Classes of Data Fiduciaries, Purposes, and Time Periods
THIRD SCHEDULE [See rule 8(1)] Classes of Data Fiduciaries, Purposes, and Time Periods
| S. No. | Class of Data Fiduciaries | Purposes | Time Period |
|---|---|---|---|
| 1. | Data Fiduciary who is an e-commerce entity having not less than two crore registered users in India | For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services. | Three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest. |
| 2. | Data Fiduciary who is an online gaming intermediary having not less than fifty lakh registered users in India | For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services. | Three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest. |
| 3. | Data Fiduciary who is a social media intermediary having not less than two crore registered users in India | For all purposes, except for the following: (a) Enabling the Data Principal to access her user account; and (b) Enabling the Data Principal to access any virtual token that is issued by or on behalf of the Data Fiduciary, is stored on the digital facility or platform of such Data Fiduciary, and may be used to get money, goods or services. | Three years from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or exercise of her rights, or the commencement of the Digital Personal Data Protection Rules, 2025, whichever is latest. |
Note: In this Schedule,—
(a) “e-commerce entity” means any person who owns, operates or manages a digital facility or platform for e-commerce as defined in the Consumer Protection Act, 2019 (35 of 2019), but does not include a seller offering her goods or services for sale on a marketplace e-commerce entity as defined in the said Act;
(b) “online gaming intermediary” means any intermediary who enables the users of its computer resource to access one or more online games;
(c) “social media intermediary” means an intermediary as defined in the Information Technology Act, 2000 (21 of 2000) who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using her services; and
(d) “user”, in relation to—
(i) an e-commerce entity, means any person who accesses or avails any computer resource of an e-commerce entity; and
(ii) an online gaming intermediary or a social media intermediary, means any person who accesses or avails of any computer resource of an intermediary for the purpose of hosting, publishing, sharing, transacting, viewing, displaying, downloading or uploading information.
The Third Schedule specifies the categories of large digital entities that handle significant volumes of personal data and defines the timeframes and permissible purposes for retaining such data. It establishes a uniform benchmark for large-scale platforms to ensure that user data is not stored or processed longer than necessary.
1. Applicability and Covered Entities
The Schedule applies to major organisations operating in India’s digital ecosystem—particularly those that process extensive user data. It includes:
- E-commerce platforms with at least two crore registered users.
- Online gaming intermediaries with fifty lakh or more registered users.
- Social media intermediaries with two crore or more registered users.
These entities are designated as Significant Data Fiduciaries (SDFs) due to their operational scale and the high volume of sensitive personal data they manage. By identifying these classes, the rule ensures that such organisations maintain stricter data-handling discipline and adhere to clear retention policies.
A large e-commerce company, a popular social media platform, or an online gaming network with millions of Indian users all qualify as Significant Data Fiduciaries under this Schedule. These organisations routinely handle user identity details, preferences, contact information, and transaction histories—making responsible data retention essential.
2. Purpose Limitation
Data may be retained only for legitimate and defined purposes connected to the user’s interaction with the platform. The Schedule restricts retention beyond what is necessary for ongoing use and provides two narrow exceptions:
- Account Access: The Data Fiduciary may retain data essential for allowing a user to sign in and access her account.
- Virtual Token Access: Data required to enable the user to access virtual tokens, such as loyalty points, wallet balances, or in-game credits, may also be retained.
All other data that is no longer needed to fulfil an active function must be deleted once the retention period expires.
This principle ensures that data is not preserved for speculative or unrelated business purposes, such as marketing or behavioural analysis, once the user has disengaged.
If a user has not logged into an e-commerce platform for several years, the company may retain her login details to allow account recovery and wallet redemption but must delete other inactive records, such as browsing history or personalised recommendations.
3. Retention Period and Conditions
The Schedule prescribes a standard retention period of three years. This duration is calculated from the date on which the user last interacted with the organisation—such as logging in, making a purchase, or submitting a service request. If the user takes no action after this point, the company must delete or anonymise her personal data after three years.
Alternatively, if the Digital Personal Data Protection Rules, 2025 commence later than that date, the timeline extends accordingly, ensuring a consistent national baseline.
This period allows sufficient flexibility for resolving disputes, fulfilling legal obligations, and ensuring continuity for active users while preventing indefinite storage of dormant records.
Organisations should implement automated systems to monitor the “last active date” of each user. A structured deletion or anonymisation process should be triggered once the three-year threshold is reached.
4. Policy Objective
The underlying policy intention is to promote data minimisation and accountability in India’s digital sector. Large-scale entities often retain personal data indefinitely for convenience or analysis. Over time, this practice increases the risk of unauthorised access, breaches, and misuse.
By imposing a defined retention window, the Schedule encourages responsible lifecycle management of personal information. It also strengthens user trust by ensuring that platforms retain data only while it remains relevant and justifiable.
5. Key Definitions and Cross-references
The Schedule draws on established legal definitions from the Consumer Protection Act, 2019 and the Information Technology Act, 2000.
- E-commerce entity: A digital operator managing an online facility for sale or purchase of goods and services.
- Online gaming intermediary: A platform facilitating access to online games via digital or networked systems.
- Social media intermediary: A service that enables users to communicate, create, and share content with each other online.
- User: Any person who interacts with, accesses, or avails services on these platforms.
Each category is covered under the oversight of the Digital Personal Data Protection Act, 2023 and related rules.
6. Compliance Expectations for Organisations
To comply with the Third Schedule, covered organisations should:
- Establish a Data Retention Policy outlining clear timelines and purposes for data deletion.
- Implement automated monitoring tools to track user activity and identify dormant accounts.
- Adopt secure deletion or anonymisation mechanisms once retention periods expire.
- Maintain transparency by communicating retention practices in their privacy notices.
- Undergo internal or third-party audits to verify adherence to retention and deletion obligations.
Failure to implement these measures could lead to findings of non-compliance under the DPDPA’s enforcement provisions.
A major social media intermediary that fails to delete data of inactive users beyond the three-year limit may be directed by the Data Protection Board to demonstrate compliance efforts or face administrative penalties under Section 33 of the Act.
7. Broader Impact
The Third Schedule promotes an environment where digital companies integrate privacy-by-design principles into their technical and governance frameworks. It aligns India’s data retention practices with international privacy standards while ensuring operational flexibility for legitimate business needs.
By clearly defining time limits and accountability measures, the Schedule provides clarity to both industry and regulators, ensuring that personal data is managed ethically, transparently, and within the limits of necessity.
The Third Schedule of the Digital Personal Data Protection Rules, 2025 establishes a three-year retention period for specific large-scale data fiduciaries, including e-commerce, gaming, and social media platforms. It ensures that personal data is retained only for active user functions—such as account access or token redemption—and mandates its deletion or anonymisation thereafter. This approach balances user rights with practical business considerations and reinforces India’s commitment to a transparent and responsible data protection framework.