Q4 - What happens if a company shuts down — does it have to delete all personal data first?
Yes. When a company permanently shuts down or ceases operations, it must delete or anonymize all personal data in its possession — unless there is a legal, regulatory, or contractual reason to retain it.
The Digital Personal Data Protection Act, 2023 (DPDPA) makes it clear that personal data cannot be kept indefinitely once its purpose is fulfilled, even if the business closes.
1. Legal Obligation to Delete Data
Section 8(7) —
"A Data Fiduciary shall erase personal data when it is reasonable to assume that the specified purpose is no longer being served, or retention is no longer necessary for legal or business purposes, unless retention is required by law."
This applies equally to companies that:
- Shut down voluntarily,
- Are merged or acquired, or
- Are declared insolvent or liquidated.
In each case, data held by the company — including customer, employee, and vendor records — must be securely erased or anonymized before closure.
2. What Must Be Deleted
All digital personal data collected during operations must be securely wiped. This includes:
- Customer information (names, phone numbers, emails, IDs, financial details)
- Employee records (HR files, payroll data, performance logs)
- Vendor or partner contact information
- User analytics, cookies, or backup data stored on servers or cloud systems
If the company used third-party processors (e.g., cloud providers, marketing platforms), it must instruct them to delete or return the data and confirm completion.
Example: A startup offering a financial app shuts down due to bankruptcy. Before winding up, it must permanently delete all user data, close cloud accounts, and document proof of deletion — unless certain records must be retained for tax, audit, or legal disputes.
3. When Data Can Be Retained
The only exceptions are when retention is legally required, for example under:
- Tax or accounting laws (e.g., income tax, GST filings, audits)
- Employment laws (e.g., PF or ESIC recordkeeping)
- Regulatory compliance for sectors like banking, insurance, or telecom
Even then, data must be:
- Kept only for the mandated duration, and
- Securely stored, with limited access until deletion.
Once all legal retention obligations end, the organization must erase the data completely.
Example: If a healthcare startup shuts down but keeps patient records "for future reference," this would violate DPDPA's purpose limitation and data retention clauses. Only retention required by law (e.g., as per medical record retention rules) is permitted.
4. Data During Acquisition or Merger
If a closing company’s assets (including data) are transferred to another entity during acquisition or merger, the data can only be transferred if:
- The original purpose of processing remains the same, or
- Users are informed and given the option to withdraw consent.
Otherwise, the data must be erased before transfer.
5. Documentation and Proof
When shutting down, the company should:
- Create a data destruction plan listing all systems, databases, and backups.
- Obtain written confirmations from third-party processors that data was deleted.
- Maintain proof of compliance in case the Data Protection Board of India requests verification.
- Ensure deletion covers active systems, archives, and backup storage.
Failure to do so may attract penalties under Section 33(1), up to ₹250 crore, for violating data retention and deletion obligations.
6. Key Takeaway
- Upon shutdown, a company must delete or anonymize all personal data unless retention is legally mandated.
- Deletion applies to all systems — local, cloud, and third-party processors.
- Mergers or acquisitions must ensure continuity of lawful purpose or obtain new consent.
- Proper documentation and deletion proof are critical to demonstrate DPDPA compliance.
Referenced Provisions:
- Section 8(7) – Erasure of personal data when purpose no longer served.
- Section 33(1) – Penalties for non-compliance (up to ₹250 crore).
- Section 7 – Lawful basis for data processing (consent and legitimate use).