Archive for category: NBFCs

-Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The Digital Personal Data Protection Act, 2023 (“DPDPA”), along with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules’, “Rules”), establishes India’s first comprehensive and rights-based data protection regime. The Act’s applicability extends far beyond financial institutions; it encompasses any entity, large or small, digital or traditional, that processes digital personal data. Although public discourse frequently associates data protection obligations with banks, fintech companies, and large technology entities, the DPDPA’s scope is intentionally crafted to be broad and sector-agnostic. As a result, non-financial entities operating in fields such as FMCG, real estate, healthcare, hospitality, education, retail, and even small kirana shops using basic digital systems are brought squarely within its regulatory ambit.

This wide applicability stems from the Act’s fundamental design. It regulates processing, not industry classification. As long as an entity processes any digital personal data, whether it is a customer’s name and phone number, an employee’s email address, a patient’s medical record, or a tenant’s identity document, the DPDPA applies, unless a statutory exemption is granted.

This article examines the applicability of the DPDPA to non-financial entities, analyses the lawful bases for processing personal data, evaluates sector-specific implications, discusses whether corporate data is included within the scope of “personal data”, and explores the operational and regulatory obligations, including security safeguards, deletion timelines, and Data Principal rights. A supporting analysis of Section 17 of the DPDPA which empowers the Central Government to exempt certain entities is also provided, along with the practical question of whether small businesses such as kirana stores may eventually be exempted.

Statutory Foundation for Applicability to Non-Financial Entities

The applicability of the DPDPA flows from Section 3, which states that the Act applies to the processing of digital personal data (including personal data which is collected physically and digitised later) within the territory of India and to processing outside India if the processing is connected with any activity of offering goods or services to data principals within the territory of India. There is no carve-out or exception based on the nature of the business, regulatory environment, or industry classification of the entity. Consequently, companies operating in sectors such as fast-moving consumer goods (FMCG), real estate, hospitality, e-commerce, education, healthcare, and professional services must comply with the Act if they process digital personal data.

The definition of “personal data” under Section 2(t) is intentionally broad, referring to any data about an identified or identifiable individual. This broad definitional standard ensures that even the most basic identifiers such as, names, phone numbers, email addresses, login credentials, and customer records fall within the purview of the Act. As a result, non-financial entities that process personal information of customers, employees, patients, visitors, students, tenants, or vendors automatically become “data fiduciaries” under Section 2(i) and must meet all obligations imposed by the Act.

The core philosophy underlying the DPDPA is processing-centric regulation. The Act deliberately avoids distinguishing entities based on their business sector, risk level, or regulatory regime. Instead, it focuses on the fundamental principle that any organisation handling personal data plays a significant role in the digital ecosystem. Non-financial entities have dramatically increased collection and utilisation of personal data for purposes such as digital marketing, analytics, supply-chain management, customer engagement, employee administration, and third-party platform integrations. This reality makes them equally capable of causing privacy harms or security breaches as financial institutions, and hence equally subject to regulation.

Moreover, non-financial sectors operate extensive digital infrastructure, such as e-commerce platforms, CRMs, ERPs, AI-based analytics systems, CCTV surveillance networks, and biometric verification systems, that rely heavily on personal data. These systems are vulnerable to cyberattacks, unauthorised access, data misuse, profiling, and identity theft. By bringing them fully within the regulatory framework, the DPDPA ensures a uniform accountability standard across the Indian digital economy.

Impact on Small Entities and the Prospect of Exemptions

Small business owners including kirana shops, local merchants, fitness coaches, small doctor’s clinics, tuition centres, neighbourhood restaurants and small real-estate brokers frequently engage in personal data processing such as storing customer phone numbers for order delivery, maintaining digital records for loyalty schemes, providing receipts digitally etc. The Act, as it stands, does not grant automatic exemptions for such entities. They are expected to issue notices, collect valid consent where applicable, respect withdrawal, ensure reasonable security safeguards, and delete data once the purpose is achieved.

This creates a compliance burden that many micro-enterprises lack the resources to fulfil. The proportionality concerns are evident: penalties under the Act may reach hundreds of crores, even though government statements indicate that penalties will be imposed only where there is significant negligence or wilful misconduct. 

The presence of Section 17(3), however, signals clear legislative recognition that small entities may require differentiated treatment. It remains reasonably likely that the government may, in future, exempt certain classes of micro-entities processing minimal personal data from certain provisions of the Act as provided under Section 17(3) and declare them as “low-risk data fiduciaries” with reduced compliance requirements.

Such exemptions would be consistent with global practice: for instance, GDPR permits reduced compliance obligations for small data volumes and uses a risk-based approach. Until notifications are issued, however, all entities including small merchants who are processing digital personal data,  remain subject to the Act.

Modes of Data Processing: Consent and Legitimate Uses

Under the DPDPA, the only lawful basis for processing personal data without consent is the limited set of “legitimate uses” specified under Section 7. Unlike earlier drafts of the Bill or international frameworks like the GDPR, “contractual necessity” or “contractual obligation” is not included as a legitimate use under the enacted DPDPA. This is a deliberate departure from global practice and means that entities cannot rely merely on contractual engagement to justify processing of personal data without consent.

Consent therefore becomes the primary lawful basis for most private-sector organisations, especially in non-financial sectors. Consent must meet the requirements of Section 6 and must be preceded by a detailed notice under Section 5. Withdrawal of consent must be as easy as its grant, placing significant obligations on data fiduciaries.

Legitimate uses under Section 7 remain narrow and apply primarily to scenarios such as compliance with law or judicial orders, medical emergencies, safeguarding individuals during disasters, and other notified public-interest functions. Most routine commercial operations in FMCG, real estate, healthcare, retail, and education do not fall within legitimate use and therefore require consent-based processing.

Applicability on Non-Financial Sector entities

Applicability in the FMCG Sector

FMCG companies, both digital-first and traditional, routinely collect and process large volumes of personal data, often through online portals, mobile applications, loyalty cards, e-commerce platforms, and promotional events. Customer names, phone numbers, addresses, behavioural data, purchase histories, and feedback form the core of their data-driven marketing strategy. Because “contractual necessity” is not a legitimate use under the DPDPA, almost all customer-facing processing requires consent, particularly marketing, profiling, analytics, and preference tracking

Additionally, FMCG entities store substantial employee personal data, which may be processed under legitimate uses for employment However, indefinite retention of customer data after fulfilment of the purpose is expressly prohibited under Section 9, mandating regular deletion or anonymisation.

FMCG entities must ensure:

1. Clear and accessible privacy notices at all customer touchpoints
2. Consent for marketing communications and behavioural profiling
3. Data minimisation—avoiding excessive or persistent tracking
4. Right to withdrawal and grievance redressal mechanisms
5. Deploy consent banners for digital marketing
6. Maintain opt-out mechanisms
7. Train sales agents on data minimisation
8. Delete customer data after loyalty programme completion

Applicability in the Real Estate Sector

The real estate sector handles sensitive personal data of prospective buyers, tenants, investors, and visitors, including identification documents, financial details, contact numbers, and biometric or CCTV data for access control in residential and commercial complexes. Most of this data is collected for contractual and compliance purposes under RERA, municipal laws, or verification procedures, placing it within the scope of legitimate uses. Yet, marketing of new projects, cold calling, and database sharing with brokers or partners require explicit consent.

A major compliance challenge in this sector is data retention, since developers often maintain personal records of customers long after project completion or sale. Section 9 makes it clear that data fiduciaries cannot retain personal data beyond the period necessary to satisfy the purpose for which it was collected, unless mandated by law. Real estate entities must therefore implement strict retention schedules and erasure policies.

Given that contractual obligation is not a legitimate use, real estate entities must:

1. Obtain explicit consent for collection of identity documents and contact details
2. Provide detailed notices explaining the purpose of collection of each category of data
3. Securely store documentation, especially digital scans of IDs
4. Establish retention and deletion policies for old applications, unconverted leads, or completed transactions
5. Obtain consent before collecting identity proofs
6. Encrypt storage of buyer documentation
7. Delete lead data after reasonable time if unconverted
8. Update customer agreements with DPDPA disclosures
9. Ensure breach notifications and incident reporting mechanisms

Limited circumstances, such as government-required land/property registration processes, may fall under legitimate use.

Applicability in the Medical and Healthcare Sector

Healthcare providers including hospitals, clinics, diagnostic centres, telemedicine platforms, and wellness service providers process exceptionally sensitive categories of personal data, such as health records, medical histories, prescriptions, laboratory results, insurance information, and emergency contact details. While the DPDPA does not create a separate class of sensitive personal data (unlike GDPR’s Article 9), it indirectly imposes a heightened duty of care through Section 8, which mandates reasonable security safeguards for all personal data.

Most healthcare processing is covered under legitimate uses, particularly when it is necessary to provide medical treatment, respond to emergencies, or ensure patient safety. However, collecting personal data for promotional communication, wellness packages, and non-essential data analytics require explicit consent. Healthcare entities must also be mindful of strict deletion timelines under Section 9, ensuring that data is retained only for statutory medical record retention periods and not beyond.

Medical entities must:

1. Implement the highest level of security safeguards mandated under the Rules
2. Minimise collection of data not directly required for treatment
3. Provide deletion rights once data retention laws (such as clinical establishment rules) permit deletion
4. Ensure breach notifications and incident reporting mechanisms

Applicability to Other Non-Financial Sectors

A wide range of other sectors also fall fully under the Act’s scope. The hospitality industry collects personal data for guest registration, reservations, and government-mandated identity verification, and must ensure consent for digital marketing, loyalty schemes, or data sharing with travel partners. The e-commerce sector relies heavily on personal data for order fulfilment, logistics, and grievance redressal, but requires explicit consent for recommendation engines and personalised advertising. Educational institutions process student data for academic administration and compliance, requiring parental consent for processing of minors’ data under the DPDP Rules. Manufacturing and industrial entities may process limited personal data, but employee data, vendor contact details, CCTV surveillance footage, and visitor logs still bring them under the scope of the Act.

Processing of employee and vendor related data

Processing of employee and vendor personal data requires a nuanced understanding under the DPDPA, because the lawful bases and practical compliance mechanisms differ significantly for each category. In the case of employees, section 7(i) of the Act expressly recognises employment-related purposes as a legitimate use, thereby permitting employers to process the personal data of their employees including candidates, full-time staff, contractors, interns and potential employees without requiring explicit consent, so long as such processing is necessary for recruitment, attendance management, payroll, statutory compliance, or performance evaluation. However, any processing that goes beyond what is necessary for employment for instance, wellness programmes, optional benefits, behavioural analytics, or promotional features must still be based on consent.

However, in contrast, vendor employee related personnel data (names, email IDs, mobile numbers of points of contact) does not fall within any legitimate use category, and contractual necessity is not recognised as a lawful ground under the DPDPA. This leads to a practical challenge: vendors must supply personal data of their representatives for coordination and performance of commercial contracts, yet obtaining individual notices and explicit consent from each representative is often impracticable, and mere inclusion of consent language in the vendor contract does not satisfy the statutory requirement of explicit, informed consent.

To mitigate this, businesses can adopt a multi-layer compliance model. First, during vendor onboarding, companies can require the vendor entity to nominate authorised representatives, and mandate that the vendor obtain explicit consent from those individuals before sharing their information. The obligation can be placed contractually on the vendor to:

1. inform its representatives of the purposes for which their data will be processed,
2. provide them with the Data Fiduciary’s privacy notice, and
3. obtain explicit, affirmative consent before disclosing the data. 

While the DPDPA requires explicit consent from the Data Principal, it does not prohibit consent being obtained through an authorised intermediary, provided the intermediary can demonstrate that the individual has indeed given such consent. Second, companies may maintain a publicly accessible privacy notice (e.g., on their website) that applies to all external stakeholders including vendor personnel setting out the purposes of processing, retention periods, rights, and grievance redressal mechanisms. Though a notice must still be “made available,” a standardised publicly available notice reduces the administrative burden of issuing individualised notices in every instance. Third, when communication is initiated with a vendor’s representative for the first time, companies should send a brief digital notice, via email or SMS, giving the individual access to the privacy notice and explaining that their data has been provided by their employer for coordination of contractual activities. This satisfies the obligation of informing the Data Principal even if consent was collected upstream by the vendor. Finally, systems must allow vendor personnel to request correction or deletion of their details, and a replacement representative can be nominated by the vendor entity, enabling ongoing compliance without business disruption.

Treatment of Corporate Data and Email IDs as “Personal Data”

The DPDPA’s definition of personal data applies strictly to natural persons, and therefore corporate data that does not identify an individual lies outside its scope. However, the boundary can be complex. Email addresses such as firstname.lastname@company.com or name@gmail.com clearly identify specific individuals and therefore may fall within the definition of personal data. Similarly, phone numbers, employee codes linked to individuals, or vendor representative names constitute personal data.

Conversely, generic email addresses such as info@company.com, support@business.com, or legal@gmail.com cannot be traced to a specific individual and therefore would not be considered personal data. This interpretation aligns closely with GDPR Recital 26, which clarifies that data relating to legal persons or generic organisational identifiers does not constitute personal data unless it directly identifies a natural person. Non-financial entities must thus carefully classify their corporate data based on identifiability to avoid over- or under-compliance.

Security Obligations, Data Principal Rights and Deletion Requirements

All non-financial entities qualifying as data fiduciaries must comply with Section 8’s mandate to implement reasonable security safeguards, including organisational policies, encryption standards, access controls, periodic audits, vulnerability assessments, and incident response mechanisms. Data breaches must be reported both to the Data Protection Board and to affected data principals in accordance with the DPDP Rules, 2025. Larger non-financial entities may be designated as Significant Data Fiduciaries under Section 10, requiring them to appoint Data Protection Officers, conduct Data Protection Impact Assessments, and undergo independent data audits.

Data principals are granted a suite of rights under Sections 11 to 15, including the right to access information about processing, seek correction or erasure of personal data, nominate a representative for emergency situations, and obtain a grievance resolution in a timely manner. These rights create substantial operational obligations for non-financial entities, which must set up dedicated channels and workflows to address such requests.

Retention and deletion are governed explicitly by Section 9, which requires that personal data be erased once the purpose has been fulfilled and no legal obligation justifies continued retention. This provision significantly impacts sectors that historically maintained extensive archives of customer and employee data with no defined deletion timeline. The DPDP Rules, 2025, require periodic data retention assessments and impose specific timelines for erasure following the withdrawal of consent or completion of purpose.

Conclusion

The DPDPA represents a transformative shift by imposing uniform obligations across all entities that process digital personal data, regardless of the industry in which they operate. Non-financial entities often overlooked in discussions of data protection engage in extensive personal data processing through their digital platforms, operational systems, and customer engagement mechanisms. As a result, they are equally bound by statutory requirements governing lawful processing, consent mechanisms, legitimate uses, security safeguards, erasure obligations, and individual rights. The DPDP Rules, 2025, further operationalise these requirements, placing significant compliance responsibilities on non-financial sectors that must now adopt structured governance frameworks, update internal policies, and strengthen technical safeguards.

As India moves closer to an integrated digital economy, the DPDPA’s application to non-financial sectors ensures that privacy protection becomes a universal standard rather than a sector-specific obligation, aligning the country’s data governance landscape more closely with global frameworks such as the GDPR, while addressing local needs through its own unique regulatory philosophy. 

As Justice D.Y. Chandrachud observed in the landmark judgment of K.S. Puttaswamy v. Union of India:

“In the digital economy, every entity that touches personal data becomes a gatekeeper of privacy.”

This statement has become a defining reality in today’s data-driven landscape.

Our other related resources:

• Data Privacy Law and Rules notified: 18 months’ time to implement
• Consent Managers for NBFCs
• Data Privacy Law and Rules notified: 18 months’ time to implement