Securities Market Code: Consolidation, principled regulation-making, and decriminalisation

/2 Comments/in , , /by

– Payal Agarwal, Partner | Vinod Kothari & Company | corplaw@vinodkothari.com

Year 2025 will go down in the history of independent India as the year of the most brisk legislative activity – mostly by way of consolidation of some of the major laws. Income Tax Act, labour laws, securities markets, IBC, RBI Regulations etc – everywhere, we find the lawmakers have been quite busy themselves,  of course making the subjects and companies even busier. The Securities Market Code (SMC) has been introduced in the Lok Sabha, pursuant to the announcement in the Union Budget 21-22. Divided into a total of 18 chapters, the SMC seeks to consolidate and repeal the following: 

  • SEBI Act, 1992, 
  • Depositories Act, 1996, and 
  • Securities Contracts (Regulation) Act, 1956

The Code reflects a structural consolidation exercise, however, also with an underpinning attempt to make rule making more practical and principled, providing for investor protection by reintroducing ombudsman, providing legal sanctity to inter-regulatory coordination, covering complex securities transactions, etc. Further, the gazette notifications issued in relation to the aforesaid Acts are also proposed to be made a part of the Code. 

Major proposals 

  • Providing timelines & limitation period for investigations and validity of interim orders, with scope of extension in some cases
  • Classification between fraudulent/ unfair practices and market abuse, towards better clarity with powers to order cease and desist, authorisation for seizure of books etc. in case of market abuse 
  • Strengthening powers and functions of SEBI by enabling power to issue subsidiary instructions, undertaking periodic research and regulatory impact assessment studies etc. 
  • Issue of new regulations in relation to SEBI Ombudsperson, restitution to persons suffering losses on account of contravention etc. 
  • Introduction of new terms such as – market participants (issuers and investors), Securities Market Service Providers (Intermediary + MII + SRO) etc. 
  • Clarity in the scope of securities and recognition to “other regulated instruments”
  • Clarifications in relation to scope of investment vehicles, title over securities held with depository etc. 

Time-bound investigations and interim orders 

  • Limitation period for investigation: eight years from the date of default or contravention
    • Extension permitted in case of matters referred by Investigating Officer or matters having systemic impact on the securities market  [Clause 16] 
  • Investigation to be completed within 180 days
    • In case of delay, status to be provided along with the reasons for delay in writing, and extension to be sought from a Whole-time Member [Clause 13] 
  • Interim orders to be valid for upto 180 days
    • Extension may be granted for upto 2 years pending adjudication/ completion of inspection/ investigation [Clause 27]

Adjudication of penalties 

  • Maximum penalty to be linked with whether or not the default results in unlawful gain or losses to the investors or other persons, and whether such gain or loss is quantifiable
  • Decriminalisation of offences, provisions in relation to fines limited to offences such as market abuse, failure of compliance with orders of SEBI etc. 
  • Additional factors to be considered for adjudication of penalty incorporated based on judicial precedents 

Clarity in the scope of securities

  • Securities to include notes or papers issued for the purpose of raising of capital, which are listed or proposed to be listed, other regulated instruments etc. 

Classification between fraudulent/ unfair practices and market abuse 

  • To classify grave acts adversely affecting the integrity of securities market as “market abuse” 
  • Powers of SEBI to order cease and desist, authorisation for seizure of books etc. in case of market abuse 

Re-introduction of SEBI Ombudsperson

  • In case of non-redressal of grievances through GRM within specified period (180 days from receipt of grievance), may file a complaint with Ombudsperson within 30 days

Introduction of new terms

  • Market participant –  a person or its agent participating in the securities markets as an issuer or an investor; SEBI may issue instructions, call for information, etc from market participants
  • Securities market service provider – Intermediary + Market Infrastructure Intermediary (stock exchange, depository & clearing corporation) + SRO.
    • Obligations of SMSP given under Clause 35 – includes fair disclosure of information, investment of money collected by it in the manner as specified, furnishing information etc.
      • To be specified by the regulations 
  • Subsidiary instructions 
    • Power to issue to be with Chairperson along with WTM or by two WTMs of Board
      • To clarify ambiguity or laying down procedural requirements 
    • Contravention to be considered as contravention of the primary regulations 

Clarifications proposed

  • Records of depository to act as conclusive proof of title over security [Clause 58(2)]
  • Issuance and holding of securities in dematerialised form only [Clause 55(2) & (3)]
    • Option with the holder for holding in physical form has been omitted 
  • Right to be consulted or to give directions not a safeguard from being considered as investment scheme [Clause 32]

The Sabka Bima Sabki Raksha Insurance Bill: The 2047 Vision in action

/0 Comments/in , , /by

– Vinita Nair and Saloni Khant | corplaw@vinodkothari.com

Updated on May 3, 2025

Being the 10th largest[1] in the world, the Indian Insurance market grows at 10-15% annually but insurance penetration is only at 3.7% of the GDP[2] as against the global average of 7.3%. With a view to boost growth in the sector and implement the vision of ‘”Insurance for All by 2047’, amendments in the existing insurance laws were placed before the public for consultation in November, 2024. Following the due process of legislation, the draft bill underwent several changes, was passed by both the houses of the parliament, assented to by the president and finally notified in the Official Gazette as the Sabka Bima Sabki Raksha (Amendment Of Insurance Laws) Act, 2025 (“Amendment Act”) on December 21, 2025. The Amendment Act, that amends the Insurance Act, 1938, Life Insurance Corporation Act, 1956 and Insurance Regulatory and Development Authority Act, 1999, introduces fundamental reforms by liberalising foreign investments and reducing capital requirements but at the same time, strengthens regulatory oversight on the market participants with additional measures to protect the interest of the policyholders.

The Amendment Act became effective from February 5, 2026. The amendment relating to prohibition on common MD and officers among insurance companies, banking companies and investment companies (Section 32A of the Insurance Act), has not been made effective, in view of industry representation made to IRDA, refer the discussion below.

Read more

Strengthening India’s Corporate Bond Market: A Look at NITI Aayog’s Recommendations

/0 Comments/in , , , /by

Simrat Singh | finserv@vinodkothari.com

India’s aspiration to become a US $30 Trillion economy by 2047 rests on its ability to mobilise long-term, stable and affordable capital. Debt capital can be an attractive source for this. While banks have historically been the backbone of credit intermediation in India, a bank-dominated financial system may be inadequate to meet the financing needs of a developing country like India which includes long-gestation exposures to infrastructure, climate transition, manufacturing and other emerging sectors. Recognising this constraint, NITI Aayog’s report on Deepening the Corporate Bond Market in India (‘Report’) lays out reforms to develop corporate bonds as another major tool for mobilising long-term low-cost capital. 

In this note we highlight some of the reforms being advocated in the Report.

Key Thrust Areas of Reforms:

Regulatory Efficiency 

A central theme of the Report is the need to reduce regulatory friction arising from fragmented and overlapping oversight by SEBI, RBI and the MCA for corporate bonds. Inconsistent treatment of similar bonds, procedural complexity, overlapping disclosures and different approval timelines are identified as major constraints, particularly for public issuances and lower-rated issuers. A specific concern highlighted is issuer-based regulation: bonds issued by banks and NBFCs are regulated by the RBI, while similar bonds issued by non-financial corporates fall under SEBI and MCA oversight. This results in different disclosure standards and compliance processes for similar bonds

To combat this, first, the Report calls for stronger inter-regulatory coordination and recommends measures such as mutual recognition of disclosures, a joint regulatory help desk/single point of contact as well as joint circulars detailing the jurisdictions of each regulator – essentially a centralised coordination mechanism involving SEBI, RBI, MCA and the Ministry of Finance.

Second, the Report emphasises the need to rationalise disclosure norms for public bond issuances, which are significantly more onerous than those applicable to private placements. This asymmetry has led to an overwhelming reliance on private placements, which account for nearly 98% of corporate bond issuances in India (p. 25). Drawing on global practices, the Report recommends a differentiated disclosure regime for well-compliant issuers (p. 66). Specific reforms include extending the validity of offer documents from one year to two or three years, removing ISIN-wise issuance constraints, simplifying PAS-2 and Information Memorandum filings through digital automation on the MCA portal, and introducing a “Well-Known Seasoned Issuer” framework to enable fast-track access to public bond markets for reputed issuers.

Third, the Report stresses the need for regulatory clarity for hybrid instruments, including covered bonds1, securitised debt and infrastructure-linked securities. Many instruments used globally to fund long-term assets do not fit neatly within India’s regulator-specific silos. Jurisdictional ambiguity (which regulator oversees which instrument?) and the absence of standardised regulatory treatment have impeded market development. The Report recommends clearly defined frameworks to facilitate market clarity. In this context, it also highlights tax distortions; for instance, SDIs2 currently attract significantly higher TDS than corporate bonds. The Report states that SDIs are taxed at a higher rate than corporate bonds which prevents securitisation of bonds. However, effective 1.04.2025, SDI TDS rates are aligned with bond rate; both at 10% (See section 194LBC of Tax Act).

Market Infrastructure and Liquidity

Bonds are heterogeneous instruments, varying by type of issuer, tenor, covenants and structure. Unlike equities, electronic order matching alone cannot ensure immediacy of execution or continuous liquidity in the secondary market, particularly in lower-rated or infrequently traded bonds. Despite progress through electronic platforms such as RFQ for secondary trading and EBP for primary issuance, trading volumes remain shallow and concentrated in highly rated bonds.

The Report recommends expanding electronic trading, enhancing post-trade reporting (to improve price discovery) and increasing the proportion of trades settled on a Delivery-versus-Payment (DVP) basis3. Absence of a robust market-making ecosystem is seen as a major constraint on secondary-market liquidity (pp. 22, 36, 106). Limited risk appetite and balance-sheet constraints deter intermediaries from providing continuous two-way quotes, especially in lower-rated and longer-tenor bonds.

To address this, the Report recommends enabling market-making through regulatory incentives and improved access to repo markets. In particular, the creation of a standing repo facility by RBI for high rated corporate bonds would allow market makers4 to monetise inventories efficiently and support continuous liquidity provision. While corporate bonds are included in the RBI’s list of repo-eligible instruments, their treatment differs materially from Government securities (G-Secs). Repos in G-Secs are exempt from CRR and SLR computation which means Banks can access funds through G-Sec repos without providing SLR and CRR on those funds. In contrast, cash raised through repos backed by corporate bonds is treated as a liability for CRR and SLR purposes, hence banks have to provide CRR and SLR on the resulting liquidity. Also, unlike G-Secs, which are centrally cleared and settled through CCIL, corporate bond repos lack a single, standardised clearing and settlement mechanism; they are cleared through F-TRAC and stock exchanges. The result is that the volume of corporate bond repo is negligible (exact data on corporate bond repo could not be sourced).

The Report also flags structural weaknesses in the credit rating ecosystem, including rating inflation, conflicts of interest under the issuer-pays model, and excessive regulatory reliance on ratings (p. 71). Strengthening governance standards is the key recommendation for credit ratings. To improve credit rating access for smaller issuers, the Report suggests exploring alternative credit assessment models, including technology-driven frameworks using GST-returns and other turnover based data and digital transaction histories.

Further, the Report recommends strengthening the existing framework requiring large corporates to raise a portion of incremental borrowings through debt securities (LCB Framework)5. Proposed enhancements include increasing the minimum market borrowing requirement and progressively extending the framework to smaller corporates with lower thresholds.

Drawing on the IMF’s FSAP 2025, the Report also recommends allowing high-quality corporate bonds to be used as collateral in RBI’s repo operations. International experience from the ECB, Bank of Japan, and Reserve Bank of Australia suggests that such measures can enhance secondary-market liquidity and broaden the investor base, subject to appropriate safeguards.

Equally important is the creation of a government-backed, centralised corporate bond data repository. Fragmented data across regulators and exchanges currently hampers price discovery and covenant monitoring. A unified, real-time repository is recommended to improve transparency for issuers, investors, and regulators.

Innovation in Instruments and Market design

The Report makes it clear that regulatory reforms alone are insufficient; product and market innovation are essential to expand depth and distribute risk. India’s bond market remains narrow not only due to investor risk aversion but also due to the limited availability of instruments aligned with diverse risk–return preferences and long-gestation financing needs. Green bonds, sustainability-linked bonds6, and transition bonds are identified as important instruments for financing climate action and infrastructure. However, the absence of a standardised green taxonomy and concerns around greenwashing have constrained growth. The Report, therefore, recommends establishing clear definitions, disclosure standards and verification frameworks to ensure credibility and scale ESG-oriented bond markets.

The Report proposes institutionalising a dedicated class of Corporate Bond Dealers (CBDs), modelled on the U.S. primary dealer system. Eligible banks, NBFCs and other financial institutions would be required to provide continuous two-way quotes, supported by incentives such as capital relief on bond inventories and access to RBI refinance and repo facilities. Enhanced market surveillance, real-time trade reporting, price dissemination and inventory disclosures are also recommended.

Investor and Issuer Participation

Broadening the investor base is identified as another critical reform pillar. Long-term institutional investors such as insurance companies, pension funds and provident funds are natural holders of long-duration bonds, yet regulatory investment norms constrain exposure only to higher-rated securities. The Report recommends a calibrated relaxation of these norms.

For retail investors, the Report proposes lowering minimum investment thresholds (from existing ₹ 10,000), increasing retail quotas in public bond issuances, particularly for tax-free and ESG-linked bonds7, and simplifying TDS provisions to address tax inefficiencies in secondary market trades. OBPPs have been acknowledged to contribute to secondary market liquidity, however, the volumes are low. Further, there is no mention of concerns w.r.t downselling through OBPPs which was recently highlighted by SEBI8

On the issuer side, India’s corporate bond market remains heavily concentrated among AAA and AA-rated entities. To address this imbalance, the Report advocates scaling up credit enhancement mechanisms such as PCEs and support from development finance institutions. It also highlights the need to promote longer-tenor issuances, especially for infrastructure and climate-linked projects, where asset lives significantly exceed typical corporate bond maturities. In this context, it is noteworthy that NITI Aayog has cited our resource, “Partial Credit Enhancement: A Catalyst for Boosting Infrastructure Bond Issuances?”, in the Report while discussing the role of partial credit enhancement mechanisms in deepening the corporate bond market (pp. 75 and 99). Further, regulatory subsidies for first-time or low-volume issuers and pooled issuance platforms to facilitate market access for smaller issuers is also recommended (pp. 65, 75).

The Report recognizes that CDS are underdeveloped. Currently, CDS can be purchased only by investors who already own the underlying bond, which prevents trading in the CDS market. Further, only single-name CDS are permitted, which means a separate CDS contract is required for each issuer, unlike global markets such as the U.S., where index CDS allows one CDS to cover a basket of bonds. Lastly, there is a limit on FPI investors providing CDS which is 5% of the outstanding corporate bond market. These restrictions have resulted in limited CDS protection. The Report also recommends bigger NBFCs to act as CDS market makers

Conclusion

NITI Aayog’s recommendations envisage a corporate bond market that evolves from a supplementary funding channel into a core pillar of India’s financial system. If implemented in a coordinated manner, these reforms could expand the market to ₹100–120 trillion by 2030, improve financial stability, and channel long-term capital into productive investment. The real challenge, however, lies in execution, particularly in achieving sustained regulatory coordination and market-making capacity. Addressing these constraints will be critical if corporate bonds are to play a meaningful role in financing India’s long-term growth and infrastructure ambitions under the vision of Viksit Bharat by 2047.

See our other resources on bonds

  1. Bond Credit Enhancement Framework: Competitive, rational, reasonable
  2. Demystifying Structured Debt Securities: Beyond Plain Vanilla Bonds
  3. Bond market needs a friend, not parent
  4. SEBI Securitisation Regulations: Track Record, Risk retention and Investment size among several new requirements
  5. Mandatory listing for further bond issues
  6. NHB’s PCE Scheme for HFCs
  7. Corporate Bonds and Debentures
  1. Covered bonds are secured debt instruments backed by a segregated pool of high-quality assets, offering investors dual recourse to both the issuer and the underlying assets. May refer to our resource on covered bonds. ↩︎
  2. May refer to our book Listing Regulations on Securitised Debt Instruments and Security Receipts ↩︎
  3. DVP is a settlement mechanism in which the transfer of securities and funds occurs simultaneously, eliminating counterparty and settlement risk
    ↩︎
  4.  May refer to our resource ‘Bond issuers set to become Market Maker to enhance liquidity’ ↩︎
  5. May refer to our resource ‘Mandatory bond issuance by Large Corporates: FAQs on revised framework’ ↩︎
  6. May refer to our resources ‘Sustainability or ESG Bonds’ and ‘From Rooftops to Ratings: India’s Green Securitisation Debut’ ↩︎
  7. May refer to our resource ESG Debt Securities: Framework for Issuance and Listing in India ↩︎
  8. May refer to our resource “Downstreamed through intermediaries: Deemed public issue concerns for privately placed debt” ↩︎

Dilemma of Duty: Companies in a fix as State demands Stamp Duties already paid as per Central law

/0 Comments/in , /by

– Sikha Bansal and Nitu Poddar | corplaw@vinodkothari.com

Published in Moneylife on December 16, 2025

The Indian Stamp Act, 1899 (“Stamp Act”) was amended in 2019 by the Finance Act, 2019 (“Amendment”), broadly – to introduce a unified mechanism for levy and collection stamp duty on issuance and transfer of securities, by insertion of sections 4(3), 9A, 9B, 62A, 73A, Article 56A among others. That Amendment introduced a unified, nationally applicable stamp duty framework that prescribes 0.005% as the duty on the issue of shares, to be collected centrally through depositories. This is how the era of dematerialised issuance of capital market instruments was ushered and furthered. 

After more than 5 years of the Amendment,  Delhi-based companies have begun receiving notices from the Delhi Revenue Department questioning the stamp duty paid on the issue of shares. The Department has, in fact, issued Letters to the depositories [NSDL, CDSL] asserting that stamp duty ought to have been paid at the rate of 0.1% on the value of shares issued, based on Article 19 of the State stamp law, disregarding the 2019 Amendment, and prohibiting the  depositories from collecting stamp duties on their behalf.

The State move has triggered uncertainty regarding share issuances effected after 1 July 2020, when the amended Stamp Act came into force. The communications issued by the Revenue Department of Delhi , with an ask of  duty which is 20 times more than the rate approved by the Parliament, disregard and challenge this uniform regime, leaving the companies grappling with compliance ambiguity and the risk of retrospective financial exposure, despite having followed the statutory mechanism approved by the Parliament.
If other States start asking for duties as per their respective laws, the intended harmonisation of stamp laws will soon turn into a cacophony!

This article touches upon the objective of the Amendments and looks for potential answers on the way forward.

The Amendment: a Unified Scheme

Pursuant to the Amendment, sections 9A and 9B were introduced in the Stamp Act. Section 9A is a non-obstante provision, which mandates that the depositories shall collect the duty on behalf of the State Government (“SG”) from the issuer, on the total market value of the securities. Similar provisions are there to deal with sale or transfer of securities. Section 9A(2) provides for levy of stamp duty as per the applicable rates given in Schedule I. Currently, as per Article 19 read with Article 56A of Schedule I, the stamp duty on the issue of shares is fixed at 0.005%. 

Notably, section 9A(3) expressly prohibits SGs from levying or collecting stamp duty on instruments covered under Section 9A(1), including the issue/sale/transfer of shares. Therefore, it is clear from a reading of bare provisions of the Stamp Act, that it was a conscious call to unify the mechanism for levy and collection of stamp duties, albeit, the right of the SGs to receive the duty remains protected – as the depositories will collect the stamp duty, only on behalf of the SGs. 

Rationale for the Amendment

The rationale and intent behind the Amendments was given in the Statement of Objects and Reasons in the Finance Bill, 2019 as follows:

“13. Clauses 11 to 21 of the Bill seek to amend the Indian Stamp Act, 1899 for levy and administration of stamp duty on securities market instruments by the States at one place through one agency, viz., through Stock Exchanges or its Clearing Corporation or Depositories on one instrument, and for appropriately sharing the same with respective State Governments based on State of domicile of the ultimate buying client.”

The Press Release by the Ministry of Finance dated Feb 21, 2019 states that, “In order to facilitate ease of doing business and to bring in uniformity and affordability of the stamp duty on securities across States and thereby build a pan-India securities market, the Central Government, after due deliberations, in exercise of powers under Entry 91 of the List I and Entry 44 of List III of the 7th Schedule of Indian Constitution, has decided to amend the Indian Stamp Act, 1899 to create the legal and institutional mechanism to enable states to collect stamp duty on securities market instruments at one place by one agency (through Stock Exchanges or Clearing Corporations authorized by it or by the Depositories) on one Instrument and develop a mechanism for appropriately sharing the stamp duty with relevant State Governments.

Further clarification on implementation of the Amendments was given vide Press Release dated June 30, 2020 which also reiterated the above and indicated that the Amendments were done after due consultation with State Governments.

See also, RBI Press Release dated July 1, 2020.

As it appears from the aforesaid Press Release, and also the Budget Speech for 2018-19 by the then Finance Minister, Shri Arun Jaitely, necessary consultation has been done with the States before amending the Central Act. Section 9A(4) specifically mandates that the 2019 Rules governing collection of stamp duty through depositories be framed in consultation with SGs

The question of constitutionality and legal principles

The issue, as it appears, involves a question of constitutionality. The Centre has enacted the Amendments citing “Entry 91 of List I: rates of stamp duty on instruments including transfer of shares and debentures” and “Entry 44 of List III: stamp duties other than judicial stamps, excluding “rates of stamp duty”. 

However, the Delhi Revenue Department appears to be disregarding the Amendments possibly on the following grounds:

  • Entry 63 of List II covers “rates of stamp duty” on documents other than those in List I. As such, this is the Entry which empowers the SG to decide on the rates of stamp duty.
  • Entry 91 of List I covers only “transfer” of shares, not “issue” of shares. As such, SG is the appropriate authority which can levy stamp duty on “issue of shares”.
  • Entry 44 of List III excludes “rates of stamp duty” from the concurrent list (which might lead to an inference that Centre cannot make laws on rates of stamp duty).
  • A further contention is that the depositories were not authorised by the Delhi Government to collect stamp duty on its behalf. 

Now, the question of constitutionality is itself a complicated matter, and is subject to judicial examination and interpretation. However, until the question of constitutionality is settled, any act/omission to act should ideally be judged on the basis of these two very important principles: One, Central law prevails over State laws, and two, presumption of validity of laws, as discussed below.

Prevalence of Central Law over State Law

First, that in case of inconsistency, if at all, between the law prescribed by the Centre and law prescribed by the State, the Central law prevails. Once Parliament legislates within its competence, and particularly when the legislation is later in time and designed to create a comprehensive framework, the Central law prevails in case of conflict. This is also referred to as doctrine of repugnancy. The Supreme Court has consistently affirmed the primacy of Parliamentary legislation in cases of overlap or conflict. 

See an exhaustive discussion on the doctrine of repugnancy in Forum for People’s Collective Efforts (FPCE) & Anr. v. the State of West Bengal and Others (2021). See also, I.T.C. Ltd. Etc v. State Of Karnataka (1985), in which the Supreme Court also observed that, “There may also be cases where despite an entry being in List II, the Parliament may under the provisions of Art. 246(3) take over that particular field and legislate on that subject which will debar the late legislative from adding or passing any such legislation which has been taken over under Act. 246(3).” See also, Baijnath Kedia v. State Of Bihar(1969).

Applied to the present context, the intent behind the 2019 amendment was unambiguous – to harmonise stamp duty on securities across India and eliminate State-level divergences that impede market efficiency.

Presumption of validity of law

Secondly, it is a well-established principle that there is a presumption always in favour of constitutionality of law, until a competent court declares it unconstitutional.  The onus to prove otherwise is on the person challenging it. In Chiranjit Lal Chowdhuri v. Union of India and Others, the Supreme Court observed, “ . . .the presumption is always in favour of the constitutionality of an enactment, and the burden is upon him who attacks it to show that there has been a clear transgression of the constitutional principles.” See also, Nand Kishore v. State of Punjab, Dharmendra Kirthal v. State of Uttar Pradesh and Another.

Therefore, in so far the question of constitutionality of the Stamp Amendments is concerned, the said Amendments have not been struck down by any court of law. Hence, there shall be a presumption that the Amendments are constitutionally valid and the stakeholders remain bound by the central framework. 

Depositories as statutory collecting agents

The contention that depositories require authorisation from individual State Governments is misplaced. Depositories collect stamp duty not as agents appointed by States but as statutory collecting authorities designated by Parliament under the Act read with Rules. Once Parliament has prescribed the mode of collection, State consent is not required.

Could Companies have paid any duty other than 0.005%?

Operationally, no. Companies issuing shares in dematerialised form have no option but to pay stamp duty at the rate of 0.005 percent. Depositories auto-calculate and collect duty at 0.005% based on the consideration value, leaving no discretion to issuers. The stamp duty calculator on the website of the depository also calculates the duty at the rate of 0.005% of the issue size. Further, CDSL’s SOP states, “the issuers have to remit applicable stamp duty to CDSL in the designated bank account before executing the corporate action in the system. If sufficient stamp duty amount is not present against the issuer, then the corporate action setup/ file uploaded by RTA remains under ‘Pending for Stamp Duty’ Status in CDSL system. In case of issuance stamp duty is applicable @0.005% of the consideration value. A stamp duty calculator has also been provided on the website for the purpose of applicable stamp duty. “

Potential steps for the companies 

From the discussion above, it is clear that:

  • the Amendment has been issued by the Central Government, 
  • the Amendment is later in time than the Delhi Amendment Act, 2001, 
  • so far, no competent court of law has declared it unconstitutional, and
  • duty paid by companies was not discretionary or something which companies would have controlled, but statutorily embedded into the functioning of the centralised system under Section 9A.

As such, all concerned are bound by such law. No fault can lie with the issuer companies which simply complied by the Centre-enacted law, and paid duty as per directions of authorities. 

Given the situation, the companies which receive any similar notice can take the following steps (to be evaluated on a case-by-case basis): 

  • Respond to the notices by citing Section 9A and enclosing evidence of duty paid through the depository;
  • Seek clarification from the Depositories and the Ministry of Finance;
  • Consider approaching the High Court by filing a writ under Article 226 to challenge the notices if enforcement action is initiated;
  • Evaluate whether any disclosure is necessary in the financial statements, depending on the wording of the notice and the likelihood of enforcement.

Closing Remarks

The unified stamp duty framework introduced in 2020 is a considered step calling for centralisation of duty collection on securities. As the communications by the Delhi Revenue Department  attempt to enforce a pre-2020 State rate, it is quite possible that the issue goes for judicial determination, mainly on the grounds of constitutionality. In any case, until the question of constitutionality is determined, the presumption of validity exists in favour of the Amendments. 

Our other resources:

  1. Article Corner on Stamp Duty
  2. Stamp duty on amalgamation with subsidiaries: Clash of court rulings
  3. Recent Amendments in Indian Stamp Act, 1899

The fine line between gossip and truth: conflicting rulings on price sensitive information disclosure

/1 Comment/in /by

– Saloni Khant, Executive | corplaw@vinodkothari.com

If there is a truth that the market needs to know, it is the duty of the company to let the market know it, no later than the truth becomes good for disclosure. It is no good for the company to sit smirking and watch unofficial media reports do rounds, even if these unofficial reports are as close to the truth as the company would have revealed. The duty to reveal does not get over with seeing the truth out through unofficial means. In fact, that raises even a larger concern: one, that the company failed its duty to speak the truth, and two, if the company did not reveal it, how did the market know it, and know almost the whole of the truth.

This is the law that we learnt and believed. This is the law that the SC in its December 2, 2025 ruling laid. This is the law that was reinforced by a clear language specifically amended vide the SEBI (PIT) (Amendment) Regulations, 2024

However, insider trading matters always tend to become so very case-specific that every case seems to say a different story. Some cases tell a story that one may not like to carry or use as a precedent, for example, the order dated December 12, 2025 by the Quasi-Judicial Authority, SEBI, in the matter of a large listed entity. 

In this article, we discuss what would be construed as “unpublished”, hence, UPSI, in the light of the recent SC order vis-a-vis recent and past rulings of SEBI on the subject. 

Meaning of UPSI

The definition of UPSI, as given under Reg 2(1)(n) of the PIT Regulations, 2015, contains the following elements: 

(i) There is an information

(ii) The information relates to the company or its securities, directly or indirectly

(iii) The information is not generally available, that is, unpublished.

(iv) The information is likely to materially affect the price of the securities upon becoming generally available, that is, price-sensitive

A list is also given, of information that would ordinarily be considered UPSI. 

Thus, in order to be construed as UPSI, both “unpublished” and “price-sensitivity” shall be present. In the absence of one of these, the information does not remain UPSI. In order to qualify as “unpublished”, the same shall not be “generally available information”. 

Generally available information and unverified media reports 

Generally available information is defined under Regulation 2(1)(e) as 

“Information that is accessible to the public on a non-discriminatory basis and shall not include unverified event or information reported in print or electronic media.

The phrase “shall not include unverified event or information reported in print or electronic media” was inserted pursuant to the SEBI (PIT) (Amendment) Regulations, 2024 following the Consultation Paper dated December 28, 2023

The CP pertained to verification of market rumours, and proposed that: 

In case the listed entity has classified certain information as UPSI and the entity neither confirms, denies or clarifies market rumour pertaining to such information published in the media, then such media reports should not be used later by an insider as a defence that the information was ‘generally available’.

Thus, an unverified media report does not constitute “generally available information”. 

Verdict of Supreme Court

In its order dated December 2, 2025, the Supreme Court upheld a penalty of Rs. 30 lakh on a listed entity for non-disclosure of UPSI to the stock exchange when the information had already been widely disseminated by news agencies. It upheld that 

Selective leakage of the information, howsoever accurate or otherwise or complete or in bits and pieces, does not discharge the company from its responsibility of making prompt disclosure to make it generally available, more so when such information has been classified by company as UPSI.’

Recent Order passed by SEBI contrary to SC’s verdict 

In a later order dated December 12, 2025, the charges against the alleged insiders were leakage of UPSI and trading while in possession of UPSI. The alleged UPSI in the instant case was acquisition of a company in the same sector which would lead to a major increase in operational capacities. The Company disclosed the same officially only on execution of the share purchase agreement on May 19, 2025, while several press reports appeared about the very same news on May 16, 2025 and May 17, 2025. In its order, the Quasi Judicial Cell (QJC) , SEBI dropped charges against the company primarily on the ground that the “news” was already in public domain. The QJC has reproduced extracts from several such media reports, none of which were based on a disclosure made by the company.  Based on these reports, QJC held that the information “ceased to be UPSI as it was available on non- discriminatory basis and became generally available information after the publication of the news reports”. The QJC cited several past rulings to support its view, even though, before the QJC order dated December 12, 2025, rulings of SAT as also the December 2, 2025 ruling of SC were also available, and not cited in the QJC Order. 

Is this order one of its kind, or does it serve as a precedent? If it serves as a precedent, then it seems to be unsettling the law, apparently settled after the specific amendment made in May 2024

We take note of the various rulings in the matter.

A. Rulings favouring unverified media reports as “unpublished” or “selectively available” information 

In a February 2021 order,  SEBI held that statements made by the Chairman/ Managing Director of a company in response to an interview to select news channels does not result in making an information “generally available”. This was based on the reason that: 

“The said information was very fluid and nebulous as it was bereft of specific details as to how this restructuring will ultimately be executed. Questions and response to the questions posed during the interview were varied and did not contain all the information in uniform/structured manner.”

In a November 2020 order, it was observed that news reports about an UPSI without any specific details and supporting evidence for its contents does not result in making that UPSI generally available. 

In a June 2020 order, SEBI, referring to the definition of “unpublished” under the 1992 Regulations, held that media reports are speculative in nature, and hence, unless published by the Company, cannot be treated as published information.

B. Rulings favouring unverified media reports as “generally available” information 

The recent December 12 order of SEBI draws reliance on various past rulings on the subject. The same has been briefly discussed below. 

An appeal against a SEBI order, back in 1998, decided by the then Appellate Authority (erstwhile Ministry of Finance) observed:

For information to be generally known, it is not necessary that it be confirmed or authenticated by the company as otherwise, it would fall within the scope of ‘published by the company.

xx

Information which was published in press reports despite non -acknowledgement by the Company, was generally available/ known information if ‘there are strong reasons to believe that the impending merger, though not formally acknowledged or published, was in one sense generally known and UTI’s denial of knowledge cannot be implied to mean that market in general had no information in this regard.

This order attempted to distinguish between “unpublished” and “generally available” information. However, following the said order, the 1992 Regulations were amended by a 2002 amendment to clarify that – “Speculative reports in print or electronic media shall not be considered as published information”. 

In a December 2023 order of SAT where the information in relation to a proposed merger became available in public domain through news articles, digital media, etc, such media-published information was considered as making the information “generally available”. 

“Thus, the contention of the respondent that the term “generally available information” means only the information which has been disseminated on the platform of the stock exchange is taking a very narrow and restrictive view. Whereas information published on the stock exchange would constitute generally available information, it would also follow that any information accessible to the public on non-discriminatory basis would also be generally available information.

Thus, publication of information regarding the transaction which was reported in multiple prince and digital publication including Economic Times, The Hindu Business, Business Lines, The Money Control, etc. wherein the nature of transactions was highlighted in depth clearly leads to an irresistible conclusion that information of the transaction was generally available”.

A similar view was taken by SEBI in an October, 2020 order where based on the wide viewership of the media, the UPSI was considered to become generally available. 

In a January 2018 order, SEBI held that UPSI related to receipt of a show cause notice becomes public from the date of its publication in a specific newspaper.

Leakage of UPSI

Parallel to the disclosure requirements applicable on the company, the leakage of UPSI through media reports also require companies to do an inquiry into the source of the leakage, and review of the internal processes to monitor and avoid any future instances of leakage of UPSI. 

Conclusion 

Despite the above QJC Order, we are of the view that the duty to make truthful disclosure is that of the company; the company cannot either remain silent, or treat media gossip as the revelation of truth. As Manusmriti 2.83 says: मौनात् सत्यं विशिष्यते. 

Author’s Comment: 
The  facts of the case in the 12th December ruling of SEBI pertain to a matter in 2021. The mandatory requirements with respect to rumour verification were first notified in 2023, with subsequent extension of dates to its applicability. Amendments in the definition of “generally available” information were also notified in May 2024. As such, the ruling is based on the position of law prior to such amendments, and is based on the views taken by SEBI and SAT in similar other matters.  
We understand that every quasi judicial decision is based on the facts of the matter, application of the law on the specific factual matrix, etc. In the instant case, the issue under consideration might have been whether, after the press releases precisely giving out the details of the matter, would there have been any additional information by the company, even if the company was to give its own disclosure.

Our other Resources:

  1. Failure to disclose price sensitive information: SC upholds penalties
  2. Prohibition of Insider Trading – Resource Centre
  3. Defining Duty: Extent of Liability of a Compliance Officer under Insider Trading Regulations

RBI Guidelines on Current Account and OD Facilities: Key Provisions

/0 Comments/in /by

– Anita Baid | finserv@vinodkothari.com

RBI has introduced significant amendments concerning the opening and operation of Current Accounts and Overdraft (OD) facilities. In case of commercial banks, the new provisions contained in Chapter XIA – ‘Opening of Current Accounts and CC / OD Accounts by Banks’, replace the erstwhile framework outlined in Chapter XI of the Reserve Bank of India (Commercial Banks – Credit Risk Management) – Amendment Directions, 2025. The revised guidelines aim to rationalize the restrictions, particularly by increasing the minimum exposure threshold for applicability and providing explicit exemptions for Cash Credit (CC) facilities, thereby streamlining the management of working capital and banking arrangements for corporate borrowers.

Read more

Shastrartha 25 – Regulations for Banking Group Entities

/0 Comments/in /by

Register your interest here: https://forms.gle/cfHXEVc39B4g14ek6

A 5th December 2025 RBI amendment has introduced significant changes to the manner in which business activities may be allocated among banks and entities within banking groups, including NBFCs, HFCs, securities broking entities, AMCs, and others. These changes impact all banks with non-banking subsidiaries or associates, as well as all NBFCs, HFCs, and related entities forming part of banking groups.

Some of the requirements come into effect as early as 31st March 2026, creating an urgent need for impacted entities to reassess, restructure, or reposition their business models and inter-group arrangements.

We intend to examine these developments in depth. Given the nature and implications of the amendment, the session will include active interaction with seasoned banking and finance professionals.

You are invited to express your interest in joining this interactive discussion, scheduled for December 15th, 2025 | 6:00 p.m. onwards | YouTube & Zoom Live.

Other Resources:

A New Way to Verify Aadhaar Offline: Introduction of Face Matching

/0 Comments/in /by

– Anita Baid | finserv@vinodkothari.com

The identity verification process, specifically in case of digital transactions, has taken another step with the introduction of the Aadhaar Verifiable Credential (AVC) verification process. Introduced vide the Aadhaar (Authentication and Offline Verification) Amendment Regulations, 2025, this intends to ease the KYC verification process by regulated entities. 

For all these years, aadhaar verification relied primarily on authentication mechanisms such as OTP or biometric scanning or various forms of offline verification such as QR code verification or e-aadhaar verification or offline paper based verification. While authentication requires interaction with the UIDAI’s central servers; offline methods can be prone to manual handling and lack the security assurance that comes with a digitally verifiable central record.

Existing Offline Verification Mode

Regulated entities like banks and NBFCs, have a requirement of performing identity verification or KYC, make use of Aadhaar offline verification for the same. The common modes of offline verifications are as follows:

  1. Collection of the Aadhaar letter copy or printed E-aadhaar or PVC card and subsequently read the QR code to validate the digital signature and match the information in QR code with the printed information. 
  2. Reading QR code from the e-Aadhaar or m-Aadhaar application or PVC card or Digi locker app by using a mobile app or computer application. Subsequently the digital signature present in the QR code is validated, the information in QR code is matched with the Aadhaar data.
  3. Borrower submits a downloaded Paperless Offline e-KYC file and the digital signature in the file is validated. 

Now the Amendment Regulations have inserted another mode that is, Aadhaar Verifiable Credential verification, which may be carried out with or without offline face verification. Further, the reference to XML file and m-Aadhaar has been removed. 

What is an Aadhaar Verifiable Credential (AVC)?

AVC is a digital document issued by the Unique Identification Authority of India (UIDAI) that encapsulates specific, minimal identity attributes of an Aadhaar holder (e.g., name, date of birth, photo, last four digits of the Aadhaar number). Given that the AVC is issued by the UIDAI, makes it tamper-proof and instantly verifiable for authenticity. 

The Amendment Regulations provides the following definition:

“Aadhaar Verifiable Credential” means a digitally signed document issued by the Authority to the Aadhaar number holder which may contain last 4 digits of Aadhaar number, demographic data, like, name, address, gender, date of birth, and photograph of Aadhaar number holder, and such other information as may be specified by the Authority, which may be shared by Aadhaar number holder in full or part with an OVSE in the manner specified by the Authority, for verifying the demographic information or photograph of the Aadhaar number holder;”

Unlike full Aadhaar authentication, which might reveal more information than necessary, the AVC allows for selective disclosure, containing last 4 digits of Aadhaar number, demographic data, like, name, address, gender, date of birth, and photograph of Aadhaar number holder, and such other information as may be specified by the UIDAI. 

The key features of the AVC are as follows:

  1. Nature of document: It is a digitally signed document, with a tamper-proof and verified nature.
  2. Issuer: The document is issued solely by the Authority, that is UIDAI.
  3. Selective Disclosure: The AVC contains selective demographic data, including the last four digits of the Aadhaar number and a photograph.
  4. Controlled Sharing: The AVC is shared by the Aadhaar number holder with an OVSE (Offline Verifying Seeking Entity), ensuring the holder maintains control over  its dissemination.
  5. Purpose: The sole purpose of sharing the VC is for verifying the demographic information or photograph of the holder, strictly limiting its use for KYC procedures.

Who are Offline Verification Seeking Entity (OVSE)?

The Amendment Regulations, 2025, require Verifying Entities on being registered as OVSE to perform offline verification. Further, the regulated entities are required to make an application to UIDAI under Regulation 13A to perform Aadhaar Paperless Offline e-KYC or Aadhaar Verifiable Credential (AVC) verification via the Aadhaar Application.

The registration process requires the entity to apply to UIDAI on specified terms and conditions. UIDAI has the power to request further information, verify the details submitted, approve the application if satisfied, or reject it otherwise. If rejected, the grounds must be communicated within fifteen days. An aggrieved applicant has thirty days to apply for reconsideration. Crucially, a registered OVSE must perform offline verification only for lawful purposes, which includes carrying out KYC and Customer Due Diligence by a regulated entity.

The Amendment Regulations also clarify that Offline Verification may be carried out by the OVSE with or without offline face verification. Hence, there is an option that AVC verification can be clubbed with offline face verification.

Offline Face Verification Process

The Amendment Regulations formally define ‘Offline Face Verification’ as: 

‘”Offline Face Verification” means a mode of offline verification in which the live facial image of an Aadhaar number holder is captured and is verified against the photograph of the Aadhaar number holder stored within the Aadhaar application of the Aadhaar number holder for the correctness, or lack thereof;”

In this regard, “Aadhaar Application” means any official mobile application or web application developed and managed by UIDAI to provide an interface to Aadhaar number holders for services related to Aadhaar, including performing offline verification.

The process of Offline Face Verification establishes a secondary, crucial layer of verification that links the digital credential embedded in the AVC to the physical presence of the individual. The requirement is to ensure a live facial image of the aadhaar holder is captured, hence requiring a physical meeting and verifying it against the photograph from the aadhaar application. This is a significant step toward preventing the fraudulent use of a verified credential by someone other than the actual holder, ensuring greater integrity of the KYC process. We will have to wait and see in case the RBI comes up with necessary amendments in the KYC Directions to recognise the AVC and face verification done remotely as a face to face mode of KYC. 

Will there be an ease for Regulated Entities (RE)?

The existing process of KYC identification includes offline verification and authentication. For the implementation of the AVC and face verification facility, the RE is additionally required to be registered as an OVSP.  

Henceforth, there will be only 3 recognised ways of performing Aadhaar offline verification with or without offline face verification- 

  • QR Code verification 
  • Aadhaar Paperless Offline e-KYC  
  • AVC verification 

It seems that the Amendment Regulations require registration as an OVSE for the purpose of carrying out offline verification in case of AVC or Aadhaar Paperless Offline e-KYC Verification through the Aadhaar Application. The other modes of carrying out the verification (QR code verification, e-Aadhaar verification/Offline Paperless e-KYC verification) do not require any such registration. However, these modes require the RE to validate the digital signature of the Authority embedded in these documents. RE will, therefore, now have to decide which of these options is operationally more convenient for them.

Further, it seems that offline verification along with offline face verification would be regarded as a complete face-to-face KYC for the purpose of the onboarding of customers by regulated entities. 

Read More:

  1. Online Authentication of Aadhaar: Exclusive Club, Members Only!
  2. Setu-ing the Standard: NPCI’s New Path to Aadhaar e-KYC
  3. Resources on KYC


Every Business is a Data Business: Applicability of DPDP Act to Non-Financial Entities

/0 Comments/in , , , , /by

-Archisman Bhattacharjee | finserv@vinodkothari.com

Introduction

The Digital Personal Data Protection Act, 2023 (“DPDPA”), along with the Digital Personal Data Protection Rules, 2025 (“DPDP Rules’, “Rules”), establishes India’s first comprehensive and rights-based data protection regime. The Act’s applicability extends far beyond financial institutions; it encompasses any entity, large or small, digital or traditional, that processes digital personal data. Although public discourse frequently associates data protection obligations with banks, fintech companies, and large technology entities, the DPDPA’s scope is intentionally crafted to be broad and sector-agnostic. As a result, non-financial entities operating in fields such as FMCG, real estate, healthcare, hospitality, education, retail, and even small kirana shops using basic digital systems are brought squarely within its regulatory ambit.

This wide applicability stems from the Act’s fundamental design. It regulates processing, not industry classification. As long as an entity processes any digital personal data, whether it is a customer’s name and phone number, an employee’s email address, a patient’s medical record, or a tenant’s identity document, the DPDPA applies, unless a statutory exemption is granted.

This article examines the applicability of the DPDPA to non-financial entities, analyses the lawful bases for processing personal data, evaluates sector-specific implications, discusses whether corporate data is included within the scope of “personal data”, and explores the operational and regulatory obligations, including security safeguards, deletion timelines, and Data Principal rights. A supporting analysis of Section 17 of the DPDPA which empowers the Central Government to exempt certain entities is also provided, along with the practical question of whether small businesses such as kirana stores may eventually be exempted.

Statutory Foundation for Applicability to Non-Financial Entities

The applicability of the DPDPA flows from Section 3, which states that the Act applies to the processing of digital personal data (including personal data which is collected physically and digitised later) within the territory of India and to processing outside India if the processing is connected with any activity of offering goods or services to data principals within the territory of India. There is no carve-out or exception based on the nature of the business, regulatory environment, or industry classification of the entity. Consequently, companies operating in sectors such as fast-moving consumer goods (FMCG), real estate, hospitality, e-commerce, education, healthcare, and professional services must comply with the Act if they process digital personal data.

The definition of “personal data” under Section 2(t) is intentionally broad, referring to any data about an identified or identifiable individual. This broad definitional standard ensures that even the most basic identifiers such as, names, phone numbers, email addresses, login credentials, and customer records fall within the purview of the Act. As a result, non-financial entities that process personal information of customers, employees, patients, visitors, students, tenants, or vendors automatically become “data fiduciaries” under Section 2(i) and must meet all obligations imposed by the Act.

The core philosophy underlying the DPDPA is processing-centric regulation. The Act deliberately avoids distinguishing entities based on their business sector, risk level, or regulatory regime. Instead, it focuses on the fundamental principle that any organisation handling personal data plays a significant role in the digital ecosystem. Non-financial entities have dramatically increased collection and utilisation of personal data for purposes such as digital marketing, analytics, supply-chain management, customer engagement, employee administration, and third-party platform integrations. This reality makes them equally capable of causing privacy harms or security breaches as financial institutions, and hence equally subject to regulation.

Moreover, non-financial sectors operate extensive digital infrastructure, such as e-commerce platforms, CRMs, ERPs, AI-based analytics systems, CCTV surveillance networks, and biometric verification systems, that rely heavily on personal data. These systems are vulnerable to cyberattacks, unauthorised access, data misuse, profiling, and identity theft. By bringing them fully within the regulatory framework, the DPDPA ensures a uniform accountability standard across the Indian digital economy.

Impact on Small Entities and the Prospect of Exemptions

Small business owners including kirana shops, local merchants, fitness coaches, small doctor’s clinics, tuition centres, neighbourhood restaurants and small real-estate brokers frequently engage in personal data processing such as storing customer phone numbers for order delivery, maintaining digital records for loyalty schemes, providing receipts digitally etc. The Act, as it stands, does not grant automatic exemptions for such entities. They are expected to issue notices, collect valid consent where applicable, respect withdrawal, ensure reasonable security safeguards, and delete data once the purpose is achieved.

This creates a compliance burden that many micro-enterprises lack the resources to fulfil. The proportionality concerns are evident: penalties under the Act may reach hundreds of crores, even though government statements indicate that penalties will be imposed only where there is significant negligence or wilful misconduct. 

The presence of Section 17(3), however, signals clear legislative recognition that small entities may require differentiated treatment. It remains reasonably likely that the government may, in future, exempt certain classes of micro-entities processing minimal personal data from certain provisions of the Act as provided under Section 17(3) and declare them as “low-risk data fiduciaries” with reduced compliance requirements.

Such exemptions would be consistent with global practice: for instance, GDPR permits reduced compliance obligations for small data volumes and uses a risk-based approach. Until notifications are issued, however, all entities including small merchants who are processing digital personal data,  remain subject to the Act.

Modes of Data Processing: Consent and Legitimate Uses

Under the DPDPA, the only lawful basis for processing personal data without consent is the limited set of “legitimate uses” specified under Section 7. Unlike earlier drafts of the Bill or international frameworks like the GDPR, “contractual necessity” or “contractual obligation” is not included as a legitimate use under the enacted DPDPA. This is a deliberate departure from global practice and means that entities cannot rely merely on contractual engagement to justify processing of personal data without consent.

Consent therefore becomes the primary lawful basis for most private-sector organisations, especially in non-financial sectors. Consent must meet the requirements of Section 6 and must be preceded by a detailed notice under Section 5. Withdrawal of consent must be as easy as its grant, placing significant obligations on data fiduciaries.

Legitimate uses under Section 7 remain narrow and apply primarily to scenarios such as compliance with law or judicial orders, medical emergencies, safeguarding individuals during disasters, and other notified public-interest functions. Most routine commercial operations in FMCG, real estate, healthcare, retail, and education do not fall within legitimate use and therefore require consent-based processing.

Applicability on Non-Financial Sector entities

Applicability in the FMCG Sector

FMCG companies, both digital-first and traditional, routinely collect and process large volumes of personal data, often through online portals, mobile applications, loyalty cards, e-commerce platforms, and promotional events. Customer names, phone numbers, addresses, behavioural data, purchase histories, and feedback form the core of their data-driven marketing strategy. Because “contractual necessity” is not a legitimate use under the DPDPA, almost all customer-facing processing requires consent, particularly marketing, profiling, analytics, and preference tracking

Additionally, FMCG entities store substantial employee personal data, which may be processed under legitimate uses for employment However, indefinite retention of customer data after fulfilment of the purpose is expressly prohibited under Section 9, mandating regular deletion or anonymisation.

FMCG entities must ensure:

  1. Clear and accessible privacy notices at all customer touchpoints
  2. Consent for marketing communications and behavioural profiling
  3. Data minimisation—avoiding excessive or persistent tracking
  4. Right to withdrawal and grievance redressal mechanisms
  5. Deploy consent banners for digital marketing
  6. Maintain opt-out mechanisms
  7. Train sales agents on data minimisation
  8. Delete customer data after loyalty programme completion

Applicability in the Real Estate Sector

The real estate sector handles sensitive personal data of prospective buyers, tenants, investors, and visitors, including identification documents, financial details, contact numbers, and biometric or CCTV data for access control in residential and commercial complexes. Most of this data is collected for contractual and compliance purposes under RERA, municipal laws, or verification procedures, placing it within the scope of legitimate uses. Yet, marketing of new projects, cold calling, and database sharing with brokers or partners require explicit consent.

A major compliance challenge in this sector is data retention, since developers often maintain personal records of customers long after project completion or sale. Section 9 makes it clear that data fiduciaries cannot retain personal data beyond the period necessary to satisfy the purpose for which it was collected, unless mandated by law. Real estate entities must therefore implement strict retention schedules and erasure policies.

Given that contractual obligation is not a legitimate use, real estate entities must:

  1. Obtain explicit consent for collection of identity documents and contact details
  2. Provide detailed notices explaining the purpose of collection of each category of data
  3. Securely store documentation, especially digital scans of IDs
  4. Establish retention and deletion policies for old applications, unconverted leads, or completed transactions
  5. Obtain consent before collecting identity proofs
  6. Encrypt storage of buyer documentation
  7. Delete lead data after reasonable time if unconverted
  8. Update customer agreements with DPDPA disclosures
  9. Ensure breach notifications and incident reporting mechanisms

Limited circumstances, such as government-required land/property registration processes, may fall under legitimate use.

Applicability in the Medical and Healthcare Sector

Healthcare providers including hospitals, clinics, diagnostic centres, telemedicine platforms, and wellness service providers process exceptionally sensitive categories of personal data, such as health records, medical histories, prescriptions, laboratory results, insurance information, and emergency contact details. While the DPDPA does not create a separate class of sensitive personal data (unlike GDPR’s Article 9), it indirectly imposes a heightened duty of care through Section 8, which mandates reasonable security safeguards for all personal data.

Most healthcare processing is covered under legitimate uses, particularly when it is necessary to provide medical treatment, respond to emergencies, or ensure patient safety. However, collecting personal data for promotional communication, wellness packages, and non-essential data analytics require explicit consent. Healthcare entities must also be mindful of strict deletion timelines under Section 9, ensuring that data is retained only for statutory medical record retention periods and not beyond.

Medical entities must:

  1. Implement the highest level of security safeguards mandated under the Rules
  2. Minimise collection of data not directly required for treatment
  3. Provide deletion rights once data retention laws (such as clinical establishment rules) permit deletion
  4. Ensure breach notifications and incident reporting mechanisms

Applicability to Other Non-Financial Sectors

A wide range of other sectors also fall fully under the Act’s scope. The hospitality industry collects personal data for guest registration, reservations, and government-mandated identity verification, and must ensure consent for digital marketing, loyalty schemes, or data sharing with travel partners. The e-commerce sector relies heavily on personal data for order fulfilment, logistics, and grievance redressal, but requires explicit consent for recommendation engines and personalised advertising. Educational institutions process student data for academic administration and compliance, requiring parental consent for processing of minors’ data under the DPDP Rules. Manufacturing and industrial entities may process limited personal data, but employee data, vendor contact details, CCTV surveillance footage, and visitor logs still bring them under the scope of the Act.

Processing of employee and vendor related data

Processing of employee and vendor personal data requires a nuanced understanding under the DPDPA, because the lawful bases and practical compliance mechanisms differ significantly for each category. In the case of employees, section 7(i) of the Act expressly recognises employment-related purposes as a legitimate use, thereby permitting employers to process the personal data of their employees including candidates, full-time staff, contractors, interns and potential employees without requiring explicit consent, so long as such processing is necessary for recruitment, attendance management, payroll, statutory compliance, or performance evaluation. However, any processing that goes beyond what is necessary for employment for instance, wellness programmes, optional benefits, behavioural analytics, or promotional features must still be based on consent.

However, in contrast, vendor employee related personnel data (names, email IDs, mobile numbers of points of contact) does not fall within any legitimate use category, and contractual necessity is not recognised as a lawful ground under the DPDPA. This leads to a practical challenge: vendors must supply personal data of their representatives for coordination and performance of commercial contracts, yet obtaining individual notices and explicit consent from each representative is often impracticable, and mere inclusion of consent language in the vendor contract does not satisfy the statutory requirement of explicit, informed consent.

To mitigate this, businesses can adopt a multi-layer compliance model. First, during vendor onboarding, companies can require the vendor entity to nominate authorised representatives, and mandate that the vendor obtain explicit consent from those individuals before sharing their information. The obligation can be placed contractually on the vendor to:

  1. inform its representatives of the purposes for which their data will be processed,
  2. provide them with the Data Fiduciary’s privacy notice, and
  3. obtain explicit, affirmative consent before disclosing the data. 

While the DPDPA requires explicit consent from the Data Principal, it does not prohibit consent being obtained through an authorised intermediary, provided the intermediary can demonstrate that the individual has indeed given such consent. Second, companies may maintain a publicly accessible privacy notice (e.g., on their website) that applies to all external stakeholders including vendor personnel setting out the purposes of processing, retention periods, rights, and grievance redressal mechanisms. Though a notice must still be “made available,” a standardised publicly available notice reduces the administrative burden of issuing individualised notices in every instance. Third, when communication is initiated with a vendor’s representative for the first time, companies should send a brief digital notice, via email or SMS, giving the individual access to the privacy notice and explaining that their data has been provided by their employer for coordination of contractual activities. This satisfies the obligation of informing the Data Principal even if consent was collected upstream by the vendor. Finally, systems must allow vendor personnel to request correction or deletion of their details, and a replacement representative can be nominated by the vendor entity, enabling ongoing compliance without business disruption.

Treatment of Corporate Data and Email IDs as “Personal Data”

The DPDPA’s definition of personal data applies strictly to natural persons, and therefore corporate data that does not identify an individual lies outside its scope. However, the boundary can be complex. Email addresses such as firstname.lastname@company.com or name@gmail.com clearly identify specific individuals and therefore may fall within the definition of personal data. Similarly, phone numbers, employee codes linked to individuals, or vendor representative names constitute personal data.

Conversely, generic email addresses such as info@company.com, support@business.com, or legal@gmail.com cannot be traced to a specific individual and therefore would not be considered personal data. This interpretation aligns closely with GDPR Recital 26, which clarifies that data relating to legal persons or generic organisational identifiers does not constitute personal data unless it directly identifies a natural person. Non-financial entities must thus carefully classify their corporate data based on identifiability to avoid over- or under-compliance.

Security Obligations, Data Principal Rights and Deletion Requirements

All non-financial entities qualifying as data fiduciaries must comply with Section 8’s mandate to implement reasonable security safeguards, including organisational policies, encryption standards, access controls, periodic audits, vulnerability assessments, and incident response mechanisms. Data breaches must be reported both to the Data Protection Board and to affected data principals in accordance with the DPDP Rules, 2025. Larger non-financial entities may be designated as Significant Data Fiduciaries under Section 10, requiring them to appoint Data Protection Officers, conduct Data Protection Impact Assessments, and undergo independent data audits.

Data principals are granted a suite of rights under Sections 11 to 15, including the right to access information about processing, seek correction or erasure of personal data, nominate a representative for emergency situations, and obtain a grievance resolution in a timely manner. These rights create substantial operational obligations for non-financial entities, which must set up dedicated channels and workflows to address such requests.

Retention and deletion are governed explicitly by Section 9, which requires that personal data be erased once the purpose has been fulfilled and no legal obligation justifies continued retention. This provision significantly impacts sectors that historically maintained extensive archives of customer and employee data with no defined deletion timeline. The DPDP Rules, 2025, require periodic data retention assessments and impose specific timelines for erasure following the withdrawal of consent or completion of purpose.

Conclusion

The DPDPA represents a transformative shift by imposing uniform obligations across all entities that process digital personal data, regardless of the industry in which they operate. Non-financial entities often overlooked in discussions of data protection engage in extensive personal data processing through their digital platforms, operational systems, and customer engagement mechanisms. As a result, they are equally bound by statutory requirements governing lawful processing, consent mechanisms, legitimate uses, security safeguards, erasure obligations, and individual rights. The DPDP Rules, 2025, further operationalise these requirements, placing significant compliance responsibilities on non-financial sectors that must now adopt structured governance frameworks, update internal policies, and strengthen technical safeguards.

As India moves closer to an integrated digital economy, the DPDPA’s application to non-financial sectors ensures that privacy protection becomes a universal standard rather than a sector-specific obligation, aligning the country’s data governance landscape more closely with global frameworks such as the GDPR, while addressing local needs through its own unique regulatory philosophy. 

As Justice D.Y. Chandrachud observed in the landmark judgment of K.S. Puttaswamy v. Union of India:

“In the digital economy, every entity that touches personal data becomes a gatekeeper of privacy.”

This statement has become a defining reality in today’s data-driven landscape.

Our other related resources: