Rule 8
8. Time period for specified purpose to be deemed as no longer being served.—
(1) A Data Fiduciary, who is of such class and is processing personal data for such corresponding purposes as are specified in Third Schedule, shall erase such personal data, unless its retention is necessary for compliance with any law for the time being in force, if, for the corresponding time period specified in the said Schedule, the Data Principal neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.
(2) At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data.
(3) In this rule, “user account” means the online account registered by the Data Principal with the Data Fiduciary, and includes any profiles, pages, handles, email address, mobile number and other similar presences by means of which she is able to access the services of such Data Fiduciary.
P.S:
8 (8) The purpose referred to in clause (a) of sub-section (7) shall be
deemed to no longer be served, if the Data Principal does not––
(a) approach the Data Fiduciary for the performance of the specified purpose;
and
(b) exercise any of her rights in
relation to such processing, for such time period as may be prescribed,
and different time periods may be prescribed for different classes of Data
Fiduciaries and for different purposes.
8(7) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force,—
(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and
(b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor.
THIRD SCHEDULE
[See
rule
8(1)]
|
S.
no. |
Class
of Data
Fiduciaries |
Purposes |
Time
period |
|
(1) |
(2) |
(3) |
(4) |
|
1. |
Data
Fiduciarywho
is an
e- commerce
entity
having
not less than
two crore registered
users
in India |
For
all
purposes,
except
for
(a) Enabling
the
Data
Principal
to access
her
user
account;
and
(b) Enabling
the
Data
Principal
to
access
any
virtual
token
that
is issued
by
or
on
behalf
of the
Data
Fiduciary,
is stored
on the
digital
facility
or
platform
of
such
Data
Fiduciary,
and
may
be
used
to
get
money,
goods
or services |
Three
years
from
the
date
on |
|
2. |
Data
Fiduciary |
For
all
purposes,
except
for
(a) Enabling
the
Data
Principal
to
access
her
user
account;
and
(b) Enabling
the
Data
Principal
to
access
any
virtual
token
that
is issued
by
or
on
behalf
of
the
Data
Fiduciary,
is stored
on
the
digital
facility
or platform
of such
Data
Fiduciary,
and
may
be
used
to get
money,
goods
or services |
Three
years
from
the
date
on |
|
3. |
Data
Fiduciary
who
is
a
social
media
intermediary
having
not
less than
two
crore registered
users
in India |
For
all
purposes,
except
forthe
following:
(a) Enabling
the
Data
Principal
to
access
her
user
account;
and
(b) Enabling
the
Data
Principal
to
access
any
virtual
token
that
is |
Three
years
from
the
date
onwhich
the
Data Principal
last approached
the
Data Fiduciary
for
the
performance
of
the
specified
purpose
or
exercise
of
her
rights,
or
the
commencement
of the
Digital
Personal
Data
Protection
Rules,
2025,
whichever
is |