Cessation of Processing
Plain English Translation
Under Section 6(6) of the Act, when a user withdraws consent, you must execute a complete cessation of processing DPDP mandates. This is not just about deleting a record; you must actively stop data processing for that individual across all your systems and instruct any third-party Data Processors to do the same. This data processing cessation must happen within a reasonable time. The only exception is if retention is strictly required by law; otherwise, all activities relying on that consent must halt immediately.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Manually flag users in the primary database as 'Do Not Process'.
- Email third-party vendors to stop processing specific user data.
- Stop sending marketing emails immediately.
Required Actions (scaleup)
- Automate the cease data processing requirements via API integration with key vendors.
- Implement a suppression list in the CRM to prevent accidental re-engagement.
- Log the timestamp of the cessation action.
Required Actions (enterprise)
- Full orchestration of data processing halt requirements across a hybrid cloud environment.
- Automated verification audits to ensure Processors have complied with the cessation order.
- Real-time lineage tracing to ensure all derived data usage is terminated.
Processing must cease within a reasonable time after the Data Principal withdraws her consent, as mandated by Section 6(6).
The Act specifies cessation must occur within a reasonable time. This implies acting without undue delay to stop the processing activities.
Data can be retained only if processing without consent is required or authorised under the Act or any other law for the time being in force (Section 6(6)).
Section 6(6) explicitly places the obligation on the Data Fiduciary to cause its Data Processors to cease processing the personal data.
While 'reasonable time' is not defined in days in the Act, it generally implies the time technically required to effect the change, without unjustified delay.
Yes, Section 6(6) allows continued processing if it is required or authorised under any other law for the time being in force in India.
Maintain logs of the withdrawal request timestamp and the system logs showing when the processing logic was disabled or the data was suppressed/deleted.
Continued processing after withdrawal is effectively processing without consent. Breach of Section 6 provisions can attract penalties, potentially falling under the general penalty for breach of provisions.
"If a Data Principal withdraws her consent to the processing of personal data under sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of this Act or the rules made thereunder or any other law for the time being in force in India."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |
