Processor Erasure Verification
Plain English Translation
Under Section 8(7)(b) of the Act, you cannot simply delete data from your own systems and ignore the copies you sent to vendors. You have a legal duty to cause your Data Processors to erase any personal data shared with them once the purpose is served or consent is withdrawn. This means you must actively trigger the vendor's data deletion process under the DPDP Act and validate that it actually happened. Passive reliance on contracts is insufficient; you need a robust processor audit mechanism to ensure your supply chain does not become a data graveyard that exposes you to liability. Operationally, teams typically need a vendor workflow to issue deletion instructions, collect proof (logs/certificates), and map that proof to DPDP controls. This is exactly what WatchDog's Vendor Risk + Compliance evidence workflows are built to centralize.
Technical Implementation
Required Actions (startup)
- Send manual email requests to vendors for data deletion.
- Track deletion requests, vendor confirmations, and evidence in a centralized vendor system (e.g., WatchDog Security's Free Vendor Manager).
- Include a basic erasure clause in data processor agreements.
Required Actions (scaleup)
- Automate deletion requests for major processors via API.
- Require an India-format certificate of destruction from physical data handlers.
- Conduct annual sampling to verify vendor deletion.
Required Actions (enterprise)
- Real-time orchestration of outsourced data deletion across a complex supply chain.
- Automated third-party risk management dashboards for DPDP showing live retention status.
- Forensic audits of processor logs to validate claims of erasure.
Yes, Section 8(1) holds the Data Fiduciary responsible for compliance regarding any processing by the Data Processor. This implies a duty to verify that the processor has actually erased the data as instructed under Section 8(7)(b).
Use a valid contract (Section 8(2)) to mandate deletion, send clear instructions when the purpose is served, and request an India-format certificate of destruction or similar evidence to verify compliance.
If a processor refuses, they are in breach of the contract and the Act. The Data Fiduciary is liable for this failure under Section 8(1) and must take immediate legal or contractual action to enforce erasure.
No, Data Processors process data only on behalf of the Data Fiduciary. They have no independent right to retain data once the Fiduciary's purpose is fulfilled or consent is withdrawn, unless a law specifically binds the Processor to retain it.
To satisfy the burden of proof, you should obtain a certificate of destruction, system logs showing the deletion, or a formal written confirmation from the processor stating the date and method of erasure.
Likely not. Section 8(7)(b) requires the Fiduciary to 'cause' the processor to erase data. This implies an active step beyond just having a contract clause, such as issuing a specific instruction and verifying its execution.
The Act penalizes the Data Fiduciary. Breach of observance of Data Fiduciary obligations (including Section 8) can attract penalties up to INR 250 crore. The Fiduciary may then seek indemnity from the Processor via their contract.
While the Act doesn't specify a frequency, audits should be part of your strategy for monitoring data processors under the DPDP Act. Risk-based auditing (e.g., annual or spot checks) is recommended to ensure ongoing compliance.
"cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |