The act in three sentences
The Digital Personal Data Protection Act, 2023 sets rules for how organisations collect, store, and use personal data of Indian residents. It introduces consent as the default basis for processing. It gives individuals enforceable rights to know, correct, and delete data held about them.
For HR teams, that means three concrete shifts. Offer letter clauses now need explicit consent language. Exit processes must include data-retention disclosures. Applicant tracking has tighter rules on how long resumes can be retained without renewed consent.
What changes for offer letters
Older offer-letter templates use vague employer-friendly language for data handling. Under DPDP, that language must specify what is collected, why, how long it is retained, and how the employee can withdraw consent. Our template library ships DPDP-compliant offer letters as the default.
The penalty for vague language is not just regulatory. It is also a candidate-experience signal: top candidates increasingly read the privacy clauses before signing.
What changes for exits
When an employee leaves, the company keeps payroll and tax records for the legally mandated retention period (usually seven years for TDS and PF). Beyond that period, the data must either be deleted or held under an explicit basis. DPDP makes the retention disclosure a documented step at exit.
Our F&F flow (covered in this companion post) now includes the retention notice as part of the exit packet.
Applicant data and the seven-day rule
If you reject a candidate, how long can you keep their resume? Under DPDP, you can hold it for the duration the candidate consented to, usually three to twelve months. Beyond that, you need renewed consent or you must delete. The default in our ATS is six months, with an automated reminder to the candidate to renew or delete.
What we cannot help with yet
DPDP includes a right to be forgotten with a defined response window. Today, our automated deletion endpoint is still on the roadmap; the manual process is documented, but it is manual. We are honest about that. The trust centre tracks the gap and the timeline.