Digital Personal Data Protection Act 2023 (DPDPA)

What DPDPA requires of the Data Fiduciary at retirement

Section 8 of DPDPA 2023 requires the Data Fiduciary to ensure that personal data is erased upon withdrawal of consent or expiry of purpose. For retired enterprise IT containing customer or employee personal data, this translates operationally into: (1) identifying which retired assets contain personal data; (2) selecting a sanitisation method appropriate to the medium; (3) documenting the sanitisation in a form that can be produced to the Data Protection Board if inspected; (4) retaining that documentation for the lifetime of the purpose-related obligation. Maxicom's engagement protocol provides each of these: per-asset Certificate of Destruction citing the sanitisation standard, retention vault holding certificates for 7+ years (longer where the engagement specifies), regulator-acceptable manifest format.

How DPDPA composes with sector regulators

DPDPA 2023 sits alongside, not above, sector regulators. RBI IT-Risk circulars (for banking), SEBI Cyber Resilience guidance (for capital markets), IRDAI cyber circulars (for insurance), CERT-In incident-reporting rules, MeitY notifications, and CPCB E-Waste Rules 2022 each impose their own ITAD-relevant obligations. Maxicom certificates are written to satisfy all simultaneously — the BFSI back-office RFP that requires "DPDPA + RBI + CERT-In compliant destruction" is satisfied by one certificate format, not three. The Reuse-First disposition pattern is consistent with all of these regulators because each accepts software Purge as adequate for non-restricted data classifications, with physical destruction reserved for top-classified material.

Cross-border processing under DPDPA

DPDPA Section 16 permits cross-border transfer of personal data subject to government notification of restricted countries. As of 2026, the central government has not yet notified a restricted-country list — meaning cross-border processing is broadly permitted with standard contractual safeguards. For Maxicom, this means: post-sanitisation cross-border resale of non-data-bearing components (chassis, structurally-anonymous OEM hardware) is unrestricted; pre-sanitisation cross-border movement of data-bearing media is restricted by engagement contract regardless of regulatory permissibility, because most enterprise customers prefer in-jurisdiction sanitisation.

Penalties under DPDPA

DPDPA establishes the Data Protection Board of India (DPBI) with authority to impose penalties up to ₹250 crore (~USD 30M) for serious breaches. For ITAD-relevant findings, the most likely penalty triggers are: failure to evidence personal-data erasure on retired media (where a regulator inspects and the Data Fiduciary cannot produce a satisfactory certificate); breach due to negligent disposal (where retired media containing personal data was not properly sanitised and surfaces in the secondary market). Maxicom's engagement design pre-empts both: per-asset certificate retention closes the first gap; Reuse-First refurb economics with NIST 800-88 / IEEE 2883 sanitisation closes the second.

How Maxicom certificates evidence DPDPA conformance

Each certificate names: (1) the data classification at retirement under your information-classification taxonomy; (2) the sanitisation level and technique applied (Clear / Purge / Destroy under NIST SP 800-88 Rev. 1); (3) the verification step performed; (4) the operator name and witness signature where present; (5) the chain-of-custody reference. This format is admissible as evidence of compliance with DPDPA Section 8 erasure obligations. Sample certificates are available on NDA before engagement signing.