The DPDPA 2023: reasonable security safeguards on retiring data-bearing media.
The Digital Personal Data Protection Act 2023 (DPDPA) obliges Data Fiduciaries to protect personal data with 'reasonable security safeguards'. When that data is held on retiring servers, drives, or laptops, 'reasonable security' has a specific shape. Here's what we deliver and how it maps to your evidence.
Reasonable security on disposal — what it means in practice.
Section 8(5) of the DPDPA 2023 requires a Data Fiduciary to protect personal data in its possession or under its control, including any processing done on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. 'Personal data breach' (Section 2(u)) covers unauthorised processing and accidental destruction or loss of access, and 'processing' expressly includes storage, erasure and destruction, so data sitting on a retired drive is squarely in scope. Section 8(7) separately requires the Data Fiduciary to erase personal data once its purpose is served and to have its Data Processors do the same. On disposal of data-bearing media, this typically means: documented destruction, chain of custody from pickup to destruction, and evidence the destruction occurred.
The Data Protection Board of India does not license or certify ITAD vendors, and there is no DPDPA 2023 certification register for ITAD providers. An ITAD vendor acts as a Data Processor; under Section 8(1) the Data Fiduciary remains responsible for compliance whoever performs the processing. What the Board looks for is your evidence: did you choose a reasonable disposal method, did you document it, and can you produce the proof?
What's in your DPDPA 2023 evidence pack
- ♦ Asset list pre-pickup with serial numbers, makes, models — proves what was disposed.
- ♦ Locked-transit log with GPS track and photo-confirmed transfers — proves chain of custody.
- ♦ NIST SP 800-88 + IEEE 2883-2022 method citation per device — proves the destruction was reasonable.
- ♦ Per-device wipe-log or shred batch ID — proves the destruction occurred.
- ♦ Two-operator destruction with witness sign-off — proves the destruction was supervised.
- ♦ Per-job Certificate of Destruction with a DPDPA 2023 Section 8(5) alignment statement.
- ♦ Downstream recipient log: where any residual material went — proves no escape via the recycler chain.
Cross-border data flows on disposal.
If your retiring kit will be refurbished and remarketed outside India, Section 16 of the DPDPA 2023 applies: the Central Government may by notification restrict transfers of personal data to named countries or territories, and any stricter sectoral localisation rules continue to apply. The simple rule: data must be destroyed before the kit crosses any border. We do destruction India-side, by default, on every job. The hardware that crosses borders has had its data destroyed; the data does not cross.
What it costs to get it wrong.
Reading the DPDPA 2023 the way an auditor reads it.
Section 8(5) of the DPDPA 2023 reads: ‘A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.’ Section 2(u) defines a personal data breach as ‘any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data’.
The operative words for ITAD are ‘in its possession or under its control’ (the obligation follows the media out of the data centre and onto the truck), ‘reasonable security safeguards’, and the breach definition's ‘unauthorised processing’, which includes a buyer reading a drive you sold. The obligation creates four practical expectations: (1) the organisation chose a destruction method that fits the data classification and the storage class; (2) the destruction was actually performed; (3) the chain of custody between in-service and destruction was unbroken; (4) the organisation can produce evidence of all three on inspection.
The Schedule to the Act sets the penalty for a failure to take reasonable security safeguards under Section 8(5) at up to INR 250 crore, imposed by the Data Protection Board of India after an inquiry under Section 33. The Board's published decisions do not yet form a body of disposal precedent to calibrate against; the patterns that disposal-related decisions under comparable data-protection regimes have specifically penalised are: media that was sold or disposed of without verification; destruction that was claimed but not evidenced; chain-of-custody gaps; and disposal documented but with the method itself inadequate for the storage class (e.g. an overwrite applied to SSDs, where wear-levelling leaves blocks the overwrite never reached, instead of a Purge-level method such as ATA Sanitize or cryptographic erase on a self-encrypting drive).
Items in the file your internal compliance team retains
- ♦ Pre-disposal asset list with serial numbers, makes, models, and data classifications.
- ♦ Statement of Work — authorising the disposal, signed by both parties' authorised owners.
- ♦ Locked-transit log — chain-of-custody between your facility and our destruction site.
- ♦ GPS track + photographic evidence of each transfer of custody (pickup, vehicle changes, arrival).
- ♦ Per-job Certificate of Destruction — naming method, standards, operator, witness, completion timestamp.
- ♦ Per-asset wipe log or shred batch ID — proving the destruction itself occurred.
- ♦ Standards citation — NIST SP 800-88 Rev. 1 + IEEE 2883-2022; DoD 5220.22-M only where you specify it (a legacy three-pass overwrite pattern that current DoD guidance no longer prescribes; it is Clear-level at best and does not purge flash media).
- ♦ DPDPA 2023 Section 8(5) alignment statement — naming the destruction as the reasonable security safeguard applied to the media.
- ♦ Downstream-recipient log — where any residual material went, with their licence reference.
- ♦ Retention plan — how long each side retains the evidence (typically 5–7 years).
Where disposal cases have actually gone wrong.
The Data Protection Board of India adjudicates under Section 33, and its decisions will be the primary calibration for what ‘reasonable security safeguards’ on disposal means once they accumulate. Until then, the disposal-related decisions of data-protection regulators under comparable regimes are the most useful reading, and three patterns recur in them.
Sold-without-wiping. An organisation disposes of equipment to a second-hand dealer or via tender for second-hand sale, without first wiping it or verifying that the dealer wiped it. The buyer or a downstream party recovers personal data from the storage. Finding: breach of the security obligation, financial penalty.
Wipe-claimed-not-evidenced. An organisation's policy says retiring kit is wiped before disposal, but on inspection the policy isn't backed by per-device evidence: no wipe log, no certificate, no operator sign-off. When a related breach investigation begins, the wipe assertion cannot be substantiated. Finding: breach of the security obligation by virtue of weak controls, even if the wipe actually happened.
Wrong method for the storage class. An organisation uses a single-pass overwrite on SSDs. Because flash controllers remap blocks for wear-levelling, an overwrite never reaches every block, and forensic recovery later shows data was still recoverable. Finding: breach because the method was inadequate for the storage class, even though some destruction did occur.
Avoiding all three is structurally simple: pick the sanitization level from the NIST SP 800-88 Rev. 1 decision flow (Clear, Purge or Destroy, depending on data sensitivity and on whether the media leave your control), pick a method that achieves that level on that media type (800-88 Appendix A), verify the result, document the destruction per device, and retain the evidence for the data-retention period.
Visual reference.
DPDPA 2023 & IT-asset disposal — frequently asked
Is Maxicom India an approved ITAD vendor under the DPDPA 2023?
The Data Protection Board of India does not maintain an approved-vendor register for ITAD or any other industry, and the DPDPA 2023 creates no certification for ITAD providers. An ITAD vendor is a Data Processor; under Section 8(1) the Data Fiduciary stays responsible for compliance. What Maxicom India offers is destruction documentation aligned with the Section 8(5) security-safeguard obligation, supporting your evidence file if the Board inquires. Any vendor claim of Board approval should be questioned: the designation does not exist.
How long should we retain Certificates of Destruction for DPDPA 2023 evidence?
The DPDPA 2023 does not set a fixed retention period for disposal evidence; in practice, retain it for as long as the underlying personal data was retained, typically 5–7 years for general personal data. For sectors with longer retention (healthcare, insurance), match that retention. Maxicom India retains a counter-signed copy of every Certificate for at least 7 years to support cross-reference if your auditor or the Board requests verification. A long-term archival copy (PDF/A) is delivered alongside the standard PDF for retention spanning years or decades.
What does the DPDPA 2023 require for IT-asset disposal?
Section 8(5) requires ‘reasonable security safeguards to prevent personal data breach’ for personal data in the Data Fiduciary's possession or under its control, which includes data still sitting on retiring storage media; Section 8(7) requires erasure once the purpose is served, including by any Data Processor holding the data. Practical expectations: a documented destruction method appropriate to the storage class, chain of custody between in-service and destruction, evidence the destruction occurred, and retention of that evidence. Penalty under the Schedule for a Section 8(5) failure: up to INR 250 crore. Maxicom India provides a per-job Certificate of Destruction with a Section 8(5) alignment statement that fits directly into the customer's compliance evidence file.
Has the Data Protection Board of India issued enforcement decisions about IT disposal?
Not yet a body of them you can calibrate against; the Board's power to impose penalties after inquiry under Section 33 is new. The patterns that disposal-related decisions under comparable data-protection regimes have penalised are the ones its inquiry will probe: media sold or disposed of without verification (data later recovered by the buyer or a downstream party); destruction claimed but not evidenced (no per-device wipe log when investigated); chain-of-custody gaps between in-service and destruction; the wrong destruction method for the storage class (overwrite applied to SSDs instead of a Purge-level method). Avoiding all four is structurally simple with NIST 800-88-aligned destruction and per-device evidence.
Does DPDPA 2023 apply to disposal of company laptops in India?
Yes. Corporate laptops typically hold personal data (employee records, customer data accessed during work, email archives, document drafts). Section 8(5) applies on disposal, and Section 8(7) requires erasure of personal data whose purpose is served. Practical implication: each laptop's storage media (SSD or HDD) must be sanitised by a method appropriate to the storage class, with documented evidence per device. For HDDs that stay within your control, NIST 800-88 Clear via verified overwrite is sufficient; if the laptop is remarketed, the 800-88 decision flow calls for Purge (ATA Sanitize, degaussing, or physical destruction). For SSDs, use a Purge-level method: cryptographic erase only where the drive is self-encrypting and was encrypted from first use, otherwise a block-erase Sanitize; an overwrite is Clear-level at best on flash, and degaussing does nothing to it. A per-device wipe log with verification, plus the per-job Certificate of Destruction, provides the audit-ready evidence.
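The script below is an added example, not Maxicom India's tooling or code from this page. It audits a constructed ITAD wipe log against a constructed pre-pickup asset list for the failure patterns discussed above (destruction not evidenced per device, a method that does not sanitise the media type, a sanitisation level below what the NIST SP 800-88 Rev. 1 Figure 4-1 decision flow calls for, missing verification or witness, and devices in the log that were never on the asset list) and illustrates the laptop question: an overwrite is Clear-level on both HDD and SSD, so it only passes when the media stay in your control. The CSV columns, the method names, and the reuse/leaves/sed fields are assumptions chosen for the example; the method-to-level table is this example's reading of 800-88 Appendix A, so check it against the current revision before relying on it.

```python
"""Audit an ITAD wipe log against the pre-pickup asset list (added example).

Flags: NO_EVIDENCE (device disposed, no wipe record), INEFFECTIVE_METHOD
(method cannot sanitise that media type), INSUFFICIENT_LEVEL (level below the
NIST SP 800-88 Rev.1 Figure 4-1 requirement), NOT_VERIFIED, NO_WITNESS, and
UNLISTED_DEVICE (in the log but never on the asset list: a custody gap).
"""
import csv
import io

# Constructed sample data, not a real job. Columns are this example's assumptions:
# reuse  = will the media be reused at all (if not, 800-88 says Destroy)
# leaves = does the media leave the organisation's control (remarketing)
# sed    = self-encrypting drive that encrypted all user data from first use,
#          which is the precondition for Crypto Erase to mean anything
ASSET_LIST = """serial,media,classification,reuse,leaves,sed
SN-A1,SSD,moderate,yes,yes,no
SN-A2,HDD,moderate,yes,no,no
SN-A3,SSD,high,yes,yes,yes
SN-A4,HDD,moderate,yes,yes,no
SN-A5,NVME,moderate,yes,yes,yes
SN-A6,SSD,moderate,yes,yes,no
SN-A7,HDD,low,yes,yes,no
SN-A9,HDD,low,yes,no,no
"""

WIPE_LOG = """serial,method,verified,operator,witness
SN-A1,overwrite,yes,op1,w1
SN-A2,overwrite,yes,op1,w1
SN-A3,shred,yes,op2,w1
SN-A4,degauss,yes,op2,w1
SN-A6,degauss,yes,op2,w1
SN-A7,crypto_erase,yes,op1,w1
SN-A8,shred,yes,op2,w1
SN-A9,overwrite,no,op1,
"""

LEVEL_RANK = {"Clear": 1, "Purge": 2, "Destroy": 3}
FLASH = {"SSD", "NVME"}

# Level a method achieves on (magnetic, flash) media, this example's reading of
# 800-88 Rev.1 Appendix A. None = the method does not sanitise that media type.
METHOD_LEVEL = {
    "overwrite":     ("Clear", "Clear"),     # wear-levelling: never a Purge on flash
    "ata_sanitize":  ("Purge", "Purge"),     # OVERWRITE EXT / BLOCK ERASE / CRYPTO SCRAMBLE
    "nvme_sanitize": (None, "Purge"),        # NVMe Sanitize (block or crypto erase)
    "crypto_erase":  ("Purge", "Purge"),     # valid only on a SED, checked below
    "degauss":       ("Purge", None),        # magnetic media only; no effect on flash
    "shred":         ("Destroy", "Destroy"),
}


def required_level(classification, reuse, leaves):
    """Sanitisation level from the 800-88 Rev.1 Figure 4-1 decision flow."""
    if not reuse:
        return "Destroy"
    if classification == "high":
        return "Destroy" if leaves else "Purge"
    return "Purge" if leaves else "Clear"


def achieved_level(method, media, sed):
    """Level the logged method actually reaches on this device, or None."""
    levels = METHOD_LEVEL.get(method)
    if levels is None or (method == "crypto_erase" and not sed):
        return None  # unknown method, or key destruction on plaintext-at-rest data
    return levels[1] if media.upper() in FLASH else levels[0]


def _yes(value):
    return value.strip().lower() == "yes"


def audit(asset_csv=ASSET_LIST, log_csv=WIPE_LOG):
    """Return sorted (serial, finding) tuples; an empty list means a clean evidence pack."""
    assets = {r["serial"]: r for r in csv.DictReader(io.StringIO(asset_csv))}
    log = {r["serial"]: r for r in csv.DictReader(io.StringIO(log_csv))}
    findings = []
    for serial, asset in assets.items():
        entry = log.get(serial)
        if entry is None:
            findings.append((serial, "NO_EVIDENCE"))  # wipe claimed, not evidenced
            continue
        need = required_level(asset["classification"], _yes(asset["reuse"]), _yes(asset["leaves"]))
        got = achieved_level(entry["method"], asset["media"], _yes(asset["sed"]))
        if got is None:
            findings.append((serial, f"INEFFECTIVE_METHOD:{entry['method']}/{asset['media']}"))
        elif LEVEL_RANK[got] < LEVEL_RANK[need]:
            findings.append((serial, f"INSUFFICIENT_LEVEL:{got}<{need}"))
        if not _yes(entry["verified"]):
            findings.append((serial, "NOT_VERIFIED"))  # 800-88 s4.7: verify the result
        if not entry["witness"].strip():
            findings.append((serial, "NO_WITNESS"))    # two-operator sign-off missing
    for serial in log:
        if serial not in assets:
            findings.append((serial, "UNLISTED_DEVICE"))  # custody gap
    return sorted(findings)


if __name__ == "__main__":
    for serial, finding in audit():
        print(f"{serial}: {finding}")
```

On the sample data, SN-A1 (remarketed SSD, overwritten) is the wrong-method pattern, SN-A5 the claimed-not-evidenced pattern, SN-A8 the custody gap, and SN-A6/SN-A7 show why degaussing flash or crypto-erasing a non-SED drive is not a sanitisation at all; SN-A2 passes because an overwritten HDD that stays in-house only needs Clear.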