Overview
Bank of Baroda is a major public sector bank in India, serving millions of customers across various banking products like accounts, loans, and investments. Given the highly sensitive financial and personal data it manages (name, age, email, mobile, IP, demographic, transaction patterns), its privacy practices are crucial. Compliance with the DPDP Act is non-negotiable for a financial institution of this scale.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
The policy relies heavily on implied consent, which is a big red flag under the DPDP Act. You “agree” simply by using the website.
What the policy says: “By disclosing any information to us you agree and abide by the terms and conditions of this policy.” and “By continuing to browse this website, you consent to our use of cookies and agree to the Privacy Policy and Terms & Conditions.”
DPDP requirement: Consent (permission) must be free, specific, informed, and unambiguous. It needs to be given for a clear purpose and can be withdrawn anytime. Browsing a website doesn’t count as “freely given” consent for all data processing.
The problem: This is classic “take it or leave it” consent. There’s no way to give specific permission for different types of data use (e.g., allow basic banking but deny marketing). It’s a blanket agreement.
Section 7 — Certain Legitimate Uses 🔴
The policy lists multiple “lawful purposes” for using your data, including “improving services,” “personalization,” “marketing,” and “security purposes.”
What the policy says: “We use the information we collect about and from you for the relevant lawful purposes connected to our business as mentioned below.”
DPDP requirement: The DPDP Act (Section 7) has a very narrow list of “legitimate uses” where consent isn’t strictly needed (e.g., medical emergencies, state functions, voluntary provision for a specific service). Marketing and personalization are generally not on this list and require explicit consent.
The problem: Bank of Baroda claims a broad “lawful purpose” for many activities (especially marketing) that would require proper consent under DPDP.
Section 8 — Obligations of Data Fiduciary 🔴
The policy makes a general statement about security, but it’s extremely vague.
What the policy says: “We follow best security practices in the industry to help prevent unauthorized access to confidential information about you and assure you that we maintain strict security procedures to protect your information.”
DPDP requirement: A Data Fiduciary (the company collecting data, in this case, Bank of Baroda) must implement “reasonable security safeguards” to prevent data breaches. This usually means describing things like encryption, access controls, regular audits, etc.
The problem: This is a generic statement that provides no comfort or transparency on how they are actually securing your sensitive banking data. No details about specific measures are provided.
Section 9 — Data Retention 🔴
This is a critical missing piece in the policy. There is no mention of how long your data is kept.
DPDP requirement: Data shall be erased when consent is withdrawn or the purpose for which it was collected is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period.
The problem: Without any retention periods specified, a customer has no idea when their financial data (e.g., details from an old loan application) might be deleted, or if it ever will be. This is a massive compliance gap.
Section 11 — Rights of Data Principal 🔴
The policy does not mention any rights for you, the Data Principal (the individual whose data is collected).
DPDP requirement: As a Data Principal, you have specific rights under DPDP: the right to access your data, correct it, erase it, nominate someone to act on your behalf, and get grievance redressal.
The problem: Bank of Baroda’s policy completely omits any reference to these fundamental rights. A customer cannot easily understand how to exercise control over their own data.
Section 12 — Right of Grievance Redressal ⚠️
The policy provides a grievance portal, which is a good start, but it’s not aligned with DPDP requirements.
What the policy says: “In case of any complaint or grievance related to us or handling of user data and other information may be brought to our attention by contacting us via our grievance redressal portal https://www.bankofbaroda.bank.in/grievance-redressal. We will try to redress the grievances within reasonable time as may be provided in applicable laws.”
DPDP requirement: A Data Fiduciary must have a Grievance Officer whose contact details are clearly published. Crucially, the process should include escalation to the Data Protection Board of India if the internal grievance isn’t resolved. DPDP also implies specific response timelines (e.g., 30 days).
The problem: No specific Grievance Officer is named, there’s no mention of the Data Protection Board, and “reasonable time” is too vague for a binding legal framework.
Section 16 — Cross-Border Data Transfer 🔴
The policy is completely silent on whether your data is transferred outside India.
DPDP requirement: Cross-border transfer of personal data is only allowed to countries specifically notified by the Central Government. If a company transfers data abroad, they must disclose this and the safeguards in place.
The problem: Given Bank of Baroda’s international presence, it’s highly likely data is processed or stored outside India. The absence of this information is a significant disclosure gap and potential non-compliance with DPDP Section 16.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance under DPDP |
| Consent compliance | High | Implied consent could be invalid for core operations |
| Data retention | Critical | Indefinite retention of financial data creates massive exposure |
| Data principal rights | High | Lack of rights mechanism invites regulatory scrutiny |
| Security safeguards | Critical | Vague security details erode customer trust, increase breach risk |
| Cross-border transfer | High | Undisclosed transfers violate Section 16 |
Recommendations
- Update for DPDP Act 2023: Explicitly reference and align the policy with the DPDP Act, moving away from older frameworks.
- Implement layered consent: Introduce clear, granular consent mechanisms for different data uses (e.g., one for service, one for marketing).
- Define specific retention periods: Clearly state how long different types of data are retained and when they will be purged.
- Detail security measures: Provide specifics on the “best security practices” to build trust and demonstrate compliance with Section 8.
- Publish Data Principal Rights: Clearly outline the rights of individuals (access, correction, erasure, nomination) and the simple process to exercise them.
- Enhance Grievance Redressal: Name a specific Grievance Officer, commit to a 30-day response, and include the Data Protection Board as an escalation path.
- Disclose Cross-Border Transfers: If data is transferred abroad, disclose which countries and the safeguards in place, aligning with DPDP Section 16.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.