Banking

HDFC Bank

Ready Score 45/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 20 Mar 2026

HDFC Bank's privacy policy is detailed regarding data collection and security standards, notably its ISO 27001:13 compliance. However, it currently lacks explicit alignment with the Digital Personal Data Protection Act 2023. Key areas requiring immediate attention for DPDP compliance include a more granular and 'freely given' consent mechanism, specific data retention periods, comprehensive detailing of all Data Principal rights (including nomination), clear grievance escalation to the Data Protection Board, and transparent cross-border data transfer policies. As a major financial institution handling sensitive personal data, updating its policy to explicitly reflect DPDP requirements is crucial to mitigate regulatory and reputational risks.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference, still relies on general legal compliance statements
  • Consent mechanism appears largely bundled with service terms, lacking 'freely given' and granular choice per Section 6
  • Vague data retention period — uses 'as long as required' language, without specific timelines or clear erasure triggers
  • Incomplete articulation of Data Principal rights under DPDP Act 2023, particularly omission of nomination rights (Section 14)
  • No explicit mention of Data Protection Board as a grievance escalation path
  • Grievance mechanism within the policy lacks specific details for data privacy officer/team and response timelines for privacy matters
  • Cross-border transfer provisions lack specificity on permitted jurisdictions and DPDP-mandated safeguards

✅ Strengths

  • Comprehensive data collection disclosure, clearly listing types of data and purposes for processing
  • Provides opt-out mechanism for direct marketing activities
  • Strong security posture indicated by ISO 27001:13 compliance for information security
  • Transparent about data usage for credit checks and sharing with credit reference agencies

Overview

HDFC Bank is one of India’s largest private sector banks, offering a wide range of banking and financial services. Given the sensitive nature and immense volume of personal and financial data it processes, adherence to India’s Digital Personal Data Protection Act 2023 (DPDP Act) is paramount. The current privacy policy, while comprehensive in certain aspects, requires significant updates to align with the specific provisions of the DPDP Act.

DPDP Readiness: Section-by-Section Analysis

DPDP Act 2023 Reference ⚠️

The HDFC Bank privacy policy for its India operations does not explicitly refer to the Digital Personal Data Protection Act 2023. While it generally mentions compliance with “any law binding or applying to it within or outside the Hong Kong Special Administrative Region existing currently and in the future”, this is a broad statement and lacks the specific, affirmative acknowledgment of India’s primary data protection legislation that would be expected. This absence suggests that the policy may not have undergone a thorough revision specifically for DPDP Act compliance, even though the Act has been notified and its rules operationalized.

Gap: No direct or explicit mention of the DPDP Act 2023 or the associated Rules as the governing data protection framework for Indian operations.

Section 6 — Consent ⚠️

HDFC Bank’s policy outlines various purposes for data collection and use. However, the consent mechanism appears largely bundled with the terms of service. The policy states, “Failure to supply such data may result in the Bank being unable to open or continue accounts and the establishment or continuation of banking facilities or provision of banking services”. This ‘take it or leave it’ approach may not meet the DPDP Act’s requirement for consent to be “freely given, specific, informed, and unconditional”. While the policy does mention a written consent (which includes an indication of no objection) and an opt-out right for direct marketing, the overall framework for obtaining consent for core processing activities needs more granularity and independence to align with DPDP.

What the policy says: “By using our services, you agree to the collection and use of your information in accordance with this policy.” (This first statement is not a verbatim quotation; it is implied by the policy’s position that data must be supplied in order to avail of services.) “Withdrawal of consent may also impact certain Products or services being provided to you at the time.”

DPDP requirement: Consent must be free, specific, informed, and unconditional, given for a specific purpose, and can be withdrawn at any time. Notice must be clear, independent, and describe the personal data, purpose of processing, and means to exercise rights and complain to the Data Protection Board.

Gap: Consent for core banking services seems implicitly bundled, lacking the explicit, granular, and ‘freely given’ nature required by DPDP. The notice does not explicitly detail the means to make a complaint to the Data Protection Board.

Section 7 — Certain Legitimate Uses ✅

The policy lists various purposes for processing data, including the daily operation of services, credit checks, designing financial services, marketing, and compliance with legal obligations. Many of these purposes, such as contractual necessity for providing banking services and legal/regulatory compliance, align with the “certain legitimate uses” outlined in Section 7 of the DPDP Act (e.g., voluntary provision by the data principal, state functions, legal obligations). The policy’s explicit mention of credit checks and compliance with legal requirements falls well within these legitimate uses.

Strength: The stated purposes for data processing largely align with legitimate uses under the DPDP Act, particularly for contractual performance and legal compliance.

Section 8 — Obligations of Data Fiduciary ✅

HDFC Bank states that it is “ISO 27001:13 compliant”. This certification indicates a commitment to establishing, implementing, maintaining, and continually improving an information security management system, which generally covers reasonable organizational, technical, and administrative measures to protect personal data. While the specific Indian policy does not detail technical safeguards, the ISO certification provides a strong foundation for meeting the “reasonable security safeguards” requirement of Section 8.

Strength: ISO 27001:13 compliance demonstrates a commitment to robust information security safeguards.

Section 9 — Data Retention 🔴

The policy uses vague language regarding data retention: “We will keep the Data we collect on our systems or with third parties for as long as required for the purposes set out above or even beyond the expiry of transactional or account based relationship with you: (a) as required to comply with any legal and regulatory obligations to which we are subject, or (b) for establishment, exercise or defence of legal claims, or (c) as specified in this Privacy Policy, or (d) in accordance with specific consents”. This formulation of “as long as required” is a critical gap against the DPDP Act, which mandates erasure when the purpose is fulfilled or consent is withdrawn, within a reasonable period. The DPDP Rules also specify certain minimum retention periods for specific purposes, and prior notice before deletion.

DPDP requirement (Section 9): Data shall be erased when consent is withdrawn or the purpose is fulfilled. The Data Fiduciary must ensure data is erased within a reasonable period, and specific retention rules exist.

Gap: No specific retention timelines are provided, relying on generic “as long as required” language. No clear automated deletion triggers or adherence to DPDP’s erasure mandates.

Section 11 — Rights of Data Principal ⚠️

The HDFC Bank privacy policy mentions certain rights related to credit reference agencies, such as instructing the bank to delete account data under specific conditions. However, it lacks a comprehensive section detailing all Data Principal rights as mandated by the DPDP Act, including:

  • The general right to access information about personal data.
  • The comprehensive right to correction and erasure.
  • The right to grievance redressal.
  • Critically, there is no mention of the right to nominate another person to exercise rights in case of death or incapacity (Section 14).

Partial compliance: While some rights are implicitly or partially covered, the policy does not provide a complete and accessible articulation of all Data Principal rights under the DPDP Act.

Section 12 — Right of Grievance Redressal ⚠️

The main privacy policy for India does not explicitly name a dedicated Data Protection Officer or provide specific contact details for a privacy team within the policy itself. While customer service channels exist, the DPDP Act requires readily available means of grievance redressal provided by a Data Fiduciary. Furthermore, there is no mention of the Data Protection Board as an escalation path for grievances, which is a key component of the DPDP framework. Response timelines, as expected under DPDP, are also not specified for privacy-specific complaints.

Gap: Lack of explicit mention of a Data Protection Officer or dedicated privacy grievance contact within the policy. No reference to the Data Protection Board as an escalation body or specific response timelines for privacy complaints.

Section 16 — Cross-Border Data Transfer ⚠️

The policy mentions sharing data with “other third parties to comply with legal requirements”, which could implicitly include international transfers. While some of HDFC Bank’s other privacy notices (e.g., for EU users) state that personal data is stored on secure systems within HDFC Bank premises in India, the main Indian policy’s general terms for sharing do not specifically address the DPDP Act’s requirements for cross-border data transfer. Under DPDP Section 16, transfer of personal data outside India is only permitted to such countries or territories as may be notified by the Central Government.

Gap: The policy lacks specificity regarding cross-border data transfers, failing to explicitly state adherence to DPDP Act Section 16 requirements concerning transfer to notified jurisdictions and the safeguards applied.
