Overview
Indian Bank is a major public sector bank in India. This specific privacy policy, titled “Privacy Policy – IB Merchant App”, focuses on data collected from merchants using its IB Merchant App. Given that it handles financial data (business details, transaction records, personal info of merchants), robust privacy practices and DPDP compliance are absolutely critical.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
The policy doesn’t describe how consent is actively obtained. It implies that by using the app, merchants agree to the policy’s terms, which is a “take it or leave it” approach.
What the policy says: “The bank or its contractors may hold & process merchant’s personal information… in connection with IB Merchant App services as well as for statistical analysis and credit scoring.”
DPDP requirement: Consent (from the Data Principal, here the merchant) must be free, specific, informed, and unconditional. It needs to be given for each distinct purpose and can be withdrawn anytime.
The problem: The policy lacks any description of a granular consent mechanism. Merchants can’t, for example, agree to payment processing but opt out of data used for “advising about products.” This bundled consent does not meet DPDP’s “freely given” standard.
Section 7 — Certain Legitimate Uses ⚠️
The policy lists purposes for data processing, some of which go beyond what DPDP considers “legitimate uses” without explicit consent.
What the policy says: “The bank or its contractors may hold & process merchant’s personal information… for statistical analysis and credit scoring.” and “to advise merchants about the Bank’s products, services and other safeguards.”
DPDP requirement: Section 7 defines “Legitimate Uses” very narrowly (e.g., voluntary provision, state functions, medical emergencies). Marketing and broad statistical analysis are generally not included unless specific consent is given.
The problem: While “credit scoring” might be necessary for providing financial services, processing data for “statistical analysis” and “to advise merchants about products” (marketing) would require explicit consent under DPDP, not a claim of legitimate use.
Section 8 — Obligations of Data Fiduciary ✅
The bank makes a general promise to keep data safe and has some internal controls.
What the policy says: “The bank will safeguard, securely and confidentially, any information that the merchants share with the Bank.” It also states, “The bank will give access to merchant information to only those employees who are authorized to handle the merchant information.”
DPDP requirement (Section 8): A Data Fiduciary (Indian Bank) must implement “reasonable security safeguards” to protect personal data from breaches and ensure its accuracy.
The strength: The policy shows a clear commitment to confidentiality and security, including internal access controls. It also requires contractors to adhere to its privacy standards. However, it lacks specifics on how these safeguards are implemented (e.g., encryption, technical details).
Section 9 — Data Retention 🔴
This policy is critically missing information about how long merchant data is kept.
What the policy says: (Nothing explicit about retention periods. It only states, “The bank or its contractors may hold & process merchant’s personal information…”)
DPDP requirement (Section 9): Data Fiduciaries must ensure data is erased once its original purpose is fulfilled or consent is withdrawn. Data cannot be kept indefinitely.
The problem: This is a major compliance gap. Without defined retention timelines, Indian Bank faces significant risk from holding onto merchant financial data longer than necessary, violating a core DPDP principle.
Section 11 — Rights of Data Principal 🔴
The policy barely mentions the Data Principal’s (merchant’s) rights, focusing only on data accuracy.
What the policy says: “The bank will exercise due diligence about ensuring the accuracy of the information collected.”
DPDP requirement (Section 11): Data Principals have rights including the right to access their data, correct it, erase it, and in some cases, nominate another person to exercise these rights (Section 14).
The problem: The policy fails to address most DPDP-mandated rights. Merchants have no clear guidance on how to request their data, ask for its deletion, or even correct inaccuracies in a formal manner. The critical right to nominate is also absent.
Section 12 — Right of Grievance Redressal 🔴
The policy for the IB Merchant App does not provide a specific mechanism for privacy-related complaints.
What the policy says: (The policy text provided does not mention a specific Grievance Officer or a privacy complaint process.) The broader bank website has a general “Lodge a Complaint” section, but it’s not specific to privacy or DPDP.
DPDP requirement (Section 12): Data Fiduciaries must appoint a Grievance Officer whose contact details are easily accessible, and provide a clear process for data principals to lodge complaints, including escalation to the Data Protection Board.
The problem: The absence of a dedicated privacy grievance redressal mechanism and a clear escalation path to the Data Protection Board is a severe omission.
Section 16 — Cross-Border Data Transfer 🔴
The policy is completely silent on whether merchant data might be transferred outside India.
What the policy says: The policy mentions sharing with “external organizations” and “clearing house centres” but doesn’t specify if these entities are located abroad.
DPDP requirement (Section 16): Personal data can only be transferred outside India to countries specifically notified by the Central Government.
The problem: For a large bank, the likelihood of some data processing or storage occurring cross-border is high. The lack of any mention or safeguards for cross-border data transfer creates a significant, undeclared risk under DPDP.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance for non-compliance |
| Consent compliance | High | Invalid consent could expose bank to widespread legal challenges |
| Data retention | Critical | Indefinite retention of financial data is a major violation |
| Data principal rights | High | Inability for merchants to exercise rights creates liability |
| Grievance redressal | High | Lack of clear process leads to direct Data Protection Board complaints |
| Cross-border transfer | Medium | Undeclared transfers could be illegal under DPDP |
| Policy scope | High | Narrow policy leaves other bank services exposed |
Recommendations
- Develop a comprehensive DPDP Policy: Create a bank-wide policy that covers all data processing activities, not just a single app.
- Implement explicit, granular consent: For any data processing beyond strict necessity, obtain clear, specific, and affirmative opt-in consent from merchants.
- Define specific data retention periods: Clearly state how long each category of merchant data will be retained and establish an automated erasure process.
- Detail Data Principal Rights: Clearly outline merchants’ rights to access, correct, and erase their data, and to nominate another person, along with simple instructions for exercising these rights.
- Establish a clear DPDP grievance redressal process: Appoint a dedicated Grievance Officer for privacy concerns and detail the complaint process, including escalation to the Data Protection Board.
- Address Cross-Border Data Transfer: If data is transferred abroad, explicitly state the permitted jurisdictions and the safeguards in place, adhering to DPDP Section 16.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.