Kotak Mahindra Bank

DPDP Ready Score: 34/100
Analysis supervised by Sushant Pasumarty
29 Mar 2026

Kotak Mahindra Bank's privacy policy is geared towards traditional legal frameworks, not India's new DPDP Act, 2023. With vast amounts of sensitive financial data, the policy critically lacks DPDP-mandated granular consent, specific data retention timelines, and explicit data principal rights, creating significant regulatory risks.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference — still relies on implied consent frameworks
  • Consent mechanism bundled with policy acceptance, not 'freely given' or granular
  • No specified data retention period — a significant compliance gap
  • Absence of explicit Data Principal rights (access, correction, erasure)
  • No mention of Data Protection Board grievance escalation path
  • Cross-border data transfer details are vague or absent
  • Broad legitimate uses claimed for marketing and third-party sharing

✅ Strengths

  • Grievance Officer contact clearly published
  • Mentions 'reasonable measures' for security and confidentiality
  • Cookie policy provides some details on data collected via cookies

Overview

Kotak Mahindra Bank is a major Indian financial institution offering a wide range of banking and financial services. It handles highly sensitive Customer Information (your personal data) including account details, transaction history, KYC documents, and potentially even call logs and SMS data as stated in their policy. For a bank, robust privacy practices aligned with the new DPDP Act (Digital Personal Data Protection Act, 2023) are paramount to protect customers and avoid hefty fines.

DPDP Readiness: Section-by-Section Analysis

Kotak’s policy largely relies on implied consent and bundled terms.

What the policy says: “By divulging any information to us you agree to the terms and conditions of this Policy.” And “By visiting the website, you acknowledge, accept and expressly authorize us for the placement of cookies on your computer or hand held device.”

DPDP requirement: Consent must be free, specific, informed, unconditional, and unambiguous. A Data Principal (the individual whose data is collected) must be able to clearly understand and agree to each specific purpose for which their data is processed. It also must be freely given, meaning there’s a genuine choice.

The problem: This is a classic “take it or leave it” approach. You can’t use Kotak’s services without agreeing to all data processing terms, which isn’t “freely given.” There’s no granular option to consent to banking services but opt-out of, say, marketing or sharing with affiliates.

Section 7 — Certain Legitimate Uses 🔴

The policy claims broad uses of data under a general agreement framework, many of which would not qualify under DPDP’s narrower definition of “legitimate uses.”

What the policy says: “We may use the Customer Information for, among other things, customer verification, provision of products and services, for personalization of products or services, marketing or promotion of our financial services or related products or that of our associates and affiliates; for creation of Statistical Information, statistical analysis or credit scoring…”

DPDP requirement: The Act defines “certain legitimate uses” very narrowly. These generally include voluntary provision by the Data Principal, state functions, medical emergencies, employment, or legal compliance – without requiring separate consent. Marketing and personalization for non-essential services usually require explicit consent.

The problem: Kotak lists “personalization,” “marketing,” and sharing with “associates and affiliates” as part of its general use. Under DPDP, these would typically require specific, opt-in consent, rather than being treated as “legitimate uses” that don’t need additional permission.

Section 8 — Obligations of Data Fiduciary ⚠️

The policy mentions security but lacks specific details required by the DPDP Act.

What the policy says: “We have taken reasonable measures to protect security and confidentiality of the Customer Information and its transmission through the World Wide Web.” And “The Bank will give access to Customer Information to only authorised employees.”

DPDP requirement: A Data Fiduciary (the company collecting your data) must implement reasonable security safeguards to prevent data breaches, including technical and organisational measures. This often means describing specific controls like encryption, access management, and regular audits.

The problem: While “reasonable measures” are mentioned, the policy is vague. It doesn’t detail what these measures are (e.g., specific encryption standards, breach response plans, data protection impact assessments), making it hard to assess compliance.

Section 9 — Data Retention 🔴

This is a critical missing piece in Kotak’s privacy policy. There is no mention of how long your data is retained.

DPDP requirement: Data shall be erased when the purpose for which it was collected is fulfilled, or when the Data Principal withdraws consent, within a reasonable period. The Data Fiduciary must specify clear data retention periods.

The problem: The policy is completely silent on how long customer data is kept. This means a customer has no idea when their financial and personal data will be purged, which is a significant DPDP violation.

Section 11 — Rights of Data Principal 🔴

Kotak’s policy does not explicitly outline the rights granted to you under the DPDP Act.

DPDP requirement: The Act grants several rights to Data Principals, including the right to:

  • Access information about their data processing.
  • Correct or complete their personal data.
  • Update their personal data.
  • Erase their personal data (Right to Erasure).
  • Nominate another person to exercise these rights in case of death or incapacity (Section 14).

The problem: These crucial rights are not explicitly mentioned in the policy. While banks typically have processes for data correction, the DPDP Act requires these to be clearly communicated as rights. The right to erasure and nomination are completely absent.

Section 12 — Right of Grievance Redressal ⚠️

A grievance officer is named, which is a good step, but the process is incomplete by DPDP standards.

What the policy says: “Grievances For discrepancies and grievances pertaining to processing of information, please get in touch with our Grievance Officer, Mr. P Balgi at [email protected].”

DPDP requirement: Every Data Fiduciary must appoint a Grievance Officer, provide their contact details, and commit to responding within a specified timeframe (typically 30 days). Crucially, the policy must also inform the Data Principal about their right to appeal to the Data Protection Board of India if their grievance is not resolved internally.

The problem: While an officer is named, there’s no mention of a response timeline. More importantly, there’s no reference to the Data Protection Board as the next step for unresolved grievances.

Section 16 — Cross-Border Data Transfer 🔴

The policy has broad clauses for sharing data but does not address cross-border transfers explicitly with DPDP in mind.

What the policy says: “We may disclose Customer Information to any of our associates and affiliates, without any limitation and you hereby give your consent for the same.” And “We may disclose the Customer Information to third parties for following, among other purposes… For advertising. or For facilitating joint product promotion campaigns.”

DPDP requirement: Cross-border data transfer (sending your data outside India) is only permitted to countries notified by the Central Government, and with specific safeguards in place. The Data Fiduciary must be transparent about where data might be transferred and what protection it receives.

The problem: The policy allows broad sharing with affiliates and third parties “without any limitation.” This could easily involve transferring data abroad, but the policy offers no transparency on the countries involved or the safeguards implemented, making it non-compliant with DPDP Section 16.

Risk Assessment

Category               | Risk Level | Potential Impact
-----------------------|------------|------------------------------------------------------------------
Regulatory fine        | High       | Up to ₹250 Cr per instance under DPDP
Consent compliance     | Critical   | Bundled consent invalidates processing for many purposes
Data retention         | Critical   | No deletion timelines = indefinite data holding, major non-compliance
Data principal rights  | High       | Failure to provide basic DPDP rights exposes the bank to complaints
Cross-border transfer  | High       | Blanket sharing without specified safeguards or locations
Grievance redressal    | Medium     | Incomplete escalation process for users

Recommendations

  1. Implement layered and granular consent — Provide clear, separate opt-in checkboxes for different data processing purposes (e.g., core banking, marketing, third-party sharing).
  2. Define specific data retention periods — Clearly state how long different types of data are kept and when they are deleted.
  3. Explicitly outline Data Principal Rights — Add a section detailing rights like access, correction, erasure, and nomination, along with mechanisms to exercise them.
  4. Update grievance process — Add a commitment to a 30-day response time and clearly state the Data Protection Board of India as the escalation path.
  5. Be transparent about cross-border transfers — If data is transferred abroad, specify the categories of data, the countries, and the safeguards in place.
  6. Review “legitimate uses” — Ensure that uses like marketing and personalization are backed by explicit consent, not just broad policy agreement.

How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Run a free instant check:


Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
