How Long Can You Keep Employee Monitoring Data Under DPDP?

How long can employers keep employee monitoring data under DPDP? The DPDP Act 2023 sets no fixed number of days or years. Section 8(7) ties retention to purpose: personal data must be erased once the purpose it was collected for is no longer being served and no other law requires keeping it. So instead of one period, you set a defensible schedule per data category. Raw activity logs that only feed a live dashboard may need just days or weeks; attendance and payroll-linked records often map to a statutory limitation window of years; and high-sensitivity capture such as screenshots or keystroke logs should be kept for the shortest period a genuine purpose supports, or, better, not collected at all. The defensible answer is the overlap of two rules: never longer than the purpose needs, and never shorter than a statute requires. Document the purpose, the period, and the deletion method for each category. Verify with counsel.

“How long can we keep it?” is the question that turns a monitoring deployment into a DPDP liability or a clean audit. The Act answers it with a principle, not a deadline — which is harder to operationalise than a fixed number, but also more flexible once you understand the logic. This guide walks the legal basis, shows how to map retention to purpose by data category, and gives you a schedule template you can defend. Verify with counsel.

What DPDP actually says about retention

The DPDP Act 2023 does not hand you a number. Its retention rule lives in Section 8(7), which requires a Data Fiduciary to erase personal data once the purpose for which it was collected is no longer being served, unless retention is necessary to comply with another law. Read alongside Section 8’s general obligation to process for a specified, lawful purpose and Section 5’s notice requirement, the structure is simple: you stated a purpose, you collected data for it, and when the purpose ends, so does your right to keep the data.

That is a purpose-tied model, not a calendar one. There is no “keep monitoring data for X years” clause to point a regulator to. The flip side is that “we might need it someday” is not a purpose, and indefinite retention is the posture hardest to defend in a Data Protection Impact Assessment. The Act’s text governs; precise wording and any forthcoming Rules should be confirmed against the current statute. Verify with counsel.

Why is there no single retention period under DPDP?

Because retention is tied to purpose, the same organisation can correctly keep one data type for a day and another for seven years. The trick is to stop asking “how long can we keep monitoring data?” as one question and instead ask it once per data category. A live productivity dashboard needs only recent data to render — the underlying raw activity stream often has no purpose past a short rolling window. An attendance record, by contrast, may feed payroll and be subject to labour, PF/ESI, tax and limitation-period minimums that keep it alive for years.

Two forces bracket every category: the upper bound (“no longer than the purpose needs”, from DPDP Section 8(7)) and the lower bound (“no shorter than any law requires”, from statutes that mandate minimum retention for specific records). Your defensible schedule is the overlap. Where the two conflict — a statute forces you to keep something you would rather delete — the statutory minimum wins, and you note it in your schedule. Verify the applicable minimums with counsel.

Retention by data category: a worked schedule

The table below is an illustrative starting point, not legal advice. Periods marked “statutory” are governed by laws outside DPDP and must be confirmed for your entity, sector and state; periods marked “purpose-set” are choices you justify and document. The principle holds: shorter is safer, and what you never collect, you never have to retain.

| Data category | Typical stated purpose | Illustrative retention | What sets the limit |
|---|---|---|---|
| Raw activity/event logs | Render live productivity dashboard | Days to a few weeks (rolling) | Purpose-set (DPDP 8(7)) |
| Aggregated productivity metrics | Trend reporting, appraisals input | Current + prior review cycle | Purpose-set |
| Attendance / timesheet records | Payroll, statutory compliance | Statutory minimum (often years) | Labour/tax/PF-ESI law |
| Screenshots / screen recordings | Avoid if possible; narrow exception only | Shortest window a genuine purpose supports | Purpose-set (high risk) |
| Keystroke logs | Rarely defensible for productivity | Prefer none collected | Purpose-set (highest risk) |
| Investigation / legal-hold data | Active dispute or legal hold | Duration of hold + limitation | Statutory / legal hold |
| Consent & notice records | Demonstrate DPDP compliance | While processing + reasonable tail | Accountability evidence |

Vendor and statutory specifics change — confirm current minimums and any sector rules for your organisation before adopting any figure here. Verify with counsel.

How long can you keep monitoring data after an employee leaves?

Exit is a trigger for review, not a signal to delete everything or to keep everything forever. Walk the same category map. Data with a surviving statutory purpose — final settlement, PF/ESI, tax records, an open dispute, or anything under legal hold — stays for that purpose’s window. Data whose only purpose was day-to-day productivity visibility usually has no surviving purpose the moment the person is no longer being managed, and should be deleted on schedule rather than archived “for reference”.

Key figures for the file — the most serious DPDP violations carry monetary penalties up to INR 250 crore as prescribed in Schedule 1 of the DPDP Act 2023; for India exporters serving EU customers, the EU AI Act separately treats AI systems used to evaluate or monitor workers as high-risk, with their own logging and record-keeping duties. Both regimes are fact-specific and the figures are statutory maximums, not typical outcomes — verify exposure with counsel.

The cleanest exit posture is decided before anyone leaves: a documented schedule that says, per category, what survives exit and for how long, with deletion automated where possible so it actually happens. Verify with counsel.

Writing a retention schedule you can actually defend

A defensible schedule is short, specific and enforced. For each data category, record five things: the data type, its single stated purpose, the retention period that purpose (and any statutory minimum) justifies, the deletion method, and the owner accountable for it. Resist the urge to keep “everything for the longest period any category needs” — that over-retention is precisely what a DPIA flags.

  1. Inventory what you collect. You cannot set retention for data you have not catalogued. List every capture category your tooling produces.
  2. Attach one purpose to each. If a category has no purpose, stop collecting it — that is the biggest single retention win.
  3. Set the period from the purpose. Upper bound from DPDP 8(7); lower bound from any statute. Document both.
  4. Automate deletion. A schedule enforced by code, not memory, is the one that survives an audit.
  5. Review annually and on change. Re-run the schedule whenever you change what you collect or why.
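
A sketch of steps 3 and 4 as code, added here as an illustration and not taken from the article's author or any vendor. Category names, record fields and every period are constructed placeholders, not legal figures. It applies the two-bound rule (statutory minimum wins over the purpose window), ends a non-surviving purpose at exit, honours legal holds, and flags categories missing from the inventory instead of guessing.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Category:
    purpose: str                  # "" means no stated purpose: nothing justifies keeping it
    purpose_days: int             # upper bound: longest the stated purpose needs
    statutory_min_days: int = 0   # lower bound from another law (0 = none applies)
    survives_exit: bool = False   # does the purpose outlive the employment?

# Constructed placeholder periods for illustration, not legal figures.
SCHEDULE = {
    "raw_activity_log": Category("render live dashboard", 14),
    "attendance": Category("payroll", 90, statutory_min_days=1095, survives_exit=True),
    "screenshot": Category("", 0),
}

def decide(cat, collected, today, exit_date=None, legal_hold=False):
    """Return (action, reason) for one record under the two-bound rule."""
    if legal_hold:
        return ("retain", "legal hold")
    if not cat.purpose:
        return ("delete", "no stated purpose")
    purpose_until = collected + timedelta(days=cat.purpose_days)
    if exit_date is not None and not cat.survives_exit:
        purpose_until = min(purpose_until, exit_date)  # purpose ended at exit
    statutory_until = collected + timedelta(days=cat.statutory_min_days)
    keep_until = max(purpose_until, statutory_until)   # statutory minimum wins
    reason = "statutory minimum" if statutory_until > purpose_until else "purpose"
    return ("delete" if today > keep_until else "retain", f"{reason} window ends {keep_until.isoformat()}")

def sweep(records, today):
    due, uncatalogued = [], []
    for r in records:
        cat = SCHEDULE.get(r["category"])
        if cat is None:
            uncatalogued.append(r["id"])  # inventory gap: flag it, do not guess
        elif decide(cat, r["collected"], today, r.get("exit"), r.get("hold", False))[0] == "delete":
            due.append(r["id"])
    return due, uncatalogued  # (ids due for deletion, ids with no schedule entry)

# Constructed sample records.
RECORDS = [
    {"id": 1, "category": "raw_activity_log", "collected": date(2025, 1, 1)},
    {"id": 2, "category": "raw_activity_log", "collected": date(2025, 1, 1), "hold": True},
    {"id": 3, "category": "attendance", "collected": date(2025, 1, 1), "exit": date(2025, 1, 10)},
    {"id": 4, "category": "screenshot", "collected": date(2025, 1, 30)},
    {"id": 5, "category": "webcam", "collected": date(2025, 1, 30)},
    {"id": 6, "category": "raw_activity_log", "collected": date(2025, 1, 25), "exit": date(2025, 1, 28)},
]
```

Run `sweep(RECORDS, date(2025, 2, 1))` from a scheduled job and log each returned reason string alongside the deletion, so the audit trail shows which bound drove every decision.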

Reducing the capture surface is the highest-leverage move: a platform that scores productivity from outcome signals — calendar, repo, ticket and focus artefacts — rather than screenshots and keystrokes simply has fewer categories to retain, shorter notices to write, and a far smaller breach blast radius. Verify with counsel.

Frequently asked questions

How long can employers keep employee monitoring data under DPDP?

The DPDP Act 2023 does not set a fixed retention period for employee monitoring data. Section 8(7) requires that personal data be erased once the purpose it was collected for is no longer being served and retention is not required by law. In practice this means you set a defensible schedule per data category tied to its purpose — for example, attendance and timesheet records may map to a payroll or statutory limitation period, while raw activity logs used only for live dashboards often need only days or weeks. There is no single legal number; document the purpose and the schedule. Verify with counsel.

Does DPDP give a specific number of days or years to keep monitoring data?

No. Unlike some sector rules, the DPDP Act 2023 expresses retention as a principle, not a fixed figure. Section 8(7) ties erasure to the purpose ending; other statutes — such as labour, tax, PF/ESI and limitation laws — may impose minimum retention for specific records like attendance or payroll. Your schedule is the overlap of 'no longer than the purpose needs' and 'no shorter than any law requires'. Verify the applicable statutory minimums with counsel.

What happens to monitoring data when an employee leaves?

Exit triggers a review, not automatic deletion of everything. Data still needed for a live statutory purpose — final settlement, PF/ESI, tax records, an open dispute or legal hold — is retained for that purpose's window. Data whose only purpose was day-to-day productivity visibility generally has no surviving purpose after exit and should be deleted on schedule. Map each category to a purpose before you decide. Verify with counsel.

Can we keep screenshots and keystroke logs indefinitely 'just in case'?

'Just in case' is not a purpose under the DPDP Act 2023, so indefinite retention of high-sensitivity capture like screenshots or keystroke logs is among the hardest postures to defend. Section 8 requires a specified, lawful purpose and Section 8(7) requires erasure once it ends. The lower-risk design is to avoid collecting such content at all, or to keep it for the shortest window a genuine purpose supports. Verify with counsel.

How do I write a defensible monitoring data retention schedule?

Build a category-by-category table: name each data type, its single stated purpose, the retention period justified by that purpose (and any statutory minimum), the deletion method, and the owner. Keep it short, keep it honest, and make deletion automatic where possible so the schedule is enforced rather than aspirational. Review it at least annually and after any change to what you collect. Verify with counsel.

Do the EU AI Act or GDPR change our retention period for India staff?

They can, if you serve EU customers or process EU residents' data. GDPR's storage-limitation principle (Article 5(1)(e)) mirrors DPDP's purpose-tied approach, and the EU AI Act adds record-keeping and logging duties for workplace AI systems classed as high-risk. For Indian IT services and GCCs with EU exposure, the practical schedule is the strictest of the regimes that apply. Verify cross-border obligations with counsel.

Disclaimer: This article is general information, not legal advice. The DPDP Act 2023 expresses retention as a purpose-tied principle and statutory minimums vary by sector, entity and state; EU AI Act and GDPR obligations are fact-specific. Penalty figures cited are statutory maximums, not typical outcomes. Verify retention periods, classification and penalties with qualified counsel before acting.