“The blockchain won’t let me delete your data.” That is not a legal answer under Indian law.
Arjun resigned from his employer and asked them to erase his personal data. His HR team apologised — the data was on their blockchain-based verification system and, they said, could not be deleted.
Under Section 12(3) of the DPDP Act, 2023, every Data Principal has a statutory right to erasure. The Data Fiduciary must comply — unless retention is necessary for a specified purpose or legal obligation. The DPDP Act creates no exception for immutable ledgers.
Furthermore, Section 8(1) places non-derogable liability on the Data Fiduciary. An organisation cannot transfer that liability to its technology architecture.
IS Audit 3.0 by ICAI identifies legal and compliance uncertainty as a primary blockchain risk. Before the DPDP Act, that uncertainty was structural. Today, the law is clear.
The compliance design choices are not complicated — but they must be made at the architecture stage, not after deployment:
→ Store personal data off-chain. Record only a hash on the ledger. Delete the off-chain data on erasure request. → Alternatively, encrypt personal data before writing to the chain. On erasure request, delete the encryption key. The block remains — but it is unreadable. → For permissioned chains, build node-level governance with erasure-triggering protocols.
Arjun’s employer had an immutable ledger. However, they did not have an erasure plan. Those are two different problems — and only one of them was a technical constraint.
The DPDP Act compliance deadline is 13 May 2027. Blockchain architectures processing personal data today need an erasure design now.
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.
Authors: This article has been co-authored by CA. Sunil Elayadath and CA. Karthik Narayanan S, Partners of Karthik & Sunil, together with Mr. Dhanesh P. K., Designated Partner, DSK Sustainability Tech.
Suresh runs the technology operations of a growing e-commerce company in Chennai. Two lakh registered customers. Three cloud vendors — one handles transactions and payments, one runs the analytics and recommendation engine, and one powers the customer support chatbot.
Each vendor has a copy of customer personal data. Some overlap. Some don’t. Suresh has never mapped exactly which data lives where.
One afternoon, a customer sends a formal email invoking her right to erasure under the DPDP Act. She has deleted her account. She wants confirmation that all her personal data has been erased.
Suresh opens his systems. He can delete her record from the primary database. He can see her in the analytics platform. He thinks she might be in the support chatbot’s conversation history. He is not sure whether the payment processor retains her card data or whether the analytics engine has derived any insights about her that are stored independently.
He has 48 hours before he must confirm erasure. He does not know where to start.
The multi-cloud erasure problem under DPDP
Section 8(7)(b) of the DPDP Act, 2023 creates the cascade obligation: when erasure is triggered — whether by purpose completion, consent withdrawal, or Data Principal request under Section 12 — the Data Fiduciary must erase the personal data and cause its Data Processors to erase the personal data made available to them.
The word “cause” is important. The obligation is not to request. It is to cause — to ensure that erasure actually occurs across every downstream processor. Suresh cannot discharge this obligation by sending an email to three vendors and hoping they comply. He must have a contractual mechanism — and a technical verification mechanism — that confirms the data has been erased.
IS Audit Module 6 identifies multi-tenancy as a specific cloud privacy risk: in a shared cloud environment, data from different customers may be commingled, creating scenarios where erasure of one customer’s data requires careful isolation to avoid affecting other tenants’ data — and equally, to ensure complete deletion rather than merely marking a record as inactive.
The Data Processor contract that Suresh does not have
Rule 6(1)(f) of the DPDP Rules requires the contract between the Data Fiduciary and every Data Processor to include appropriate provisions for taking reasonable security safeguards — which, by extension of the Act’s overall framework, includes the ability to execute erasure on instruction.
Suresh’s three vendor agreements are standard subscription contracts. None of them include a clause that obligates the vendor to erase personal data on a specific Data Principal’s request within a specified timeframe. None of them include an API endpoint for automated erasure triggering. None of them require the vendor to confirm deletion with an audit record.
Without these contractual provisions, Suresh’s erasure obligation is practically unenforceable against his own vendors. He is accountable to the Data Principal — and he has no mechanism to discharge that accountability.
The technology architecture Suresh needed to build
A DPDP-compliant multi-cloud environment for a Data Fiduciary requires a data mapping inventory — a live register of which personal data categories sit with which Data Processor, updated as the technology stack evolves. Without this map, Suresh cannot identify all the locations that must be cleared when an erasure request arrives.
It requires Data Processor contracts that include specific erasure API or webhook obligations — technical hooks that allow the Data Fiduciary’s erasure workflow to send a deletion instruction directly to each processor’s system and receive a timestamped confirmation.
It requires an erasure orchestration layer — a workflow engine that receives the Data Principal’s erasure request, identifies every processor in the data map holding that individual’s data, dispatches deletion instructions simultaneously, collects confirmations, and generates an audit trail of the completed erasure.
IS Audit Module 6 identifies cloud migration risks including insufficient planning and processes as a leading cause of cloud security failures. Suresh’s situation is exactly this: the cloud architecture was expanded incrementally without a corresponding expansion of data governance. Each new vendor added a compliance obligation that was never mapped, never contracted for, and never operationalised.
What the customer actually has the right to
Under Section 12 of the DPDP Act, Suresh’s customer has the right to erasure of her personal data unless retention is required by law. Under Section 11, she has the right to know the identities of all Data Processors with whom her data was shared. She does not need to know that Suresh has three cloud vendors — but she is legally entitled to find out.
Under Rule 8(3), personal data and processing logs must be retained for at least one year — so complete immediate erasure across all systems is not always possible. But the customer’s primary profile data, her transaction history shared with analytics, and her support conversations must be erased on schedule, with the one-year minimum applying only to logs.
The distinction between what must be retained for compliance and what must be erased on request requires data classification — another element of governance Suresh has not yet built.
The cloud is not one system. Neither is the compliance obligation.
Every Data Processor your organisation engages creates a branch of the same compliance obligation. Consent. Security safeguards. Breach notification. Erasure on instruction. Data Principal rights access. Each branch must be contractually formalised, technically implemented, and operationally testable.
The cloud makes personal data processing faster, cheaper, and more scalable. The DPDP Act ensures that those efficiencies do not come at the cost of Data Principal rights — regardless of how many cloud vendors the efficiency requires.
Sources: DPDP Act 2023 | ICAI IS Audit 3.0 Course
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.
Authors: This article has been co-authored by CA. Sunil Elayadath and CA. Karthik Narayanan S, Partners of Karthik & Sunil, together with Mr. Dhanesh P. K., Designated Partner, DSK Sustainability Tech.
Income Tax Return of FY 2018-19 – The last date for filing extended to 30-06-2020. Interest rate for delayed payment reduced to 9% till 30-06-2020.
Delayed deposit of TDS – Interest rate reduced to 9% from 18%
Aadhar PAN linking extended 30-06-2020
Vivad Se Viswas – The date without additional 10% extended till 30-06-2020
All due dates extended till 30-06-2020 – This includes, notices, orders, statements, returns, time limit for buying tax saving investment etc will be extended till 30-06-2020
As per rule 12A of the Companies (Appointment and Qualification of Directors)Rules 2014, “every individual who has been allotted a Director Identification Number (DIN) as on 31st March of a financial year, has to file Form DIR-3 KYC. The due date for filing the form was 30th April of the immediate next financial year.
As per notification issued by Ministry of Corporate Affairs ( G.S.R. 339(E) dated 30th April, 2019), the due date was extended to 30th June of the immediate next financial year
CBDT issued an order ( F. No. 225/105/2019/ITA.IIdated 30th April, 2019) specifying the Income Tax authority for furnishing information in respect of assessees to the Nodal officer, GSTN.
The text of the order is given below:
Order
In exercise of powers conferred under section 138(1)(a) of the Income tax Act, 1961 (‘Act’), for purposes of sub-clause (i) of section 138(1)(a) of the Act, the Central Board of Direct taxes (‘CBDT’) hereby directs that Principal Director General of Income-tax (Systems) or Director General of Income-tax (Systems), New Delhi shall be the specified income-tax authority for furnishing information respecting assessees to the Nodal Officer, Goods and Services Tax Network (‘GSTN’).
2. The data/information to be furnished by the specified income-tax authority shall be:
(a) Request based exchange of data, wherein, important financial fields which are captured in the Income Tax Returns (ITRs) such as (i) status of filing of ITR; (ii) turnover; (iii) gross total income, (iv)turnover ratio; (v)GTI range; (vi) turnover range and (vii) any other field, the modalities of which shall be decided by the concerned specified authorities.
(b) Spontaneous exchange of data, the modalities of which shall be decided by the concerned specified authorities.
(c) Automatic exchange of data, the modalities of which shall be decided by the concerned specified authorities.
While furnishing the information, the specified income-tax authority shall form an opinion that sharing of such information is necessary for the purposes of enabling the specified authority in GSTN to perform its functions under the Goods and Services Tax.
3. To facilitate the process of furnishing information, Principal Director General of Income-tax (Systems) or Director General of Income-tax (Systems) would enter into a Memorandum of Understanding (‘MoU’) with nodal officer, GSTN, which inter-alia would include modalities of exchange of data, maintenance of confidentiality, mechanism for safe preservation of data, weeding out after usage etc. The time line for furnishing information shall also be decided by Pr. Director General of Income-tax (Systems) or Director General of Income-tax (Systems) in consultation with concerned nodal officer and included in the said MoU.
4. A copy of MoU shall be forwarded to this division for record purposes.
5. This issues with the approval of Chairman, CBDT.
A similar order is expected from CBIC also in the near future,
The government has extended the deadline for uploading photos of business premises to June 15, giving corporates more time to comply with a provision aimed at spotting shell companies.
“It has been decided to extend the date to June 15,” confirmed a corporate affairs ministry official. The same is reported in Economic Times.
This new electronic form INC 22A, which is also known as e-Form ACTIVE (Active Company Tagging Identities and Verification), was notified as part of the Companies (Incorporation) Amendment Rules, 2019 in February. If the form is filed within the due date, there is no fee, while late filing will attract a fine of Rs 10,000.
Ministry of Corporate Affairs, issued notifications regarding extension of due date for filing Form Active (INC-22A) and also changing the date of filing without any payment of fees and till 15-06-2019 and with payment of Rs.10,000/- for filing on or after 16-06-2019, by amending Companies (Incorporation) Rules, 2014 and Companies (Registration offices and Fees) Rules, 2014. Both the notification were issued on 25th April, 2019.
Ministry of Corporate Affairs had made a clarification post (not by way of Notification or Circular) in their website http://www.mca.gov.in regarding the annual filing of DIR-3 KYC for those Directors who had already filed the form and for those DIN allotted post 31-03-2018.
The clarification states that the DIR-3 KYC e-form presently available on the portal does not cater for the following:
(i) Filing on annual basis, and
(ii) Filing in respect of DINs allotted post 31 March 2018. It presently caters only to those individuals who were allotted DINs as on 31st March 2018 and whose DINs have been marked as ‘Deactivated due to non-filing of DIR-3 KYC’.
It is also clarified that, the form is presently being modified to enable pre-filling of data & information so that annual filings can be done by DIN holders in a simple and user friendly manner. The revised form, which will be shortly deployed, can be filed without any fee within a period of 30 days from the date of deployment.
GST COUNCIL 34th Meet – GST Rate on Real Estate Sector
Decisions taken by the GST Council in the 34thmeeting held on 19thMarch, 2019 regarding GST rate on real estate sector
Posted On: 19 MAR 2019 5:41PM by PIB Delhi
GST Council in the 34th meeting held on 19th March, 2019 at New Delhi discussed the operational details for implementation of the recommendations made by the council in its 33rd meeting for lower effective GST rate of 1% in case of affordable houses and 5% on construction of houses other than affordable house. The council decided the modalities of the transition as follows.
Option in respect of ongoing projects:
2. The promoters shall be given a one -time option to continue to pay tax at the old rates (effective rate of 8% or 12% with ITC) on ongoing projects (buildings where construction and actual booking have both started before 01.04.2019) which have not been completed by 31.03.2019.
3. The option shall be exercised once within a prescribed time frame and where the option is not exercised within the prescribed time limit, new rates shall apply.
New tax rates:
4. The new tax rates which shall be applicable to new projects or ongoing projects which have exercised the above option to pay tax in the new regime are as follows.
(i) New rate of 1% without input tax credit (ITC) on construction of affordable houses shall be available for,
(a) all houses which meet the definition of affordable houses as decided by GSTC (area 60 sqm in non- metros / 90 sqm in metros and value upto RS. 45 lakhs), and
(b) affordable houses being constructed in ongoing projects under the existing central and state housing schemes presently eligible for concessional rate of 8% GST (after 1/3rd land abatement).
(ii) New rate of 5% without input tax creditshall be applicable on construction of,-
all houses other than affordable houses in ongoing projects whether booked prior to or after 01.04.2019. In case of houses booked prior to 01.04.2019, new rate shall be available on instalments payable on or after 01.04.2019.
all houses other than affordable houses in new projects.
commercial apartments such as shops, offices etc. in a residential real estate project (RREP) in which the carpet area of commercial apartments is not more than 15% of total carpet area of all apartments.
Conditions for the new tax rates:
5. The new tax rates of 1% (on construction of affordable) and 5% (on other than affordable houses) shall be available subject to following conditions,-
Input tax credit shall not be available,
80% of inputs and input services (other than capital goods, TDR/ JDA, FSI, long term lease (premiums)) shall be purchased from registered persons. On shortfall of purchases from 80%, tax shall be paid by the builder @ 18% on RCM basis. However, Tax on cement purchased from unregistered person shall be paid @ 28% under RCM, and on capital goods under RCM at applicable rates.
Transition for ongoing projects opting for the new tax rate:
6.1 Ongoing projects (buildings where construction and booking both had started before 01.04.2019) and have not been completed by 31.03.2019 opting for new tax rates shall transition the ITC as per the prescribed method.
6.2 The transition formula approved by the GST Council, for residential projects (refer to para 4(ii)) extrapolates ITC taken for percentage completion of construction as on 01.04.2019 to arrive at ITC for the entire project. Then based on percentage booking of flats and percentage invoicing, ITC eligibility is determined. Thus, transition would thus be on pro-rata basis based on a simple formula such that credit in proportion to booking of the flat and invoicing done for the booked flat is available subject to a few safeguards.
6.3 For a mixed project transition shall also allow ITC on pro-rata basis in proportion to carpet area of the commercial portion in the ongoing projects (on which tax will be payable @ 12% with ITC even after 1.4.2019) to the total carpet area of the project.
Treatment of TDR/ FSI and Long term lease for projects commencing after 01.04.2019
7. The following treatment shall apply to TDR/ FSI and Long term lease for projects commencing after 01.04.2019.
7.1 Supply of TDR, FSI, long term lease (premium) of land by a landowner to a developer shall be exempted subject to the condition that the constructed flats are sold before issuance of completion certificate and tax is paid on them. Exemption of TDR, FSI, long term lease (premium) shall be withdrawn in case of flats sold after issue of completion certificate, but such withdrawal shall be limited to 1% of value in case of affordable houses and 5% of value in case of other than affordable houses. This will achieve a fair degree of taxation parity between under construction and ready to move property.
7.2 The liability to pay tax on TDR, FSI, long term lease (premium) shall be shifted from land owner to builder underthe reverse charge mechanism (RCM).
7.3 The date on which builder shall be liable to pay tax on TDR, FSI, long term lease (premium) of land under RCM in respect of flats sold after completion certificate is being shifted to date of issue of completion certificate.
7.4 The liability of builder to pay tax on construction of houses given to land owner in a JDA is also being shifted to the date of completion. Decisions from para 7.1 to 7.4 are expected to address the problem of cash flow in the sector.
Amendment to ITC rules:
8. ITC rules shall be amended to bring greater clarity on monthly and final determination of ITC and reversal thereof in real estate projects. The change would clearly provide procedure for availing input tax credit in relation to commercial units as such units would continue to be eligible for input tax credit in a mixed project.
9. The decisions of the GST Council have been presented in this note in simple language for easy understanding. The same would be given effect to through Gazette notifications/ circulars which alone shall have force of law.