Overview
Axis Bank is one of India’s largest private sector banks, handling a vast amount of sensitive personal and financial data for millions of customers. This includes everything from bank account details and credit card information to health data (for insurance or specific products) and biometric data. For a Data Fiduciary like Axis Bank (that’s the company deciding how and why your data is processed), strict adherence to the DPDP Act 2023 is non-negotiable.
DPDP Readiness: Section-by-Section Analysis
Sections 5 & 6 — Notice & Consent 🔴
Axis Bank’s policy relies on implied consent and broad authorizations, which is a major red flag under DPDP.
What the policy says: “The User authorizes Axis Bank to exchange, share, part with all information related to the details and transaction history of the User to its Affiliates / banks / financial institutions / credit bureaus / agencies… for customary practice, credit reporting, statistical analysis and credit scoring, verification or risk management…” Also, “By using our website user/s agree that these types of cookies can be placed on his/her device.”
DPDP requirement: Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. Section 5 requires a notice describing that purpose before or at the time consent is sought, and the Data Principal (that’s you, the individual whose data is collected) can withdraw consent at any time.
The problem: This is bundled consent. You agree to broad data sharing just by using the services or website, with no affirmative action tied to any particular purpose. There’s no granular option to consent to banking services but decline “statistical analysis” or particular third-party sharing, so the consent is neither free nor specific.
Section 7 — Certain Legitimate Uses ⚠️
The policy uses broad terms for processing, which might not align with DPDP’s narrower scope of “legitimate uses” where consent isn’t strictly needed.
What the policy says: “Information is collected and used for specific business purposes or for other related purposes designated by the Bank or for a lawful purpose to comply with the applicable laws and regulations… to provide the User with the best possible services/products as also to protect interests of Axis Bank.”
DPDP requirement: Section 7 lists a closed set of situations in which personal data may be processed without consent, for example where the Data Principal has voluntarily provided it for a specified purpose, for State functions, to comply with a law or court order, for medical emergencies, or for employment purposes. Of the purposes the policy names, only compliance with applicable law fits that list; “providing the best possible services” and “protecting the interests of Axis Bank” are not legitimate uses and need consent under Section 6.
The problem: “Lawful purposes” and “best possible services” are broad enough to cover activities (for example marketing or analytics) that require consent under DPDP, and the policy does not say which processing it treats as consent-based and which as a legitimate use.
Section 8 — Obligations of Data Fiduciary ✅
The policy outlines general security measures, which is a good start.
What the policy says: “The security of personal information is a priority and is protected by maintaining physical, electronic, and procedural safeguards that meet applicable laws. The Bank shall take reasonable steps and measures to protect the security… from misuse and loss, unauthorized access, modification or disclosure.” It also mentions “extant standard encryption norms.”
DPDP requirement: A Data Fiduciary must implement reasonable security safeguards to prevent data breaches.
Strength: The bank acknowledges its responsibility for data security and mentions multiple safeguard types and encryption. However, it gives no detail on the other Section 8 obligations: notifying the Data Protection Board and each affected Data Principal of a personal data breach (Section 8(6)), keeping data accurate and complete where it is used for decisions about the Data Principal (Section 8(3)), and publishing the contact details of a person who can answer questions about processing (Section 8(9)). If Axis Bank is notified as a Significant Data Fiduciary, Section 10 adds a Data Protection Officer, independent data audits and periodic Data Protection Impact Assessments.
Section 8(7) — Data Retention & Erasure 🔴
This is a critical missing piece in Axis Bank’s policy.
What the policy says: Nothing at all about how long they keep your data.
DPDP requirement: Section 8(7) requires a Data Fiduciary to erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, and to have its Data Processors do the same, unless retention is required by a law in force. For a bank, KYC and anti-money-laundering record-keeping rules will require some records to be kept longer, so the policy should state which categories are retained, on what legal basis, and for how long.
The problem: Without a clear data retention policy, customers have no idea when their sensitive financial and personal data will be purged. This exposes the bank to significant risk and violates a core DPDP principle.
Sections 11–14 — Rights of Data Principal 🔴
The policy is largely silent on the explicit rights granted to individuals under the DPDP Act.
What the policy says: There is no section describing your rights to access, correct or erase your data, or to nominate someone to exercise these rights on your behalf. It only provides a general “Contact Information To seek clarification or raise concerns” link.
DPDP requirement: Data Principals have the right to access a summary of their personal data and the identities of the Data Fiduciaries it has been shared with (Section 11), the right to correction, completion, updating and erasure (Section 12), the right to grievance redressal (Section 13) and the right to nominate another person to exercise these rights in the event of death or incapacity (Section 14).
The problem: A general support link is not sufficient to inform individuals about their statutory rights or provide clear mechanisms to exercise them.
Section 13 — Right of Grievance Redressal 🔴
While there’s a contact point, it doesn’t meet DPDP standards for grievance redressal.
What the policy says: “Contact Information To seek clarification or raise concerns with the Bank, kindly visit: https://www.axis.bank.in/support”
DPDP requirement: Section 8(10) requires a Data Fiduciary to establish an effective grievance redressal mechanism, and Section 8(9) requires it to publish the contact details of a Data Protection Officer or other person able to answer questions about processing. Section 13 gives the Data Principal a right to readily available means of redress, which must be exhausted before a complaint is taken to the Data Protection Board of India, so the policy should also explain that escalation route.
The problem: No named Grievance Officer or Data Protection Officer, no contact details beyond a generic support page, and no mention of the escalation route to the Data Protection Board. This is a fundamental oversight.
Section 16 — Cross-Border Data Transfer ⚠️
The policy’s broad authorization for data sharing implies potential cross-border transfers without DPDP safeguards.
What the policy says: “The User authorizes Axis Bank to exchange, share, part with all information related to the details and transaction history of the User to its Affiliates / banks / financial institutions / credit bureaus / agencies/participation in any telecommunication or electronic clearing network…”
DPDP requirement: Section 16 permits transfer of personal data outside India except to countries or territories the Central Government restricts by notification, and Section 16(2) preserves any stricter sectoral rule, such as RBI’s requirement that payment system data be stored in India.
The problem: This blanket authorisation for sharing with “Affiliates / banks / financial institutions / credit bureaus / agencies” does not say where those recipients are, whether any transfer goes to a restricted jurisdiction, or how sectoral localisation requirements are met, all of which a financial institution is expected to know and state.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance for failing to maintain reasonable security safeguards; lower caps (₹200 Cr, ₹150 Cr, ₹50 Cr) for other breaches under the Schedule |
| Consent compliance | High | Bundled consent invalidation affects millions of users |
| Data retention | Critical | No deletion timelines for sensitive financial data |
| Data principal rights | Critical | Incomplete rights framework and no clear exercise mechanism |
| Grievance redressal | High | Absence of DPB escalation path |
| Cross-border transfer | Medium | Exposure if transfers go to jurisdictions restricted under Section 16 or breach sectoral localisation rules |
Recommendations
- Update Policy to DPDP Act 2023: Explicitly refer to the DPDP Act and align all sections with its provisions.
- Implement Granular Consent: Separate consent for different data processing purposes (e.g., core banking, marketing, third-party analytics), allowing users to opt-in/out.
- Define Clear Data Retention Periods: State how long each type of data will be kept and when it will be securely deleted, in line with legal and business needs.
- Detail Data Principal Rights: Clearly list all rights (access, correction, erasure, nomination) and provide intuitive mechanisms (e.g., self-service portal, specific forms) for exercising them.
- Appoint and Publish Grievance Officer Details: Provide direct contact information for a dedicated Grievance Officer and outline the escalation path, including the Data Protection Board.
- Clarify Cross-Border Transfers: Specify the countries data may be transferred to, confirm none is restricted by Central Government notification, and describe the safeguards and any sectoral localisation requirements that apply.
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.