Overview
Bajaj Finserv is a financial powerhouse handling some of the most sensitive data an Indian citizen owns—PAN cards, bank statements, credit scores, and even facial biometrics from their branches.
As a Data Fiduciary (the company that decides how and why your data is used), Bajaj has a massive responsibility. If you are a Data Principal (the person the data belongs to), you should know that their policy is a mix of high-tech security and old-school “we-own-your-data” clauses.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Bajaj uses a “bundled” approach. When you use their app or website, they assume you agree to everything—from loan processing to receiving marketing calls and being tracked by AI cameras in their stores.
What the policy says: “By using our website/application… User consents to… Communications relating to marketing & business promotions… Consent for usage of AI Cameras at Branches.”
What the law requires: Consent must be specific and clear. You should be able to say “Yes to the loan” but “No to the marketing calls.”
The problem: You can’t opt out of the “extras” without losing access to the service. Under the DPDP Act, consent for marketing shouldn’t be a condition for getting a loan.
Section 7 — Certain Legitimate Uses ⚠️
Bajaj claims they can process your data for “evaluation of existing products” and “developing services.”
What the policy says: “Information collected… may be used… to promote the products/services of BFL… for evaluation of existing BFL products.”
What the law requires: Section 7 is very narrow. It allows companies to skip consent only for things like medical emergencies, legal duties, or if you voluntarily gave your data for a specific purpose.
The problem: Using your private financial data to “develop new products” for their own profit doesn’t usually count as a “legitimate use” under the new law. They should be asking for your explicit permission for this.
Section 8 — Obligations of Data Fiduciary ✅
This is where Bajaj shines. They treat data security with the seriousness a bank should.
What the policy says: “BFL complies with Information Security certifications such as ISO27001… and PCIDSS… security of such data is ensured using data encryption and masking.”
What the law requires: Companies must take “reasonable security safeguards” to prevent data breaches.
The problem: While their tech is strong, the DPDP Act also requires companies to notify the Data Protection Board and the user of any breach. Bajaj mentions they will notify you, but the policy doesn’t explicitly mention the Board.
Section 9 — Data Retention ⚠️
Bajaj provides a helpful table, which is a rare and good thing. However, they leave a backdoor open.
What the policy says: “BFL shall retain/store User’s Information… as long as it is required for business purpose.”
What the law requires: Once the purpose of the data is over (e.g., you paid off your loan), the company must delete it unless a law requires them to keep it.
The problem: “Business purpose” is a massive loophole. It allows them to keep your data indefinitely by claiming they might need it for “analysis” or “future offers.”
Section 11 — Rights of Data Principal ✅
Bajaj is ahead of many competitors here by actually providing a button in their app to request data deletion.
What the policy says: “Customers can raise a request to erase their personal data… via: Service > Your Account > Manage Account and Data.”
What the law requires: You have the right to access, correct, and erase your data.
The problem: They state that requests will be “evaluated” by them to see if you are “eligible.” While they have to follow RBI rules for financial records, the DPDP Act makes it clear that once the legal requirement is over, they have no right to say “no” to an erasure request.
Section 12 — Right of Grievance Redressal 🔴
If you have a problem, Bajaj points you to a general “Reach Us” page.
What the policy says: “…we welcome you to easily reach out to us through multiple contact options displayed on [link].”
What the law requires: You must have a clear way to complain to a Grievance Officer, and if they don’t fix it, a clear path to the Data Protection Board of India.
The problem: Their policy doesn’t mention the Data Protection Board at all. It feels like a customer service link rather than a legal rights channel.
Section 16 — Cross-Border Data Transfer ⚠️
What the policy says: Bajaj mentions records of transactions “both domestic and international.”
What the law requires: Data can only be sent to certain countries approved by the Indian government.
The problem: The policy is silent on where your data actually goes if it leaves India. As a financial giant, they likely use global cloud servers, but they haven’t clarified if these meet the new Section 16 standards.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Risk | High | Using “all-or-nothing” consent for AI cameras and marketing is a major DPDP violation. |
| Data Retention | Medium | Good transparency on timelines, but “business purpose” is a vague legal risk. |
| Biometric Privacy | High | AI facial recognition is sensitive; lack of a separate opt-out is risky. |
| Grievance Path | Medium | Lack of a defined escalation path to the Data Protection Board. |
Recommendations for Your Business
- Don’t bundle your “I Agree” button. If you offer a service and a newsletter, give the user two checkboxes. Don’t force them to take both.
- Be like Bajaj—use a table. If you keep data, tell people exactly how long. Don’t just say “as long as necessary.”
- Create a “Right to Erase” path. Whether it’s an email address or a button in your app, give your users a clear way to ask for their data back.
- Update your Grievance section. Mention that users have the right to approach the Data Protection Board of India if they aren’t satisfied with your response.
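The first three recommendations (unbundled per-purpose consent, a fixed retention schedule instead of “as long as necessary”, and an erasure path that can only defer, never refuse) can be modelled in a few lines of code. The example below is added here and is not Bajaj’s or any vendor’s code; the purpose names, the retention periods and the “legal basis” strings are hypothetical placeholders, not actual RBI or DPDP figures.

```python
"""Unbundled consent and purpose-bound retention, modelled as a small module.

Constructed example, not Bajaj's or any vendor's code. Purposes, retention
periods and legal-basis strings are hypothetical placeholders.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Purpose(Enum):
    LOAN_PROCESSING = "loan_processing"  # the service the user actually asked for
    MARKETING = "marketing"              # optional extra, consented to separately
    AI_CAMERA = "ai_camera"              # biometric processing, consented to separately


# Hypothetical retention schedule: how long data may be kept after the purpose
# ends, and the placeholder legal basis that justifies keeping it that long.
# A zero hold means "delete as soon as the purpose is over".
RETENTION_SCHEDULE = {
    Purpose.LOAN_PROCESSING: (timedelta(days=365 * 5), "placeholder statutory record-keeping rule"),
    Purpose.MARKETING: (timedelta(days=0), None),
    Purpose.AI_CAMERA: (timedelta(days=30), "placeholder CCTV retention guideline"),
}


@dataclass
class ConsentRecord:
    """One explicit yes/no per purpose. A purpose never answered is treated as 'no'."""
    principal_id: str
    choices: dict = field(default_factory=dict)

    def grant(self, purpose: Purpose) -> None:
        self.choices[purpose] = True

    def withdraw(self, purpose: Purpose) -> None:
        self.choices[purpose] = False

    def allows(self, purpose: Purpose) -> bool:
        # Only an explicit True for this purpose counts; a bundled "I agree"
        # for something else does not carry over.
        return self.choices.get(purpose, False) is True


def can_process(consent: ConsentRecord, purpose: Purpose) -> bool:
    """Processing for a purpose requires that purpose's own consent and nothing else."""
    return consent.allows(purpose)


def service_available(consent: ConsentRecord) -> bool:
    """The core service depends only on consent for the core purpose.

    Declining marketing or AI cameras must not block it (no all-or-nothing).
    """
    return consent.allows(Purpose.LOAN_PROCESSING)


def erasure_decision(purpose: Purpose, purpose_ended: date, requested_on: date):
    """Answer an erasure request for data held under `purpose`.

    Returns ("erase", None, None) when the purpose is over and no retention
    period remains, or ("retain", expiry_date, reason) while a legal hold still
    applies. There is deliberately no "deny" outcome: a hold can defer erasure
    until a known date, but never refuse it outright.
    """
    hold, reason = RETENTION_SCHEDULE[purpose]
    expiry = purpose_ended + hold
    if requested_on >= expiry:
        return ("erase", None, None)
    return ("retain", expiry, reason)


if __name__ == "__main__":
    # Constructed walk-through: user consents to the loan only.
    c = ConsentRecord("principal-001")
    c.grant(Purpose.LOAN_PROCESSING)
    print("service available:", service_available(c))          # True
    print("may send marketing:", can_process(c, Purpose.MARKETING))  # False

    # Loan closed on 2024-01-01; erasure asked for six months later.
    print(erasure_decision(Purpose.LOAN_PROCESSING, date(2024, 1, 1), date(2024, 6, 1)))
    # Marketing data has no hold, so it goes immediately.
    print(erasure_decision(Purpose.MARKETING, date(2024, 1, 1), date(2024, 1, 1)))
```

The two design points worth copying are that `allows()` only honours an explicit `True` recorded against that specific purpose, so a single bundled “I agree” cannot silently cover marketing or biometrics, and that `erasure_decision()` has no refusal branch: the only thing a retention rule can do is return the date on which the data will be erased, which is also what a user-facing response to an erasure request should say.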
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.