A Project by Meridian Bridge Strategy
Archived analysis

This page is old. BSNL (Bharat Sanchar Nigam Limited) was reviewed on 2026-05-06.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

View current public evidence
Telecommunications

BSNL (Bharat Sanchar Nigam Limited)

Ready Score 42/100
Functional Gaps vs Industry Avg: 48
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 6 May 2026

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

Executive Summary

BSNL’s digital privacy framework is currently bifurcated. While newer project-specific policies (like NWRC WiFi) show early adoption of DPDP Act 2023 standards, the master privacy policy remains dangerously outdated. For a state-owned enterprise handling the metadata and PII of millions of citizens, the lack of granular consent, missing 'Right to Nominate,' and English-only notice creates a high risk of non-compliance and potential penalties under the 2023 Act.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-05-06
  • Company: BSNL (Bharat Sanchar Nigam Limited)
  • Readiness score: 42/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

Book a DPDP readiness call

⚠️ Compliance Gaps

  • Primary policy still references legacy IT Act 2000 framework without explicit DPDP Act 2023 terminology
  • Lacks multilingual notice capability — DPDP Section 5 requires notices in English and 22 languages of the 8th Schedule
  • Retention period defined as 'as long as necessary' rather than 'fulfillment of purpose' per Section 9
  • No mechanism for the Right to Nominate (Section 14) or Right to Erasure (Section 12)
  • The 'Notice without notice' clause for policy changes contradicts Section 5 transparency requirements
  • No mention of Data Protection Board (DPB) for secondary grievance escalation

✅ Strengths

  • Explicit commitment to non-disclosure of billing data to third-party agencies except under legal warrant
  • Strong internal protocols for employees and contractors regarding data confidentiality
  • Clear categorization of personal information use cases (Verification, Credit worthiness, Identity)
  • Service-specific compliance observed in newer PDF policies (e.g., NWRC WiFi) indicating a phased transition

Overview

Bharat Sanchar Nigam Limited (BSNL), as a state-owned telecommunications giant, processes massive volumes of personal data including call detail records (CDR), KYC documents, location data, and financial transactions. Under the Digital Personal Data Protection (DPDP) Act 2023, BSNL qualifies as a Significant Data Fiduciary (SDF) due to the volume of data it handles and its impact on public order and state security.

DPDP Readiness: Section-by-Section Analysis

Section 5 — Notice 🔴

BSNL’s current notice is provided solely in English. The DPDP Act mandates that every notice must be available in English or any of the 22 languages specified in the Eighth Schedule to the Constitution.

Gap: There is no language selector for the privacy policy. Furthermore, the policy contains a clause stating BSNL can modify the policy “at any time without notice,” which directly violates the Section 5 requirement to inform Data Principals of any change in the processing activities.

Section 6 — Consent ⚠️

BSNL relies on an “implicit consent” model. The policy states: “BSNL shall ask you to provide certain information… it will only be used in accordance with this privacy statement.”

DPDP requirement: Consent must be free, specific, informed, unconditional, and signified by an affirmative action.

Gap: BSNL bundles consent for identity verification with consent for “promotional and marketing material” via telemarketing and SMS. Under DPDP, these must be granular; a user should be able to opt-out of marketing without losing access to core telecom services.

Section 8 — Obligations of Data Fiduciary ✅

BSNL performs strongly in its commitment to data security. The policy mandates that all employees and contractors act consistently with legal requirements.

Strength: The policy explicitly states that personal information will never be shared with other cellular service providers or banks to prevent “invasion of privacy.” This aligns with the Fiduciary’s duty to protect data.

Section 9 — Processing of Personal Data of Children 🔴

The master policy is silent on the processing of children’s data.

DPDP requirement: Fiduciaries must obtain verifiable parental consent before processing data of individuals under 18 and are prohibited from tracking or behaviorally monitoring children.

Gap: BSNL provides services (like Fiber-to-the-Home) used by entire households, yet lacks a verification mechanism for parental consent as required by Section 9.

Section 11 to 14 — Rights of Data Principal ⚠️

The current policy recognizes basic access and correction: “You undertake to intimate us in case there is any change.” However, it fails to address the expanded rights under DPDP:

  • Right to Erasure: The policy does not specify a process for a user to request the deletion of their data once they port out of the network.
  • Right to Nominate (Section 14): There is no provision for a Data Principal to nominate another person to exercise their rights in case of death or incapacity.
  • Withdrawal of Consent: There is no “readily available” digital mechanism to withdraw consent for marketing while maintaining the service.

Section 13 — Right of Grievance Redressal ⚠️

BSNL has an extensive “Three-Tier” grievance mechanism (Call Centers, Nodal Officers, and Appellate Authority) as per TRAI regulations.

Gap: This mechanism is optimized for service/billing complaints, not data privacy breaches. The policy does not mention the right to approach the Data Protection Board of India (DPB) if a privacy grievance is not resolved within the prescribed timeline.

Risk Assessment

CategoryRisk LevelDPDP Compliance Note
Consent ArchitectureHighLacks granularity and affirmative action triggers.
Notice TransparencyHighEnglish-only; “No notice for changes” clause is illegal under Section 5.
Data RetentionMediumVague timelines; needs specific “erasure on fulfillment” triggers.
Rights FulfillmentHighNo “Right to Nominate” or automated “Right to Erasure.”
Security ControlsLowStrong internal protocols and PSU-grade security audits.

Recommendations

  1. Multilingual Deployment: Immediately translate the privacy notice into all 22 scheduled languages to meet Section 5(3) requirements.
  2. Consent Manager Integration: Provide an interface for users to manage and withdraw consents through a specialized “Consent Manager” platform.
  3. Update Amendment Clause: Remove the “without notice” clause and replace it with a 30-day advance notice period for any policy changes.
  4. DPO Appointment: Publicly name a dedicated Data Protection Officer (DPO) distinct from the general Grievance Officer, as required for Significant Data Fiduciaries.

📖 Related Compliance Guides

city DPDP Consulting in Lucknow city DPDP Consulting in Noida guide DPDP Data Breach Notification Compliance

What Should You Do Next?

🔍 Map Your Own Exposure

Book a DPDP readiness call if this analysis resembles your business model.

🎓 Train Your Team

Book a DPDP compliance workshop — available online, onsite, and hybrid.

📰 Stay Updated

Get the daily DPDP news digest. Track enforcement, breaches, and policy changes.

Fix these compliance gaps today.

Book 1:1 Consultation >
Book clarity call