Overview
Delhivery is one of India’s largest integrated logistics and supply chain services companies. They handle a vast amount of personal data for both senders and receivers, including names, addresses, phone numbers, email IDs, and even details about the parcels themselves. Given the sheer volume and operational necessity of handling this data, their approach to privacy is critical under the new DPDP Act.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Delhivery’s policy implies consent through the act of using their services. This “implied” or bundled consent for various purposes (delivery, marketing, analytics) doesn’t meet the DPDP Act’s standard of “freely given, specific, informed, and unconditional.”
What the policy says (hypothetical, common for such services): “By using our website or availing our logistics services, you agree to the terms of this Privacy Policy and the collection and use of your personal information as described herein.”
DPDP requirement: Consent must be clearly sought for each specific purpose. Users must have the option to accept some processing while declining others, and consent should be withdrawable.
Gap: A user booking a delivery might unintentionally consent to data sharing for marketing or profiling, without a clear, separate option to opt-out of non-essential uses.
Section 7 — Certain Legitimate Uses ⚠️
The policy likely cites purposes such as “improving our services,” “personalizing user experience,” and “conducting analytics” as legitimate reasons for processing data. While essential for business, DPDP Section 7 defines “legitimate uses” very narrowly (e.g., medical emergencies, state functions, employment). Many operational improvements or personalization activities would likely require explicit consent, not just legitimate interest, if they involve user data.
Gap: Delhivery would need to review if these broad “legitimate uses” truly fall within DPDP’s limited exceptions or if they require explicit, granular consent from the Data Principal (the individual whose data is being processed).
Section 8 — Obligations of Data Fiduciary ✅
The policy typically outlines measures to protect data. For a large logistics company like Delhivery, this likely includes:
- Security Safeguards: Mention of encryption, access controls, firewalls, and secure servers.
- Data Accuracy: Steps to ensure collected data is accurate and complete.
- Breach Notification: A commitment to notify affected individuals and authorities in case of a data breach.
Strength: Given their operational scale, Delhivery likely has robust internal security protocols to protect the Data Principal’s information. The policy states: “We employ reasonable security practices and procedures to protect your information from unauthorized access, use or disclosure.”
Section 9 — Data Retention 🔴
This is a critical area of concern for many companies. Delhivery’s policy, like many others, probably uses generic language for data retention.
What the policy says (hypothetical): “We retain your personal information for as long as necessary to provide you with our services, fulfill the purposes outlined in this policy, and comply with our legal obligations.”
DPDP requirement (Section 9): Data Fiduciaries (the entities determining purpose and means of data processing, like Delhivery) must erase data upon withdrawal of consent or when the purpose for which it was collected is fulfilled. They must define specific, reasonable retention periods.
Gap: No specific timelines for different data types. How long is a delivery address kept after a parcel is delivered? Is marketing data purged if a user stops interacting? This vagueness creates significant liability.
Section 11 — Rights of Data Principal ⚠️
The policy likely mentions the Data Principal’s rights to access and correct their data. However, it often falls short of the full spectrum of rights under DPDP:
- Right to Erasure: The right to have data deleted when consent is withdrawn or purpose is fulfilled.
- Right to Grievance Redressal: Escalation to the Data Protection Board.
- Right to Nominate: Allowing another person to exercise rights on their behalf (Section 14).
Partial compliance. While basic access and correction might be available through customer support, the DPDP Act requires a more comprehensive and accessible framework for these rights.
Section 12 — Right of Grievance Redressal ⚠️
Delhivery typically provides contact details for a Grievance Officer, which is good practice.
What the policy says (hypothetical): “If you have any concerns regarding the processing of your personal information, you may contact our Grievance Officer at [email address] or [physical address].”
DPDP requirement: The grievance mechanism must explicitly include the Data Protection Board as an escalation path after internal resolution. DPDP also implies a commitment to resolve grievances within a specified timeframe (e.g., 30 days).
Gap: The policy would need to clearly state the option to escalate unresolved issues to the Data Protection Board of India, which is usually missing in pre-DPDP policies.
Section 16 — Cross-Border Data Transfer ⚠️
Logistics companies often rely on global IT infrastructure or partners, meaning data might be transferred outside India.
What the policy says (hypothetical): “Your personal information may be transferred to and stored in countries outside India, where our service providers or affiliates may be located.”
DPDP requirement (Section 16): Cross-border transfer is only permitted to countries that have been specifically notified by the Central Government as being jurisdictions where data can be transferred. Blanket clauses are no longer sufficient.
Gap: Without specifying which countries and confirming they are on the government’s approved list (once published), Delhivery’s cross-border transfers could face regulatory challenges.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance for DPDP violations |
| Consent compliance | High | Challenges to the validity of data processing for third-party sharing and marketing |
| Data retention | Critical | Holding data longer than necessary creates massive risk in breaches |
| Cross-border transfer | Medium | Disruptions if recipient countries are not notified by govt. |
| Data principal rights | Medium | User dissatisfaction, potential complaints, compliance audits |
Recommendations
- Redesign consent mechanisms — Implement clear, granular consent for distinct purposes (e.g., core service, marketing, analytics) with easy withdrawal options.
- Explicitly reference DPDP Act 2023 — Update the policy to clearly state compliance with the new Act and map sections accordingly.
- Define specific data retention periods — Set clear, reasonable timelines for different data categories (e.g., “delivery records: 7 years,” “marketing data: 1 year after last interaction”).
- Detail Data Principal rights — Clearly outline all DPDP rights, including erasure and nomination, with accessible mechanisms for exercising them.
- Include Data Protection Board escalation — Make it clear that unresolved grievances can be escalated to the DPB.
- Specify cross-border transfers — Identify recipient countries and state adherence to Section 16’s requirements (once government notifications are issued).
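One way to turn the retention recommendation above into an enforceable rule, as an added example that is not from the original article or from Delhivery: a small Python retention engine that erases on consent withdrawal (Section 9), applies the two illustrative periods named above, honours a statutory legal hold, and flags any category with no defined period instead of guessing. The schedule values, the record fields and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed retention schedule (values from the recommendation above, not Delhivery's
# actual policy): maximum age in years and which timestamp the clock runs from.
RETENTION_SCHEDULE = {
    "delivery_record": {"years": 7, "clock": "created"},
    "marketing": {"years": 1, "clock": "last_interaction"},
}

@dataclass
class Record:
    record_id: str
    category: str                 # key into RETENTION_SCHEDULE
    purpose: str                  # purpose the data was collected for
    created: date
    last_interaction: date
    consents: dict = field(default_factory=dict)  # purpose -> True given / False withdrawn
    legal_hold: bool = False      # statutory duty to keep the record (overrides purge)

def add_years(d: date, years: int) -> date:  # clamps 29 Feb to 28 Feb
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)
def retention_decision(rec: Record, today: date) -> tuple:
    """Decide 'erase', 'retain' or 'review' for one record, with the reason."""
    if rec.legal_hold:
        return "retain", "legal hold: statutory obligation overrides purge"
    if rec.consents.get(rec.purpose) is False:  # Section 9: erase on withdrawal
        return "erase", f"consent for purpose '{rec.purpose}' withdrawn"
    rule = RETENTION_SCHEDULE.get(rec.category)
    if rule is None:  # an undefined period is the gap flagged above: surface it
        return "review", f"no retention period defined for '{rec.category}'"
    start = rec.created if rule["clock"] == "created" else rec.last_interaction
    purge_on = add_years(start, rule["years"])
    if today >= purge_on:
        return "erase", f"{rule['years']}-year period from {rule['clock']} ended {purge_on}"
    return "retain", f"purge due on {purge_on}"

def purge_candidates(records, today: date) -> list:  # IDs that must be erased today
    return [r.record_id for r in records if retention_decision(r, today)[0] == "erase"]

SAMPLE = [  # constructed sample records, not real data
    Record("D1", "delivery_record", "delivery", date(2017, 3, 1), date(2017, 3, 5)),
    Record("D2", "delivery_record", "delivery", date(2022, 6, 1), date(2022, 6, 3)),
    Record("M1", "marketing", "marketing", date(2023, 1, 10), date(2023, 2, 1)),
    Record("M2", "marketing", "marketing", date(2024, 1, 10), date(2024, 9, 1),
           consents={"marketing": False}),
    Record("P1", "profiling", "profiling", date(2024, 1, 1), date(2024, 1, 1)),
]
```

Run against `SAMPLE` with a date of 1 January 2025 and the engine erases D1 (7-year delivery period expired), M1 (a year since last interaction) and M2 (consent withdrawn), retains D2, and sends P1 for review because no period exists for its category.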
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.