## Overview

Federal Bank is a prominent Indian private sector bank, handling a vast amount of sensitive personal and financial data for its customers. From KYC details such as PAN and Aadhaar to bank account numbers and transaction histories, the bank’s privacy practices are under intense scrutiny, particularly with the new DPDP Act.
## DPDP Readiness: Section-by-Section Analysis

### Section 6 — Consent & Notice 🔴

Federal Bank’s policy uses a bundled consent model, typical of older privacy frameworks: users are deemed to accept the entire policy simply “by sharing your information with us.”

**What the policy says:** “By sharing your information with us, users acknowledge and accept the terms of this Privacy Policy…”

**What the law requires:** The DPDP Act, Section 6, requires consent to be free, specific, informed, and unconditional for a particular purpose. Users should be able to grant or deny consent separately for different data uses (e.g., banking vs. marketing).

**The problem:** A single “take it or leave it” acceptance doesn’t meet DPDP’s high bar for freely given consent. It lacks granularity, so users can neither understand nor control how specific categories of their data are used.
### Section 7 — Certain Legitimate Uses ⚠️

The bank states it processes data on “lawful grounds including consent, contractual necessity… compliance with legal or regulatory obligations, or other legitimate purposes permitted under applicable law.”

**What the policy says:** “Customer Information may be processed on lawful grounds including consent, contractual necessity for providing banking/financial services, compliance with legal or regulatory obligations, or other legitimate purposes permitted under applicable law.”

**What the law requires:** DPDP Section 7 defines legitimate uses narrowly, such as providing services, fulfilling legal obligations, or responding to medical emergencies. While “contractual necessity” and “legal obligations” are valid grounds, “other legitimate purposes” is vague.

**The problem:** The policy also mentions using data for “customization of products or services, marketing or promotion of financial products/services.” Unless these uses rest on specific, explicit consent, they are likely to fall outside DPDP’s narrower legitimate-uses framework.
### Section 8 — Obligations of Data Fiduciary ✅

Federal Bank outlines a strong commitment to data security, aligning well with the DPDP Act’s requirement for reasonable security safeguards.

**What the policy says:** “Federal Bank has implemented robust security measures to protect customer data against unauthorized access, loss, misuse, alteration, or disclosure. These include, but are not limited to: Role-based access control… Data encryption in transit and at rest. Network segmentation and firewalls… Regular vulnerability assessments and penetration testing…”

**What the law requires:** Section 8 mandates that a Data Fiduciary (the company holding your data) implement reasonable security safeguards to prevent data breaches.

**Strength:** The policy details specific technical and organizational measures, including employee training, incident management, and penetration testing, which demonstrates a robust security posture.
### Section 9 — Data Retention 🔴

This section is a critical gap. The policy uses very broad language about how long it retains data, without giving any specific timelines.

**What the policy says:** “We will keep the data we collect from you on our systems or with third parties for as long as required for the purposes set out in this Policy or even beyond the expiry of transactional or account based relationship with you: (a) as required to comply with any applicable legal and regulatory obligations, or (b) for establishment, exercise or defense of legal claims…”

**What the law requires:** DPDP Section 9 mandates that personal data be erased as soon as the purpose for which it was collected is fulfilled or consent is withdrawn. The Data Fiduciary must specify the period for which data will be retained.

**The problem:** No specific retention periods are mentioned, so users have no clarity on when their sensitive financial data will be purged. Relying on “as long as required” or “beyond the expiry of transactional relationship” is too vague and risks non-compliance.
### Section 11 — Rights of Data Principal 🔴

The policy refers generally to “data protection rights under applicable data privacy laws” but does not explicitly list the key rights granted to a Data Principal (the individual whose data is collected) under the DPDP Act.

**What the policy says:** “Users have the right to accessible grievance redressal mechanisms for any concerns relating to the Bank’s handling of their personal data or the exercise of their data protection rights under applicable data privacy laws.”

**What the law requires:** DPDP Section 11 clearly outlines rights such as the right to access information, the right to correction and erasure, and the right to grievance redressal. Section 14 adds the right to nominate.

**The problem:** By not explicitly stating these rights, the policy makes it difficult for an ordinary customer to understand what they can actually do. There is no clear process for a customer to request data access, correction, or deletion.
### Section 12 — Right of Grievance Redressal ⚠️

Federal Bank does identify a Chief Data Protection Officer (DPO) and provides an email address for concerns, which is a good start.

**What the policy says:** “The Bank has a dedicated privacy governance structure with a Chief Data Protection Officer and team responsible for addressing such grievances. To raise a concern, Users may contact us at dpo@federalbank.co.in.”

**What the law requires:** DPDP Section 12 requires a Data Fiduciary to have an accessible grievance redressal mechanism. Importantly, it also establishes the Data Protection Board (DPB) as an escalation authority if the internal mechanism fails.

**The problem:** While a DPO is named, the policy doesn’t mention the DPB as the ultimate escalation path. It also lacks a clear commitment to a specific response timeline (e.g., 30 days) for grievances.
### Section 16 — Cross-Border Data Transfer 🔴

The policy is vague about where customer data might be transferred.

**What the policy says:** “Federal Bank may disclose Customer Information to any of the Federal Bank’s associates and affiliates, without any limitation and the User / Client hereby give consent for the same.”

**What the law requires:** DPDP Section 16 states that cross-border transfer of personal data is permitted only to countries notified by the Central Government. This aims to ensure data is sent only to jurisdictions with adequate data protection.

**The problem:** The policy takes “without any limitation” consent for transfers to affiliates or third parties, which could be located anywhere in the world. This blanket approach directly contradicts DPDP’s requirement that transfers be confined to a specific list of permitted countries.
## Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr per instance under DPDP |
| Consent compliance | High | Bundled consent invalidation for millions of users |
| Data retention | Critical | Undefined retention for sensitive financial data = huge exposure |
| Data principal rights | Critical | Absence of explicit rights framework prevents user control |
| Cross-border transfer | High | Transfer to non-notified jurisdictions is non-compliant |
## Recommendations

- Update Policy with DPDP References: Explicitly state compliance with the DPDP Act 2023 and update terminology.
- Implement Granular Consent: Introduce clear, separate consent options for different data uses (e.g., essential banking, marketing, personalization) instead of bundled acceptance.
- Define Specific Retention Periods: Clearly state how long different categories of data (e.g., transaction logs, marketing data, KYC documents) will be retained, in line with the “Preservation of Records Policy.”
- Clearly List Data Principal Rights: Detail all rights under DPDP Sections 11 and 14 (access, correction, erasure, nomination) and explain how users can exercise them.
- Include Data Protection Board: Inform users about their right to escalate grievances to the Data Protection Board after internal resolution.
- Specify Cross-Border Transfers: Clearly state which countries (or types of countries) data may be transferred to, in line with future government notifications on permitted jurisdictions.
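The two engineering-facing recommendations above (granular, per-purpose consent and a specific retention period per data category) are easiest to reason about as a small data model. The following is an added illustration, not code from Federal Bank or from DPDP Consulting; the purpose names, lawful bases, retention periods and customer records in it are all constructed for the example. It separates consent-based purposes (marketing, personalisation) from contractual and legal ones, so withdrawing marketing consent never blocks core banking, and it computes which records are due for erasure on a given date, either because the stated retention period has run out or because consent for a consent-only purpose is absent.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Basis(Enum):
    """Lawful basis for a purpose. Only CONSENT-based purposes can be
    granted or withdrawn by the user; the others are legitimate uses."""
    CONSENT = "consent"
    CONTRACT = "contractual_necessity"
    LEGAL = "legal_obligation"


# Constructed purpose catalogue (hypothetical names and retention periods).
# Each purpose carries exactly one basis and a retention period that starts
# when the purpose ends, which is what a "specific retention period" means.
PURPOSES: Dict[str, Tuple[Basis, timedelta]] = {
    "core_banking": (Basis.CONTRACT, timedelta(days=365 * 5)),
    "kyc_records": (Basis.LEGAL, timedelta(days=365 * 5)),
    "marketing": (Basis.CONSENT, timedelta(days=180)),
    "personalisation": (Basis.CONSENT, timedelta(days=90)),
}


@dataclass
class ConsentLedger:
    """Per-purpose consent state for one data principal. A purpose that was
    never granted is treated exactly like one that was withdrawn."""
    granted: Dict[str, bool] = field(default_factory=dict)

    def grant(self, purpose: str) -> None:
        if PURPOSES[purpose][0] is not Basis.CONSENT:
            raise ValueError(f"{purpose} is not a consent-based purpose")
        self.granted[purpose] = True

    def withdraw(self, purpose: str) -> None:
        self.granted[purpose] = False

    def has_consent(self, purpose: str) -> bool:
        return self.granted.get(purpose, False)


def processing_allowed(ledger: ConsentLedger, purpose: str) -> bool:
    """Granular check: consent purposes need a live opt-in; contractual and
    legal purposes are allowed regardless of the user's marketing choices."""
    basis, _ = PURPOSES[purpose]
    return basis is not Basis.CONSENT or ledger.has_consent(purpose)


@dataclass
class Record:
    record_id: str
    purpose: str
    purpose_ended: Optional[date]  # None while the purpose is still active


def erasure_due(records: List[Record], ledger: ConsentLedger, today: date) -> List[str]:
    """Return ids that must be erased as of `today`: consent-based records once
    consent is absent, and any record whose retention period has run out."""
    due = []
    for rec in records:
        basis, keep_for = PURPOSES[rec.purpose]
        if basis is Basis.CONSENT and not ledger.has_consent(rec.purpose):
            due.append(rec.record_id)
        elif rec.purpose_ended is not None and today >= rec.purpose_ended + keep_for:
            due.append(rec.record_id)
    return due


def demo() -> dict:
    """Constructed walk-through for one customer (hypothetical records)."""
    ledger = ConsentLedger()
    ledger.grant("marketing")  # opted in to marketing only
    records = [
        Record("txn-2019", "core_banking", date(2019, 3, 1)),  # account closed in 2019
        Record("kyc-2024", "kyc_records", None),               # relationship still live
        Record("mkt-1", "marketing", None),
        Record("pers-1", "personalisation", None),             # never consented
    ]
    before = erasure_due(records, ledger, date(2024, 6, 1))
    ledger.withdraw("marketing")
    after = erasure_due(records, ledger, date(2024, 6, 1))
    return {
        "marketing_allowed_initially": processing_allowed(ConsentLedger(), "marketing"),
        "banking_allowed_without_consent": processing_allowed(ConsentLedger(), "core_banking"),
        "due_before_withdrawal": before,
        "due_after_withdrawal": after,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the retention period is attached to the purpose, not to the customer: once a purpose ends (an account is closed, consent is withdrawn) the erasure date follows mechanically from the published schedule, which is the kind of specific timeline the policy currently lacks.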
## How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Run a free instant check:

Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.