Archived analysis

This page is old. Infosys was reviewed on 2026-03-01.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

SaaS & IT

Infosys

Ready Score 47/100
Analysis supervised by Sushant Pasumarty
📅 1 Mar 2026

Infosys's global privacy policy is extensive but lacks explicit alignment with India's DPDP Act 2023. Its broad use of 'legitimate interest' and vague data retention periods create significant DPDP compliance risks, alongside an incomplete framework for Data Principal rights and grievance escalation specific to India.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-03-01
  • Company: Infosys
  • Readiness score: 47/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference
  • Broad 'legitimate interest' use, not aligned with DPDP's specific uses
  • Vague data retention periods, lacking specific timelines
  • Incomplete Data Principal rights framework for DPDP (e.g., nomination)
  • No mention of Data Protection Board as grievance escalation
  • Cross-border transfer policy lacks DPDP Section 16 specificity

✅ Strengths

  • Comprehensive data collection disclosures
  • Clear contact for exercising data subject rights
  • General commitment to security safeguards
  • Acknowledges consent revocability

Overview

Infosys is a global leader in IT services and consulting. This means they handle a massive amount of personal data, not just from website visitors but also from job candidates, employees, investors, and vendors globally. For an Indian company with such a wide reach, its privacy policy needs to be watertight under the new Digital Personal Data Protection (DPDP) Act, 2023.

DPDP Readiness: Section-by-Section Analysis

Infosys mentions processing data with consent and that this consent is revocable. However, the initial consent mechanism for many processing activities isn’t explicitly detailed to be “freely given, specific, informed, and unambiguous” as required by the DPDP Act.

What the policy says: “We process your Personal Information with your consent. Where we process Personal Data based on consent, your consent is revocable at any time…”

DPDP requirement: Consent must be free, specific, informed, unconditional, and given through a clear affirmative action for a specific purpose. It must be easy to withdraw.

Gap: While revocability is mentioned, the policy doesn’t clearly describe how consent is initially obtained to meet the “freely given” and “specific” criteria across all data types and purposes, particularly beyond marketing communications.

Section 7 — Certain Legitimate Uses 🔴

Infosys extensively relies on “legitimate interest” as a legal basis for processing data, for things like “understanding your usage of our website,” “optimizing processes,” and “marketing.”

What the policy says: “We process your Personal Information when it is necessary for the purposes of a legitimate interest pursued by us or a third party (when these interests are not overridden by your data protection rights), e.g., when we need to understand your usage of our website and interaction with the same, for generating your secure login credentials, or to optimize our processes.”

DPDP requirement: The DPDP Act Section 7 defines “certain legitimate uses” very narrowly (e.g., voluntary provision by the Data Principal, state functions, medical emergencies, employment). It does not include broad business interests like website optimization or marketing without specific consent.

The problem: Infosys’s broad interpretation of “legitimate interest” is a major mismatch with the DPDP Act’s strict definition. Relying on this for general business purposes, especially for marketing and analytics, could lead to non-compliance.

Section 8 — Obligations of Data Fiduciary ✅

The policy broadly states that Infosys implements security controls to protect personal information. This aligns with the DPDP Act’s requirement for reasonable security safeguards.

What the policy says: “Infosys adopts reasonable and appropriate security controls, practices and procedures including administrative, physical security, and technical controls in order to safeguard your Personal Information.”

DPDP requirement: A Data Fiduciary (the company collecting and controlling your data) must implement “reasonable security safeguards” to prevent data breaches.

Strength: The general commitment to security measures, including administrative, physical, and technical controls, is a good start.

Section 9 — Data Retention ⚠️

Infosys uses vague language regarding how long they keep your data.

What the policy says: “Personal Information will not be retained for a period more than necessary to fulfill the purposes outlined in this privacy statement unless a longer retention period is required by law or for directly related legitimate business purposes.”

DPDP requirement: Data must be erased upon withdrawal of consent or when the purpose for which it was collected is fulfilled, within a reasonable period. The policy should ideally specify retention periods or clear criteria.

The problem: “Not more than necessary” and “legitimate business purposes” are too broad. They don’t give a clear timeframe or criteria for data deletion, which is a key DPDP requirement for Data Fiduciaries.

Section 11 — Rights of Data Principal ⚠️

Infosys acknowledges various data subject rights, but the framework isn’t fully aligned with DPDP.

What the policy says: “Subject to the laws of your country, you may have certain rights as a data subject (including but not limited to right to information, access, rectification, erasure, object, restriction of processing, right to complain), relating to your Personal Information that we process.”

DPDP requirement: A Data Principal (the individual whose data is collected) has rights including access, correction, erasure, and the right to nominate another person to exercise these rights on their behalf (Section 14).

Partial compliance: While many common rights are mentioned, the crucial right to nomination under DPDP Section 14 is absent. The blanket “subject to the laws of your country” also lacks specificity for Indian users.

Section 12 — Right of Grievance Redressal ⚠️

Infosys provides contact details for a Data Privacy Office and a contact person, which is good. However, it misses a critical DPDP component.

What the policy says: “If you are unhappy with how we safeguard your personal data, depending on the laws of the countries where you reside, you have the right to bring a complaint to your local data protection authority.” The policy also provides a contact email, privacy@infosys.com.

DPDP requirement: The Data Principal has the right to complain to the Data Protection Board of India (DPBI) if their grievance isn’t resolved by the Data Fiduciary.

The problem: While internal contact is available, there’s no mention of the DPBI as the official escalation body for Indian users. This is a significant gap under the DPDP Act.

Section 16 — Cross-Border Data Transfer ⚠️

Infosys mentions transferring data globally, including to countries with different data protection standards.

What the policy says: “We may transfer Personal Information to countries outside of your country of residence… including to countries which have different data protection standards… Our service providers are located globally; however, the primary locations are in USA, Canada, Australia, Singapore, Hong Kong, India, and UK.”

DPDP requirement: Section 16 states that cross-border transfer of personal data is only permitted to countries that are notified by the Central Government. This will be a “whitelist” approach.

The problem: Infosys’s current policy allows transfers to any country, which will clash with DPDP’s future “whitelisted countries” approach. This section needs specific mention of adhering to the Central Government’s notifications.

Risk Assessment

| Category | Risk Level | Potential Impact |
| --- | --- | --- |
| Regulatory fine | High | Up to ₹250 Cr per instance for serious non-compliance |
| Consent validity | High | Broad consent could be challenged, affecting data processing |
| Legitimate use claims | Critical | Major conflict with DPDP’s narrow definitions |
| Data retention | High | Lack of clear timelines creates ongoing exposure |
| Data Principal rights | Medium | Incomplete rights framework needs update for DPDP |
| Grievance redressal | Medium | Missing DPBI escalation path for Indian users |
| Cross-border transfer | High | Non-compliance with future notified countries list |

Recommendations

  1. Explicitly reference DPDP Act 2023 and outline how the policy aligns with it.
  2. Redefine “legitimate interest” to align strictly with DPDP’s “certain legitimate uses” or secure specific consent for those activities.
  3. Implement layered consent with granular options, especially for marketing, analytics, and third-party sharing.
  4. Define specific data retention periods for different data categories, stating when data will be deleted (e.g., “marketing data deleted within 30 days of consent withdrawal”).
  5. Clearly outline all DPDP Data Principal rights, including the right to nomination (Section 14).
  6. Add the Data Protection Board of India (DPBI) as the official escalation path for grievances not resolved internally.
  7. Update cross-border transfer clauses to reflect adherence to the Central Government’s upcoming list of permitted jurisdictions under DPDP Section 16.
