Overview
Persistent Systems is a global Tier-1 IT services provider headquartered in Pune, India. Unlike many Indian firms that still rely on the outdated IT Act 2000 framework, Persistent has proactively updated its privacy notice to include terminology specific to the Digital Personal Data Protection (DPDP) Act 2023. As a Data Fiduciary for its employees and a Data Processor for its global clients, its compliance level is critical for maintaining cross-border data flow trust.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice ⚠️
Persistent’s policy provides a detailed list of what data is collected (Name, Email, IP address, etc.), but it falls short of the “itemized” notice requirement.
What the policy says: “By providing personal information to us, you understand we will collect, hold, use, and disclose your personal information in accordance with this privacy policy.”
DPDP requirement: Consent must be free, specific, informed, unconditional, and unambiguous with an affirmative action.
Gap: The “notice” is not always presented in the same view as the consent request. Furthermore, the policy uses a single agreement for multiple purposes (service delivery, marketing, and recruitment), which violates the requirement for granular, purpose-specific consent.
Section 7 — Certain Legitimate Uses 🔴
Persistent claims “legitimate business interest” for marketing and promotional campaigns.
Gap: Under DPDP Section 7, “Legitimate Uses” are restricted to voluntary provision by the data principal for a specific purpose, state functions, or medical emergencies. “Legitimate Business Interest”—a staple of GDPR—is not a valid ground for processing under the DPDP Act for marketing purposes. This creates a significant regulatory risk.
Section 8 — Obligations of Data Fiduciary ✅
Persistent excels here, referencing its ISO 27701 and ISO 27018 certifications. It describes technical and organizational measures (TOMs) including encryption at rest and in motion, and periodic Data Protection Impact Assessments (DPIAs).
Strength: The policy explicitly mentions maintaining the accuracy of data, which is a core obligation under Section 8(3) of the Act.
Section 9 — Data Retention & Erasure ⚠️
The policy states: “Personal Data will not be retained for a period more than necessary to fulfil the purposes… unless a longer retention period is required by law.”
DPDP requirement: Section 9(1) requires the Data Fiduciary to erase personal data as soon as the purpose of processing is fulfilled or the Data Principal withdraws consent.
Gap: While the intent is clear, there are no defined “retention schedules” or automated deletion triggers mentioned. For a B2B service provider, the lack of a “deletion-by-default” timeline remains a compliance risk.
Sections 11 & 14 — Rights of Data Principal ✅
This is Persistent’s strongest section. It explicitly lists:
- Right to access and rectification
- Right to withdraw consent
- Right to Nominate: “You have the right to nominate any individual who shall, in the event of death or incapacity, exercise the rights on your behalf.”
Strength: Including the Right to Nominate demonstrates that Persistent has specifically audited its policy against the DPDP Act 2023, rather than just relying on its existing GDPR templates.
Section 12 — Right of Grievance Redressal ⚠️
The policy identifies the Data Protection Officer (DPO) in Pune, Maharashtra, with a dedicated email address (privacyofficer@persistent.com).
Gap: Section 12 of the DPDP Act requires the Data Principal to exhaust the fiduciary’s grievance process before approaching the Data Protection Board of India. Persistent’s policy does not name the Board, acknowledge it as the ultimate statutory authority for disputes, or provide a specific escalation timeline.
Section 16 — Cross-Border Data Transfer ✅
Persistent acknowledges it may transfer data outside the country of residence. Since the Indian government has not yet notified a “negative list” of restricted countries, Persistent’s current reliance on “reasonable security and contractual controls” is sufficient for the moment.
Risk Assessment
| Category | Risk Level | DPDP Section | Analysis |
|---|---|---|---|
| Consent Basis | High | Section 6 | Bundled consent and “implied” agreement from website usage are non-compliant. |
| Legal Basis | High | Section 7 | Relying on “Legitimate Interest” for marketing is a major DPDP gap. |
| Principal Rights | Low | Section 11/14 | Excellent; one of the few firms to include Nomination rights. |
| Grievance | Medium | Section 12 | Needs to mention the Data Protection Board as the final arbiter. |
| Security | Low | Section 8 | Best-in-class; ISO 27701 certification provides a strong defense. |