DPDPA 2023 · DPDP Rules 2025

DPDPA Compliance for Fintechs in Delhi

DPDPA compliance for fintechs handling KYC, financial and transaction data alongside RBI norms.

Why this matters in Delhi: Given data sensitivity, fintech breaches sit at the top penalty band (up to ₹250 crore) and attract the fastest regulatory scrutiny.

Overview

Fintechs process some of the most sensitive personal data in India — Aadhaar/PAN KYC, bank details, credit and transaction history. DPDPA stacks on top of RBI directions, not instead of them.

Delhi context: A dense services and trading hub where consumer-data and lead-generation practices draw early enforcement attention. The obligations below apply to fintech and lending companies operating in Delhi; there is no local exemption and no turnover threshold under the DPDP Act.

Does DPDPA apply to you?

DPDPA applies in full. Many fintechs will also approach Significant Data Fiduciary thresholds given data volume and sensitivity, triggering DPIA, audit and DPO duties.

Personal data you typically process

  • Aadhaar / PAN / KYC documents
  • Bank account & UPI data
  • Credit and repayment history
  • Income and employment data
  • Device and location data

Your biggest compliance risks

  • Over-collection of KYC beyond purpose
  • Sharing data with lending partners/DSAs without contracts
  • Retaining KYC after the relationship ends
  • Recovery agents accessing personal data without controls

What the DPDP Act requires you to do

  • Granular consent per processing purpose
  • Strict purpose limitation and retention caps
  • Processor contracts with every lending/recovery/credit partner
  • Strong security safeguards and audit trails
  • Likely Significant Data Fiduciary duties (DPIA, DPO, audit)
  • Breach notification to Board and data principals

Common violations regulators look for

  • Blanket consent for all future products
  • KYC data shared across group entities silently
  • No erasure after loan closure

Quick wins you can do this week

  • Map every partner that touches customer data
  • Set KYC retention to the regulatory minimum
  • Separate marketing consent from KYC consent
  • Assess Significant Data Fiduciary status

Generate your DPDPA documents free

Don't just read about it: produce a compliant privacy notice, consent notice and grievance page for your fintech or lending business in minutes, and download a Board-ready evidence pack.

Frequently asked questions

Does DPDPA replace RBI data norms?
No. DPDPA is an additional layer. You must satisfy both RBI directions and the DPDP Act.

Are we a Significant Data Fiduciary?
Possibly. Volume and sensitivity of financial data are key factors. Run the SDF screener to check and document your conclusion.

This page is educational and does not constitute legal advice. It reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at publication.