A core data protection principle under the DPDP Act 2023 requiring that personal data be processed only for the specific, lawful purpose for which consent was obtained or for which it is deemed lawful. Data Fiduciaries cannot collect data for one purpose and use it for an entirely different purpose without obtaining fresh consent. In banking, this means KYC data collected for loan processing cannot be used for unrelated marketing without separate consent. The Data Fiduciary must also erase personal data once the purpose for which it was collected has been served, unless retention is required by law.
Purpose limitation under Section 6 of the DPDP Act 2023 is the principle that data may be used only for the specific lawful purpose for which it was collected. In lending, this draws a hard line: KYC and financial data gathered to assess and service a loan cannot be repurposed for unrelated marketing or cross-selling without fresh consent. The Act also pushes toward erasure once the collecting purpose is served, unless a law requires retention — which forces institutions to define clear retention triggers rather than holding data indefinitely. Practically, compliance means mapping each dataset to its stated purpose and policing internal access so that, for example, the recovery team or a group company does not tap origination data for a different objective. Getting this wrong is a common and avoidable contravention: silent repurposing of borrower data is exactly the kind of conduct a data principal complaint targets. Well-advised institutions document the purpose for every collection and re-seek consent before any new use.
For specific advice on how Purpose Limitation applies to your debt recovery matter, consult Advocate Subodh Bajpai — LLM, MBA (XLRI Jamshedpur). 8+ years of exclusive banking and debt recovery practice across DRT, SARFAESI, IBC, and NI Act.
Defined by Advocate Subodh Bajpai, Senior Partner, Unified Chambers and Associates