Can CA firms keep old ITR files, PAN copies and bank statements forever under DPDPA?


Most CA firms are sitting on years of old client data.

ITR files, PAN copies, Aadhaar copies, bank statements, Form 16, GST records, TDS workings, payroll files, KYC documents, audit papers and financial statements are often stored across Gmail, Google Drive, WhatsApp, desktops, laptops, pen drives, hard disks and physical files.

This has been normal practice for years.

The reason is understandable.

A CA firm may need old records for tax notices, reassessment, audit reference, client queries, professional defence, continuity of service and future assignments.

So the instinct is simple:

Keep everything. Delete nothing. We may need it someday.

But DPDPA creates a conflict.

If personal data was collected for a specific purpose, can it be kept forever after that purpose is over?

If a client has moved to another consultant, should all old PAN, Aadhaar, bank statements and WhatsApp attachments still remain with the previous CA firm?

If an article assistant or employee had access to old client folders and later leaves the firm, who is responsible for that data?

If old client documents are lying in personal phones, shared drives, email attachments and backup disks, is a privacy policy enough protection?

This is the real struggle for CA firms.

On one side, we have statutory, audit, and professional retention requirements.

On the other side, we have DPDPA expectations around purpose, consent, reasonable safeguards, data principal rights and responsible handling of personal data.

So the practical question is not whether CA firms should delete everything.

That would be unrealistic.

What should be retained, for how long, where, by whom, and under what control?

The resolution may be a basic retention and deletion framework for CA firms.

At a minimum, every firm may need to define:

1. Which client documents must be retained due to tax, audit, or professional requirements
2. Which personal data is no longer required after the assignment is completed
3. How long PAN, Aadhaar, bank statements, salary slips, and KYC documents should be kept
4. Whether old WhatsApp and email copies should be deleted after moving documents to a controlled folder
5. Who in the firm can access old client records
6. What happens when staff, interns, or article assistants leave
7. How ex-client records should be reviewed
8. How physical files, hard disks, and backups should be destroyed or archived
9. Whether retention terms should be included in engagement letters
10. How client correction, deletion, or access requests should be handled

This is not only a legal compliance issue.

It is also an internal control, client trust, and professional risk management issue.

A CA firm may have a privacy policy, but if old client data is lying indefinitely across Gmail, WhatsApp, Google Drive, laptops, and physical files without retention logic, the real risk remains.

So I wanted to ask fellow professionals:

How are CA firms practically handling old client data under DPDPA?

Are firms:

- Keeping all records permanently?
- Defining retention periods?
- Cleaning old client folders?
- Reviewing ex-client data?
- Deleting WhatsApp copies after use?
- Restricting access to old records?
- Adding retention clauses in engagement letters?
- Waiting for more clarity?

Would appreciate practical views from CAs, tax consultants, audit firms and compliance professionals.

Replies (5)
Quick Summary
CA firms often retain client records for tax, audit, and legal purposes, but DPDPA requires data to be kept only for valid purposes and with safeguards. Firms should implement retention policies, restrict access, securely archive records, and delete unnecessary data after retention periods expire.

DPDPA does not require CA firms to delete everything — it requires them to retain data with a legal basis, for a defined period, with proper safeguards, and delete it after the purpose/statutory period ends. The firms most at risk are those with no retention policy at all — not those with defined, legally backed retention schedules.

Absolutely, client data should not be stored "just in case" for all eternity in CA firms. The principles of the Digital Personal Data Protection (DPDP) indicate that the storage of personal data should be limited to the duration necessary to fulfill the purpose for which it has been collected or to meet legal and/or professional obligations. If there is no specific purpose in retaining the data, this indefinite retention can present compliance challenges.

Simultaneously, companies are not expected to delete everything right after the end of an assignment. Records are required to be held for tax assessment, audit, litigation, defence, regulation and for servicing clients. It's important that there is a retention policy, a set of rules that defines what, how long, who, and when, and that it is documented.

One method for achieving this would be:

  • Have a retention schedule in place for ITRs, audit files, KYC papers and working papers.
  • Limit access to previous client information.
  • Delete unnecessary copies from WhatsApp, personal devices or email attachments after appropriate archival.
  • Add a data retention and privacy statement to engagement letters.
  • Review, on a regular basis, and safely dispose of records that no longer need to be stored.

It's not really about holding on to data; it's about holding on to data forever with no legitimate legal or professional reason, and no proper safeguards.

DPDPA compliance for CA firms is not a legal research project.

It is a client-document control project.

The firms that start early do not need to build a complex privacy department. They need to answer basic questions:

What data do we collect?

Where do we store it?

Who can access it?

How long do we keep it?

Who do we share it with?

How do we delete or archive it?

What do we do if something goes wrong?

That is the foundation.

For firms that want to self-check their current gaps, SaralPrivacy has created a free DPDPA readiness assessment for Indian businesses: https://saralprivacy.com/industries/ca-firms

Can CA firms legally retain clients' ITR copies, bank statements, IPO, and other financial documents indefinitely under the DPDPA, or must they delete them once the purpose is fulfilled? How do data retention requirements under tax laws interact with the DPDPA's storage limitation principles?

Retain what is legally or professionally required. Delete or archive what is no longer necessary for the purpose for which it was collected.

DPDPA does not mean that CA firms must delete tax, audit or compliance records immediately after filing an ITR. If a document is required for income-tax proceedings, audit working papers, professional defence, regulatory compliance, contractual obligations or pending client work, the firm can retain it on that legal/professional basis.

But “we may need it someday” is not a sound retention policy.

The practical approach should be:

  1. Classify client records into tax, audit, KYC, payroll, advisory and working-paper categories.
  2. Define retention periods based on applicable tax, audit, professional and contractual requirements.
  3. Restrict access to old records on a need-to-know basis.
  4. Remove access of ex-staff, article assistants and vendors.
  5. Delete duplicate copies from WhatsApp, Gmail downloads, personal laptops and uncontrolled folders.
  6. Maintain an archive/deletion log.
  7. Mention retention principles in the engagement letter or privacy notice.

So the answer is not “retain everything forever” and not “delete everything immediately”.

The compliant answer is:

Retain only what has a continuing legal, professional or business purpose, keep it under control, and delete or securely archive the rest.

I think for CA firms, DPDPA compliance will depend less on having a privacy policy and more on having a defensible retention and access-control process.

