Confidential Dispatch

Can a business legally ask for and store your documents?

At a glance

A business can ask for your documents only where the task genuinely needs them, and it can keep them only as long as that purpose lasts — after which it must delete them. Under India’s DPDP Act it also has to tell you why it’s collecting them and keep them secure. So “give us a copy for our records” isn’t a free pass: you can refuse documents that aren’t needed, and ask a business to delete ones it’s holding for no ongoing reason.

Educational resource only. This explains your rights around businesses asking for and storing your documents under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.

On this page

The situation

A gym wants a photocopy of your ID, a rental broker keeps your documents “on file,” an online service asks you to upload an identity document — your Aadhaar, PAN, passport, driving licence, or Voter ID — before it’ll talk to you. Handing over a document feels routine — but a copy of your ID sitting on someone else’s system, indefinitely, is exactly where leaks and misuse begin. The law gives you more say over this than most people realise.

Can a business ask for your documents at all?

Yes — but only for documents a specific, stated purpose genuinely needs, not “for records” as a habit. A document you share is personal data, and the business holding it is a Data Fiduciary with duties to you. Two of those duties frame everything here: it must give you a clear notice of why it wants the document (Section 5), and its collection is limited to what that stated purpose actually needs (Section 6).

That makes the request purpose-bound. A regulated lender doing KYC genuinely needs identity proof; a shop issuing a loyalty card doesn’t need a copy of your Aadhaar. The honest test is the same every time: does the thing they’re doing for me actually require this document? If it doesn’t, the request is over-collection — collected out of habit or for marketing, not necessity.

Can it keep copies — and for how long?

Only as long as the purpose lasts — once that’s over, the document should be deleted, not archived indefinitely. This is the part most businesses get wrong. Collecting a document lawfully doesn’t buy the right to keep it forever. Under the DPDP Act, a Data Fiduciary must keep your data secure and erase it once the purpose it was collected for is finished (Section 8). Storage is tied to need, exactly like collection is.

So a copy taken to verify you at sign-up shouldn’t still be sitting on a system years after you’ve left. While a business does hold your documents, it also has to protect them with reasonable security — a stack of ID photocopies in an unlocked drawer or an open shared folder is a breach of that duty, not just bad practice.

  • Keep while needed — for the active service, or where another law sets a specific retention period (some KYC and tax records).
  • Keep “just in case” — holding documents with no ongoing purpose is exactly what the erasure duty rules out.
  • Store insecurely — unprotected copies are a security failure the business is liable for.

What can you refuse?

You can refuse any document that isn’t genuinely needed for the service — your consent has to be unconditional. The DPDP Act requires consent to be free, specific, informed, unconditional and unambiguous. “Unconditional” is the load-bearing word: a business can require the documents it truly needs, but it can’t make an unrelated document demand the price of service.

Where some proof of identity is genuinely required, you usually still have a lighter option — a masked Aadhaar (which hides the first eight digits) rather than a full copy, or a secondary document. The line is necessity for the stated purpose, not the business’s preference for having more on file.

How to share a document safely when you must

When a document is genuinely needed, share the least-exposing version and mark it for that use only. These are practical habits, not DPDP Act rules — but they stop a legitimate request from becoming a future leak.

  1. Self-attest and mark the purpose. Sign across the copy and write what it’s for, e.g. “For KYC with [name] only.” A purpose-marked copy is far harder to reuse elsewhere.
  2. Share the masked or minimal version — a masked Aadhaar, or only the pages actually needed (not your entire document set).
  3. Use a secure channel. Avoid sending ID copies over WhatsApp, ordinary email, or to unverified callers; prefer the business’s proper upload route.
  4. Ask what happens next — where it’s stored, for how long, and who can see it. A business that can’t answer is a flag.

What to do if a business hoards or leaks it

Ask what it holds, ask it to delete what it no longer needs, and escalate if it won’t.

  • Ask what they have. You can ask a business what personal data and documents it holds about you and why (your right of access).
  • Ask for deletion. Where a document is no longer needed for the purpose you gave it, you can ask for its erasure — and request written confirmation.
  • Escalate over-collection or hoarding. If a business made an unnecessary document a condition of service, or refuses to delete copies it has no reason to keep, raise a grievance with its contact, then complain to the Data Protection Board of India.
  • Act fast on a leak. If your documents were exposed in a breach, the business owes you notice — and you can take the same grievance route if it stays silent.

FAQ

Can a gym or shop legally keep a photocopy of my ID? Only if it’s genuinely needed for the service, and only for as long as that purpose lasts. A copy kept “for records” with no ongoing reason should be deleted, and you can ask for that.

How long can a business hold my documents? As long as the purpose they were collected for continues — or a specific period another law requires (some KYC/tax records). Beyond that, the DPDP Act’s erasure duty says they should be deleted.

Can I refuse to give a document a business asks for? Yes, if it isn’t necessary for the service — your consent must be unconditional, so an unrelated document can’t be made a condition. Where some proof is genuinely required, you can often give a masked or minimal version.

Can I make a business delete documents it’s holding about me? Yes. Once a document is no longer needed for its purpose, you can request erasure and ask for confirmation it’s been done.

What if my documents leak from a business’s systems? The business must keep your documents secure and is liable if it doesn’t. On a breach it owes you notification — and you can raise a grievance, escalating to the Data Protection Board of India if it doesn’t respond.

Reviewed by Confidential Dispatch Editorial Team

Last updated 14 July 2026

Not legal advice.