Questions to DPO of HDFC Bank

I have recently raised an issue about non-receipt of NOC for an Auto loan closed in 2018. The brief description of the incident is as follows:

I am placing these in public domain as it indicates that even a Bank like HDFC Bank is currently not ready for DPDPA Compliance by 13th May 2027.

Everybody is running behind Consent, forgetting that handling Data Principal access requests is a key element of compliance and cannot be fulfilled without a wholesale revision of the product policies.

Quote:

Dear Sir

For the last few days, I have been corresponding with your loan products department and customer services department and am unable to get resolution of my problem. I am therefore bringing this to your notice for redressal as a “Grievance” and “Data Principal Right”.
The incident is briefly described below.

1. I had availed an auto loan in 2013 which closed in 2018.

2. On closure of the loan I was under the assumption that the Bank has ceased to be the hypothecatee of the vehicle since the “Consent” was terminated automatically. It was therefore a duty of the Bank to have taken measures to inform the RTO and delete the hypothecation clause. The RC certificate/card with me was not indicative of any hypothecation and hence I was not aware that the Bank was still actively placing a restrictive hold on the asset which should have been free.

3. Recently I tried to put my car on sale and invited bids from intended buyers. I got some offers which were good enough for me to accept. However I was told by the buyer that since there was a hypothecation on the vehicle, it needs to be removed. I then submitted a request for NOC. Given that I am a customer for decades and on my customer account the loan also is on record, I thought that the issue of NOC should be quick.

4. I got a message from Bluedart courier that a consignment was being delivered and assumed that it should be the NOC. But I found after a few days that there was no delivery of the letter and my commitment to submit the letter to the buyer by a certain date was frustrated.

5. On calling the Blue Dart courier, I was told that they could not deliver and they had noted that “Addressee was not available at the given address”. When I enquired how they marked such a note which was a “Lie”,

6. Even after raising the issue with the Bank, I am yet to see resolution.

In this context my questions to you as the DPO of the bank are as follows.

1. You have the account details under my customer ID which also has the loan details. My address is updated on this account page. Hence the claim of Bluedart that a truncated address was only available with them (They claim that the name was simply mentioned as “Nagaraj”) should be false. I would like to know from your records what is the address given to Bluedart for the delivery of the consignment and why it was not given correctly if their statement is true? This may be considered as a request under Section 11 of DPDPA 2023. (As part of Section 43A read with DPDPA as the Due diligence requirement).

2. Why does the courier say they did not have my phone number to contact? Was it not given by HDFC Bank? If not, why?

3. Non availability of the NOC has frustrated the sale of the vehicle to a preferred buyer and has perhaps inflicted a financial loss of Rs 75000/- since I have to now sell it to another buyer and after March 31st. Please let me know why I cannot claim this as a compensation either as deficiency of service or under Section 46 of ITA 2000.

4. I was disappointed that HDFC Bank has failed to maintain the simple courtesy of removing the hypothecation after a loan closure which should have been a customer service move. Why is this not an SOP? Why do you expect the customer to complete it himself under these circumstances of service deficiency? I am told by many that this is a common problem of many.

5. I was told by your help center that NOCs can only be obtained by physically visiting one of the three designated branches in Bangalore (Not the nearest Branch). Why is HDFC bank not able to deliver the NOC electronically?

6. Has your Bank initiated any steps for DPDPA Compliance so far? …It appears that you will not be ready by May 13 2027 and will be exposed to penalties under DPDPA.  Has this risk been flagged by your CFO under disclosures under Clause 49 of listing requirements and SEBI regulations?

For the education of the public, I will be placing these questions in the public domain through www.naavi.org

Looking forward to your response.

End Quote

I will be happy to receive your comments.

Naavi

Posted in Privacy | Leave a comment

Questions to the DPO of BlueDart Express Courier

BlueDart is one of the respected courier agencies in India. I have used their services and have been a satisfied customer in many instances.

I am however bringing this incident to public notice for general awareness since Blue Dart has not tried to resolve my grievance and tried to hide behind technicalities to cover their suspected deficiency of service.

We are aware that many delivery persons do not make a proper attempt to locate the delivery address and report “Address Not found” or “Address changed address” etc and claim charges for their visit. This is cheating the consignor besides adversely affecting the consignee with delayed delivery. This practice is not expected of Blue Dart. I am sure that the company would vehemently deny this.

But I suspect that this happened during a recent document sent by HDFC Bank which was not delivered to me under the excuse “C’Nee shifted from the given address”.

This is a blatant lie since the consignment was addressed to me and I have not shifted from the address for several decades.

On enquiry the company stated excuses “Name was not clear, PIN Code was not proper and Bank had not given your phone number”. They washed their responsibility in the incident.

I have now raised the following questions to the DPO of Blue Dart through the customer service department.

Quote:

Please treat this as a notice under Section 43A of ITA 2000 read with DPDPA 2023. I am exercising my right to seek information from you as a data fiduciary. This complaint may be forwarded to your Data Protection officer and Grievance redressal officer under copy to me for further processing since this is no longer a simple service deficiency.

1. I want to know what was the address mentioned in the communication by HDFC Bank to you and why you accepted delivery without the contact phone number of the consignee?

2. In my conversation with your representative I was told that the name was mentioned as “Nagaraj” and the PIN code was not “560050”. My full name was Vijayashankar Nagarajarao and no sane person truncates it to only “Nagaraj”. My address is No 37, “Ujvala”, 20th Main, BSK first stage Bangalore 560050. Since you have mentioned that the “C’Nee Shifted From The Given Address”, I have already informed you that this is a “False Statement”. Please show me cause why I should not presume that you have not made an attempt to deliver the document and returned it to the Bank charging them for the consignment. Will this not amount to “Cheating” the Bank?

3. Since you have mentioned that I have “Shifted” from “a” address, please let me know which is the address which was on the delivery list?

4. Your representative said that my phone number was not given by the Bank. Please let me know why you accepted the consignment with incomplete information?

5. I am aware that normally you collect the phone number when a document is delivered from the consignee. I presume it is for verification purpose. But is that practice only a collection of personal information for the purpose of your marketing?

6. As a result of your deficiency of service, I am not able to get the document even today. This has resulted in a possible loss of Rs 75000/- to me. Please let me know why I should not take action in a consumer court for deficiency of service?

7. I am expecting an immediate reply to this email along with the photo of the cover mentioning my address and your delivery person’s note.

8. I will be placing this complaint in public domain through www.naavi.org to increase the awareness of the public on such malpractices of couriers.

Unquote

I am not sure if I will get a reply. But I am optimistic.

I am separately taking this up with HDFC Bank also and will place that also in public domain.

This is to expose how big companies are yet to understand the impact of DPDPA on their services and what compliance measures they need to initiate.

DPDPA is not child’s play. It requires understanding and effort to comply.

The legal questions that arise here are

1. Since DPDPA 2023 will be fully implemented with its penalty sections only after 13th May 2027, is this complaint maintainable with the Adjudicator of ITA 2000 as a complaint under Section 43A read with the rules of 2011 and interpreted with DPDPA as a reasonable security practice and expected due diligence?

2. How does this incident represent the right of a data principal under Sections 11, 12, 13 of DPDPA 2023?

3. What is the status of Blue Dart? Is it a Data Fiduciary or is it a Data Processor? If it is a “Data Processor”, is it obliged to present the instructions of the Data fiduciary such as the address given to them in the above case?

4. Will this complaint sustain in a Consumer Court as “Deficiency of Service”?

It is time we learn from such mistakes. Your comments are welcome.

Naavi

NHRC ups the ante on DPDPA

While the Supreme Court is hearing the petitions challenging DPDPA (where FDPPI has filed an intervention petition to oppose the Challenge and defend DPDPA), NHRC has issued notices to the Government on why action has not been initiated on implementation of provisions to protect the Privacy of Children.

Refer article here for details

The National Human Rights Commission (NHRC) has taken cognisance of alleged violations of the Digital Personal Data Protection Act (DPDP Act), particularly concerning the absence of systems for tracking children’s data transfers and grievance redressal mechanisms across major digital platforms.

It is expected to strengthen the Government of India in its defence at the Supreme Court.

Let us wait and see how it develops.

Naavi


Update on DPDPA Challenge in Supreme Court

The petitions filed on March 12th, including the one which has asked for the scrapping of DPDPA and DPDPA Rules, came up for hearing on 23rd March 2026 at the Supreme Court. The Union of India, which had been asked to file its reply, sought time to file a reply and a further time of 4 weeks has been granted. Afterwards 2 weeks' time has been given for rejoinder affidavits to be filed and the next hearing is fixed for May 13, 2026.

In the meantime the intervention petition filed by FDPPI defending the DPDPA and DPDPA Rules was admitted and will also be heard on the next hearing day.

This petition is numbered IA No.85635/2026 and is being represented by Dr. Mahendra L., Adv., Dr. Tushar Mandlekar, Adv., Mr. Alok Sharma, Adv., Mr. Raghvendra Kumar, AOR and Mr. Devvrat Singh, Adv.

The copy of the order of the day is available here.

Further updates when available will be posted.

Naavi


Re-iterating the Responsibility of Data Processors to grow up with their own compliance framework

While most of us are happy that Data Processors are not covered directly under DPDPA, if some of the data processors really want to enhance their trust with their clients and create a competitive edge.

DGPSI-Data Processor is a framework specially created for the purpose.

Request professionals to study it and send their views.

Naavi
