AI Summary: This article examines the intersection of India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the TRAI-mandated 160-series numbering framework for BFSI voice calls. Every outbound call from a 1601xxxxxxx number involves a customer’s personal data. The DPDP Act governs that processing independently of TCCCPR obligations. BFSI entities must establish a valid lawful basis for each call type. They must also maintain auditable consent records aligned with the Digital Consent Acquisition (DCA) framework and document data retention policies for call recordings and Call Detail Records (CDRs). FreJun’s 160-series calling infrastructure integrates DLT template management, CDR logging, and consent audit trails into a single compliance-ready platform.
Key Facts at a Glance
| Item | Detail |
|---|---|
| Primary telecom regulation | TCCCPR, 2018 (Second Amendment, 12 Feb 2025) |
| Primary data regulation | Digital Personal Data Protection Act, 2023 (DPDP Act) + DPDP Rules, 2025 (notified 13 Nov 2025) |
| Governing bodies | TRAI / DoT (telecom); MeitY / Data Protection Board of India (data) |
| Applies to | All BFSI entities regulated by RBI, SEBI, PFRDA, IRDAI making outbound voice calls |
| Relevant number series | 1601xxxxxxx (financial entities); 160xxxxxxx (all Principal Entities) |
| TCCCPR first-violation penalty | Rs 2,00,000 |
| DPDP Act maximum penalty | Rs 250 crore (failure to implement reasonable security safeguards) |
| DPDP Rules full compliance deadline | 13 May 2027 (phased rollout from Nov 2025) |
| 160-series migration deadlines | Mutual Funds and AMCs: 15 Feb 2026; Qualified Stockbrokers: 15 Mar 2026 |
Key Summary
- Every outbound call from a 160-series number involves a customer’s personal data. The DPDP Act, 2023 governs that processing independently of TCCCPR obligations.
- BFSI entities must establish a valid lawful basis under Section 4 of the DPDP Act for each call type. Transactional calls use contractual necessity; service and collection calls require granular consent.
- Call recordings, CDRs, and consent logs all constitute personal data. Each carries its own retention, security, and deletion obligation under the DPDP Act and the DPDP Rules, 2025.
- The DPDP Act places primary liability on the Data Fiduciary even when a BPO or recovery agency makes the call. Vendor contracts must include binding data-processor clauses.
- Penalties under the two regimes stack independently. A single non-compliant call campaign can attract TRAI financial disincentives, a one-year telecom blacklist, and a DPDP Act penalty from the Data Protection Board of India.
Quick Answer: Every BFSI outbound call on a 160 series number processes personal data and triggers obligations under the Digital Personal Data Protection Act, 2023. Entities must document a lawful basis per call type, align consent records with the DCA framework, and apply purpose limitation. They must also retain CDRs and recordings within policy and govern vendor processors through written contracts. Penalties under TRAI and the DPDP Act apply independently.
Table of Contents
- Key Facts at a Glance
- Key Summary
- Why Every 160 Series Call Triggers the DPDP Act
- What Is the Lawful Basis for Each Type of Outbound Call?
- How Does Consent Under TCCCPR Align With the DPDP Act?
- Are Call Recordings and CDRs Personal Data Under the DPDP Act?
- What Are the Retention and Deletion Rules for Call Data?
- Who Bears Liability When a BPO or Recovery Agency Makes the Call?
- Can TRAI and DPDP Penalties Apply to the Same Call?
- How FreJun Helps BFSI Entities Manage the Dual Compliance Layer
- Frequently Asked Questions
- Key Takeaways
- Compliance Disclaimer
- References and Sources
Definition: DPDP Act and 160 Series Crossover: The Digital Personal Data Protection Act, 2023 (DPDP Act) governs the collection, processing, storage, and deletion of digital personal data in India. When a BFSI entity calls from a 1601xxxxxxx or 160xxxxxxx number, it uses the customer’s phone number, account reference, and call content. All three items are personal data. The DPDP Act therefore applies to that call independently of TRAI’s TCCCPR regime.
Most BFSI compliance teams treat the 160-series migration and the DPDP Act as two separate workstreams. In practice, they share the same data, the same customer, and often the same enforcement window. Speak with FreJun’s legal team to map both obligations onto your existing calling infrastructure.
Why Every 160 Series Call Triggers the DPDP Act
Every outbound call from a 160 series number involves the processing of personal data. The customer’s mobile number, account reference, and call content all qualify as personal data. Section 2(t) of the Digital Personal Data Protection Act, 2023 (DPDP Act) defines personal data broadly. Processing that data makes the BFSI entity a Data Fiduciary under Section 2(i) of the DPDP Act.
Furthermore, the DPDP Act applies to all digital personal data processed within India. Outbound calling infrastructure processes data digitally at every stage: dialer configuration, CRM lookup, call initiation, and CDR generation. Therefore, no BFSI entity can claim its 160-series calling programme falls outside the DPDP Act’s scope.
Two Regimes, One Call: How TCCCPR and the DPDP Act Overlap
The Telecom Commercial Communications Customer Preference Regulations, 2018 (TCCCPR) govern the consent, template registration, and permitted content of voice calls. The Second Amendment, dated 12 February 2025, updated the regime significantly. Separately, the DPDP Act governs how the personal data behind those calls must be handled. That obligation applies before, during, and after each call. Neither statute replaces the other. Together, they create a two-layer compliance obligation on every single outbound call.
Additionally, the TCCCPR’s Digital Consent Acquisition (DCA) framework and the DPDP Act’s consent architecture overlap. However, they do not duplicate each other. The DCA framework registers subscriber communication preferences on the Distributed Ledger Technology (DLT) platform. The DPDP Act requires that the same consent event be documented as the lawful basis for personal data processing. Compliance teams must therefore ensure one consent capture event satisfies both standards at the same time.
In my practice advising telecom-industry clients, this dual-layer obligation is the most consistently underestimated compliance risk I encounter. Most compliance programmes address TCCCPR registration and DLT onboarding. However, few have documented the DPDP lawful basis for each call type in their outbound calling matrix.
What Is the Lawful Basis for Each Type of Outbound Call?
Section 4 of the DPDP Act requires every instance of personal data processing to rest on a lawful basis. Two options exist: consent, or a legitimate use listed in Schedule I of the Act. For BFSI outbound calls, the applicable basis varies by call type. Identifying the correct basis for each call type is the first and most critical step. It forms the foundation of any DPDP-compliant calling programme.
Transactional and OTP Calls: Legitimate Use
OTP delivery, transaction confirmation, and account-alert calls fall under Schedule I(b) of the DPDP Act. That schedule permits processing for the performance of a contract to which the Data Principal is a party. Consequently, these calls do not require separate consent. However, the entity must document that the call is genuinely necessary to fulfil the contractual obligation. The DPDP Rules, 2025, notified by MeitY on 13 November 2025, require Data Fiduciaries to maintain records establishing the lawful basis for each processing activity.
Additionally, the TCCCPR Second Amendment, 2025 imposes a strict 30-minute window on transactional calls. Any call made more than 30 minutes after the triggering customer action loses its transactional classification under TCCCPR. That reclassification simultaneously weakens the DPDP lawful basis. Contractual necessity is harder to argue once the immediate transaction context has passed.
Service Calls, EMI Reminders, and Collection Calls: Consent Required
Service calls made outside the 30-minute transactional window do not automatically qualify as contractual-necessity processing under Schedule I(b). The same applies to EMI reminders and collection follow-ups. These calls are made to influence customer behaviour. They do not merely fulfil a transaction already initiated. Therefore, they require explicit, freely given, informed, and specific consent under Section 6 of the DPDP Act.
Moreover, that consent must be granular. A customer who consented to receive account statements by call has not necessarily consented to receive EMI reminders by call. Purpose limitation under Section 6(3) requires separate consent for each distinct processing purpose. Generic omnibus consent, commonly embedded in loan application forms, is unlikely to satisfy this standard.
In practice, this means a mapping exercise for your compliance team. First, list every outbound call type your organisation makes. Next, identify the DPDP lawful basis for each. Then document that basis in a processing register. Finally, verify that the corresponding TCCCPR template and DLT registration are consistent with the documented purpose.
How Does Consent Under TCCCPR Align With the DPDP Act?
Notably, consent under the TCCCPR and consent under the DPDP Act serve different statutory purposes. Nevertheless, they must coexist without contradiction. Understanding this relationship is essential before your organisation builds or upgrades its consent infrastructure.
TCCCPR Consent Rules: The Telecom Layer
Under the TCCCPR Second Amendment, 2025, explicit consent for a specific purpose is valid for only 7 days. Once a subscriber opts out, the entity cannot contact that subscriber for 90 days on the same purpose. The DCA framework on the DLT platform records and enforces these preferences. Every consent event must carry a timestamp and a template reference.
Furthermore, implicit consent for service or transactional calls is valid only for the duration of the underlying contract. Once the contract terminates, implicit consent lapses. The entity must obtain fresh explicit consent before resuming contact.
DPDP Act Consent Requirements: The Data Layer
Section 6 of the DPDP Act requires consent to be free, specific, informed, unconditional, and unambiguous. The DPDP Rules, 2025 require that the consent notice disclose the personal data being collected. It must also state the specific purpose of processing and the mechanism for withdrawing consent. Additionally, Data Fiduciaries must issue a retrospective notice for personal data processed before the Act came into effect. This obligation applies if that processing continues after the Rules’ commencement date.
Consequently, an entity calling customers for EMI reminders based on a bundled loan-agreement clause must now review its historical consent. The question is whether that consent meets the DPDP standard. If it does not, the entity must obtain fresh consent or rely on an alternative lawful basis. Either way, the chosen basis must be documented explicitly in the DPDP processing register.
Building a Unified Consent System That Satisfies Both Frameworks
In practice, the right step is to design one consent capture event that satisfies both frameworks simultaneously. The notice must describe the calling purpose specifically enough to meet the DPDP Act standard. That same event must feed into the DCA registration on the DLT platform. The timestamp and purpose reference from the DLT platform must then flow back into the DPDP processing register. This creates the evidence trail for the lawful basis.
Achieving this requires your dialer, CRM, and DLT integration to share a common consent-token architecture. Most existing systems store consent in the CRM alone. As a result, the DLT platform and the DPDP register hold different records for the same consent event. That gap is exactly what auditors look for during regulatory inspections.
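One way to implement the shared consent-token check described above, combined with the per-call-type lawful-basis rules from the earlier sections (an added example, not FreJun's code or API). The token format, store layout, call-type names and template IDs are assumptions; the 30-minute, 7-day and 90-day windows are the figures the article states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows as stated in the article for the TCCCPR Second Amendment, 2025.
TRANSACTIONAL_WINDOW = timedelta(minutes=30)
EXPLICIT_CONSENT_VALIDITY = timedelta(days=7)
OPT_OUT_LOCKOUT = timedelta(days=90)

# Call types the article places under contractual necessity (Schedule I(b)).
# Every other call type is treated as consent-based.
CONTRACTUAL_CALL_TYPES = {"otp", "transaction_confirmation", "account_alert"}


@dataclass(frozen=True)
class ConsentEvent:
    token: str             # hypothetical shared consent-token ID
    purpose: str           # single, specific calling purpose
    captured_at: datetime  # timestamp of the consent capture event
    template_id: str       # DLT template reference (placeholder values below)


def reconcile(token, crm, dlt, register):
    """Compare the three copies of one consent event.

    Returns (event, findings); event is None unless the CRM, the DLT/DCA
    record and the DPDP processing register all hold identical fields.
    """
    copies = {"crm": crm.get(token), "dlt": dlt.get(token),
              "register": register.get(token)}
    findings = [f"missing in {name}" for name, ev in copies.items() if ev is None]
    present = [ev for ev in copies.values() if ev is not None]
    for field in ("purpose", "captured_at", "template_id"):
        if len({getattr(ev, field) for ev in present}) > 1:
            findings.append(f"{field} differs between stores")
    return (present[0] if not findings else None), findings


def may_dial(call_type, now, *, trigger_at=None, token=None, opt_outs=None,
             crm=None, dlt=None, register=None):
    """Return (allowed, lawful basis or refusal reason) for one outbound call."""
    # 1. Contractual necessity applies only inside the 30-minute window.
    if (call_type in CONTRACTUAL_CALL_TYPES and trigger_at is not None
            and timedelta(0) <= now - trigger_at <= TRANSACTIONAL_WINDOW):
        return True, "contractual necessity (Schedule I(b))"
    # 2. Otherwise consent is needed; an opt-out on this purpose blocks first.
    opted_out_at = (opt_outs or {}).get(call_type)
    if opted_out_at is not None and now - opted_out_at < OPT_OUT_LOCKOUT:
        return False, "opt-out lockout active for this purpose"
    # 3. The consent must exist, and match, in all three stores.
    event, findings = reconcile(token, crm or {}, dlt or {}, register or {})
    if event is None:
        return False, "consent not reconciled: " + "; ".join(findings)
    # 4. Purpose limitation: the consent must name this exact call type.
    if event.purpose != call_type:
        return False, "consent purpose does not cover this call type"
    if not timedelta(0) <= now - event.captured_at <= EXPLICIT_CONSENT_VALIDITY:
        return False, "explicit consent older than 7 days"
    return True, f"consent {event.token}"


# Constructed sample data: tok-001 is consistent everywhere; tok-002 lives
# only in the CRM and the register, and the two disagree on purpose.
NOW = datetime(2026, 3, 1, 11, 0)
GOOD = ConsentEvent("tok-001", "emi_reminder",
                    datetime(2026, 2, 26, 10, 0), "TEMPLATE-PLACEHOLDER-1")
CRM = {"tok-001": GOOD,
       "tok-002": ConsentEvent("tok-002", "emi_reminder",
                               datetime(2026, 2, 27, 9, 0), "TEMPLATE-PLACEHOLDER-1")}
DLT = {"tok-001": GOOD}
REGISTER = {"tok-001": GOOD,
            "tok-002": ConsentEvent("tok-002", "account_statement",
                                    datetime(2026, 2, 27, 9, 0), "TEMPLATE-PLACEHOLDER-1")}

if __name__ == "__main__":
    stores = dict(crm=CRM, dlt=DLT, register=REGISTER)
    print(may_dial("otp", NOW, trigger_at=NOW - timedelta(minutes=10)))
    print(may_dial("otp", NOW, trigger_at=NOW - timedelta(minutes=45)))
    print(may_dial("emi_reminder", NOW, token="tok-001", **stores))
    print(may_dial("emi_reminder", NOW, token="tok-002", **stores))
```

Logging the returned reason string against each CDR gives the processing register a per-call record of the basis relied on.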
If your consent capture process was designed only for TCCCPR compliance, it likely does not meet the DPDP Act’s specificity and documentation requirements. FreJun’s team can show you what a unified consent architecture looks like in practice. They can also show you how to implement it without rebuilding your CRM workflows from scratch.
Are Call Recordings and CDRs Personal Data Under the DPDP Act?
Yes, both call recordings and Call Detail Records (CDRs) are personal data under the DPDP Act, 2023. A call recording contains the customer’s voice and the content of their communication. A CDR contains the customer’s phone number, the call time and duration, and the originating entity’s number. All of these fields identify a natural person and therefore qualify as personal data.

What Does CDR Data Actually Contain?
Specifically, a typical CDR from a 160-series outbound call contains six core fields. These are: the originating 1601xxxxxxx number, the called mobile number, the call start time, the call duration, the DLT Template ID invoked, and the disposition code. Additionally, where a cloud dialer routes the call, the CDR may contain the agent ID, the campaign ID, and a recording reference. Each field, individually or combined, can identify a natural person. Therefore, the entire CDR dataset constitutes a personal data store that the DPDP Act governs.
In practice, most BFSI entities I work with have not formally classified their CDR datasets as personal data stores. Specifically, few have assigned a Data Fiduciary classification to their CDR databases or documented the retention justification for each field. This gap becomes material once the Data Protection Board exercises its audit powers. Chapter VI of the DPDP Act grants the Board wide inquiry and inspection authority.
Security Obligations That Apply to Call Data
Section 8(5) of the DPDP Act and Rule 6 of the DPDP Rules, 2025 require Data Fiduciaries to implement reasonable security safeguards to prevent personal data breaches. For call recordings and CDRs, this means at minimum: encryption at rest and in transit; access controls limiting who can retrieve or export call data; audit logs tracking every access event; and a breach response plan covering the notification timeline under Rule 7.
Moreover, Rule 7 requires Data Fiduciaries to notify the Data Protection Board of a personal data breach without delay. They must also notify the affected Data Principals. A breach involving call recordings, which contain voice content and financial discussion, will likely receive high-severity treatment requiring expedited notification. The practical step for your compliance team is clear: classify call recording storage as a critical personal data asset. Then apply your organisation’s highest security tier to it.
What Are the Retention and Deletion Rules for Call Data?
Overall, call data retention sits at the intersection of multiple regulatory frameworks. The most restrictive standard governs. BFSI entities must hold CDRs and recordings for as long as the most demanding requirement dictates. However, they must delete them no later than the earliest permissible end point under the DPDP Act.
Retention Minima from Sectoral Regulators
Specifically, RBI’s Master Direction on Outsourcing of Information Technology Services dated 10 April 2023 requires banks and NBFCs to maintain records. Those records must support audit, grievance resolution, and supervisory review. For customer communication records, this generally means retention for the duration of the customer relationship plus a post-closure period. That post-closure period varies by account type and product. SEBI’s record-keeping norms for stockbrokers and mutual funds impose similar requirements for investor-communication logs.
Additionally, RBI’s Storage of Payment System Data circular dated 6 April 2018 requires payment-related data to remain on India-hosted servers. No exceptions apply without a compliant cross-border transfer protocol. Call recordings that contain discussion of EMI amounts, payment transactions, or account numbers may fall within this circular’s scope. Therefore, your call recording storage vendor must be India-hosted. If it is not, you must document a compliant cross-border transfer protocol.
DPDP Act Deletion Obligations: Purpose Limitation in Practice
Furthermore, Section 8(7) of the DPDP Act requires a Data Fiduciary to delete personal data once the collection purpose is no longer served. This duty arises automatically and does not require the Data Principal to request deletion. Rule 8 of the DPDP Rules, 2025 operationalises this duty: it deems the specified purpose to be no longer served once the Data Principal has not initiated contact for a prescribed period. This creates an automatic trigger for deletion workflows. Where a Data Principal withdraws consent, deletion must occur promptly unless a separate legal obligation requires retention.
The practical tension here is clear. RBI may require you to retain a collection-call recording for several years. Meanwhile, the DPDP Act requires deletion once the customer relationship ends and no other legal obligation applies. Section 8(5) of the DPDP Act acknowledges this by permitting longer retention where any law in force requires it. Consequently, your retention policy must document, record by record, which specific legal obligation justifies each retention period. A blanket policy is not sufficient.
Notably, Rule 8 of the DPDP Rules, 2025 requires Data Fiduciaries to notify the Data Principal at least 48 hours before planned deletion. This gives the Data Principal an opportunity to seek preservation. That notification obligation adds a process step that most current call-data management systems do not yet have.
Who Bears Liability When a BPO or Recovery Agency Makes the Call?
Importantly, the BFSI entity remains the Data Fiduciary even when an outsourced BPO, recovery agency, or telemarketer makes the actual call. Section 8(3) of the DPDP Act places primary liability on the Data Fiduciary. That liability covers any processing its Data Processors carry out. This mirrors the TCCCPR position, under which the Principal Entity bears vicarious liability for its agents’ conduct.
Data Processor Contracts: What They Must Now Include
Specifically, Section 8(3) requires Data Fiduciaries to engage Data Processors only through a valid written contract. That contract must bind the processor to process data solely for the purpose the fiduciary specifies. In the calling context, the contract must explicitly state that the vendor may process customer call data only for the authorised calling purpose. Any broader use is prohibited. Vendor analytics, training datasets, and cross-client profiling are all prohibited uses.
Additionally, the contract must include audit rights and breach notification obligations. It must also include data return or deletion provisions on contract termination, plus restrictions on sub-contracting. The RBI Master Direction on Outsourcing of Information Technology Services dated 10 April 2023 imposes broadly similar requirements. Therefore, existing vendor contracts likely need updating to satisfy both frameworks at the same time rather than sequentially.
Recovery Agents: DPDP Act Obligations Beyond IIBF Certification
For context, recovery agents must hold a valid IIBF certification obtained after the prescribed 100-hour training programme under RBI’s Fair Practices Code. However, that certification does not address data protection obligations under the DPDP Act. Specifically, recovery agents handle customer personal data including phone numbers, outstanding balances, and call recordings. The BFSI entity remains liable for how that data is handled, even after the agent’s engagement ends.
In practice, this means off-boarding procedures for recovery agents must now include a data return or certified deletion step. Any CDR or recording the agency holds on behalf of the bank must be returned or deleted. The data processor contract specifies the exact procedure and timeline. Failure to enforce this step creates a residual data breach risk. That risk sits entirely with the BFSI entity as Data Fiduciary.
Can TRAI and DPDP Penalties Apply to the Same Call?
Yes. The penalties under the TCCCPR and the DPDP Act apply independently. A single non-compliant outbound calling campaign can simultaneously trigger TRAI financial disincentives and a one-year telecom blacklist. It can also attract a DPDP Act penalty from the Data Protection Board of India. The two regimes do not share a common penalty pool. A penalty paid under one does not reduce or discharge liability under the other.
TCCCPR Penalty Structure Under the Second Amendment, 2025
Under the TCCCPR Second Amendment dated 12 February 2025 (source: TRAI Gazette PDF), graded financial disincentives apply per violation instance. The scale rises with each repeat offence. The first instance attracts Rs 2,00,000. The second instance attracts Rs 5,00,000. The third and subsequent instances each attract Rs 10,00,000. Furthermore, 5 valid complaints in any rolling 10-day period trigger the blacklist mechanism. The maximum blacklist duration is one year. It applies across all telecom resources of the entity and with all Telecom Service Providers simultaneously.
Notably, the blacklist penalty is not merely financial. For a BFSI entity, a one-year blacklist means OTPs cannot be delivered and customer service calls cannot be made. Collection operations also cease entirely. The operational cost of a blacklist episode vastly exceeds the financial disincentive amount.
DPDP Act Penalty Caps: What the Data Protection Board Can Impose
The DPDP Act, 2023 empowers the Data Protection Board of India to impose penalties up to defined caps. Specifically, the Board can impose up to Rs 250 crore for failure to implement reasonable security safeguards under Section 33(2)(a). It can impose up to Rs 200 crore for failure to notify a personal data breach under Section 33(2)(b). Additionally, it can impose up to Rs 150 crore for breach of Significant Data Fiduciary obligations under Section 33(2)(c). These are maximum caps; the Board sets the actual penalty based on the nature, gravity, and circumstances of the breach.
Most large banks, NBFCs, insurers, and payment aggregators will likely receive Significant Data Fiduciary (SDF) designation. This will occur once the Central Government notifies the applicable criteria. The data volumes and sensitivity in BFSI operations typically meet the threshold. SDF status brings several additional obligations. These include appointing a DPO based in India, conducting annual DPIAs, appointing an independent data auditor, and sharing significant observations with the Data Protection Board periodically.
Sectoral Regulator Action: A Third Layer of Exposure
Beyond TRAI and the Data Protection Board, the BFSI entity’s sectoral regulator can also act independently. It operates under its own statutory mandate regardless of penalties other regulators have already imposed. RBI may take supervisory action under Section 35A of the Banking Regulation Act, 1949. It may also impose a monetary penalty under Section 46 or 47A. IRDAI may act under Sections 102 to 105B of the Insurance Act, 1938. SEBI may impose a penalty under Section 15HB of the SEBI Act, 1992. PFRDA may act under Section 28 of the PFRDA Act, 2013.
Importantly, each regulator acts under its own statutory mandate. None of them is constrained by penalties another regulator has already levied for the same conduct. This means a single non-compliant calling campaign can trigger simultaneous regulatory responses from four different bodies.

How FreJun Helps BFSI Entities Manage the Dual Compliance Layer
FreJun’s platform addresses the technical compliance layer that the DPDP Act and TCCCPR together impose on BFSI outbound calling. Most compliance failures originate from managing DLT template registration, CDR logging, consent records, routing segregation, and call recordings across a fragmented vendor stack. FreJun eliminates that fragmentation by consolidating these functions into a single auditable environment.
Technical Compliance Features Relevant to the DPDP Act
Specifically, FreJun provides full CDR logging with Template ID mapping for every 160-series call. This means each CDR can be reconciled against its DLT registration on demand. Call recordings go to India-hosted infrastructure, addressing RBI’s data localisation requirements. Consent event logging captures the timestamp, purpose, and DCA registration reference for each consent interaction. Routing-level segregation keeps 140-series promotional traffic and 160-series transactional traffic on separate dialer instances at all times.
Additionally, FreJun integrates directly with HubSpot, Zoho CRM, Salesforce, and LeadSquared. Consent records flow from your CRM into the calling platform without manual re-entry. This integration also supports automated opt-out enforcement. When a customer opts out on any channel, the opt-out propagates to the dialer. This happens within the 90-day lockout window the TCCCPR requires.
Ultimately, the trust signal here is straightforward. FreJun’s platform gives your legal team a complete audit trail. They can present it to TRAI, RBI, or the Data Protection Board on demand. Your legal team can then focus on substantive obligations rather than extracting records from disconnected systems under regulatory time pressure.
If you are mapping your 160-series migration alongside your DPDP Act readiness programme, reach out to FreJun’s legal team. They can walk you through the platform in a 30-minute session tailored to your entity type. No credit card needed, no complex setup.
Frequently Asked Questions
160 series vs 140 series: what is the difference for data protection compliance?
The 160 series is exclusively for service and transactional calls by verified Principal Entities. The 140 series covers promotional and telemarketing calls only. For data protection, the lawful basis differs between the two series. Transactional 160-series calls can rely on contractual necessity, while promotional 140-series calls require explicit consent. Mixing the two series, or their call types, creates simultaneous TCCCPR and DPDP Act exposure for the entity.
What penalty can the Data Protection Board impose on a BFSI entity for a call data breach?
The Data Protection Board of India can impose penalties up to Rs 250 crore for failure to implement reasonable security safeguards. It can also impose up to Rs 200 crore for failure to notify a personal data breach. These are maximum caps; the Board sets the actual penalty based on the nature and gravity of the breach. Notably, TRAI penalties for the same non-compliant conduct apply independently. The two regimes do not offset each other.
How does a BFSI entity apply for or obtain a 160 series number?
In practice, a BFSI entity obtains a 1601xxxxxxx number through its Telecom Service Provider (TSP). The TSP must verify the entity’s eligibility as a Principal Entity regulated by RBI, SEBI, PFRDA, or IRDAI before allocation. The entity must then undertake, in writing, to use the number exclusively for service and transactional calls under TCCCPR, 2018. TRAI’s Direction dated 19 November 2025 (PRID 2191647) sets the phase-wise deadlines for mandatory adoption by entity type.
Does the DPDP Act apply to call recordings stored by an outsourced BPO?
Yes. The BFSI entity remains the Data Fiduciary for call recordings regardless of storage location. It does not matter who operates the storage infrastructure. Section 8(3) of the DPDP Act requires a written data processor contract with the BPO. That contract must specify the permitted processing purposes. The BPO acts as a Data Processor. The BFSI entity is liable for any DPDP Act breach arising from the BPO’s handling of the recordings.
How long must a BFSI entity retain call recordings and CDRs under DPDP Act rules?
The DPDP Act requires deletion once the processing purpose is no longer served, unless a specific law requires longer retention. RBI regulations typically require customer communication records for the contract duration plus a post-closure period. Your retention policy must document, for each CDR and recording field, which specific legal obligation justifies the retention period. A blanket retention policy without per-category justification is unlikely to satisfy the DPDP Rules, 2025.
Can a customer demand deletion of their call recording under the DPDP Act?
Yes. A Data Principal can request deletion of their personal data once the processing purpose is no longer served. However, if a regulatory obligation such as an RBI record-keeping requirement applies, the BFSI entity may retain the data. Retention continues for the duration of that obligation, even after a withdrawal request. The entity must communicate the retention justification to the Data Principal. It must also document the legal basis within its DPDP processing register.
What is a Significant Data Fiduciary and will most BFSI entities qualify?
A Significant Data Fiduciary (SDF) is an entity notified by the Central Government. The notification criteria consider data volume, sensitivity, risk to individuals, and use of new technologies. Most large banks, NBFCs, insurers, payment aggregators, and stockbrokers are expected to qualify once the Central Government issues the notification. SDF status brings mandatory DPO appointment and annual DPIAs. It also requires independent data audits and carries enhanced penalties up to Rs 150 crore under Section 33(2)(c) of the DPDP Act.
Key Takeaways
- Every BFSI outbound call on a 160 series number involves the processing of personal data. The DPDP Act, 2023 applies independently of TCCCPR obligations. Both regimes must be satisfied simultaneously.
- The lawful basis under the DPDP Act varies by call type. OTP and transaction-confirmation calls can rely on contractual necessity. EMI reminders, collection calls, and service calls outside the 30-minute window require specific, granular consent under Section 6 of the DPDP Act.
- Call recordings and CDRs are personal data. They require encryption, access controls, a documented retention period, a deletion workflow, and a breach notification protocol under the DPDP Rules, 2025.
- The BFSI entity remains the Data Fiduciary when a BPO or recovery agent makes the call. Vendor contracts must include purpose-limitation clauses, audit rights, and certified deletion on contract termination.
- Penalties under TRAI and the DPDP Act stack independently. A non-compliant calling campaign can attract a TRAI blacklist, a Rs 10,00,000 per-instance TCCCPR disincentive, and a DPDP Act penalty up to Rs 250 crore, all arising from the same conduct.
- Most large BFSI entities will likely receive Significant Data Fiduciary designation. This brings DPO appointment, annual DPIA, independent audit, and enhanced SDF penalty exposure on top of standard DPDP obligations.
- A unified consent architecture that satisfies both the DCA framework on the DLT platform and the DPDP Act’s specificity requirements is the most important infrastructure investment a BFSI outbound calling programme can make in 2026.
Compliance Disclaimer
Disclaimer: This article is published for informational purposes only and represents FreJun’s understanding of the relevant legal and regulatory position based on its own independent research and interpretation of publicly available materials. It should not be construed as legal advice, legal opinion, or regulatory guidance. Readers are encouraged to seek independent legal counsel before taking any action based on the information herein. Consulting the appropriate regulatory authorities is also advisable. Reasonable efforts have been made to ensure accuracy and completeness. However, laws, regulations, interpretations, and enforcement positions may evolve or vary based on specific facts and circumstances. FreJun does not warrant that the contents are free from inaccuracies, omissions, or inadvertent errors. FreJun shall not be responsible or liable for any misinformation or reliance placed upon the contents of this article.
References and Sources
- DoT Press Release, 30 May 2024 (PRID 2022249): pib.gov.in
- TRAI Direction, 19 Nov 2025 (PRID 2191647): pib.gov.in
- TRAI Direction, 16 Dec 2025 (PRID 2205350): pib.gov.in
- TCCCPR Second Amendment, 12 Feb 2025: trai.gov.in (PDF)
- Digital Personal Data Protection Act, 2023: meity.gov.in
- DPDP Rules, 2025 (notified 13 Nov 2025): pib.gov.in (PDF)
- RBI Master Direction on Outsourcing of IT Services, 10 Apr 2023: rbi.org.in
- Mondaq: TRAI 1600 Series Mandate, DPDP Crossover: mondaq.com
- FreJun BFSI Communication Compliance Guide 2026: frejun.com
- FreJun TCCCPR 2018 Compliance Guide: frejun.com
- FreJun 160 Series vs 140 Series: frejun.com
