Collecting only the personal data that is strictly necessary and adequate for the stated processing purpose.
Data minimisation requires Data Fiduciaries to collect only the minimum personal data necessary to fulfil the stated purpose. You must not collect data "just in case" or for potential future use without a current, specific purpose. This principle applies at the point of collection and throughout the data lifecycle — if data is no longer needed for its stated purpose, it must be erased. Rules 2025 reinforce this with security safeguard requirements proportionate to data volume.
Every additional data field you collect increases your compliance burden, breach exposure, and penalty risk. Collecting only what you need reduces storage costs, simplifies compliance, and limits damage in case of a breach.
A Gurugram food delivery app requesting Aadhaar number, date of birth, and marital status for a simple food order violates data minimisation. Only name, delivery address, phone number, and payment details are necessary for that purpose.
Collecting optional fields "for a better experience" still requires a stated purpose and consent. If you cannot articulate why you need a field, you should not collect it.