Legal Suvidha

Data retention policies in e-invoicing

Data retention policies in e-invoicing must cover the original invoice JSON, the IRP-signed payload, IRN, QR code, cancellations and linked e-way bills. In India, Section 35 of the CGST Act requires retention for at least 72 months from the annual return due date, the Income-tax Act expects six assessment years, and the Companies Act eight financial years. The Digital Personal Data Protection Act, 2023 adds purpose limitation, security and data-principal rights requirements on top.

Mayank Wadhera
Published: 28 Jun 2023
Updated: 16 May 2026

Build a 2026-ready data retention policy for GST e-invoicing in India that aligns with CGST, income-tax, Companies Act and DPDP obligations.

E-invoicing in India has created a structured digital trail that is now indispensable for GST compliance, audit and dispute defence. With the Digital Personal Data Protection Act, 2023 fully operational and CBIC continuing to fine-tune e-invoice rules in 2026, every Indian business must move from ad-hoc storage to a documented data retention policy. This guide sets out the legal baseline, practical options and pitfalls.

What e-invoice data actually consists of

  • The original invoice JSON pushed to the Invoice Registration Portal.
  • The signed JSON and IRN returned by the IRP, including the QR payload.
  • Cancellation and credit/debit note linkages.
  • E-way bill data derived from or linked to the invoice.
  • Underlying purchase orders, contracts and proof of supply.

Statutory retention timelines

Section 35 of the CGST Act requires every registered person to retain GST records — which include e-invoice data — for at least 72 months from the due date of the relevant annual return. The Income-tax Act expects six assessment years, the Companies Act, 2013 requires eight financial years of books, and the Information Technology Act, 2000 imposes additional standards on electronic records. Disputes or appeals extend retention to one year after the final order.

DPDP Act overlay

Where invoices carry personal data of customers — proprietors, partners, individuals — the DPDP Act, 2023 and its 2025 rules apply. Retention must align to a documented purpose, be limited to what is needed for that purpose, and be secured through reasonable safeguards. Data principal rights of correction and erasure must be operationalised, subject to overriding statutory retention requirements.

Designing a defensible retention policy

  1. Map every type of e-invoice artefact to the longest applicable statute (usually GST 72 months).
  2. Document a clear lawful basis and purpose for retention under the DPDP Act.
  3. Tier storage: hot for the current and previous financial year, warm for the next two, cold archive thereafter.
  4. Use write-once-read-many storage for archived JSON and signed payloads.
  5. Define a destruction protocol that produces an evidentiary destruction certificate.
  6. Review the policy annually and on every relevant CBIC or MeitY notification.

Common pitfalls

Frequent gaps include retaining ERP records but not the signed IRP JSON, deleting cancelled invoices before the audit window closes, and storing e-invoice exports in personal email or unmanaged drives. Pay equal attention to vendor copies — buyers often need supplier IRNs for input tax credit defence, especially where the supplier has since become inactive.

Operationalising the retention policy

A policy on paper is only as good as the day-to-day workflow that enforces it. Map each business process — invoice generation, IRN submission, GSTR filing, credit-note issue, refund application — to specific retention rules. Automate moves between hot, warm and cold storage tiers, and ensure the destruction protocol cannot be triggered without a documented authorisation and a destruction certificate.
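An added sketch (not code from the original article) of how the tiering rule, the 72-month GST floor with dispute extension, and the gated destruction step described above could be enforced in software. All function and field names are hypothetical, and the annual-return due date and sample record are constructed inputs.

```python
import hashlib
from datetime import date

def fy_start_year(d: date) -> int:
    """Indian financial year runs 1 April to 31 March; return its starting year."""
    return d.year if d.month >= 4 else d.year - 1

def add_months(d: date, months: int) -> date:
    y, m = divmod(d.year * 12 + (d.month - 1) + months, 12)
    for day in (d.day, 30, 29, 28):          # clamp the day for shorter months
        try:
            return date(y, m + 1, day)
        except ValueError:
            continue

def storage_tier(invoice_date: date, today: date) -> str:
    """Hot: current and previous FY; warm: the next two; cold: older."""
    age = fy_start_year(today) - fy_start_year(invoice_date)
    return "hot" if age <= 1 else "warm" if age <= 3 else "cold"

def retention_end(annual_return_due: date, dispute_open=False, final_order=None):
    """Last day of mandatory retention; None means an open dispute (hold)."""
    if dispute_open:
        return None
    end = add_months(annual_return_due, 72)              # GST 72-month floor
    if final_order is not None:                          # one year after final order
        end = max(end, add_months(final_order, 12))
    return end

def request_destruction(record: dict, today: date, authorisation_id=None):
    """Return (True, certificate) only when retention has lapsed AND the
    request carries a documented authorisation; otherwise (False, reason)."""
    end = retention_end(record["annual_return_due"],
                        record.get("dispute_open", False),
                        record.get("final_order"))
    if end is None or today <= end:
        return False, "statutory retention or dispute hold still applies"
    if not authorisation_id:
        return False, "no documented authorisation"
    certificate = {                                      # evidentiary record
        "irn": record["irn"],
        "payload_sha256": hashlib.sha256(record["signed_json"]).hexdigest(),
        "retention_ended": end.isoformat(),
        "destroyed_on": today.isoformat(),
        "authorisation_id": authorisation_id,
    }
    return True, certificate

# Constructed sample record (placeholder IRN and payload, not real data).
SAMPLE = {"irn": "IRN-PLACEHOLDER", "signed_json": b'{"constructed": true}',
          "annual_return_due": date(2021, 12, 31)}
```

The certificate stores a hash of the signed payload rather than the payload itself, so it can be kept after destruction without retaining the personal data it described.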

Train finance, tax and IT teams on the policy, with a refresher each year and an additional briefing whenever the policy changes. Conduct an annual records audit to confirm samples are retrievable, legible and complete; this annual confidence-check is also useful evidence in the event of a regulatory inspection.

Cross-border and group structures

Many Indian groups have entities in multiple states and jurisdictions sharing e-invoice flows. Where data crosses borders — for example, a shared service centre in a different country accessing Indian invoices — the DPDP Act and any sectoral guidance on data localisation may apply. Document the cross-border flows, the lawful basis and the safeguards, and review them whenever the global footprint changes.

Stress-testing the policy

Test the retention policy under simulated stress — a regulator demanding three-year-old e-invoice JSONs for a specific GSTIN, a partner raising a dispute on a transaction five years ago, or a ransomware event affecting recent data. If the team cannot produce evidence quickly in each scenario, the policy needs refinement. Conduct such tests annually and document the outcomes for future audits.

Tested, demonstrably operational retention practice is a strong defence in any regulatory or contractual proceeding.

Crucially, the retention policy is a living document. Schedule an annual review, tie it to relevant CBIC, CBDT, MCA and MeitY notifications, and brief stakeholders on every material change. Indian businesses that treat retention as a continuous governance activity rather than a one-time exercise emerge stronger across tax disputes, regulator inspections and data-protection scrutiny — at meaningfully lower long-term cost.

Conclusion

A documented, DPDP-aligned data retention policy for e-invoicing protects against tax disputes, regulator notices and data-protection penalties simultaneously. For Indian businesses in 2026, it is no longer optional — it is the bedrock of a trustworthy compliance posture.

Frequently Asked Questions

How long must e-invoice data be kept under GST?
At least 72 months from the due date of the relevant annual return, as required by Section 35 of the CGST Act. If a dispute, audit or appeal is pending at the end of that period, records must be kept until one year after the final order disposing of the matter.

Which e-invoice artefacts should be retained?
Retain the original JSON sent to the IRP, the signed JSON and IRN returned, the QR code payload, cancellation entries, credit and debit notes, linked e-way bills, and the underlying purchase orders or contracts that establish the genuineness of the supply.

Does the DPDP Act affect e-invoice retention?
Yes. When invoices carry personal data of individual customers or proprietors, retention must serve a documented purpose, be limited to what that purpose requires, and be secured through reasonable safeguards. Statutory retention requirements override DPDP erasure rights for the prescribed period.

Can e-invoices be stored only in the cloud?
Yes, provided the cloud storage is reliable, tamper-evident and supports legible reproduction of records throughout the retention period. Write-once-read-many archival and access logging are recommended, along with geographic redundancy and a tested disaster-recovery plan.

Mayank Wadhera
Content Reviewed By

CA | CS | CMA | Lawyer | Insolvency Professional | IBBI Valuator

"I help founders increase real business value and achieve stronger valuations | Turning messy workflows into scalable, time-saving systems"
