The Legal Framework under the DPDP Act
The Digital Personal Data Protection Act, 2023 ("DPDP Act") establishes a comprehensive framework governing the processing of digital personal data in India.
A common question that arises for employers is whether consent is required to process the personal data of employees, or whether such processing may be undertaken under another lawful basis recognised by the statute.
Under the DPDP Act, "personal data" means any data about an individual who is identifiable by or in relation to such data.
The definition of "processing" is broad and includes operations such as collection, recording, storage, organisation, retrieval, use, disclosure and erasure. Consequently, virtually every activity undertaken by an employer in relation to an employee's personal information constitutes processing under the Act.
A "Data Fiduciary" is any person who determines the purpose and means of processing personal data. In the employment context, the employer acts as the Data Fiduciary. The employer may process the data directly or through a third party, known as a "Data Processor," but remains responsible for compliance with the DPDP Act and the Digital Personal Data Protection Rules ("DPDP Rules"). The individual to whom the personal data relates is referred to as the "Data Principal."
The DPDP Act permits processing of personal data only for a lawful purpose and only in two circumstances:
- where the Data Principal has given her consent, or
- where the processing falls within one of the recognised "legitimate uses" set out in the DPDP Act.
Consent as a Lawful Basis for Processing
Where a Data Fiduciary intends to rely on consent, the statutory requirements are detailed and stringent. Consent must be free, specific, informed, unconditional and unambiguous. The request for consent must be accompanied by a notice informing the Data Principal of the personal data proposed to be processed, the purpose of such processing, the right to withdraw consent, the availability of grievance redressal, and the manner in which a complaint may be made to the Data Protection Board of India.
The notice must also provide clear mechanisms through which the Data Principal may withdraw consent, exercise her rights under the Act, and lodge a complaint. These procedural safeguards make consent a structured and compliance-intensive basis for processing.
Legitimate Use in the Employment Context
Section 7 of the DPDP Act recognises certain "legitimate uses" pursuant to which personal data may be processed without obtaining consent.
Clause (a) of Section 7 of the DPDP Act states:
"(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data."
Clause (i) of Section 7 of the DPDP Act states:
"(i) for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee."
Clause (a) provides that where a Data Principal has voluntarily provided her personal data for a specified purpose and has not indicated that she does not consent to its use, processing for that specified purpose constitutes a legitimate use. This provision may be relevant to recruitment scenarios where job applicants voluntarily submit resumes and related information for the purpose of being considered for employment. Further, it can extend to situations where employees provide personal data during the course of employment for a clearly specified purpose, even if such purpose is not strictly intrinsic to core employment functions, provided the processing remains confined to that specified purpose.
More significantly, clause (i) of Section 7 permits processing "for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee."
This clause expressly recognises employment related processing as a lawful ground independent of consent. The DPDP Act and the DPDP Rules do not prescribe additional conditions or limitations restricting the scope of this legitimate use.
In my view, the expression "purposes of employment" should be interpreted broadly to encompass not only the processing of personal data of existing employees but also processing undertaken in connection with recruitment, evaluation of candidates, background verification, onboarding, payroll and tax compliance, performance management, disciplinary proceedings, internal investigations, and measures necessary to safeguard the employer from loss or liability. It would also extend to processing required for administering or providing services and benefits sought by an employee in the course of employment, such as medical insurance, car related benefits, or other employment linked facilities.
Accordingly, where processing of employees' personal data is undertaken for purposes falling within Section 7 of the DPDP Act, consent is not required. Employers are not legally obligated to obtain consent for routine employment related processing that is reasonably necessary for managing the employment relationship.
Other Compliance Obligations of the Employer
Reliance on legitimate use does not dilute the employer's broader statutory obligations. Processing must be limited to personal data that is relevant and reasonably necessary for the employment purpose. The employer must comply with transparency requirements, implement reasonable security safeguards, provide mechanisms for the exercise of Data Principal rights and grievance redressal, and adhere to applicable retention and erasure obligations under the DPDP Act and the DPDP Rules.
Any processing that goes beyond employment related purposes or involves unrelated secondary uses would require an independent lawful basis, which may include consent.
In conclusion, the DPDP Act adopts a dual framework for lawful processing, i.e., consent or legitimate use. In the employment context, the statute expressly recognises employment related processing as a legitimate use. Therefore, consent is not required for processing employees' personal data where such processing is reasonably necessary for employment purposes. However, employers must ensure that such processing remains proportionate, purpose specific and fully compliant with the overarching obligations under the DPDP Act and the DPDP Rules.
By
Rajat Jain, Advocate
Vaish Associates Advocates
Email id: rajatjain@vaishlaw.com
Mobile No. 9953887311
LinkedIn: https://www.linkedin.com/in/rajat-jain-75772398/
© 2026, Vaish Associates Advocates,
All rights reserved
Advocates, 1st & 11th Floors, Mohan Dev Building 13, Tolstoy Marg New Delhi-110001 (India).
The content of this article is intended to provide a general guide to the subject matter. Specialist professional advice should be sought about your specific circumstances. The views expressed in this article are solely of the authors of this article.