The Digital Personal Data Protection Act, 2023 ("DPDP") stands as a cornerstone of legislative reform, crafted to govern the processing of personal data within India, striking a delicate balance between safeguarding the rights of individuals and permitting the lawful use of data for specific, legitimate purposes. At the heart of this statute lies a fundamental principle—the necessity of obtaining explicit consent from the data principal (the individual) prior to the processing of their personal data. Yet, the DPDP is not without its nuances as it carves out exceptions to this consent requirement, as provided in Section 7.


One such exemption, as mentioned in the paragraph above, is available to employers when collecting the personal data of employees. It is to be noted that Section 2(d) of the DPDP permits the processing of personal data for lawful purposes, while Section 4(1) further refines this by introducing: (i) personal data processing after having obtained the consent of the data principal; OR (ii) personal data processing for “legitimate use”. This exemption of “legitimate use” lies at the heart of employment-related data collection, a domain where personal information is regularly collected for essential functions such as payroll processing, background verifications, and performance evaluations. To put it succinctly, Section 7(i) of the DPDP clarifies that personal data can be processed without consent for the following purposes:


  • For the purposes of employment;
  • To safeguard the employer from loss or liability, such as protecting intellectual property or preventing corporate espionage; and
  • To provide services or benefits sought by the employee.


Notably, Section 7(i) of the DPDP explicitly lists “employment purposes” as one of the legitimate uses, thereby allowing employers to process employee data without seeking explicit consent from the data principal, provided such processing aligns with the stipulated legal framework.


It is imperative to mention at this stage that, while the requirement for explicit consent may be waived under Section 7(i), this does not grant employers the freedom to handle employee data without restriction. On the contrary, employers remain tethered to a series of critical responsibilities, ensuring that personal data is (i) processed within the confines of a legitimate contract, (ii) protected by appropriate security measures, and (iii) retained only for the duration necessary to fulfil its intended purpose. In addition, and in line with the principle of “purpose limitation”, employers must ensure that the employee’s personal data is not used for purposes that may not be considered related to employment, and that it is not sold to third parties. These safeguards are not mere formalities, as they are crucial in ensuring that personal data is handled with care, respect, and accountability.


While the DPDP directly and indirectly provides the abovementioned clarity on legitimate use in the context of employee’s personal data, it remains unclear on several other aspects such as:


(a)   Pre-employment data processing: One significant gap in the DPDP is its silence on whether pre-employment activities such as shortlisting, interviews, or background checks fall under “purposes of employment.” While DPDP addresses data processing for employment-related purposes, it does not explicitly cover data collection during the recruitment phase. This leaves ambiguity about whether consent is to be obtained for processing of personal data collected for evaluating candidates. Employers may face challenges in determining if they need explicit consent or can rely on personal data processing based on the legitimate use exemption for processing pre-employment data. Clearer guidelines are essential to ensure compliance during the recruitment process, which could be provided through formal rules, detailed guidelines, or FAQs specifically addressing this matter. 


(b)    Post employment data processing: Section 7 (i) of the DPDP states that “A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely: — for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.” 


A reading of the above demonstrates that the DPDP provides no guidance on whether personal data retained after an employee leaves the organization can still be considered as processed for employment-related purposes. In fact, the DPDP uses phrases like “purposes of employment” or “safeguarding the employer”, which convey that once the employment relationship ends, any data processing by the employer cannot be for the "purposes of employment," as the relationship has been terminated. Similarly, it cannot be for "safeguarding the employer," as the employer-employee relationship no longer exists. Therefore, based on this reading, it seems that the employer is only permitted to process personal data of the employee as long as the employment relationship is active, and not beyond that point.


While it may be argued that employers might retain such data for future background checks or potential re-employment, the DPDP's second key criterion—safeguarding the interest of the employer—becomes irrelevant once the individual is no longer employed. In the absence of clear provisions, employers may face difficulty justifying the retention of a former employee's personal data. Furthermore, individuals who have left the organization may seek the deletion of their personal data, as they no longer fall under the scope of employee protections and the employer cannot continue to retain such data without an active consent. 


To address these concerns, the legislature should provide greater regulatory clarity on post-employment data retention, such as outlining the circumstances under which data may be retained for legal compliance, dispute resolution, or other justifiable purposes. It would also be useful for employers to implement a clear personal data retention policy that defines how long personal data is kept after an employee leaves, ensuring that data is erased or anonymized when no longer needed. Additionally, employers may incorporate provisions in their employment agreements for obtaining the employee’s consent to the retention of their personal data after the termination of their employment, which would nicely balance the ex-employee’s privacy needs against the employer’s interest.


(c)   Contractual hires: In addition to the above, the use of terms like “employment” or “employee” implies that this exemption is available only to “employees” and not to contractual hires, agents, or personnel on secondment (“Non-Permanent Staff”). This raises significant compliance-related concerns, as companies generally use a set procedure for hiring both employees and Non-Permanent Staff. To mitigate compliance risks, employers will have to ensure that they develop tailored Standard Operating Procedures (“SOPs”) for these situations. Such SOPs should specify:


  • That, amongst employees and Non-Permanent Staff, only employees are covered by the “legitimate use” exemption.
  • Data processing practices for contractual hires and seconded employees.
  • Data retention and erasure policies for temporary personnel.


An SOP will help employers manage data processing while ensuring compliance with the DPDP’s provisions.


(d)  Employee rights under the DPDP: The DPDP recognizes an individual’s rights and grants them several protections, such as the right to request the correction, erasure, or updation of their personal data. It is important to note here that, though Section 7(i) of the DPDP permits processing of an employee’s personal data without obtaining consent, it does not clarify which is to prevail where the employer’s right to process data on the basis of legitimate use conflicts with the individual’s rights to correction, erasure, or updation of their personal data. Consequently, it is entirely possible that an employer who wants to process the personal data of an employee may be unable to do so because the employee has already sought deletion of such personal data. In such cases, the employer’s interest may not be safeguarded as is intended under the DPDP. Alternatively, the employer may arbitrarily reject the employee’s request for correction, erasure, or updation of personal data, citing the employer’s interest and the legitimate use exemption. In such cases, employers must balance these competing interests and comply with the proportionality principle, ensuring that data processing is necessary and limited to the specified purpose.


In conclusion, while the DPDP makes strides in regulating employee data processing, it leaves several ambiguities, particularly regarding pre-employment data collection, post-employment retention, and the application of the "legitimate use" exemption for non-permanent staff. The DPDP also lacks clear guidance on balancing employer interests with employees' rights to correct or delete their personal data. To address these gaps, clearer regulations and tailored policies are needed, ensuring data is processed and retained only when necessary and in compliance with privacy rights. A well-defined approach will help both employers and employees navigate the complexities of data protection under the DPDP, and will help employers ensure compliance with the mandates under the DPDP.