All articles
HR Compliance 9 min read 20 March 2026 Primitra

HR Data Privacy Obligations Under India's DPDP Act

Employee data is in scope. Here's what HR and ops leaders need to operationalize — from offer letter to exit interview — without paralyzing the business.

One of the most persistent myths in Indian HR circles is that "employment law covers our data — the DPDP Act doesn't really apply to us." It does. Employees are data principals, and every HR system — from ATS to exit surveys — processes personal data of natural persons in India.

The good news: the Digital Personal Data Protection Act, 2023 gives HR a helpful bit of headroom. The bad news: HR leaders often over-rely on it and skip the notices, retention, and lawful-basis work.

The Section 7(i) headroom — and its limits

Section 7 of the DPDP Act defines "certain legitimate uses" for which processing is permitted without consent. Sub-clause (i) covers processing "necessary for the purposes of employment, or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, or provision of any service to, or benefit sought by, the Data Principal who is an employee".

This is broad — but not unlimited. Three important boundaries:

  1. "Necessary" is a real word. Nice-to-have employee monitoring, non-essential wellness programs, and mass engagement surveys usually do not clear the necessity bar.
  2. Sensitive processing still needs care. Health data collected for insurance is arguably necessary; the same data collected for a wellbeing dashboard is not.
  3. The notice obligation persists. Even if you rely on Section 7(i), you still owe employees a Section 5 notice describing what is processed and why.

The end-to-end HR data lifecycle

Hiring

  • Job application data. Résumés, portfolios, references. Lawful basis: consent (the candidate voluntarily provided the data — Section 7(a)). Retention: purpose-linked; typically 6–12 months post-decision for unsuccessful candidates, with an option for the candidate to consent to longer retention if you maintain a talent pool.
  • Background checks. Consent-based, with a distinct notice covering the categories of checks and the third-party vendor. This is a common enforcement risk area.
  • Assessment tools. Psychometrics, coding tests — inform candidates of the tool used and how results are handled.

Onboarding

  • Offer letter attachments. Include a Section 5 notice for employment processing. This is your best chance to establish the notice cleanly.
  • HRIS setup. Only collect what's necessary. Nominee details, blood group, and personal contact numbers are usually necessary; a photograph of the family is not.

Employment

  • Performance data. Necessary for employment; document retention (usually 3–7 years post-exit) and access controls.
  • Compensation and benefits. Sensitive; access-controlled to HR and finance. Health insurance data flows to insurers under a separate DPA.
  • Monitoring. Any monitoring that goes beyond "we log access to systems for security" — for example, keystroke logging, screen recording, or productivity scoring — needs explicit notice, and in many cases consent, plus a proportionality analysis.
  • Learning and development. Course completions, certifications. Usually straightforward.

Grievances and investigations

  • Whistleblower and grievance systems. These process highly sensitive data, often about third parties. Ensure the platform has appropriate access controls and a documented investigation-hold retention policy.

Exit

  • Exit interviews and surveys. Consent-based if you want to attribute responses; anonymised if not.
  • Final settlement. Necessary retention; usually 7 years for tax and dispute purposes.
  • Alumni programs. Consent-based, revocable, and separately opt-in.

The retention question no one wants to answer

The most audited HR question we see is: "You still have Aadhaar copies of candidates you rejected in 2021. Why?"

Rejected candidate data should be purged or anonymised on a schedule. Former employee data should be trimmed to what's legally required (tax, provident fund, gratuity records) and everything else deleted. Every HRIS has an "archived users" corner that quietly grows for a decade. Clean it.

Practical checklist for the HR leader

  1. HR data map. Every HR system, the personal data it holds, and the lawful basis for each processing activity.
  2. Rewrite the employment notice. Update the offer letter appendix and the employee handbook to include a proper Section 5 notice.
  3. Candidate notice. Add a Section 5 notice to the careers page and application flow.
  4. Retention schedule. Written retention periods for candidate, employee, and alumni data. Implement them.
  5. Monitoring inventory. Every tool that observes employee behaviour, with a proportionality note and (where required) consent.
  6. Access review. Who in HR, IT, and management can see what. Annual review.
  7. Rights request handling for employees. Employees have the same access, correction, and erasure rights as any data principal — with employment-context limits.
  8. Vendor DPAs. Every HRIS, ATS, payroll, benefits, background check, and engagement platform needs a DPDP-native DPA.

Common pitfalls

  • Assuming Section 7(i) is a blanket consent-free zone. It isn't; it's a specific carve-out that needs specific justification per processing activity.
  • Forgetting that employees are data principals with rights. They can (and increasingly do) file grievances and access requests.
  • Treating background checks as a vendor problem. You remain the Data Fiduciary; the check vendor is a Data Processor, and Section 8(2) makes their mistakes your problem.

If you want a template employment notice, retention schedule, and monitoring policy tailored to your workforce structure, our privacy program implementation engagement includes the full HR-track deliverables.

Get help implementing this

Turn this reading into a compliance plan.

Book a free 30-minute consultation. We'll map your DPDP Act exposure and give you a prioritized 90-day action list — no obligation.

Book a free 30-minute consultation