DPDP Act and Employee Data: HR Data Protection Rules
How the DPDP Act 2023 applies to employee personal data — HR obligations, consent requirements, monitoring rules, and what HR SaaS platforms must do.
- Employee personal data is fully subject to the DPDP Act — there is no blanket employment exemption.
- Section 7(b) provides a limited exemption for employment-related processing where providing notice or seeking consent is not reasonably possible, but this is narrow.
- Employers must have a lawful basis for each type of employee data processing — payroll, performance management, monitoring, and background checks all require separate justification.
- Employee monitoring (location tracking, email surveillance, productivity software) requires a particularly strong lawful basis given its intrusive nature.
- HR SaaS platforms are Data Processors under the DPDP Act and need compliant DPAs with their employer clients.
In this guide
- Does the DPDP Act Apply to Employee Data?
- The Section 7(b) Employment Exemption and Its Limits
- Lawful Bases for Common HR Processing Activities
- Employee Monitoring: Special Considerations
- Background Checks and Third-Party Verification
- Employee Data Rights Under the DPDP Act
- Obligations for HR SaaS Platforms
Does the DPDP Act Apply to Employee Data?
Yes, unambiguously. The DPDP Act 2023 applies to the processing of "personal data" — defined as any data about an identifiable individual. Employees are individuals, and employment records (name, address, salary, performance data, attendance, bank account for payroll, health information for benefits) are personal data. There is no general employment exemption in the Act comparable to what some other jurisdictions have enacted.
This is a significant departure from how many Indian companies have historically thought about privacy compliance. The SPDI Rules 2011 were primarily focused on customer data and specific sensitive data categories. The DPDP Act's broad definition of personal data brings all HR data processing within its scope, requiring organisations to establish lawful bases, privacy notices, and rights management processes for their employees as well as their customers.
Estimates suggest that India's formal employment sector involves hundreds of millions of workers across public and private sectors. The scale of employee data processing in India — from large enterprises using sophisticated HRMS platforms to small businesses managing payroll manually — makes HR compliance a major implementation challenge for the DPDP Act framework.
The Section 7(b) Employment Exemption and Its Limits
Section 7 of the DPDP Act identifies categories of "legitimate use" where processing may occur without explicit consent. Section 7(b) covers processing "for employment or safeguarding the employer from loss or liability," where it is not reasonably possible to obtain consent — for example, in a large workforce where individual consent for every HR process would be impractical.
However, Section 7(b) is a narrow exemption, not a blanket licence. It applies specifically where: (a) the processing is for an employment-related purpose, and (b) consent is not reasonably possible in the circumstances. It does not cover all processing by an employer of employee data — only employment-related processing where consent is impractical. Processing employee data for marketing, product improvement, or selling to third parties would not fall within Section 7(b).
For most routine HR processing (payroll, attendance, leave management, performance reviews), the Section 7(b) exemption provides a practical basis without requiring individual consent for each process. However, employers should document their reliance on this exemption clearly: what processing activities are covered, why consent is not reasonably possible, and what the employment nexus is. Ambiguous reliance on Section 7(b) will not withstand Board scrutiny.
Lawful Bases for Common HR Processing Activities
Payroll and benefits processing is the clearest case for the Section 7(b) employment exemption — processing salary data, bank account details, tax information, and statutory deductions is inherently employment-related and required by law (Income Tax Act, PF Act, ESI Act). Document the specific legal requirements that make this processing necessary and mandatory.
Performance management processing — ratings, reviews, goal tracking, 360-degree feedback — is also employment-related but more nuanced. The employment nexus is clear, but the use of performance data for consequential decisions (promotions, terminations) heightens the accuracy and fairness obligations. Ensure performance data is accurate, that employees have access to their own performance records, and that any automated scoring components are disclosed to employees.
Health and medical data collected for leave management, disability accommodations, or group health insurance is sensitive processing. Section 7(b) provides a basis for health data processed for employment purposes, but the more sensitive the data, the more carefully the exemption should be documented. Limit access to health data strictly to those with a need to know (typically HR only) and ensure it is not used for any purpose beyond the legitimate employment need.
Employee Monitoring: Special Considerations
Employee monitoring — including email surveillance, internet monitoring, GPS tracking of company vehicles or mobile devices, productivity software that captures screenshots or keystrokes, and biometric attendance systems — is one of the most privacy-sensitive areas of HR data processing. The DPDP Act does not explicitly address workplace monitoring, but the general principles of purpose limitation, data minimisation, and necessity apply with full force.
For any monitoring programme, establish a clear employment policy that discloses the monitoring to employees: what is monitored, how, for how long, who has access to the monitoring data, and how it may be used. Employees must be informed — this is both a DPDP Act privacy notice requirement and a basic employment law good practice under Indian labour legislation. Covert monitoring without disclosure is significantly harder to justify under the Act.
Productivity monitoring tools (software that tracks active application usage, captures screenshots, or logs keystrokes) require careful justification under the necessity test. If the same management goal can be achieved through outcome-based performance measurement rather than behavioural surveillance, the necessity test may not be satisfied for highly intrusive monitoring. Document the specific business need, the proportionality assessment, and employee disclosure before deploying monitoring tools.
Background Checks and Third-Party Verification
Pre-employment background checks involve processing personal data by both the employer and third-party verification agencies. The data processed — criminal records, employment history, educational qualifications, identity documents — is personal data subject to the DPDP Act. The employer is a Data Fiduciary; the verification agency is a Data Processor under a DPA.
Obtain candidate consent for background checks as part of the offer letter or onboarding process. Even where the Section 7(b) employment exemption might technically apply, obtaining explicit consent for background checks is best practice and avoids disputes about the scope of the exemption. The consent should specify what checks will be conducted, what data will be collected, and who the verification agency is.
Ensure background check data is used only for its stated purpose (employment decision-making), is retained only for the period necessary (typically the duration of employment plus a short period for legal claims), and is shared only with those in the hiring decision chain. Do not retain failed candidate background check data indefinitely — apply the same retention schedule as other candidate data.
Employee Data Rights Under the DPDP Act
Employees have the same DPDP Act rights as any other Data Principal: right of access (Section 11(a)), right to correction (Section 11(b)), right to erasure (Section 11(b)), and right to grievance redressal (Section 12). Employers must have processes in place to receive and respond to employee data rights requests.
The right of access gives employees the right to obtain a summary of their personal data held by their employer. This is significant in HR contexts: an employee can request their full employment file including performance records, salary history, leave records, and any notes or assessments. Prepare for this by ensuring HR records are well-organised and can be compiled for an individual employee efficiently.
The right to correction is particularly important for HR data because of its impact on employment decisions. An employee who discovers an incorrect attendance record that led to a salary deduction, or an inaccurate performance rating in their file, has the right to request correction. Employers must investigate these requests in good faith and correct inaccurate records. Establish a grievance process for HR data disputes that is separate from standard employment grievance procedures to avoid conflicts of interest.
Obligations for HR SaaS Platforms
HR SaaS platforms — HRMS, payroll software, performance management tools, applicant tracking systems — are Data Processors under the DPDP Act. They process employee personal data on behalf of employer clients (the Data Fiduciaries). This creates a specific set of obligations for HR SaaS vendors: they must have DPDP-compliant DPAs with all employer clients, implement reasonable security safeguards for HR data, assist clients in responding to employee data rights requests, and delete data upon contract termination.
HR SaaS platforms should build employee data rights management features into their products: an employer-accessible interface for pulling individual employee data exports (supporting access requests), a correction workflow, and account deletion capability with confirmed data erasure. These features are both DPDP compliance requirements and product differentiators in enterprise sales to DPDP-aware buyers.
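The following Python module is an added illustration of the three features just described (access export, correction workflow, deletion with confirmed erasure), combined with the need-to-know rule for health data and the retention schedule from the background-check section. It is not code from the article or from any HR product; the role names, data categories, retention periods and sample records are constructed assumptions, and the rights actions are written so that every one of them leaves an audit-log entry.

```python
"""Minimal employee-data rights handler for an HR platform (added example).

Everything below is constructed for illustration: the roles, categories,
retention periods and sample records are placeholders, not a real schema.
"""
from datetime import date, timedelta

# Need-to-know map: which staff roles may read each category. The employee
# acting as Data Principal ("self") always sees their own full file.
# Health data is readable by HR only; background checks by the hiring chain.
CATEGORY_ACCESS = {
    "identity": {"hr", "payroll", "manager"},
    "payroll": {"hr", "payroll"},
    "performance": {"hr", "manager"},
    "health": {"hr"},
    "background_check": {"hr", "hiring_manager"},
}

# Retention after the relationship ends. Constructed placeholder periods:
# the article only says "employment plus a short period for legal claims"
# and that failed candidates get the same schedule as other candidate data.
RETENTION_AFTER_END = {
    "employee": timedelta(days=365),
    "candidate": timedelta(days=180),
}

# Constructed sample store: subject id -> kind, end of relationship, data.
STORE = {
    "E1001": {"kind": "employee", "end_date": None, "data": {
        "identity": {"name": "A. Sample"},
        "payroll": {"bank_account_last4": "1234", "monthly_salary": 75000},
        "performance": {"rating_2024": "meets expectations"},
        "health": {"leave_category_2024": "medical"},
    }},
    "C2001": {"kind": "candidate", "end_date": date(2024, 1, 10), "data": {
        "identity": {"name": "B. Applicant"},
        "background_check": {"result": "not cleared"},
    }},
}

AUDIT_LOG = []            # every rights action appends one entry here
PENDING_CORRECTIONS = []  # correction requests awaiting HR review


def _audit(action, subject_id, actor, detail):
    AUDIT_LOG.append({"action": action, "subject": subject_id,
                      "actor": actor, "detail": detail})


def export_for_access_request(subject_id, requester):
    """Access request: compile every category the requester may see.

    "self" receives the complete file; staff roles get only the categories
    their role needs, so an export by payroll never includes health data.
    """
    data = STORE[subject_id]["data"]
    visible = {cat: dict(val) for cat, val in data.items()
               if requester == "self" or requester in CATEGORY_ACCESS.get(cat, set())}
    _audit("access", subject_id, requester, sorted(visible))
    return visible


def request_correction(subject_id, category, field_name, new_value, requester="self"):
    """Queue a correction; nothing is changed until HR reviews it."""
    req = {"id": len(PENDING_CORRECTIONS) + 1, "subject": subject_id,
           "category": category, "field": field_name, "new": new_value,
           "status": "pending"}
    PENDING_CORRECTIONS.append(req)
    _audit("correction_requested", subject_id, requester, req["id"])
    return req["id"]


def resolve_correction(request_id, reviewer, accept):
    """HR decision on a queued correction; the old value stays in the audit trail."""
    req = next(r for r in PENDING_CORRECTIONS if r["id"] == request_id)
    if accept:
        bucket = STORE[req["subject"]]["data"][req["category"]]
        old = bucket.get(req["field"])
        bucket[req["field"]] = req["new"]
        req["status"] = "accepted"
        _audit("correction_applied", req["subject"], reviewer,
               {"field": req["field"], "old": old, "new": req["new"]})
    else:
        req["status"] = "rejected"
        _audit("correction_rejected", req["subject"], reviewer, req["id"])
    return req["status"]


def retention_expired(subject_id, today):
    """True once the post-relationship retention period has fully elapsed."""
    rec = STORE[subject_id]
    if rec["end_date"] is None:
        return False  # relationship still active: retention clock not started
    return today > rec["end_date"] + RETENTION_AFTER_END[rec["kind"]]


def erase(subject_id, actor, today, reason="retention_expired"):
    """Erase every category and return a confirmation of what was removed.

    On a retention trigger the file is left alone until the period has
    passed; a Data Principal's own erasure request bypasses that check.
    """
    if reason == "retention_expired" and not retention_expired(subject_id, today):
        return None
    rec = STORE.pop(subject_id)
    confirmation = {"subject": subject_id, "erased_categories": sorted(rec["data"]),
                    "date": today.isoformat(), "confirmed": subject_id not in STORE}
    _audit("erasure", subject_id, actor, confirmation)
    return confirmation


if __name__ == "__main__":
    print(export_for_access_request("E1001", "payroll"))
    print(erase("C2001", "retention-job", date(2024, 7, 9)))
    print(AUDIT_LOG)
```

The point of the design is that the export, correction and erasure paths are the only ways HR data is read or changed, so the audit log is complete by construction, and that erasure returns a confirmation object rather than silently succeeding, which is the evidence an employer client will ask the platform for.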
Employee data held in HR systems is among the most sensitive personal data in an organisation — it includes financial data, health information, performance records, and in some cases disciplinary history. HR SaaS platforms should pursue SOC 2 Type II certification to demonstrate their security posture to employer clients. AuditPath supports HR SaaS companies in achieving SOC 2 certification while simultaneously building DPDP compliance evidence — the two programmes share significant common ground in access controls, data handling procedures, and audit trails.
Frequently Asked Questions
Do we need to update our employment contracts to address the DPDP Act?
Can employees refuse to provide personal data required for employment purposes?
Can we share employee data with our parent or group companies for HR purposes?
How should we handle employee data when an employee leaves the company?
Does the DPDP Act apply to gig workers and freelancers?