
Research Team (Tsaaro)

HR & DPDPA: Do you need Consent to Process Employee Data?


Introduction 

Every HR function depends on personal data. Recruitment forms, Aadhaar copies, salary bank details, attendance logs, performance reviews, medical certificates, and disciplinary records are all part of everyday employment administration. With the Digital Personal Data Protection Rules, 2025 being notified, a common question arises: does HR need employee consent to process personal data? 

The short answer is no, not in most cases. The longer answer, and the legally accurate one, lies in understanding how the DPDP Act treats employment processing, what obligations still apply, and when consent becomes unavoidable. Indian law creates a special exemption for employment-related processing, so employers generally do not need to chase consent for standard HR activities. Instead, they must rely on the “legitimate use” ground in Section 7(1)(i) of the Act. In practice, this means HR can process data if it’s reasonably tied to the job or protecting the business. However, employers still have strict duties on transparency, security, and data deletion. 


Legitimate Use versus Consent 


Under the DPDP Act, any processing of personal data must be for a “lawful purpose” and on one of the permitted legal grounds. One ground is consent (Section 4(1)(a)), but the Act explicitly creates a broad second bucket for “certain legitimate uses” (Section 4(1)(b)). Employment is specifically listed there. Section 7(1)(i) says that a data fiduciary (e.g. an employer) may process personal data “for the purposes of employment or those related to safeguarding the employer from loss or liability”, including prevention of espionage or protection of trade secrets. 

In other words, standard HR processing can rely on this employment exception rather than consent. The law recognises it would be impractical and unfair to require an employee’s free, specific, informed consent (as strictly defined in Section 6) for every payroll slip, attendance entry or security check. In real life, employees depend on their jobs, so a signature on a form often isn’t truly voluntary. Given the inherent imbalance of power in the employment relationship, scholars argue that employee consent cannot be freely given, making it an unreliable legal ground for processing personal data. This makes consent a risky basis in the workplace, which is another reason the Act provides an alternative lawful ground. But even when consent isn’t needed, purpose limitation and transparency are still required. 

What HR data processing is covered by the “employment” exception 

Practically speaking, Section 7(1)(i) covers almost every routine HR activity. Examples include: 

  • Recruitment and onboarding: Collecting resumes, identity proofs, background-check information, education and criminal record verifications. 

  • Payroll and benefits: Processing bank account details, tax forms, provident fund or insurance data to pay salary and maintain compliance. 

  • Attendance and leave tracking: Using biometric scanners or attendance software to record working hours. 

  • Performance management: Storing performance reviews, appraisals, disciplinary records, and training data. 

  • Workplace investigations: Collecting emails, CCTV footage, or other data if there are allegations of misconduct or fraud. 

  • Security and IP protection: Monitoring for corporate espionage or enforcing NDAs by logging computer access or encrypting sensitive files. 

All the above are clearly “purposes of employment” or employer risk protection under Section 7(1)(i). If the data use has a reasonable connection to the employment relationship, consent is not required. (The DPDP Rules even list “provision of any service or benefit sought by an employee” as part of these purposes.) 

In practice, employers often lawfully rely on Section 7(1)(i) rather than asking for consent. For example, if an applicant has already submitted a resume or medical certificate voluntarily, the company can assume that covers processing for hiring and onboarding purposes. Once someone applies for a job, there is an implied permission for basic checks needed to assess and verify their application. However, this exemption is not limitless. Employers should still ask: is this data really necessary for the job or for protecting the business? If not, they may need a different basis. 

Transparency, security, and retention: safeguards still apply 

Even when consent is not needed, every use of personal data triggers DPDP’s safeguards. Employers must still treat employee data carefully: 

  • Transparency (Privacy Notice): The DPDP Act demands that data principals be informed about data collection and use. Under Section 5(1), any request for consent (or any processing) must be preceded by a notice describing the categories of data and purposes. The DPDP Rules flesh this out in detail. Rule 3 requires a clear, stand-alone notice written in plain language, explaining at least the specific types of data collected and the purpose of processing. The notice must also tell the employee how to withdraw consent or exercise rights and how to lodge a complaint with the Data Protection Board. In practice, HR should provide a privacy policy or handbook section covering how employee data is handled; even if it’s not asking for consent, it still has to be open about data use. 

  • Security safeguards: Section 8(5) of the Act obliges every data fiduciary to implement “reasonable security safeguards” to prevent breaches. In the HR context this means using access controls, encryption or masking of sensitive data (salary, health records), and monitoring access logs for unusual activity. The DPDP Rules explicitly mention measures like encrypting files, multifactor authentication, logging systems, data backups and incident response plans. Any third-party HR vendor (payroll processor, recruitment agency, etc.) must be bound by contract to enforce equivalent protections. If a breach occurs, Section 8(6) requires the employer to promptly notify the Data Protection Board and each affected employee. In short, HR data must be defended just as vigorously as any other personal data. 

  • Data minimization and retention: Under Section 8(7), a data fiduciary must erase personal data when the specific purpose is no longer being served, unless another law requires retention. The DPDP Rules further define how to determine when the purpose has ended (for example, if the employee has not engaged with the company for a prescribed period). In employment, this means an employer should not hold onto old employee records indefinitely. In practice, labor, tax and social security laws often set minimum retention periods (for example, the Income Tax Act or EPF rules may require keeping payroll records for several years). Once those legal requirements are satisfied, the company should securely delete or anonymize the data. HR must track these timelines and ensure compliance. 

  • Accountability and grievance redressal: While not unique to HR, the Act also requires a grievance mechanism and a designated officer (Section 8(9–10)) to answer employee data queries. In short, HR should have clear channels for data questions and correction requests. Example: Suppose an ex-employee requests deletion of their data. If no law requires the company to retain it, Section 8(7) says HR must erase it “as soon as it is reasonable to assume” the employment purpose is no longer served. Conversely, if tax laws say salary records must be kept for 6 more years, HR lawfully retains them for that period. 

When HR still needs consent (and special cases) 

Consent is not completely eliminated from HR data processing; it’s just not the primary basis. Employers must seek employee consent in specific situations: 

  • Beyond employment purposes: If the company wants to use employee data for anything other than core HR functions or safety, Section 7(1)(i) will not apply. For example, using employee email addresses for marketing a new product to external customers, or analyzing personal performance data for unrelated research, would not be “for the purposes of employment.” In such cases, consent is the correct legal basis. The DPDP Act reminds us that if processing goes beyond what is necessary for the employment, explicit consent is required (and it must meet the strict test of Section 6). Token consents buried in forms will not suffice. 

  • Optional programs and perks: If participation is truly voluntary (say, a wellness program, a charitable donation drive, or an employee survey on personal interests), the employer should seek consent. Again, it must be genuine. Employees should feel free to opt in or out without penalty. 

  • Children and protected adults: The Act has special rules for minors and persons with disabilities. Section 9(1) says an employer must obtain verifiable consent from a parent or legal guardian before processing the personal data of any “child” (under 18) or a disabled employee under guardianship. This means even if a teenager works part-time, their data needs parental consent. Similarly, if an employee has a guardian because a disability prevents them from consenting for themselves, the guardian’s consent is required. These protections apply irrespective of the employment context, so they are an absolute consent requirement. 

  • Statutory restrictions: Separate laws may prohibit certain data uses outright. For instance, the Aadhaar Act forbids private employers from mandating Aadhaar (biometric) authentication for attendance or employment verification. So, HR cannot bypass consent by relying on Section 7 if another law disallows the processing entirely. 

  • When external sources are used: If HR collects or buys data about employees from third parties (social media profiles, credit reports, etc.) for unrelated analysis, then consent will generally be needed, because this is not the data the employee specifically gave for employment. 

Global perspective: GDPR and employee consent 

India’s DPDP Act approach is in line with international practice. The European Union’s General Data Protection Regulation (GDPR) takes a similar view: it explicitly notes that member states can adopt special rules for processing employee data (Article 88 GDPR) because “the context of employment requires specific protection.” In line with that, data protection authorities in Europe and the UK have long cautioned that employee consent is rarely a true option. For instance, the UK Information Commissioner has pointed out that if an employer is in a position of power over a worker, obtaining genuine consent is often impossible. Instead, European employers typically rely on other lawful bases like performance of the employment contract or compliance with legal obligations. 

To illustrate, consider a recent Indian example (even though it was decided under pre-DPDP rules). In Union of India v. Dilip Kumar Rout (2025), the Supreme Court upheld a mandatory biometric attendance system for government employees. The Court found that fingerprint scanning was a rational step for discipline and efficiency and, importantly, not unconstitutional simply because employees weren’t consulted. The judgment reasoned that no one has a right to object to a security measure that does no more than verify attendance, provided it includes reasonable privacy safeguards. This mirrors what many Western rulings say: workplace monitoring for legitimate purposes does not violate privacy if it is proportionate. 

Conclusion 

Throughout all this, the key point is: No consent doesn’t mean no rules. It simply changes the legal ground. The employer must still justify the purpose, secure the data, inform the employee, and dispose of it when done. Additionally, the default is no consent needed for job-related data uses, but if you’re outside that box, using data in new ways, for optional activities, or involving special categories, HR should switch to seeking consent (meeting all the Act’s requirements for it to be valid). 

Just as GDPR and its enforcers generally discourage relying on consent in employment contexts, India’s DPDP Act builds the same principle into law. Consent is available under Section 6, but it’s explicitly not the default tool for HR processing. 

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
