Introduction
The Digital Personal Data Protection Act 2023 (DPDP Act) makes consent the default prerequisite for processing an individual's personal data. A natural question follows: if the Data Principal has not given prior consent, can an organisation process their personal data at all? The answer is 'yes', in defined circumstances. Section 4 of the Act provides that a person may process the personal data of a Data Principal only in accordance with the provisions of the Act and for a lawful purpose, (a) for which the Data Principal has given her consent, or (b) for certain legitimate uses. 'Certain legitimate uses' is therefore the second lawful ground for processing personal data under the DPDP Act, alongside consent.
Furthermore, the Ministry of Electronics and Information Technology (MeitY) has recently released the draft Digital Personal Data Protection Rules 2025 (DPDP Rules/Draft Rules) for public consultation. The draft Rules give additional guidance on this ground, setting out the standards that must be followed when personal data is processed under it and elaborating on the technical and organisational measures required for compliance. In this blog, we discuss what the DPDP Act and the draft DPDP Rules say about certain legitimate uses as a ground for processing, and what measures an organisation must have in place before it processes personal data on this basis.
Reading of Draft DPDP Rules 2025
‘Certain Legitimate Uses’ as per the DPDP Act, 2023
Section 7 of the DPDP Act lists the grounds on which a Data Fiduciary can process the personal data of a Data Principal without obtaining prior consent. Under Section 7(a), where a Data Principal has voluntarily provided her personal data to a Data Fiduciary for a specified purpose, and has not indicated that she does not consent to its use, the Data Fiduciary may process that data for that purpose as a certain legitimate use. The Act itself provides the following illustrations for clarity.
For instance, if a customer gives a pharmacy her phone number in order to receive a receipt for her payment, the pharmacy may process that number to send the receipt, because this is a certain legitimate use. Similarly, when someone shares personal data with a real estate broker who is looking for rented accommodation on her behalf, the broker may process that data to identify and communicate suitable options. If the person subsequently informs the broker that she no longer wishes to receive such information, however, the broker must cease processing her data. Processing that continues after the Data Principal has indicated that she does not consent no longer falls within the certain legitimate uses ground, and the organisation may be held liable for unauthorised processing of personal data.
Furthermore, Section 7(b) allows the State and any of its instrumentalities to process personal data in order to provide or issue to the Data Principal a subsidy, benefit, service, certificate, licence or permit. This applies in two situations: where the individual has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit; or where such personal data is already available, in digital form or in non-digital form and subsequently digitised, in any database, register, book or other document that is maintained by the State or any of its instrumentalities and notified by the Central Government. In the second case, the processing must follow the standards laid down in the Central Government's policy or in any law in force for the governance of personal data.
Section 7(c) permits the State and any of its instrumentalities to process personal data for the performance of any function under any law for the time being in force in India, or in the interest of the sovereignty and integrity of India or the security of the State. Section 7(d) permits processing by any person in order to fulfil an obligation under Indian law to disclose information to the State or any of its instrumentalities, provided that the processing complies with the provisions of any other law governing the disclosure of that information. Section 7(e) covers situations where processing is necessary for compliance with any judgment, decree or order issued under any law for the time being in force in India, or with any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.
The certain legitimate uses provisions also cover emergencies. Section 7(f) allows processing in order to respond to a medical emergency involving a threat to the life, or an immediate threat to the health, of the Data Principal or any other individual. Section 7(g) permits processing in order to provide medical treatment or health services to any individual during an epidemic, an outbreak of disease or any other threat to public health. Section 7(h) allows processing in order to ensure the safety of, or to provide assistance or services to, any individual during a disaster or a breakdown of public order.
Lastly, Section 7(i) permits processing for the purposes of employment, or for purposes related to safeguarding the employer from loss or liability. This includes preventing corporate espionage, maintaining the confidentiality of trade secrets, intellectual property and classified information, and providing any service to, or benefit sought by, a Data Principal who is an employee. Taken together, these provisions define specific instances in which personal data can be processed without prior consent, so that practical governance and operational needs can be met without abandoning the rights of the individual.
Draft DPDP Rules, 2025 on ‘Certain Legitimate Uses’
Rule 5 of the draft DPDP Rules elaborates on certain legitimate uses as a ground for processing, specifically for the State. It provides that the State and its instrumentalities may process the personal data of a Data Principal under Section 7(b) of the Act for the purpose of providing or issuing any subsidy, benefit, service, certificate, licence or permit, as long as it is provided or issued under law or policy, or using public funds. Rule 5(2) then specifies that such processing shall follow the standards set out in the Second Schedule of the draft DPDP Rules, which lists the technical and organisational measures that must be applied so that the personal data is processed lawfully and responsibly.
The standards in the Second Schedule require that personal data be processed in a lawful manner, that the processing be limited to the purposes referred to in Section 7(b) of the DPDP Act, and that it be further limited to such personal data as is necessary for those uses or for achieving those purposes.
The Schedule further requires several safeguards during processing. Reasonable efforts must be made to ensure the accuracy of the personal data being processed. Personal data may be retained only for as long as is necessary to fulfil the purpose for which it was collected, or to comply with any applicable law. Reasonable security safeguards must be implemented to prevent a personal data breach, and these safeguards must extend to any processing undertaken on the State's behalf by a Data Processor.
Furthermore, where processing is carried out under Section 7(b) of the Act, the Data Principal must be given an intimation of the processing of her personal data. That intimation must identify a contact person who can answer questions about the processing, and must explain how the Data Principal can access the website or app of the entity concerned, or use any other available means, to exercise her rights under the Act. The processing must also comply with any further standards set by the Central Government or under any applicable law.
Finally, the Second Schedule places accountability on the person or entity that determines the purpose and means of processing the personal data. That person or entity is responsible for ensuring that all the standards above are actually met. Taken together, Rule 5 and the Second Schedule create a framework under which the State and its instrumentalities can process personal data for the delivery of public benefits and services, while the processing remains transparent, secure and respectful of the rights of the Data Principal.
Best Practices for Organizations
The DPDP Act and the draft DPDP Rules allow Data Fiduciaries, and in particular the State and its instrumentalities, to process personal data without prior consent under "certain legitimate uses", for example to issue subsidies, benefits or services that are provided under law or policy or using public funds. This preserves the government's ability to carry out essential functions such as public service delivery, public health responses and national security, while protecting individual privacy rights.
However, the following measures must be in place before relying on "certain legitimate uses":
- Any processing under these legitimate uses must be lawful, limited to the data necessary for the purpose (data minimisation), and protected by reasonable security safeguards against misuse and breach, including where a Data Processor is involved.
- Organisations must follow the specific standards set out in the Second Schedule of the draft DPDP Rules, including accuracy and retention limits, so that data is handled responsibly and securely.
- Transparency is equally important: Data Principals must be informed of the processing, given a contact person for queries, and given the means to exercise their rights under the Act.
Therefore, businesses and State entities can process personal data for legitimate purposes without prior consent, but only on the grounds specified in Section 7 and only with these compliance measures in place to safeguard privacy and security. Relying on this ground does not relax the Act's other obligations; it replaces consent as the legal basis while the duties of minimisation, security, accuracy, retention and transparency continue to apply.
Conclusion:
The DPDP Act and the draft DPDP Rules together strike a structured balance: they empower organisations, the State and its instrumentalities to process personal data for essential public purposes, while upholding individual privacy rights. By specifying the grounds for processing without prior consent and the safeguards that must accompany it, they ensure that personal data is handled lawfully and securely. Organisations must rigorously apply these data protection standards, with transparency and accountability at every step. This approach not only supports the efficient delivery of public services but also reinforces trust, ensuring that personal data is processed responsibly and with respect for the rights of the Data Principal.
Tsaaro Consulting, in collaboration with PSA Legal Counsellors and the Advertising Standards Council of India, has authored a whitepaper titled 'Navigating Cookies: Recalibrating Your Cookie Strategy in Light of the DPDPA'. Readers who want to learn more about cookie consent management can refer to that whitepaper.