
Employee Data Privacy in India: What the DPDP Act Says About Employer Access

India’s data privacy landscape changed significantly when the Digital Personal Data Protection Rules, 2025 (DPDP Rules) were notified on November 13, 2025. For businesses, one of the most pressing questions is this: when can an employer process employee data without asking for consent?

The answer lies in a concept called “legitimate use” – and understanding it is now essential for every HR team, compliance officer, and business leader in India.

What Is “Legitimate Use” Under the DPDP Framework?

Under the DPDP Act, 2023, processing of digital personal data must generally be based on the individual’s consent. However, the law carves out specific situations – called legitimate uses – where consent is not required. For employers, three such situations exist:

  1. For purposes of employment
  2. To safeguard the employer from loss or liability
  3. To provide a service or benefit that the employee has asked for

These sound straightforward. But the devil is in the details.

A Small Word with Big Consequences: “Of” vs. “Related To”

Earlier drafts of India’s data protection law (the 2018 and 2019 Bills) allowed processing of employee data without consent for purposes “related to” employment. The 2022 Bill went further – it treated consent as already given if data was processed for employment purposes, and it listed examples like recruitment, termination, and attendance tracking. The final DPDP Act, however, uses the phrase “purposes of employment” – not “related to.” Legal experts have noted that this shift likely signals a tighter standard. The word “of” suggests a direct and proximate link to the employment relationship – not merely any loose connection. In plain terms: if the data processing is a core part of managing the employment relationship, it likely qualifies. If it is tangential or convenient for the employer but not truly necessary, it probably does not.

What Can Employers Actually Do Without Consent?

Permitted Without Consent

  • Salary disbursement – Processing an employee’s bank account details, tax information, and pay structure to run payroll is squarely within the “purposes of employment” ground. It is direct, necessary, and proportionate.
  • Investigating corporate espionage – If an employer has reasonable grounds to suspect data theft, leakage of trade secrets, or intellectual property violations, it can process the suspected employee’s data to investigate – without consent. The law recognises this under the “safeguard from loss or liability” ground.
  • Relocation assistance – If an employee requests help with relocation – say, travel reimbursements or temporary housing – the employer can process the personal data needed to fulfil that request. The key word: the employee asked for it.

Likely Requires Consent

  • Sharing employee data with group companies for marketing – If a parent company wants to share employee data with affiliated entities to market products or services, this is unlikely to survive scrutiny. It is not necessary for employment and is arguably disproportionate – making prior consent essential.
  • Peripheral data collection with no clear employment link – Any processing activity that is not directly connected to managing, compensating, or protecting the employment relationship may fall outside the legitimate use boundary.

DPDP At A Glance — Employee Data

  • 3 legitimate use grounds – Employers may process employee data without consent under 3 defined grounds in the DPDP Act.
  • Rules notified, November 2025 – DPDP Rules notified by MeitY on November 13, 2025, with phased implementation to follow.
  • 3 Puttaswamy test prongs – Every processing activity must satisfy: existence of law, necessity, and proportionality.
  • Default rule when in doubt – If legitimate use applicability is unclear, always fall back to the notice-and-consent framework.

Source: Digital Personal Data Protection Act, 2023 & DPDP Rules, 2025 · Analysis by Economic Laws Practice

The Constitutional Guardrail: The Puttaswamy Test

India’s Supreme Court, in the landmark Puttaswamy judgment, established that privacy is a fundamental right – but not an absolute one. Any restriction must pass a three-part test:

  1. There must be a law authorising the restriction
  2. The restriction must be necessary
  3. It must be proportionate to the objective

The DPDP Act is built on this foundation. This means that even where an employer believes it can rely on a legitimate use ground, the processing must still be necessary and proportionate – not just technically permitted. The practical implication is that employers should ask: “Is this the minimum data needed, for the minimum time, to achieve a legitimate employment purpose?” If the answer is no, they are on shaky ground.

Four Steps Every Employer Should Take Now

1. Keep Employees Informed – Draft clear employee handbooks or HR data policies that spell out what data is collected, why it is collected, who it is shared with and why. Transparency is not just good practice – it builds trust and reduces compliance risk.

2. Map and Categorise Employee Data – Create a data inventory that clearly separates data that can be processed without consent (legitimate use) from data that requires explicit consent. Without this map, you cannot manage risk effectively.

3. Limit Access Internally – Just because data can be processed without consent does not mean everyone in the organisation should have access to it. Apply role-based access controls – only those who need the data for the stated purpose should be able to see it.

4. Train Your People – HR teams, line managers, and IT personnel need to understand the boundaries. Conduct regular data governance training with specific focus on employee data handling. Awareness is your first line of defence against excessive or unlawful processing.
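Steps 2 and 3 above can be made concrete in code. The following is an added illustration, not part of the original article or of any product: a small data inventory that records, for each category of employee data, which DPDP ground it rests on (one of the three legitimate use grounds, or notice-and-consent when in doubt), the roles that need it and the stated purposes it serves, plus a decision function that applies role-based access, purpose limitation, the “employee asked for it” condition and the consent requirement, and writes every decision to an audit trail for later review. The category names, roles, purposes and employee identifiers are constructed examples.

```python
"""Hypothetical employee-data access policy check (constructed example).

Combines a data inventory (step 2) with role- and purpose-based access
control (step 3). All categories, roles, purposes and IDs are made up.
"""
from dataclasses import dataclass
from enum import Enum


class LawfulBasis(Enum):
    EMPLOYMENT = "purposes of employment"                   # legitimate use
    SAFEGUARD = "safeguard from loss or liability"          # legitimate use
    REQUESTED = "service or benefit requested by employee"  # legitimate use
    CONSENT = "notice and consent"                          # default when in doubt


@dataclass(frozen=True)
class DataCategory:
    name: str
    basis: LawfulBasis
    allowed_roles: frozenset    # only roles that need it for the stated purpose
    allowed_purposes: frozenset  # the purposes disclosed in the HR data policy


# Step 2: the inventory. Each entry is a constructed example.
INVENTORY = {
    "bank_account": DataCategory("bank_account", LawfulBasis.EMPLOYMENT,
                                 frozenset({"payroll"}), frozenset({"salary_disbursement"})),
    "access_logs": DataCategory("access_logs", LawfulBasis.SAFEGUARD,
                                frozenset({"security_investigator"}),
                                frozenset({"espionage_investigation"})),
    "home_address": DataCategory("home_address", LawfulBasis.REQUESTED,
                                 frozenset({"hr_mobility"}), frozenset({"relocation_assistance"})),
    "personal_email": DataCategory("personal_email", LawfulBasis.CONSENT,
                                   frozenset({"group_marketing"}), frozenset({"affiliate_marketing"})),
}


@dataclass(frozen=True)
class Request:
    requester_role: str
    category: str
    purpose: str
    employee_id: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def decide(req, consents, employee_requests, audit):
    """Step 3: decide one access request.

    consents: set of (employee_id, category) pairs with a recorded consent.
    employee_requests: set of (employee_id, purpose) pairs the employee asked for.
    audit: list that receives every (request, decision) pair.
    """
    cat = INVENTORY.get(req.category)
    if cat is None:
        d = Decision(False, "unknown category: deny and route via notice-and-consent")
    elif req.requester_role not in cat.allowed_roles:
        d = Decision(False, f"role {req.requester_role!r} not permitted for {cat.name!r}")
    elif req.purpose not in cat.allowed_purposes:
        d = Decision(False, f"purpose {req.purpose!r} not a stated purpose for {cat.name!r}")
    elif cat.basis is LawfulBasis.REQUESTED and (req.employee_id, req.purpose) not in employee_requests:
        d = Decision(False, f"{cat.name!r} only processable when employee {req.employee_id} asked for it")
    elif cat.basis is LawfulBasis.CONSENT and (req.employee_id, cat.name) not in consents:
        d = Decision(False, f"{cat.name!r} requires consent; none recorded for {req.employee_id}")
    else:
        d = Decision(True, f"allowed under {cat.basis.value!r}")
    audit.append((req, d))  # every decision is recorded so over-processing can be reviewed
    return d


if __name__ == "__main__":
    trail = []
    consents = {("E1", "personal_email")}
    asked = {("E1", "relocation_assistance")}
    print(decide(Request("payroll", "bank_account", "salary_disbursement", "E1"), consents, asked, trail))
    print(decide(Request("line_manager", "bank_account", "salary_disbursement", "E1"), consents, asked, trail))
    print(decide(Request("group_marketing", "personal_email", "affiliate_marketing", "E2"), consents, asked, trail))
```

The ordering of the checks matters: role and purpose are tested before the lawful basis, so a request that fails RBAC is denied even when consent exists, and a denial reason is always specific enough for the audit reviewer to see which of the four steps was not met.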

The Bottom Line for Businesses

The DPDP Act gives employers a workable framework to process employee data without consent – but it is narrower than many may assume. The shift from “related to employment” to “of employment” is a deliberate tightening of scope. The core principles to carry forward are:

  • Necessity – process only what you truly need
  • Proportionality – do not go further than the purpose demands
  • Caution – where the legitimacy of processing is unclear, default to the notice-and-consent route

India’s data protection framework is still evolving. Phased implementation means enforcement timelines are not yet fully clear. But the time to build compliant systems is now – not after a regulator comes knocking.