Government Sector — DPDPA Compliance

DPDPA for Government Contractors & Public Procurement

Q: How does DPDPA apply to government contractors?

Government contractors processing personal data on behalf of government entities are Data Processors under DPDPA. The government entity is the Data Fiduciary, and the contractor must comply with Section 8(2) processor obligations and Rule 6 requirements. However, the contractor is also an independent Data Fiduciary for its own employee data, vendor data, and any data it collects independently. The key complexity is that Section 17 exemptions for government may not extend to private contractors performing government functions — the exemption attaches to the instrumentality of the State, not to its vendors.

Q: Does Section 17 exemption apply to government contractors?

Section 17 provides exemptions for the State and its instrumentalities for certain processing activities (national security, public order, etc.). These exemptions are narrowly construed and attach to the sovereign function, not to the entity performing it. A private contractor building a surveillance system for the government cannot claim Section 17 exemption for its own data processing — even if the government entity commissioning the system can. Contractors must maintain full DPDPA compliance for their processing activities.

Q: How should government contractors handle Aadhaar data under DPDPA?

Aadhaar data is personal data under DPDPA, and its processing is additionally governed by the Aadhaar Act 2016. Government contractors handling Aadhaar data face dual compliance: Aadhaar Act restrictions on storage, sharing, and purpose limitation, plus DPDPA's full framework of consent, security safeguards, and data principal rights. The Aadhaar Act's prohibition on storing Aadhaar numbers beyond authentication purposes creates a strict data minimisation requirement that goes beyond DPDPA's general principle.

Government contractors process citizen data at population scale — Aadhaar records, welfare beneficiary data, Smart City surveillance, defence personnel records. Section 17 exemptions do not automatically extend to private contractors performing government functions.

Section 17 ExemptionsAadhaar ActSmart CitiesDefence5 Sub-Sectors

Government IT contracts routinely require contractors to process personal data of millions of citizens. Under DPDPA, the government entity is the Data Fiduciary, but the contractor’s processor obligations under Section 8(2) are extensive and effectively non-delegable. The common assumption that government exemptions under Section 17 shield contractors is legally incorrect.

Sub-Sector Analysis

DPDPA Challenges by Government Contractor Type

IT System Integrators

Building & operating government IT systems

›Processing citizen data in government portals, databases, and applications — processor responsibilities under Section 8(2)
›Aadhaar authentication integration — dual compliance with Aadhaar Act and DPDPA
›Employee access to government data — security safeguards and access control requirements
›Section 17 exemption ambiguity — does the exemption flow through to the contractor?
›Data residency requirements for government projects — data must remain in India
›Incident response for government systems — CERT-In + DPDPA dual notification

Smart City & Urban Tech Contractors

Surveillance, traffic, utility, and citizen services

›CCTV and surveillance data from public spaces — massive personal data processing without individual consent
›IoT sensor data from smart infrastructure — when does aggregate data become personal?
›Citizen services data (water, electricity, property tax) linked to Aadhaar
›Public Wi-Fi user data — TRAI and DPDPA dual compliance
›Traffic management systems capturing vehicle registration and driver images

Defence & Security Contractors

National security, intelligence, and defence procurement

›Section 17(2)(a) national security exemption — scope and limits for contractor processing
›Personnel security clearance data processing — background verification at scale
›Biometric and access control data at defence installations
›Cross-border data restrictions for defence projects — stricter than DPDPA Section 16
›Classified data handling intersecting with personal data of employees and contractors

Healthcare & Social Sector Contractors

Public health, welfare schemes, education systems

›Ayushman Bharat beneficiary data — health insurance claims, hospital records, treatment data
›Direct Benefit Transfer (DBT) systems processing Aadhaar-linked bank details
›Mid-Day Meal and education scheme student data — children's data under Section 9
›Public Distribution System (PDS) data linked to ration cards and Aadhaar
›Immunisation and disease surveillance data — health data at population scale

E-Governance Platform Developers

Portals, apps, and digital infrastructure

›DigiLocker, UMANG, and mGov platform data processing — citizen documents at scale
›GeM (Government e-Marketplace) — seller and buyer data governance
›e-Court and legal tech platforms — litigant personal data processing
›Common Service Centre (CSC) data — rural citizen data processed by private operators
›API-based data sharing across government departments — purpose limitation enforcement

5 DPDPA Compliance Pillars for Government Contractors

Section 17 Exemption Mapping

Map every processing activity against Section 17 exemptions. Identify which activities fall within government exemptions and which require full DPDPA compliance. Exemptions are narrow, purpose-specific, and do not automatically extend to contractors.

Section 17

Aadhaar–DPDPA Dual Compliance

Aadhaar data processing requires compliance with both Aadhaar Act 2016 and DPDPA. The Aadhaar Act imposes stricter restrictions on storage and sharing. Build data governance that satisfies both statutes simultaneously.

Aadhaar Act 2016, DPDPA

Processor Obligation Framework

Government contractors are processors under Section 8(2). Build processor compliance frameworks including data processing agreements, security safeguards, breach notification to government fiduciary, and sub-processor controls.

Section 8(2), Rule 6

Citizen Data Security Architecture

Government data processing involves citizen data at population scale. Implement security safeguards proportional to the volume and sensitivity — encryption, access controls, audit trails, and incident response aligned with CERT-In requirements.

Section 8(4), CERT-In

Procurement Compliance Integration

Integrate DPDPA compliance requirements into government procurement responses (RFPs, RFIs). Build DPDPA compliance as a competitive differentiator in government tenders.

Section 8, GFR 2017

Related DPDPA Resources

Compliance Checklist

8-phase implementation

Vendor Governance

Processor obligations

Data Breach Response

Section 8(6) + Rule 7

DPDPA for AI Companies

AI in government systems

Children's Data

Education sector data

Enterprise Governance

Board-level framework

DPDPA for BFSI

Payment data in government

DPDPA Consulting

Counsel-led advisory

Government Contractor DPDPA Advisory

Government contracts create unique compliance obligations — citizen data at scale, Section 17 exemption boundaries, Aadhaar Act intersection, and defence classification overlays. AMLEGALS brings 27 years of regulatory and government practice experience to DPDPA implementation for government contractors.

Request a Confidential Briefing

Our data privacy counsel will reach out within one working day.

Insights & Answers

What practitioners and boards are asking

How does DPDPA apply to government contractors in India?

Government contractors processing citizen data on behalf of government entities are Data Processors under Section 8(2). The government entity is the Data Fiduciary, but the contractor's processor obligations are extensive and effectively non delegable. Section 17 exemptions for government do not automatically extend to private contractors. the exemption attaches to the instrumentality of the State, not its vendors. Aadhaar data processing requires dual compliance with DPDPA and the Aadhaar Act 2016. AMLEGALS advises government contractors on Section 17 exemption mapping, Aadhaar DPDPA dual compliance, and procurement integrated DPDPA frameworks.