AMLEGALS
Employee Data Privacy for GCCs Under the DPDPA

From biometrics to background checks — every piece of employee personal data processed by a GCC is now subject to statutory obligation.

1.9 million professionals across 2,100+ centres. Every GCC employee's data is now a compliance obligation.

GCCs are among India's largest employers of knowledge workers — Accenture alone employs over 300,000 in India, Microsoft over 20,000, Amazon over 100,000 across its GCC and operations. They process an extraordinary breadth of employee personal data: recruitment records, identity documents, biometric attendance, CCTV surveillance, health insurance data, performance appraisals, compensation details, and increasingly, productivity monitoring analytics. The DPDPA applies to all of this. Section 4 defines processing broadly to encompass collection, storage, use, sharing, and erasure. Every data point requires a lawful basis. Every processing activity must be documented.

1.9M+: GCC Employees in India
Section 4: Processing Definition
Section 7: Legitimate Uses
Rule 8: Grievance Mechanism

01

Why Employee Data Is the GCC's Most Complex Compliance Challenge

The volume, variety, and sensitivity of employee data processed by GCCs creates a compliance surface that exceeds most customer-facing operations.

Consider the data lifecycle of a single GCC employee. Recruitment generates application data, interview assessments, background verification reports, and reference checks. Onboarding produces identity documents, bank details, emergency contacts, and biometric enrollment. Employment generates attendance records, access logs, CCTV footage, email metadata, productivity metrics, health insurance claims, and performance reviews. Offboarding requires secure deletion, experience letter generation, and PF/gratuity settlement data.

The lawful basis question is particularly complex for employee data. Section 6 consent is problematic in employment contexts — the power asymmetry between employer and employee raises questions about whether consent can truly be "free." Section 7 provides "legitimate uses" including employment purpose, but its scope is narrower than GDPR's legitimate interest. GCCs must carefully evaluate which processing activities can rely on Section 7 and which require explicit Section 6 consent.

Cross-border transfer of employee data adds another layer. GCCs routinely share employee data with global HR systems — Workday, SAP SuccessFactors, Oracle HCM — hosted outside India. Each transfer must comply with Section 16. Employee biometric data, health records, and compensation data transferred to headquarters in the US or Europe require specific contractual safeguards and documented transfer assessments.

02

Employee Data Compliance Architecture

Six pillars of employee data governance that every GCC must implement under the DPDPA.

Section 6 + Section 7

Lawful Basis Mapping

Map every category of employee data to its lawful basis — consent under Section 6 for non-essential processing (e.g., marketing photographs), legitimate use under Section 7 for employment-related processing (e.g., payroll, statutory compliance). Document the rationale for each categorisation.

Section 5 | Rule 3

Employee Privacy Notice

Issue a comprehensive privacy notice to every employee before or at the time of collecting personal data. The notice must identify the Data Fiduciary, itemise personal data collected, state each processing purpose, and explain rights of withdrawal and grievance.

Section 4 | Rule 6

Biometric & CCTV Governance

Biometric attendance systems and CCTV surveillance generate sensitive personal data. Implement specific policies for collection, retention, access control, and deletion. Ensure biometric data is encrypted and stored with limited access.

Section 6 | Consent

Monitoring & Productivity Analytics

Employee monitoring tools — email scanning, screen capture, keystroke logging, productivity scoring — require careful consent architecture. Passive monitoring may require explicit consent beyond the employment contract.

Section 16 | Transfer

Global HR System Transfers

Employee data transferred to global HR platforms (Workday, SAP, Oracle) hosted outside India must comply with cross-border transfer requirements. Implement DPAs with platform providers and document transfer necessity.

Section 8(7) | Erasure

Exit & Retention Protocol

When an employee exits, the GCC must erase personal data that is no longer necessary for the purpose for which it was collected. Statutory retention requirements (PF, tax, labour laws) must be mapped and documented as exceptions.

03

The Consent-vs-Legitimate-Use Dilemma in Employment

GCCs must navigate the narrow corridor between Section 6 consent and Section 7 legitimate use — and document every decision.

Section 7 permits processing without consent for certain "legitimate uses" including processing necessary for employment. However, the scope of "employment purpose" under Section 7(a) is not defined with the breadth of GDPR's legitimate interest. Productivity monitoring, workplace culture surveys, diversity analytics, and wellness programme data may fall outside the strict employment necessity test. GCCs must conduct a granular assessment of each processing activity and maintain a documented register of lawful basis determinations. Where Section 7 does not apply, Section 6 consent must be obtained — and it must be demonstrably free, given the employment power dynamic.

Employee Data Inventory: Complete catalogue of all employee personal data categories with processing purposes
Lawful Basis Register: Section 6 vs Section 7 determination for every processing activity with documented rationale
Employee Privacy Notice: DPDPA-compliant notice issued to all employees with acknowledgment records
Biometric Data Policy: Specific governance framework for fingerprint, facial recognition, and iris data
Monitoring Disclosure: Transparent disclosure of all employee monitoring tools with consent where required
Retention & Erasure Schedule: Mapped retention periods for each data category with statutory exceptions documented

A GCC with 10,000 employees processes more personal data in its HR systems than most consumer-facing applications. The exposure is not theoretical — it is operational, immediate, and auditable.

— AMLEGALS GCC Privacy Practice

04

Frequently Asked Questions

Key questions on GCC employee data compliance under the DPDPA.

The DPDPA requires consent to be free, specific, informed, and unambiguous. An employment contract clause purporting to provide blanket consent for all data processing is unlikely to satisfy these requirements. GCCs should use Section 7 legitimate use for employment-essential processing and obtain separate, specific consent for non-essential activities.

While the DPDPA does not create a separate category for "sensitive personal data" like the IT Act 2000, biometric data carries elevated risk. Rule 6 mandates reasonable security safeguards proportionate to the sensitivity of data processed. Biometric data requires encryption, access restrictions, and limited retention.

This constitutes a cross-border transfer under Section 16 and processing for a purpose (analytics) that may exceed the original collection purpose. The GCC must evaluate whether this requires fresh consent, implement appropriate DPAs, and document the transfer assessment.

Employees, as Data Principals, have the right to access information about processing (Section 11), seek correction and erasure (Section 12), nominate a representative (Section 14), and file complaints with the Data Protection Board (Section 13). GCCs must establish accessible grievance mechanisms under Rule 8.

Engagement

Build Your GCC's Employee Data Governance Framework

Our engagement maps the complete employee data lifecycle, determines lawful basis for every processing activity, and builds operational compliance architecture.

Employee Data Lifecycle Mapping
Lawful Basis Register (Section 6/7 Determination)
DPDPA Employee Privacy Notice Drafting
Biometric & CCTV Governance Policy
Global HR System Transfer Assessment
Employee Grievance Mechanism Design