DPDPA Exemptions and Legitimate Uses

DPDPA does not require consent for all processing. Section 7 specifies legitimate uses permitting processing without consent, and Section 17 provides government and research exemptions. Understanding these exceptions is critical for organisations to avoid unnecessary consent collection while maintaining compliance.

Section 7(a) permits processing employee personal data for employment purposes including recruitment, attendance, performance assessment, and termination. The exemption covers employee verification, payroll processing, and benefits administration. However, excessive surveillance beyond legitimate employment purposes may exceed the exemption scope.

Section 7(b) permits processing during medical emergencies threatening life or health. Section 7(c) covers disaster response and public order maintenance. Section 7(d) addresses processing by government for subsidies, benefits, and services. These exemptions prioritise urgent public interest over individual consent requirements.

Processing for compliance with judicial orders, court judgments, and legal proceedings is exempt under Section 7(e). This covers litigation discovery, regulatory investigations, and enforcement actions. The exemption extends to processing necessary for establishing, exercising, or defending legal claims.

Section 17 exempts government agencies from certain provisions for sovereignty, security, public order, and friendly relations with foreign states. Research exemptions may apply where data is processed solely for statistical or research purposes with appropriate safeguards. These exemptions are narrowly interpreted and strictly limited.