Lawful Processing
Plain English Translation
Under Section 4 of the Act, an organization cannot collect or process personal data merely because it is useful; it must establish a specific lawful basis for every processing activity. The DPDP Act recognizes only two: the Data Principal's valid consent under Section 6, or one of the "Certain Legitimate Uses" itemized in Section 7. Unlike GDPR's open-ended "legitimate interest", the Section 7 uses are an exhaustive list (for example employment purposes, medical emergencies, or data the user has voluntarily provided for a specified purpose), so there is no balancing test to fall back on. Engineers should tag every dataset with its specific lawful basis so that compliance checks and retention policies can be enforced automatically rather than by policy document alone.
Technical Implementation
Required Actions (startup)
- Create a spreadsheet inventory listing every data collection point and the lawful basis (consent, or the specific Section 7 clause) for each.
- Ensure the privacy policy clearly states each purpose for which personal data is collected.
- Keep employee data (processed under Section 7(i)) separate from customer data (normally processed under consent).
Required Actions (scaleup)
- Add a lawful-basis tag (consent ID or Section 7 clause) to the database schema of every table that holds personal data.
- Conduct periodic reviews of processing activities to confirm each still matches its tagged basis and purpose.
Required Actions (enterprise)
- Automated enforcement of lawful-processing requirements via policy-as-code, evaluated before any job or query touches personal data.
- Real-time lineage tracking linking each use of data to a specific consent ID or Section 7 clause.
- Dynamic access control based on the active status of the lawful basis, so that reads are denied once the underlying consent has been withdrawn.
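The following is an added example, written for this page rather than taken from the wiki or the Act, of what a policy-as-code gate for the enterprise actions above can look like. It assumes a per-record lawful-basis tag (either `consent` plus a consent ID, or a Section 7 clause code such as `7(a)`, `7(g)`, `7(i)`), a consent ledger that records withdrawal timestamps, and a `refused_use` flag for Section 7(a) data whose principal has indicated non-consent; the class and field names are assumptions. It covers the scaleup schema tag as well as the enterprise enforcement, lineage (the decision reason) and dynamic access control items. Sample principals and records are constructed for the demo.

```python
"""Lawful-basis gate: a policy-as-code check run before any processing of a
personal-data record tagged under DPDP Section 4. Added example, not the
wiki's code; schema, clause codes and ledger layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Section 7 clauses the gate recognises, keyed by the clause code stored in the
# tag. Only the clauses cited on this page are listed; add others as needed.
SECTION_7 = {
    "7(a)": "voluntarily provided for the specified purpose, no refusal indicated",
    "7(g)": "medical treatment or health services during an epidemic",
    "7(i)": "employment purposes / safeguarding employer from loss or liability",
}


@dataclass(frozen=True)
class ConsentRecord:
    consent_id: str
    principal_id: str
    purposes: frozenset              # purposes actually agreed to (Section 6 consent is specific)
    withdrawn_at: Optional[datetime] = None


@dataclass(frozen=True)
class Record:
    """One stored personal-data row together with its lawful-basis tag."""
    record_id: str
    principal_id: str
    basis: str                       # "consent" or a Section 7 clause code
    purpose: str                     # specified purpose the data was collected for
    consent_id: Optional[str] = None
    refused_use: bool = False        # Section 7(a): principal told us not to use the data


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str                      # doubles as the lineage entry for the audit log


class LawfulBasisGate:
    """Decides whether a record may be processed for a purpose right now."""

    def __init__(self, ledger):
        self.ledger = {c.consent_id: c for c in ledger}

    def evaluate(self, rec: Record, requested_purpose: str, now: datetime) -> Decision:
        if rec.basis == "consent":
            c = self.ledger.get(rec.consent_id) if rec.consent_id else None
            if c is None or c.principal_id != rec.principal_id:
                return Decision(False, "no consent record bound to this principal")
            if c.withdrawn_at is not None and c.withdrawn_at <= now:
                return Decision(False, f"consent {c.consent_id} withdrawn; processing must cease (Section 6(6))")
            if requested_purpose not in c.purposes:
                return Decision(False, f"purpose {requested_purpose!r} not covered by consent {c.consent_id}")
            return Decision(True, f"consent {c.consent_id} active for {requested_purpose!r}")
        if rec.basis in SECTION_7:
            if rec.basis == "7(a)" and rec.refused_use:
                return Decision(False, "principal indicated non-consent; Section 7(a) does not apply")
            # Design choice: a Section 7 basis is bound to the purpose it was tagged
            # with, so data cannot be silently repurposed under the same clause.
            if requested_purpose != rec.purpose:
                return Decision(False, f"Section {rec.basis} tag covers {rec.purpose!r}, not {requested_purpose!r}")
            return Decision(True, f"Section {rec.basis}: {SECTION_7[rec.basis]}")
        return Decision(False, f"unrecognised basis {rec.basis!r}; processing is unlawful under Section 4")

    def processable_ids(self, records, requested_purpose, now):
        """Dynamic access control: return only the record IDs a job may touch."""
        return [r.record_id for r in records if self.evaluate(r, requested_purpose, now).allowed]


# Constructed sample data (fictional principals, not real records).
NOW = datetime(2026, 2, 8, tzinfo=timezone.utc)
LEDGER = [
    ConsentRecord("c-1001", "p-1", frozenset({"order_fulfilment", "newsletter"})),
    ConsentRecord("c-1002", "p-2", frozenset({"newsletter"}),
                  withdrawn_at=datetime(2026, 1, 15, tzinfo=timezone.utc)),
]
RECORDS = [
    Record("r1", "p-1", "consent", "newsletter", consent_id="c-1001"),
    Record("r2", "p-2", "consent", "newsletter", consent_id="c-1002"),   # consent withdrawn
    Record("r3", "p-3", "7(a)", "newsletter", refused_use=True),         # principal opted out
    Record("r4", "p-4", "7(i)", "payroll"),                              # employee data
    Record("r5", "p-5", "legitimate_interest", "newsletter"),            # GDPR-style tag, not a DPDP basis
]
GATE = LawfulBasisGate(LEDGER)

if __name__ == "__main__":
    for r in RECORDS:
        d = GATE.evaluate(r, "newsletter", NOW)
        print(f"{r.record_id}: {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
    print("newsletter job may read:", GATE.processable_ids(RECORDS, "newsletter", NOW))
```

Running the demo denies r2 (consent withdrawn), r3 (Section 7(a) refusal), r4 (employment data requested for a marketing purpose) and r5 (a basis the Act does not recognise), and leaves only r1 readable by the newsletter job. The `reason` string is what a lineage system would write alongside the access, giving the consent ID or clause that justified it.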
According to Section 4, lawful processing means processing personal data only for a lawful purpose (not forbidden by law) based on either the Data Principal's consent or for 'certain legitimate uses' defined in Section 7.
Personal data can be processed without consent only if the processing falls under one of the 'certain legitimate uses' in Section 7, such as voluntary provision by the user for a specified purpose, employment purposes, responding to a medical emergency, or fulfilling a legal obligation to disclose information to the State.
Section 7 is an itemized list. It covers: voluntary provision of data for a specified purpose; the State providing subsidies, benefits or services; compliance with law and court orders; medical emergencies; medical treatment during an epidemic or public-health threat; safety and assistance during a disaster or breakdown of public order; and employment-related purposes, including safeguarding the employer from loss or liability.
Identify if the processing is for a purpose the user specifically agreed to (Consent under Section 6) or if it fits a specific category in Section 7 (Legitimate Use). If neither applies, the processing is likely unlawful.
Processing without explicit consent is permitted: Section 4(1)(b) allows it for the 'certain legitimate uses' in Section 7. However, for voluntary provision under Section 7(a), the Data Principal must not have indicated to the Data Fiduciary that she does not consent to the use of her data.
Examples include an employer processing salary data (Section 7(i)), a hospital processing patient data during an epidemic (Section 7(g)), or a bank processing a defaulter's financial data for loan recovery (an exemption under Section 17(1)(f), not a Section 7 use).
Organizations should maintain a Record of Processing Activities (RoPA); the Act does not name one, but the right of access under Section 11 implies the Data Fiduciary can enumerate what it processes and why. The record should map every data flow to either a consent record or a specific Section 7 clause.
Processing becomes unlawful if it is not for a 'lawful purpose' as defined in Section 4(2), if valid consent was not obtained and no Section 7 use applies, or if consent was withdrawn and processing nevertheless continued (Section 6(6)).
"(1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,— (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses. (2) For the purposes of this section, the expression “lawful purpose” means any purpose which is not expressly forbidden by law."
"A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:— (a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-08 | WatchDog Security GRC Wiki Team | Initial publication from DPDP Workbook |