DIGITAL PERSONAL DATA PROTECTION ACT, 2023: A GUIDE TO GROUNDS OF PROCESSING

INTRODUCTION

The Digital Personal Data Protection Act, 2023 (DPDPA) outlines two lawful grounds for processing personal data: consent and legitimate uses. This article focuses on the latter, offering insights and recommendations for businesses to identify suitable legal bases for data processing.

LEGITIMATE USES

Under the DPDPA, certain legitimate uses permit businesses to process personal data without explicit consent in specific circumstances:

(a) Voluntary Provision: Data fiduciaries can process personal data voluntarily provided by individuals for purposes disclosed in a notice.
(b) Employment-related Purposes: Data processing for employment-related matters, safeguarding employers, or providing explicitly requested services or benefits to employees is permitted. However, explicit consent may be required for certain activities, like pre-employment background checks, that do not fall strictly within the scope of ‘employment’.
(c) Legal Obligations: Data processing to fulfil a legal obligation to disclose information to a government authority is allowed.
(d) Medical Emergencies: Processing personal data to address medical emergencies threatening life or health is permissible.
(e) Public Health and Safety: Data processing for medical treatment or health services during a threat to public safety, or for ensuring safety during a breakdown of public order, is permitted.

EXEMPTIONS

Certain processing activities are exempted from most obligations under the DPDPA, including the need for a legal basis:

(a) Enforcement of Legal Rights: Processing necessary for enforcing legal rights or claims is exempted.
(b) Law Enforcement: Processing for preventing, detecting, investigating, or prosecuting offences under Indian law is exempted.
(c) International Processing: Processing personal data of individuals outside India under contracts between Indian and foreign persons or entities is exempted.
(d) Corporate Transactions: Processing necessary for corporate transactions approved by competent authorities is exempted.
(e) Financial Assessments: Processing for financial assessments related to defaulted loans is exempted, provided it complies with other relevant laws.

Additionally, the new data protection law in India exempts the processing of publicly available data (made available by an individual about themselves or by someone under a legal obligation), and exempts processing for research or statistical purposes if the data is not used for decisions specific to an individual.

THE WAY FORWARD

Businesses must adapt their processes to comply with the grounds of processing under the DPDPA. Key steps include modifying consent collection processes, conducting data mapping exercises, implementing consent management tools, maintaining records, and ensuring multilingual communication with data principals.

By adhering to these guidelines, businesses can navigate data processing within the legal framework of the DPDPA effectively.