
At a glance
- The Digital Personal Data Protection Act (DPDP Act) was enacted on 11 August 2023.
- It sets out the framework for consent-based and non-consent-based processing of personal data.
- It also sets out the key rights of data principals, the key obligations for data fiduciaries, and what the penalties are when the fiduciaries do not uphold these rights.
Reproduced with the permission of the authors Gerald Manoharan, Sonakshi Das and Sandhya Swaminathan at JSA advocates and solicitors.
The DPDP Act, enacted on 11 August 2023, is new data protection legislation that regulates the processing of digital personal data. The DPDP Act applies to personal data processed:
- Within the territory of India, where such personal data is collected in digital form, or in non-digital form and subsequently digitised; and
- Outside the territory of India, if such processing is in connection with any activity related to the offering of goods or services to ‘data principals’ within the territory of India.
Notice and consent requirements
The DPDP Act broadly sets out the framework for consent-based processing of personal data and for non-consent-based processing of personal data. Among the prescribed ‘legitimate uses’ for processing such data without consent is processing carried out:
For the purposes of employment, or for purposes related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property or classified information, or provision of any service or benefit sought by a data principal who is an employee.
As such, employers will not be required to obtain express consent to process personal data of employees for, inter alia, purposes of employment. The DPDP Act presently does not qualify or define the term ‘for the purposes of employment’.
Processing employee personal data for lawful purposes other than the ‘legitimate uses’ (which include employment purposes), however, will require employers to obtain from employees, as data principals, consent that is:
- Free, specific, informed, unconditional, and unambiguous with a clear affirmative action; and
- Signifying agreement to processing of personal data for specified purposes.
The notice and request for consent must be presented in clear and plain language, and must give the data principal the option to access the notice and request for consent in English or in any other language specified in the Eighth Schedule of the Indian Constitution (ie in a total of 22 languages). Further, with respect to the personal data of persons with disability, employers will have to obtain verifiable consent from the parent or legal guardian of such person in the manner yet to be prescribed under the DPDP Act. For consent received prior to the enforcement of the DPDP Act, employers will have to notify employees, as soon as reasonably practicable and in the prescribed manner, of the processing of personal data based on past consent; they can continue processing such personal data until consent is revoked.
Revocation of consent
The DPDP Act gives data principals a right to withdraw consent and requires data fiduciaries to cease processing the personal data within a reasonable time after withdrawal of consent, unless such processing is required or authorised under the DPDP Act or any other law.
Key obligations of Data Fiduciaries
The DPDP Act requires data fiduciaries to, inter alia, ensure:
- Compliance with the DPDP Act, and compliance by data processors (ie persons processing personal data on behalf of data fiduciaries) with the provisions of the DPDP Act;
- Completeness, accuracy and consistency of the personal data they process, if it is to be used to make a decision that affects a data principal or is to be disclosed to another data fiduciary;
- Implementation of appropriate technical and organisational measures for compliance with the DPDP Act, and adoption of reasonable security measures to prevent personal data breaches;
- Notification to the Data Protection Board and to each affected data principal of a personal data breach;
- Erasure of personal data upon withdrawal of consent by a data principal, or once the specified purpose for collection is no longer served by its retention; and
- Establishment of an effective grievance redressal mechanism to redress data principal grievances.
Further, data fiduciaries can engage data processors to process personal data on their behalf for any activity related to offering goods or services to data principals only under a valid contract. As such, employers engaging or intending to engage third-party payroll service providers and other service providers to process employee personal data can now do so, or continue to do so, only under valid contracts. As liability for the processing of personal data by third-party data processors or service providers now rests on the employers appointing such parties, it becomes essential for the underlying contracts to, inter alia, provide adequate safeguards to ensure the third-party data processor or service provider’s compliance with the DPDP Act.
Rights of Data Principals
Data principals have the right to, inter alia:
- Seek access to information, including a summary of their personal data being processed, the processing activities undertaken, and information relating to the data fiduciaries and data processors with whom their personal data has been shared;
- Request the data fiduciary to correct, complete or update their personal data, and to erase personal data in the prescribed manner;
- Grievance redressal; and
- Nominate an individual to exercise their rights under the DPDP Act in the event of their death or incapacity.
Employers are likely to establish adequate internal mechanisms for personal data retrieval, updating, erasure and grievance redressal to facilitate such requests of employees.
Penalties
Prescribed penalties for non-compliance with the DPDP Act, including failure to take reasonable security safeguards to prevent a personal data breach, may range up to INR 2,50,00,00,000.