Can an Employer Process Employee Data Without Consent? The Answer Is Not What You Expect.
Every employer in India is a Data Fiduciary under DPDPA. Employee data including payroll, biometrics, health records, and disciplinary files is personal data. Maximum penalty: Rs 250 crore. The gap between employment law compliance and data protection compliance is where the real risk lives.
The Question Almost Nobody in Indian Employment Law Is Asking
Every employer in India collects employee personal data. Names. Addresses. Bank accounts. Aadhaar numbers. PAN numbers. Biometric fingerprints. Health records. Performance evaluations. Disciplinary files. Nominee details. Background verification reports. Compensation history. Leave records. Exit interview responses.
Under the Digital Personal Data Protection Act 2023, every employer that processes this data digitally is a Data Fiduciary. The obligations are not optional. They are statutory. The maximum penalty is Rs 250 crore per contravention.
Yet the intersection of employment law and data protection remains one of the least addressed compliance domains in India. Employment lawyers focus on Labour Codes. Data privacy lawyers focus on customer data. The space where these two disciplines overlap, the space where employee data sits, is a gap that creates real legal exposure for every employer in the country.
This page addresses the central question: can an employer in India process employee personal data without consent under DPDPA? The answer is nuanced. It depends on the type of data, the purpose of processing, and whether the processing falls within the legitimate use grounds of Section 7.
AMLEGALS advises on both employment law and DPDPA with equal depth. We are one of the few practices in India that treats this intersection as a distinct compliance domain rather than an afterthought.
Every Employer Is a Data Fiduciary. No Exceptions.
Under Section 2(i) of DPDPA, a Data Fiduciary is any person who alone or in conjunction with other persons determines the purpose and means of processing of digital personal data.
An employer determines why employee data is collected (statutory compliance, payroll processing, performance management, security). An employer determines how employee data is processed (HRMS platform, payroll software, biometric device, email server). The employer is therefore a Data Fiduciary in relation to every category of employee personal data it processes.
This classification carries specific obligations under DPDPA:
Lawful processing. Every data processing activity must have a legal basis: either consent of the Data Principal (the employee) or a legitimate use ground under Section 7.
Purpose limitation. Data collected for one purpose cannot be processed for a different purpose without a separate legal basis. Payroll data collected for salary payment cannot be used for marketing analytics without separate justification.
Data minimisation. Only data that is necessary for the stated purpose should be collected. Collecting residential address, family details, and personal photographs when none of these are required for the employment purpose is over-collection.
Accuracy. The Data Fiduciary must ensure that personal data is accurate and kept up to date. Stale employee records with outdated addresses, incorrect designations, or obsolete nominee details are a compliance gap.
Storage limitation. Data must not be retained beyond the period necessary for the purpose. Employee data retained indefinitely after the employee has left the organisation without a documented legal basis for retention is a DPDPA violation.
Security safeguards. Reasonable security safeguards must be implemented. A data breach involving employee data (Aadhaar numbers, bank details, health records) attracts penalties of up to Rs 250 crore.
Section 7(1)(i): The Legitimate Use Ground for Employment Data
Section 7 of DPDPA provides grounds on which a Data Fiduciary can process personal data without the consent of the Data Principal. For employment data, the critical provision is Section 7(1)(i).
Section 7(1)(i) permits processing of personal data for the purpose of employment including but not limited to:
Prevention of corporate espionage. Maintenance of confidentiality of trade secrets. Intellectual property protection. Classified information protection. Recruitment. Termination of employment. Provision of any service or benefit to the employee. Verification of attendance. Assessment of performance.
What this covers. Payroll processing for salary payment and statutory deductions: covered under provision of service and benefit. Biometric attendance: covered under verification of attendance. Performance reviews: covered under assessment of performance. Recruitment data processing: covered under recruitment. Background verification during recruitment: arguably covered under recruitment, though obtaining consent is prudent given the sensitivity.
What this does not cover. The legitimate use ground is tied to the employment purpose. Processing that goes beyond the employment relationship requires separate justification:
Sharing employee data with group companies for non-employment purposes. Using employee data for AI model training. Granular surveillance (keystroke logging, personal device monitoring) beyond performance assessment. Retaining employee data after all employment-related purposes have been fulfilled and no statute requires retention. Processing family member data (nominees, dependents) beyond statutory requirements.
The distinction matters. An employer that treats Section 7(1)(i) as a blanket exemption for all employee data processing will discover the boundaries when a complaint is filed with the Data Protection Board.
Where the Four Labour Codes and DPDPA Collide
The four Labour Codes require employers to collect, process, and retain specific categories of employee data. DPDPA governs how that data is handled. The two frameworks create overlapping obligations that must be addressed together, not in silos.
Code on Wages. Requires employers to maintain wage registers containing employee names, designations, wage components, deductions, and payment details. Every entry in the wage register is personal data under DPDPA. The employer has a statutory obligation to maintain the register (Labour Code compliance) and a statutory obligation to process the data lawfully (DPDPA compliance). The legal basis for processing is compliance with law, a legitimate use ground.
Industrial Relations Code. Generates disciplinary records, termination documents, strike records, union membership data, and dispute history. Disciplinary records are particularly sensitive. Retention beyond the dispute resolution period without a documented legal basis is a DPDPA violation. Union membership data is political association data that requires careful handling.
Social Security Code. Requires PF account data, ESIC health records, gratuity entitlements, maternity benefit records, and nominee details. Health records and nominee details are among the most sensitive categories. Sharing this data with EPFO and ESIC portals is regulated cross-organisation data transfer. The employer must ensure that the data sharing mechanism is DPDPA compliant.
OSH Code. Generates medical fitness certificates, health surveillance records, accident reports, disability data, and biometric attendance records. Biometric data (fingerprints, retina scans, facial recognition) is personal data requiring elevated protection. Health surveillance records are sensitive and their retention, access, and deletion must follow DPDPA principles.
The conclusion is straightforward. Compliance with the Labour Codes and compliance with DPDPA are not separate exercises. They must be integrated. A CTC restructuring under the Code on Wages is also a data architecture exercise under DPDPA.
Biometric Data: The Highest Risk Category in HR
Biometric attendance systems are ubiquitous in Indian workplaces. Fingerprint scanners. Facial recognition cameras. Retina scanners. These devices collect biometric personal data that is among the most sensitive categories under DPDPA.
Section 7(1)(i) provides a legitimate use ground for verification of attendance. Biometric data collected solely for attendance verification can be processed without separate consent. This is the narrow safe harbour.
The risk areas are substantial:
Purpose creep. Biometric data collected for attendance is repurposed for security surveillance, employee tracking, or access control analytics. Each additional purpose requires a separate legal basis.
Vendor security. Most biometric systems are operated by third-party vendors. The vendor is a Data Processor under DPDPA. The employer must have a Data Processing Agreement governing purpose limitation, security standards, access controls, and deletion obligations. Most existing biometric vendor contracts do not contain DPDPA-compliant DPA clauses.
Retention. Biometric templates stored indefinitely after an employee has left the organisation create a retention violation. The employer must implement a deletion protocol triggered by employment termination or purpose fulfilment.
Breach impact. A biometric data breach is irreversible. Unlike a password, a fingerprint cannot be changed. The penalty for inadequate security safeguards leading to a biometric data breach can reach Rs 250 crore. The reputational impact is equally severe.
Employers deploying biometric systems must conduct a focused assessment: legal basis, purpose scope, vendor contracts, security measures, retention policy, and breach response plan. This assessment should be documented and reviewed annually.
HR Vendors as Data Processors: The Contract Gap
Every employer shares employee personal data with third-party HR vendors. Payroll processors. Background verification agencies. HRMS platform providers. Employee benefits administrators. Insurance companies. Training platforms. HR analytics tools.
Under DPDPA, each of these vendors is a Data Processor processing personal data on behalf of the employer (the Data Fiduciary). The employer must ensure that every Data Processor relationship is governed by a Data Processing Agreement that meets DPDPA requirements.
What the DPA must contain. Purpose of processing (limited to what the employer authorises). Categories of personal data processed. Security safeguards the processor must implement. Sub-processing restrictions. Breach notification obligations (the processor must notify the employer of any breach). Deletion obligations (data must be deleted or returned when the processing purpose is complete). Audit rights (the employer must have the right to audit the processor).
The current reality. Most HR vendor contracts in India were signed before DPDPA. They contain standard commercial terms without DPDPA-specific data processing clauses. The indemnities do not address DPDPA penalties. The security obligations are generic. The deletion timelines are absent. The breach notification provisions are inadequate.
Every employer must audit its HR vendor contracts and negotiate DPDPA-compliant DPA addendums. The employer remains liable as the Data Fiduciary regardless of whether the breach or violation occurs at the processor level. Outsourcing HR data processing does not outsource DPDPA liability.
After the Employee Leaves: Retention, Deletion, and the Compliance Timeline
When an employee exits the organisation, the employer must determine what happens to each category of personal data. DPDPA requires deletion when the purpose is no longer being served and no other law requires retention.
Data with statutory retention requirements. Wage registers under the Code on Wages: prescribed retention period. PF records under the EPF Act: prescribed retention period. Tax records under the Income Tax Act: eight years for specified records. Disciplinary records where legal proceedings are pending: until resolution. These categories have a documented legal basis for continued retention.
Data without statutory retention requirements. Internal communication logs. Productivity metrics. Personal photographs. Training attendance records. Casual leave records. Exit interview transcripts. Lunch preference data. Birthday and anniversary data. These categories have no statutory retention requirement after employment ends. DPDPA requires their deletion once the purpose is fulfilled.
The practical challenge. Most HRMS systems do not distinguish between mandatory and discretionary data categories. When an employee exits, the entire employee record persists indefinitely. This creates a growing pool of personal data that has no current lawful purpose and is a DPDPA violation waiting to materialise.
The solution is a documented data retention schedule that maps every category of employee data to a retention period and a legal basis. When an employee exits, the schedule triggers a structured deletion process. Statutory data is retained for the prescribed period and then deleted. Non-statutory data is deleted within a defined window.
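One way to make such a retention schedule executable, as an added illustration rather than any firm's or product's code: each category of employee data maps to a legal basis and a retention period counted from the exit date, and a single function decides whether a record is retained, held, or deleted. The specific day counts for the Code on Wages and EPF Act entries and the 90-day window for discretionary data are assumed placeholders, not figures from the page; only the eight-year tax figure comes from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class RetentionRule:
    category: str
    legal_basis: str            # statute that requires retention, or "none"
    retain_days: Optional[int]  # None means an open-ended hold (proceedings pending)

# Constructed schedule. Periods marked "assumed" are placeholders: the prescribed
# statutory periods must be taken from the relevant rules, not from this file.
SCHEDULE = {
    "wage_register": RetentionRule("wage_register", "Code on Wages", 365 * 3),    # assumed
    "pf_record": RetentionRule("pf_record", "EPF Act", 365 * 5),                   # assumed
    "tax_record": RetentionRule("tax_record", "Income Tax Act", 365 * 8),          # eight years, per page
    "disciplinary_record_pending": RetentionRule("disciplinary_record_pending", "pending proceedings", None),
    "lunch_preference": RetentionRule("lunch_preference", "none", 90),             # assumed deletion window
    "exit_interview": RetentionRule("exit_interview", "none", 90),                 # assumed deletion window
    "birthday": RetentionRule("birthday", "none", 90),                             # assumed deletion window
}

def disposition(category: str, exit_date: date, today: date) -> str:
    """Return 'retain', 'hold' or 'delete' for one data category of an exited employee.
    A category absent from the schedule has no documented legal basis, so it defaults
    to 'delete' rather than persisting silently."""
    rule = SCHEDULE.get(category)
    if rule is None:
        return "delete"
    if rule.retain_days is None:
        return "hold"  # keep until the proceedings are resolved, then re-evaluate
    expiry = exit_date + timedelta(days=rule.retain_days)
    return "retain" if today < expiry else "delete"

def exit_deletion_plan(record_categories, exit_date: date, today: date) -> dict:
    """Group an exited employee's data categories by the action the schedule requires,
    so the deletion run and the retention justification can both be logged."""
    plan = {"retain": [], "hold": [], "delete": []}
    for cat in record_categories:
        plan[disposition(cat, exit_date, today)].append(cat)
    return plan
```

Running the plan on each exit date, and again on a periodic schedule, is what turns the retention policy into the "structured deletion process" described above: statutory data ages out at its expiry and discretionary data leaves within the defined window.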
Why AMLEGALS for Employee Data and DPDPA
This page exists because almost nobody in the Indian legal market is treating the intersection of employment law and DPDPA as a distinct compliance domain. Employment lawyers advise on Labour Codes without addressing the data implications. Data privacy lawyers advise on DPDPA without understanding the statutory data obligations under the Labour Codes.
AMLEGALS has deep practice capability in both domains. Our employment law practice has advised on Labour Code transition, POSH compliance, workforce restructuring, and industrial disputes for over 27 years. Our data privacy practice leads DPDPA implementation through the Vibe Data Privacy framework across sectors.
When we advise an employer on employee data compliance, the advisory covers both dimensions simultaneously. The CTC restructuring memo under the Code on Wages includes the data architecture implications under DPDPA. The biometric attendance assessment addresses both OSH Code compliance and DPDPA consent requirements. The HR vendor contract review addresses both commercial terms and Data Processing Agreement clauses.
With 10 offices across India, we provide state-specific advisory because Labour Code rules vary by state and data processing practices vary by industry and geography. A technology company in Bengaluru has a different HR data architecture from a manufacturing unit in Gujarat. The legal framework is national. The implementation is specific.
What You Need to Know
Your employee data is personal data. Is your processing DPDPA compliant?
Speak with our team about the intersection of employment law and DPDPA for your organisation.