The four Labour Codes generate the data and the DPDPA governs it: payroll, biometrics, health and disciplinary files are all personal data.
Compliance with the Labour Codes does not equal compliance with the DPDPA. They are separate obligations that happen to operate on the same information. The Codes tell you what records to keep. The DPDPA tells you how lawfully to collect, store, share, and delete them.
Most law firms advise on the DPDPA. Most employment firms advise on the Codes. Very few read both statutes in the same sitting, which is precisely where employer data risk lives.
Each of the four Labour Codes generates specific categories of employee personal data. The DPDPA applies to all of it, without exception or sector carve-out.
Code on Wages 2019. Wage records, bank account details, PF and ESI deductions, payment history, salary structure, bonus calculations.
Every payroll record is personal data. The employer is a Data Fiduciary. Payroll processors are Data Processors bound by DPDPA-compliant Data Processing Agreements.
Common gap: Most payroll systems were not built for DPDPA consent architecture. Retroactive consent capture is required.
Industrial Relations Code 2020. Disciplinary records, termination documents, strike and conciliation records, union membership data, dispute history.
Disciplinary data is sensitive. Retention beyond dispute resolution without a lawful basis is a DPDPA violation. Union membership can qualify as sensitive personal data.
Common gap: HR departments routinely retain disciplinary files indefinitely. DPDPA requires a documented purpose and a deletion timeline.
Social Security Code 2020. PF account data, ESIC health records, gratuity entitlements, maternity benefit records, nominee details.
Health and social security data is among the most sensitive categories. Transfer to EPFO and ESIC portals is regulated cross-organisation data sharing.
Common gap: Nominee data and beneficiary records are often stored without consent or purpose documentation, creating a direct DPDPA gap.
Occupational Safety, Health and Working Conditions Code 2020. Medical fitness certificates, health surveillance records, accident reports, disability data, biometric attendance.
Biometric data including fingerprints, retina scans and facial recognition is personal data under DPDPA. Health surveillance records are sensitive personal data requiring elevated protection.
Common gap: Biometric attendance systems were deployed without DPDPA consent architecture. Remediation is urgent before enforcement begins.
These are the highest-risk employee data scenarios at the intersection of the Labour Codes and the DPDPA. Each has a specific compliance fix.
Biometric Attendance Systems (Critical risk). Fingerprint and facial recognition attendance systems process biometric data, a sensitive category under DPDPA. Most were deployed without consent, purpose documentation, or a deletion policy.
Fix. Obtain specific consent for biometric processing. Define and document the purpose. Implement a deletion policy tied to the employment end date.
Background Verification (High risk). Employment background checks process criminal records, credit history, and personal references. Third-party verification vendors are Data Processors. Most such contracts have no DPA clause.
Fix. Add DPDPA Data Processing Agreement clauses to every verification vendor contract. Obtain candidate consent specifically for the check.
HR Analytics and Monitoring (High risk). Productivity monitoring, email surveillance, location tracking, and performance analytics all process personal data. Analytics tools can be Data Fiduciaries in their own right.
Fix. Disclose monitoring in employment contracts. Obtain consent. Define the purpose and data minimisation standard for every analytics tool deployed.
Employee Health Data (High risk). Pre-employment medicals, health insurance claims, sick leave records, and vaccination records are sensitive personal data. Sharing them with insurers without specific consent is a violation.
Fix. Audit every touchpoint where employee health data is shared externally. Add data sharing consent to employment onboarding documentation.
Contract and Gig Workers (Medium risk). Contractors, gig workers, and platform workers are Data Principals under DPDPA. Their data, including tax details, bank accounts, and ratings, is personal data. The platform is a Data Fiduciary.
Fix. Extend DPDPA compliance to gig and contract worker data pipelines. They are not exempt simply because they are not permanent employees.
Termination and Ex-Employee Data (Medium risk). Retaining employee data after termination without a lawful basis is a DPDPA violation. Most HR systems do not have automated deletion tied to exit dates.
Fix. Implement post-termination data retention policies with defined timelines. Automate deletion where technically feasible.
These steps address Labour Code and DPDPA compliance together, because they operate on the same data.
01. Conduct an HR Data Inventory. Map every category of employee and contractor data across all four Labour Codes. Most employers have never done this in the context of DPDPA.
02. Audit All HR Vendor Contracts. Payroll processors, verification vendors, HR software providers, health insurers. Every one is a Data Processor. Every contract needs a DPDPA-compliant Data Processing Agreement.
03. Redesign Employment Consent Architecture. Employment consent for payroll and statutory compliance is not the same as DPDPA consent for monitoring, analytics, and third-party sharing. Separate them in your onboarding process.
04. Address Biometric Systems First. Biometric data is the highest risk employee data category. Retrofit consent, purpose documentation, and deletion architecture into every biometric attendance system before enforcement begins.
05. Build an HR Data Principal Rights Mechanism. Employees are Data Principals. They have the right to access their HR data, correct inaccuracies, and file grievances. Your HR team needs a functioning mechanism to respond to every request.
06. Review Employee Monitoring Policies. Every monitoring policy, including email, device, location, and productivity, must be disclosed, consent-backed, and purpose-limited. Update employment contracts and standing orders accordingly.
AMLEGALS maintains a dedicated data privacy practice and a dedicated employment practice. When HR data creates DPDPA exposure, you need counsel who can read both statutes in the same room.
The combined engagement typically covers a Labour Code and DPDPA gap assessment, HR Data Processing Agreement templates for payroll, verification and software vendors, employment contract clauses for monitoring and data sharing, and a compliance retrofit for biometric attendance systems.
We do this across ten offices in India, for organisations from fifty employees to fifty thousand.
Short, direct, on the record.
Each of India’s four Labour Codes generates categories of employee personal data including payroll, biometrics, health records, and disciplinary files. DPDPA 2023 applies to all of it. The employer is the Data Fiduciary and must comply with every statutory obligation for each category of employee data processed.
Yes. Every employer that processes digital personal data of employees, contractors, or gig workers is a Data Fiduciary under DPDPA 2023. This applies regardless of company size, sector, or number of employees. There is no exemption for employment data.
Yes. Biometric data including fingerprints, retina scans, and facial recognition used in attendance systems is personal data under DPDPA. Most biometric systems were deployed without DPDPA consent architecture and require urgent remediation before enforcement begins.
The maximum financial penalty under DPDPA 2023 is Rs 250 crore. Employee data violations carry the same exposure as any other breach. Penalties are imposed by the Data Protection Board of India.
Yes. Contractors, gig workers, and platform workers are Data Principals under DPDPA. Their personal data, including tax details, bank accounts, and performance ratings, is protected. The platform or employer is the Data Fiduciary for this data.
Speak with our data privacy and employment teams about a combined Labour Code and DPDPA assessment for your organisation.