Labour Codes and DPDPA Intersection

Every Employer Is a Data Fiduciary. Most Don't Know It.

India's four Labour Codes and the DPDPA 2023 create a layered compliance obligation for every employer. Employee data, including payroll, biometrics, health records, and disciplinary files, is personal data. The employer is the Data Fiduciary.


The Four Labour Codes

Where Each Code Creates DPDPA Obligations

Each of India's four Labour Codes generates specific categories of employee personal data. DPDPA applies to all of it without exception or sector carve-out.

Code on Wages 2019 (CoW)

Employee Data Covered

Wage records, bank account details, PF and ESI deductions, payment history, salary structure, bonus calculations

DPDPA Obligation

Every payroll record is personal data. The employer is a Data Fiduciary. Payroll processors are Data Processors bound by DPDPA-compliant Data Processing Agreements (DPAs).

Most payroll systems were not built for DPDPA consent architecture. Retroactive consent capture is required.

Industrial Relations Code 2020 (IRC)

Employee Data Covered

Disciplinary records, termination documents, strike and conciliation records, union membership data, dispute history

DPDPA Obligation

Disciplinary data is sensitive. Retention beyond dispute resolution without a lawful basis is a DPDPA violation. Union membership may qualify as sensitive personal data.

HR departments routinely retain disciplinary files indefinitely. DPDPA requires a documented purpose and deletion timeline.

Social Security Code 2020 (SSC)

Employee Data Covered

PF account data, ESIC health records, gratuity entitlements, maternity benefit records, nominee details

DPDPA Obligation

Health and social security data is among the most sensitive categories. Transfer to EPFO and ESIC portals is regulated cross-organisation data sharing.

Nominee data and beneficiary records are often stored without consent or purpose documentation, creating a direct DPDPA gap.

Occupational Safety, Health and Working Conditions Code 2020 (OSH)

Employee Data Covered

Medical fitness certificates, health surveillance records, accident reports, disability data, biometric attendance

DPDPA Obligation

Biometric data, including fingerprints, retina scans, and facial recognition, is personal data under DPDPA. Health surveillance records are sensitive personal data requiring elevated protection.

Biometric attendance systems were deployed without DPDPA consent architecture. Remediation is urgent before enforcement begins.

Specific Risk Areas

Employer Data Risks Most HR Teams Miss

These are the highest-risk employee data scenarios at the Labour Codes and DPDPA intersection. Each has a specific compliance fix.

Biometric Attendance Systems

Critical

Fingerprint and facial recognition attendance systems process biometric data, a sensitive category under DPDPA. Most were deployed without consent, purpose documentation, or deletion policy.

Fix

Obtain specific consent for biometric processing. Define and document the purpose. Implement a deletion policy tied to employment end date.

Background Verification

High

Employment background checks process criminal records, credit history, and personal references. Third-party background verification (BGV) vendors are Data Processors. Most BGV contracts have no DPA clause.

Fix

Add DPDPA Data Processing Agreement clauses to all BGV vendor contracts. Obtain candidate consent specifically for BGV processing.

HR Analytics and Monitoring

High

Productivity monitoring, email surveillance, location tracking, and performance analytics all process personal data. AI-driven HR analytics tools are Data Fiduciaries in their own right.

Fix

Disclose monitoring in employment contracts. Obtain consent. Define the purpose and data minimisation standard for every HR analytics tool deployed.

Employee Health Data

High

Pre-employment medicals, health insurance claims, sick leave records, and vaccination records are sensitive personal data. Sharing them with insurers without specific consent is a violation.

Fix

Audit every touchpoint where employee health data is shared externally. Add data sharing consent to employment onboarding documentation.

Contract and Gig Workers

Medium

Contractors, gig workers, and platform workers are Data Principals under DPDPA. Their data, including tax details, bank accounts, and ratings, is personal data. The platform is a Data Fiduciary.

Fix

Extend DPDPA compliance to gig and contract worker data pipelines. They are not exempt simply because they are not permanent employees.

Termination and Ex-Employee Data

Medium

Retaining employee data after termination without a lawful basis is a DPDPA violation. Most HR systems do not have automated deletion tied to exit dates.

Fix

Implement post-termination data retention policies with defined timelines. Automate deletion where technically feasible.

Employer Action Plan

Steps Every Employer Must Take Now

Compliance with the Labour Codes does not equal DPDPA compliance. They are separate obligations that happen to operate on the same data. These steps address both simultaneously.

01. Conduct an HR Data Inventory

Map every category of employee and contractor data across all four Labour Codes. Most employers have never done this in the context of DPDPA.

02. Audit All HR Vendor Contracts

Payroll processors, BGV vendors, HR software providers, health insurers. Every one is a Data Processor. Every contract needs a DPDPA-compliant Data Processing Agreement.

03. Redesign Employment Consent Architecture

Employment consent for payroll and statutory compliance is not the same as DPDPA consent for monitoring, analytics, and third-party sharing. Separate them in your onboarding process.

04. Address Biometric Systems First

Biometric data is the highest-risk employee data category. Retrofit consent, purpose documentation, and deletion architecture into every biometric attendance system before enforcement begins.

05. Build HR Data Principal Rights Mechanism

Employees are Data Principals. They have the right to access their HR data, correct inaccuracies, and file grievances. Your HR team needs a functioning mechanism to respond to every request.

06. Review Employee Monitoring Policies

Every monitoring policy, including email, device, location, and productivity, must be disclosed, consent-backed, and purpose-limited. Update employment contracts and standing orders accordingly.

AMLEGALS Advisory

Advising on Both With Equal Depth

Most law firms advise on DPDPA. Most employment law firms advise on Labour Codes. Very few understand both well enough to advise on the intersection.

AMLEGALS has a dedicated data privacy practice and a dedicated employment law practice. When your HR data creates DPDPA exposure, you need counsel who can read both statutes in the same sitting.

We do this across ten cities, for enterprises from fifty employees to fifty thousand.


Labour Code and DPDPA Gap Assessment

A combined audit across all four Labour Codes and DPDPA to identify every employee data compliance gap in your organisation.

HR Data Processing Agreement Templates

DPDPA-compliant DPA templates for payroll vendors, BGV agencies, HR software providers, and health insurers.

Employment Contract DPDPA Clauses

Updated employment contract templates with DPDPA consent clauses for monitoring, analytics, and data sharing.

Biometric System Compliance Retrofit

Legal and operational guidance on retrofitting DPDPA consent architecture into existing biometric attendance systems.