DPDP for HR & Employee Data

What the DPDP Act 2023 means for payroll, resumes, background checks, and every HR file you hold
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP Employee Data: Every Employer Is Now a Data Fiduciary

When people think about the DPDP Act, 2023, they picture customer data. But the law covers all digital personal data, and that includes DPDP employee data: HR files, payroll records, resumes, background checks, attendance logs, and appraisal notes. If you employ even one person, or screen even one candidate, DPDP applies to you as an employer.

There is a helpful shortcut in the law: employment is a "legitimate use" under Section 7, one of only two lawful bases for processing (the other being consent). That means much of routine HR processing does not need separate consent. But the shortcut has limits, and DPDP for HR gets tricky exactly where those limits sit: candidates, ex-employees, and anything beyond what the job genuinely requires.

This page walks HR teams, recruiters, and business owners through what the employment legitimate use covers, where consent kicks in, and how to keep your HR stack compliant.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Employment Legitimate Use vs Consent: Where the Line Falls

HR ActivityLikely Lawful BasisWhat to Watch
Payroll and salary processingEmployment legitimate use (Section 7)Only data actually needed to pay and administer employment
Attendance, leave, appraisalsEmployment legitimate use (Section 7)Stays within employment purposes; no repurposing for marketing
Candidate resumes and screeningUsually consentCandidates aren't employees yet, so the employment use generally doesn't cover them
Background checksDepends on stage and scopeKeep checks proportionate to the role and get consent where the employment use doesn't clearly apply
Ex-employee recordsLegal obligations only, time-limitedDelete once the purpose is served, keep only what law requires
Rejected-candidate dataConsent, purpose ends at rejectionDelete after the hiring purpose is served, or get fresh consent to keep the resume on file

The core rule: the employment legitimate use covers only what is needed for employment purposes. It is not a blanket licence to collect, keep, or reuse whatever an HR file happens to contain.

What HR Teams Need to Put in Place

Whether you're an HR firm, a recruiter, or an employer with a five-person team, these are the building blocks of DPDP-ready HR.

Map Your HR Data

List every place employee and candidate data lives: HRMS, payroll software, ATS, shared drives, email threads, and WhatsApp groups. Digitized offline records count too.

Candidate Consent Workflow

Build consent into your application forms and job portals: clear, specific, no pre-ticked boxes, with withdrawal as easy as giving consent. Keep consent records with timestamps.

Retention & Deletion Schedule

Set deletion timelines for rejected-candidate and ex-employee data, with documented exceptions for records that tax or labour laws require. Then automate the deletion.

HR Vendor Contracts

Your HRMS, payroll, ATS, and background check providers are data processors. Sign written contracts with each, you stay legally responsible for what they do with your data.

Secure the HR Stack

Salary data and ID documents are exactly what attackers want. Apply the Rule 6 security safeguards: encryption, access control, MFA, and logs, across your HR systems.

Handle Employee Rights

Employees and candidates hold data principal rights too: access, correction, erasure, and grievance redressal within 90 days. Our free audit checks your whole HR data setup.

Book Free Audit

Why HR Data Is a Real Penalty Risk

HR files concentrate everything sensitive in one place: identity documents, bank details, salaries, health-related leave records. A leak of that data is a reportable breach, every breach must be notified to affected people and reported to the Data Protection Board within 72 hours, and failing to report carries a penalty of up to ₹200 crore. Weak safeguards on HR systems sit in the top tier at ₹250 crore, and other violations, like keeping rejected-candidate data without a basis, fall under the ₹50 crore tier.

Penalties apply per violation with no small-business discount, and there is no size exemption in the Act. HR firms, recruiters, and staffing agencies face the sharpest exposure because candidate data is their core inventory, but every employer with a payroll holds enough personal data to be squarely in scope. Your grievance mechanism matters here too: an employee complaint must be resolved through your grievance redressal process within 90 days.

HR Consent Workflows Take Time to Build

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and old candidate databases need valid consent too.

Check My HR Data Setup Free

Want the Complete DPDP Picture?

Employee data is one slice of your obligations. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.

Learn Everything About DPDP Compliance

DPDP for HR: Frequently Asked Questions

Do I need employee consent to process employee data?

Not always. Employment is a legitimate use under Section 7, so processing genuinely needed for employment, like payroll, does not need separate consent. Anything beyond what employment purposes require falls back to consent.

Is Your HR Data DPDP-Ready?

Our free audit reviews your employee and candidate data handling, consent workflows, retention, and vendor contracts, with a gap report and fix roadmap.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.