

When people think about the DPDP Act, 2023, they picture customer data. But the law covers all digital personal data, and that includes DPDP employee data: HR files, payroll records, resumes, background checks, attendance logs, and appraisal notes. If you employ even one person, or screen even one candidate, DPDP applies to you as an employer.
There is a helpful shortcut in the law: employment is a "legitimate use" under Section 7, one of only two lawful bases for processing (the other being consent). That means much of routine HR processing does not need separate consent. But the shortcut has limits, and DPDP for HR gets tricky exactly where those limits sit: candidates, ex-employees, and anything beyond what the job genuinely requires.
This page walks HR teams, recruiters, and business owners through what the employment legitimate use covers, where consent kicks in, and how to keep your HR stack compliant.
No cost. No obligation. Get your compliance gap report.
| HR Activity | Likely Lawful Basis | What to Watch |
|---|---|---|
| Payroll and salary processing | Employment legitimate use (Section 7) | Only data actually needed to pay and administer employment |
| Attendance, leave, appraisals | Employment legitimate use (Section 7) | Stays within employment purposes; no repurposing for marketing |
| Candidate resumes and screening | Usually consent | Candidates aren't employees yet, so the employment use generally doesn't cover them |
| Background checks | Depends on stage and scope | Keep checks proportionate to the role and get consent where the employment use doesn't clearly apply |
| Ex-employee records | Legal obligations only, time-limited | Delete once the purpose is served, keep only what law requires |
| Rejected-candidate data | Consent, purpose ends at rejection | Delete after the hiring purpose is served, or get fresh consent to keep the resume on file |
The core rule: the employment legitimate use covers only what is needed for employment purposes. It is not a blanket licence to collect, keep, or reuse whatever an HR file happens to contain.
Whether you're an HR firm, a recruiter, or an employer with a five-person team, these are the building blocks of DPDP-ready HR.
List every place employee and candidate data lives: HRMS, payroll software, ATS, shared drives, email threads, and WhatsApp groups. Digitized offline records count too.
Build consent into your application forms and job portals: clear, specific, no pre-ticked boxes, with withdrawal as easy as giving consent. Keep consent records with timestamps.
Set deletion timelines for rejected-candidate and ex-employee data, with documented exceptions for records that tax or labour laws require. Then automate the deletion.
Your HRMS, payroll, ATS, and background check providers are data processors. Sign written contracts with each, you stay legally responsible for what they do with your data.
Salary data and ID documents are exactly what attackers want. Apply the Rule 6 security safeguards: encryption, access control, MFA, and logs, across your HR systems.
Employees and candidates hold data principal rights too: access, correction, erasure, and grievance redressal within 90 days. Our free audit checks your whole HR data setup.
Book Free AuditHR files concentrate everything sensitive in one place: identity documents, bank details, salaries, health-related leave records. A leak of that data is a reportable breach, every breach must be notified to affected people and reported to the Data Protection Board within 72 hours, and failing to report carries a penalty of up to ₹200 crore. Weak safeguards on HR systems sit in the top tier at ₹250 crore, and other violations, like keeping rejected-candidate data without a basis, fall under the ₹50 crore tier.
Penalties apply per violation with no small-business discount, and there is no size exemption in the Act. HR firms, recruiters, and staffing agencies face the sharpest exposure because candidate data is their core inventory, but every employer with a payroll holds enough personal data to be squarely in scope. Your grievance mechanism matters here too: an employee complaint must be resolved through your grievance redressal process within 90 days.
Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup takes 2-6 months, and old candidate databases need valid consent too.
Check My HR Data Setup FreeEmployee data is one slice of your obligations. Our main guide covers the full DPDP Act: deadlines, penalties, checklist, roles, and all our services.
Learn Everything About DPDP ComplianceNot always. Employment is a legitimate use under Section 7, so processing genuinely needed for employment, like payroll, does not need separate consent. Anything beyond what employment purposes require falls back to consent.
Yes. Candidates aren't employees yet, so the employment legitimate use usually doesn't cover them. Resumes, screening records, and interview notes typically need consent, and rejected-candidate data should be deleted once the hiring purpose is served.
Only as long as the purpose or a legal obligation requires. Delete ex-employee data once it is no longer needed, keeping only records that tax, labour, or other laws require, and document those exceptions in your retention schedule.
Yes. HRMS, payroll, ATS, and background check providers are data processors working on your behalf. You need written contracts with each, and you stay legally responsible for how they handle your data.
Our free audit reviews your employee and candidate data handling, consent workflows, retention, and vendor contracts, with a gap report and fix roadmap.
Book Your Free DPDP AuditNo cost. No obligation. Get your compliance gap report.
Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.
Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.