DPDPA for employers India is not a sector-specific obligation — if your company collects and processes digital personal data of employees or candidates, the Act applies to you now.
TL;DR
- Under DPDPA 2023, any entity that determines the purpose and means of processing digital personal data is a Data Fiduciary — every employer handling salary, Aadhaar, PF/EPFO, biometric attendance, or medical records falls into this category.
- Section 6 requires consent to be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action — a blanket joining-kit declaration does not meet this bar for distinct processing purposes.
- 13 May 2027 is the phased commencement date for substantive DPDPA obligations; HR workflows built today will be tested against that standard.
- Breach reporting runs on a dual clock: CERT-In’s 6-hour initial notification and the Data Protection Board’s 72-hour detailed report — both clocks start at the moment of detection.
- Rule 13 mandatory audits apply to Significant Data Fiduciaries only — not every employer — but all Data Fiduciaries must maintain proportionate security controls, rights workflows, and breach response SOPs.
- Penalties reach up to ₹250 crore per instance of non-compliance.
Does DPDPA Apply to My Company If I Only Have Employees?
DPDPA for employers India starts with a simple statutory test: does your company decide why and how personal data of identifiable individuals is processed? If yes — and every employer does — you are a Data Fiduciary. The Act carries no headcount exemption, no sector carve-out for private companies, and no grace period based on size alone.
The practical trigger is the employment relationship itself. From the moment a candidate submits a CV, your company begins processing digital personal data. Offer letters, onboarding KYC, Aadhaar submission for PF linkage, biometric registration for attendance systems, salary records flowing to your HRMS — each is a distinct processing activity governed by the Act and enforced by the Data Protection Board of India (DPBI).
For a mid-size company of 50–500 employees, the operative obligations centre on notice architecture, documented lawful grounds, vendor controls, and breach response — not the Significant Data Fiduciary tier, which is reserved for large platforms handling high volumes of sensitive data. That distinction matters: Rule 13 mandatory audits do not apply to most employers. But the core obligations do.
If your company also processes data of contract workers, gig staff, or interns digitally, those individuals are likely Data Principals under the Act. Scope should be defined before a complaint or audit forces the question.
For a grounding in the Act’s foundational structure, the Privigo fundamentals guide is a useful starting point before working through HR-specific obligations.
What Employee Data Counts as Personal Data Under DPDPA?
The DPDPA does not retain the old “sensitive personal data” category from earlier Indian frameworks. All digital personal data — any data that can identify a natural person — falls within the Act’s scope. For HR teams, this is a larger surface than most compliance checklists acknowledge.
| Data Category | Typical HR Purpose | Lawful Ground Note | Retention Owner |
|---|---|---|---|
| Salary / payroll records | Compensation, TDS, statutory filings | Lawful obligation (Income Tax Act, EPF & MP Act) | Payroll / Finance |
| Aadhaar / KYC documents | PF linkage, ESIC, background checks | Lawful obligation (EPFO regulations) | HR / Compliance |
| PF / EPFO records | Statutory provident fund contributions | Lawful obligation | HR / Finance |
| Biometric attendance data | Attendance tracking, access control | Consent or documented legitimate employer purpose | IT / Admin |
| Background check reports | Pre-employment screening | Consent (candidate) + processor contract | HR / Legal |
| Medical / insurance data | Group health, ESI, leave management | Consent or statutory obligation (ESI Act) | HR / Insurance team |
| Exit / separation records | Full-and-final settlement, relieving letters | Contractual + statutory dispute retention | HR / Legal |
No category in this table is automatically exempt. Each needs a documented lawful ground, a stated retention period, and a deletion trigger when the ground lapses.
Do We Need Consent for Salary, Aadhaar, PF, and Attendance Records?
Not always — but the answer is more nuanced than a yes/no, and getting it wrong in either direction creates exposure.
Under Section 6, consent must be free, specific, informed, unconditional, unambiguous, and given through clear affirmative action. That is the standard when consent is the chosen lawful ground. The Act also permits processing on other lawful grounds — including compliance with a legal obligation — and employment-related processing frequently qualifies.
Salary and PF/EPFO records can typically rely on statutory obligation. The Income Tax Act, the Employees’ Provident Funds and Miscellaneous Provisions Act, and the ESIC Act require this data. Notice must still explain purpose clearly, but consent is not the operative ground.
Biometric attendance data sits differently. Where biometrics go beyond a legal requirement and serve operational convenience, the lawful basis should be carefully documented. Burying biometric enrolment in a joining-kit acknowledgement does not produce a defensible record.
Background check reports involve a third-party screening processor and typically require separate, informed candidate consent before the check is initiated — the candidate is a Data Principal with rights over that processing.
Medical and insurance data linked to group health benefits or leave administration may involve both statutory grounds and consent depending on what is collected beyond the legal minimum.
The common failure is bundling: one HR handbook declaration trying to cover all of the above in a single signature. That bundled record is difficult to defend when an employee asks which specific data was collected, for which purpose, and on what basis. The architectural solution is purpose-level notice with documented lawful grounds per data category. This is the pattern Privigo implements through a sealed PII vault with cryptographically immutable consent records — giving HR an evidentiary-grade audit trail that survives a Board inquiry or employee rights request.
The consent and notice flow for a new hire should look like this:
The flowchart above shows two parallel paths through HR data processing: statutory-obligation data (salary, PF, ESIC) routes directly to a retention SOP with no consent required, while higher-sensitivity categories such as biometrics and background checks require a logged consent event tied to a specific notice version. Every path terminates at a rights-handling step, meaning an employee’s access or erasure request must be serviceable regardless of which lawful ground was used.
For the parallel pattern applied in financial services, see how consent is structured across systems — the architectural logic is the same.
On breach response: the dual clock begins at the moment of detection. CERT-In’s 6-hour initial notification and the Data Protection Board’s 72-hour detailed report are not sequential — they run in parallel. An employee data breach involving salary or Aadhaar records at a payroll processor is a live test of whether your vendor contracts and internal response plan function under pressure. Most HR teams have no written SOP for this scenario.
Who Owns HR Data Risk When Payroll or HRMS Is a Vendor?
Section 8 of the DPDPA places accountability on the Data Fiduciary regardless of who processes the data. If your payroll runs through a third-party HRMS and that vendor suffers a breach or misuses employee records, your company remains the accountable entity in the eyes of the Board.
This makes vendor contracts a compliance control, not a procurement formality. Before employee data is uploaded to any payroll platform, HRMS, background verification agency, or benefits administrator, the contract must confirm:
- Purpose limitation — the vendor processes data solely for the stated purpose
- Security safeguards proportionate to the sensitivity of employee data
- Breach escalation obligations aligned with the CERT-In 6-hour and DPB 72-hour clocks
- Sub-processor controls where the vendor further outsources
- Retention and deletion at termination — data does not persist on vendor infrastructure after contract end
- Audit and assurance rights for your compliance team
Standard SaaS subscription terms do not cover this. Processor-grade data processing agreements need to be in place before data moves. The Privigo platform maps vendor obligations against live data flows, so HR and legal teams see exposure in real time rather than discovering gaps at audit.
What Should HR Fix Before the Next Appraisal or Hiring Cycle?
Appraisal cycles and hiring rounds generate new data, refresh old records, and route information through additional vendors — assessment platforms, background check agencies, payroll processors. They are also the natural moment to harden compliance architecture before the next set of Data Principals enters your systems.
Governance ownership table
| Area | Owner | Status |
|---|---|---|
| Employee notice redesign (purpose-specific per data category) | HR Head | ☐ |
| Vendor DPA review — payroll, HRMS, screening agencies | HR + Legal | ☐ |
| Biometric attendance policy documented and communicated | IT + Admin | ☐ |
| Breach response SOP (CERT-In 6h + DPB 72h aligned) | IT + Legal | ☐ |
| Rights request handling process and timelines | HR + Compliance | ☐ |
| Exit data deletion SOP for separated employees | HR + Legal | ☐ |
| Consent / lawful-ground mapping per data category | Compliance Owner | ☐ |
Three changes close the largest part of practical exposure before your next cycle opens: replace bundled declarations with purpose-level notice and documented lawful grounds per data category; audit vendor contracts for processor-grade obligations before the next payroll upload or hiring round; and build a written breach response SOP before an incident requires one under a live clock.
Closing
DPDPA obligations for employers are not a distant risk gated behind a 2027 date. The consent architecture, vendor contracts, and breach SOPs you build into HR systems today will be measured against obligations that take effect from 13 May 2027 — and fixing them mid-cycle is operationally harder than addressing them now, before forms go out and data starts flowing.
Start with three concrete actions:
- Map every employee data category to a lawful ground and a documented retention period — this is the foundation everything else depends on.
- Review payroll, HRMS, and screening vendor contracts for processor-grade clauses before the next upload or hiring round.
- Write a breach response SOP against the dual-clock timeline before an incident forces an improvised response under regulatory pressure.
If your HR team wants a structured walkthrough of how these obligations apply to your specific data flows and vendor relationships, Book a demo with Privigo — we map your consent architecture, processor agreements, and breach posture against the DPDPA in a single 30-minute session.
Frequently Asked Questions
Does DPDPA apply to every company with employees in India?
Yes — if you determine the purpose and means of processing digital personal data of employees or candidates, you typically act as a Data Fiduciary under the DPDPA 2023, with obligations on notice, lawful grounds, security, and rights handling. No headcount threshold exempts a company from this classification.
Is employee salary and Aadhaar data personal data under DPDPA?
Yes — salary, bank, Aadhaar, PF/EPFO, attendance, and background-check records are personal data when they relate to an identifiable employee or candidate. They must be collected for specified purposes with an appropriate lawful basis and cannot be retained beyond the period for which that basis holds.
Do employers need separate consent for every HR data use?
No — not every processing activity requires consent. Employment-related processing may rely on lawful grounds other than consent where the law permits — salary and PF data, for example, are typically processed under statutory obligation. However, notice must still be clear, purpose-specific, and defensible for every category; bundled handbook declarations rarely suffice for distinct uses like biometrics or third-party screening.
Are mandatory DPDPA audits required for all employers?
No — Rule 13 mandatory audits apply to Significant Data Fiduciaries only, not every employer. All Data Fiduciaries, however, must maintain security safeguards, breach reporting workflows, and Data Principal rights mechanisms proportionate to the scale and sensitivity of their processing.
Sources
- Digital Personal Data Protection Act, 2023 (official text) — https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
- Digital Personal Data Protection Rules, 2025 commencement notification (G.S.R. 843(E)) — https://www.meity.gov.in/static/uploads/2025/11/c56ceae6c383460ca69577428d36828b.pdf
- PIB reference note on DPDP Rules notification — https://www.pib.gov.in/PressReleasePage.aspx?PRID=2190014
This article provides operational compliance guidance and does not constitute legal advice. Employers should obtain institution-specific legal counsel for their particular circumstances and data processing activities.