Legitimate Uses Under the DPDP Act: When Is Consent Not Required?
Section 7 of the DPDP Act lists the legitimate uses where personal data may be processed without consent, including voluntary sharing for a specified purpose, State functions, legal obligations, medical emergencies, and employment purposes. Each ground is narrow, and processing must still stay within its stated purpose.
When Is Consent NOT Required? (Legitimate Uses)
Section 7 of the DPDP Act 2023; Rule 5 of the DPDP Rules 2025
Section 7 lists nine specific situations where personal data can be processed without the Data Principal's consent — ranging from voluntary provision of data to medical emergencies to employment purposes.
While consent is the primary basis for processing, the Act recognises that requiring consent in every situation would be impractical or counterproductive. Section 7 defines nine legitimate uses where processing is permitted without consent.
First: voluntary provision without objection. If a Data Principal voluntarily provides their personal data for a specified purpose and has not indicated that they do not consent, the Data Fiduciary may process it. For example, if a customer willingly fills out a feedback form, that data can be processed for the stated purpose without a separate consent step — as long as the individual has not signalled otherwise.
Second: State provision of subsidies, benefits, and services. The State may process personal data to provide subsidies, benefits, services, certificates, licences, or permits. This applies when the Data Principal has previously consented to such processing, or when the data comes from government databases. This covers programmes like Aadhaar-linked benefit transfers or digital locker-based document issuance.
Third: State functions under law or sovereign interests. The State may process personal data when performing functions authorised by law or when acting in the interest of sovereignty, integrity, or security of India.
Fourth: legal disclosure obligations. When any person is legally obligated to disclose information to the State — for instance, under tax laws or regulatory reporting requirements — that processing does not require the Data Principal's consent.
Fifth: compliance with judicial orders. Processing personal data to comply with any judgment, decree, or order of a court or tribunal does not require consent.
Sixth: medical emergencies. When there is a threat to the life or health of the Data Principal or any other individual, personal data may be processed to respond to the emergency. This covers situations such as sharing a patient's medical history with emergency responders.
Seventh: epidemic and public health response. During epidemics, disease outbreaks, or threats to public health, personal data may be processed for medical treatment purposes without consent.
Eighth: disaster and public order situations. Personal data may be processed to ensure safety and provide assistance during disasters or breakdowns of public order.
Ninth: employment purposes. An employer may process employee data for purposes related to safeguarding the employer from loss or liability. This explicitly covers corporate espionage prevention, trade secret protection, and providing services to employees who are themselves Data Principals. For example, an employer may monitor work email to protect trade secrets, or process employee data to administer payroll and benefits.
Rule 5 adds an important constraint for State processing under these provisions. When the State processes personal data under a legitimate use, it must follow the standards set out in the Second Schedule. These require that processing be lawful, limited to data that is necessary, backed by reasonable efforts for accuracy, retained only as long as needed, and protected by reasonable security safeguards.
Key Points
- Nine situations allow processing without consent.
- (a) Data Principal voluntarily provided data and has not indicated objection.
- (b) State providing subsidies, benefits, services, certificates, licences, or permits.
- (c) State performing functions under law or in the interest of sovereignty, integrity, or security.
- (d) Fulfilling legal obligations to disclose information to the State.
- (e) Compliance with court judgments, decrees, or orders.
- (f) Medical emergencies threatening life or health.
- (g) Medical treatment during epidemics, outbreaks, or public health threats.
- (h) Ensuring safety or providing assistance during disasters or breakdown of public order.
- (i) Employment purposes — safeguarding the employer from loss or liability, including corporate espionage prevention and trade secret protection.
- Rule 5: State processing under legitimate uses must still follow standards — lawful, necessary data only, accurate, limited retention, and reasonable security.
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.