92. Digital Personal Data Protection Act (DPDP) – Legitimate Use, Employment Purpose & Consent

HR Systems, Tech & Governance

When Can HR Use Personal Data and When Should It Stop?

In the first article, we spoke about why digital HR is less about technology and more about responsibility. We clarified why HR sits at the centre of personal data decisions in a digital workplace. This article moves a step further and this is where things start getting uncomfortable.

Just because HR has access to personal data, does it mean HR is allowed to use it the way it wants to? The DPDP Act answers this question very clearly, and the answer is not always what an HR practitioner expects.

The most common HR assumption

For years, we in HR have worked with an assumption: if the data was collected legitimately, HR teams can use it as part of their normal activities.

Under the DPDP framework, that assumption is questioned.

What we want to draw your attention to is that personal data can be processed only in two situations

  1. when the individual has given consent, or
  2. when the data is used for a recognised legitimate purpose under the law

For HR, the most relevant legitimate purpose is ‘for employment purposes.’

This distinction between employment purpose and consent is one of the most misunderstood aspects of data protection in HR. So, what does ‘for employment purposes’ really mean?

Personal data qualifies as being used for employment purposes only when it is reasonably necessary and directly connected to

  1. entering into an employment relationship
  2. managing and administering that relationship through its lifecycle
  3. meeting statutory, contractual, or risk management obligations arising from employment

Recruitment, payroll, attendance, performance management, statutory compliance, benefits administration, exit processes: these fall within employment purposes.

But this is where the HR practitioner needs to review. Many activities that HR has traditionally done, often with good intent and many times as part of employee engagement, do not automatically qualify as employment purpose.

Convenience is not employment purpose. Culture is not employment purpose. Tradition is not employment purpose.

Let us take a very common date of birth question

HR collects an employee’s date of birth as a standard practice. That is legitimate and even qualifies as ‘for employment purposes’, as it may be required for age verification, statutory thresholds, benefits eligibility, or compliance.

But when HR then uses that date of birth to send birthday emails, create public birthday calendars, or make organisation-wide announcements, this is where things change.

Using date of birth for statutory or employment administration is one purpose. Using the same data for engagement or cultural activities is a different purpose altogether. Under the DPDP Act, the original justification for collecting data does not automatically extend to new uses.

If HR teams want to use personal data for such activities, it is recommended that they

  • be transparent about that use, and
  • take explicit consent for that specific purpose, explaining clearly who will see the information

This does not mean HR must stop trying to create a positive organisational culture. It simply means HR must stop assuming cultural intent is enough to justify data use.

Consent is not a formality

Another common misconception is treating consent as a checkbox. Consent must be

  • affirmative: silence or non-response does not count
  • purpose specific: data can be used only for what consent was taken for
  • easy to withdraw: once withdrawn, processing must stop unless another legal obligation applies

This changes how HR needs to operationally deliver

Consent is not something HR takes once during onboarding and forgets about. It is something that must be tracked, respected, and acted upon throughout the data lifecycle. The moment consent is withdrawn, HR teams cannot continue with business as usual.

Recruitment exposes this gap faster than anything else

If there is one HR process where the distinction between employment purpose and uncontrolled use becomes immediately visible, it is recruitment. A resume enters the organisation for a legitimate purpose, that is, employment. But in many organisations, resumes move freely across different email inboxes, get forwarded multiple times, downloaded, and stored locally by different stakeholders.

At that point, the HR practitioner may no longer have visibility over

  • where the candidate’s personal data sits
  • who has access to it
  • how it can be erased if requested
  • or how the confidentiality of the resume can be assured

Even when the intent is recruitment, personal data does not stop being governed. The responsibility is clear: the HR practitioner, acting as the operational Data Fiduciary, must be able to justify how candidate data is shared and protected, not just why it was collected. This is not about mistrust within organisations. It is about recognising that uncontrolled flow is still a risk even when the purpose feels legitimate.

A simple test

Before using personal data, HR teams should get comfortable asking a few simple questions internally

  1. Is this use genuinely necessary to manage the employment relationship?
  2. Or is it something else: engagement, convenience, habit?
  3. If it is something else, have we taken explicit consent for this exact use?
  4. Can we confidently explain this use to the individual whose data it is?

If the answer to those questions is unclear, that uncertainty itself is a signal that HR needs to rethink how to use the said data.

A shift HR teams must make consciously

Data protection under the DPDP Act is not about restricting HR. It is about disciplining how HR uses power that has always existed. Just because HR has access to personal data does not mean HR has unrestricted permission to use it.

That realisation marks a turning point in how HR operates in the digital workplace.

In the next article, we’ll move from judgement to execution, looking at what happens when employees and candidates start exercising their rights, and how HR must be ready to respond with clarity, not improvisation.


This article is based on the transcript of the original podcast of the same name featured in India HR Guide.
The transcript has been translated into this article with the support of AI and a human‑in‑the‑loop process.