Confidential Dispatch
At a glance

If you employ people or screen job applicants, you handle personal data — so recruitment and HR sit squarely under India’s DPDP Act. The employment ground (Section 7(i)) lets you process employees’ data for employment purposes without fresh consent, but it isn’t a blanket pass: it doesn’t clearly cover job candidates, and the security, breach-reporting and retention duties apply in full either way. The real work is separating what it genuinely covers from where you still need consent — mostly recruitment and background checks.

Educational resource only. This explains how India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies to recruitment and HR work; it is not formal legal advice.

The situation

No function in a company holds more personal data per person than HR. A single employee file runs from CV and ID proofs through bank details, salary structure, PF and tax records, medical certificates, appraisal notes and exit paperwork — and the pipeline that feeds it starts earlier, with every applicant who ever sent in a CV. Most of this was collected the informal way: emailed documents, WhatsApp forwards, folders on a shared drive. The DPDP Act treats all of it as regulated personal data, and it treats your company — not the HR executive handling the file — as the Data Fiduciary answerable for it.

Does DPDP apply to your HR function?

Yes — employees and job applicants are Data Principals like anyone else, and there is no HR or payroll exemption. The moment your company decides why and how a candidate’s or employee’s personal data is used, it is a Data Fiduciary with the full set of duties: a lawful basis for each use, reasonable security safeguards, breach reporting, retention limits, and answerability for what its vendors — payroll processors, HR-management software (HRMS) platforms, background-check agencies — do with the data on its behalf. Headcount doesn’t change this: a five-person firm processing salaries carries the same baseline duties as an enterprise, and what scales with size is exposure, not the existence of the obligation.

What makes HR distinctive is that the Act gives employment its own lawful basis — which is both the convenience and the trap, because it’s easy to read it as covering more than it does.

The candidate and employee data HR actually holds

The HR data estate splits into three pools — candidates, current employees, and ex-employees — and each pool sits on a different legal footing. In a typical company it includes:

  • Recruitment data — CVs, application forms, interview notes, assessment scores, reference and background-verification (BGV) reports, offer records — much of it about people who never joined.
  • Identity and statutory records — ID proofs collected at onboarding (PAN for tax, Aadhaar where Employees’ Provident Fund (EPF) enrolment requires it, passport for visa-linked roles), plus Universal Account Number (UAN), PF, Employees’ State Insurance (ESI) and gratuity records.
  • Financial data — bank account details, salary structure, tax declarations, investment proofs, loan and advance records.
  • Sensitive workplace records — medical certificates and insurance claims, disability details, grievance and disciplinary files, complaint records under the workplace sexual-harassment law (POSH).
  • Workplace-generated data — attendance logs (including biometric attendance where used), access-card swipes, monitoring data from company systems.

Treating these as one undifferentiated “employee data” pile is where compliance goes wrong, because the lawful basis, the retention period and the rights that attach differ across them.

The obligation that actually bites: what Section 7(i) covers — and what it doesn’t

The employment ground is real and useful — payroll, statutory deductions and ordinary employment administration don’t need fresh consent — but it stops at the edges of employment purposes, and candidates sit outside its clear scope. The DPDP Act’s legitimate-use ground for employment (Section 7(i)) covers processing for the purposes of employment, or to safeguard the employer from loss or liability — the Act’s own examples run to preventing corporate espionage, protecting trade secrets and intellectual property, and providing any service or benefit an employee seeks. For a working HR function this covers the everyday spine: running payroll, depositing PF and tax deducted at source (TDS), administering leave and insurance, maintaining service records.

Three edges matter more than the ground itself:

  1. Candidates aren’t clearly “employment.” The provision speaks to the employer–employee relationship; someone who has only applied for a job isn’t your employee yet. The safe footing for recruitment data — CVs, assessment results, and especially BGV and reference checks — is notice and consent, taken at the point of application. That also solves the practical question of holding CVs “on file” for future roles: that’s a purpose of its own, and it needs to be stated and agreed to.
  2. It isn’t a surveillance charter. The safeguarding-the-employer limb justifies processing tied to a genuine protective purpose, not open-ended monitoring of everything an employee does. Monitoring that reaches into personal territory — private chats on an office laptop, for instance — is contested ground; the defensible position is monitoring that is proportionate, disclosed in policy, and tied to a stated protective purpose.
  3. The other duties don’t switch off. Processing under the employment ground still demands security safeguards, breach notification, erasure once the purpose ends, and a working grievance channel. One nuance worth knowing: the Act’s correction and erasure rights formally attach to data processed on the basis of consent — but every employee retains the right to raise a grievance, and holding stale data past its purpose is a retention failure regardless of which basis it came in under.

Where DPDP sits alongside labour and tax law

HR’s retention question is the CA problem in another uniform: labour and tax statutes require you to keep records for years, while the DPDP Act expects deletion once the purpose ends — reconcile both in a written schedule. Payroll, PF, ESI, gratuity and tax-deduction records carry multi-year statutory retention under their own laws, and keeping data a law requires you to keep is itself a recognised legitimate use (Section 7’s legal-obligation grounds). So the ex-employee file doesn’t get wiped on the last working day — but nor does it get kept whole, forever, “for records.”

The reconciliation looks like this: statutory records (wage registers, PF/ESI, TDS) stay for their mandated periods, each hold traceable to the law that requires it; everything else — the CV, the interview notes, the BGV report, the medical certificate — has no statutory hold and should go once its own purpose is served. The same logic answers rejected candidates: once the role is closed and any agreed CV-retention period lapses, there is no basis for the file to persist. A written, per-record-type retention schedule is what turns this from an argument into a policy.

Common mistakes HR teams make

Most HR exposure is inherited habit, not deliberate carelessness.

  • The eternal CV pile — every application ever received, kept indefinitely, with no stated purpose or agreed retention.
  • “Send your documents on WhatsApp” — onboarding IDs and bank details collected over chat and email, scattered across personal devices with no notice, no consent capture and no controlled copy.
  • Reading Section 7(i) as “employees have no data rights” — the employment ground covers specific purposes; it doesn’t erase the duty of security, retention limits, or the grievance channel.
  • BGV without consent — background and reference checks run on candidates as if the employment ground already applied to them.
  • Over-collecting at onboarding — demanding the full document set (Aadhaar, PAN, passport, licences) from everyone, rather than what each statutory or business purpose actually needs.
  • Forgetting the vendors — payroll bureaus, HRMS tools and BGV agencies process your people’s data on your behalf; their failure is your liability, and the contract needs to say what they may do and when they delete.

Collecting candidate and employee documents compliantly

The fix is one controlled intake step at each gate — application and onboarding — rather than a rebuild of HR. A short notice-and-consent step where candidates submit documents, a single controlled channel for onboarding paperwork instead of ad-hoc email and chat, collection trimmed to what each purpose needs, and masking where the full identifier isn’t required get you most of the way. This is common ground across professional intake, not unique to HR, so the mechanics live in a dedicated guide — see secure client document collection for professionals for the channel-and-consent walkthrough, and collecting Aadhaar, PAN and KYC for what you can ask for and how.

FAQ

Do we need employee consent to run payroll under DPDP?

No. Payroll, statutory deductions and ordinary employment administration are covered by the Act’s employment ground, so fresh consent isn’t required for them. The duties that do apply are security, retention limits and breach reporting.

Do job applicants need to give consent before we process their CV?

That’s the safe footing. A candidate isn’t clearly covered by the employment ground, so take notice-and-consent at the application step — and state it explicitly if you intend to keep CVs on file for future roles.

Is a background check covered by Section 7(i)?

Treat it as consent territory. BGV happens before employment exists, and it often pulls in third-party agencies — a clear consent from the candidate, naming what will be checked, is the defensible basis.

Can we monitor employees’ laptops and chats under the employment ground?

The safeguarding limb supports proportionate, disclosed monitoring tied to a genuine protective purpose — preventing data theft, securing systems. It is not a licence for open-ended surveillance, and reaching into clearly personal content is contested ground worth treating carefully.

How long can we keep an ex-employee’s file?

Split it. Statutory records (payroll, PF, ESI, tax) stay for the periods their own laws mandate — that’s a recognised basis. Everything without a statutory hold — CVs, interview notes, BGV reports, medical certificates — should be deleted once its purpose is served, on a written schedule.

Reviewed by Confidential Dispatch Editorial Team
Last updated 17 July 2026
Not legal advice.

Collecting personal data from your own customers?

These are the rights your business has to honour. See where you stand with a two-minute self-check — no sign-up, no data stored.

Run the compliance self-check →