DPDP Act 2023

Section 4

Grounds for Processing Personal Data

THE STATUTE

Original Text

A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose — (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses.

Simplified

Section 4 establishes the two and only two lawful bases for processing personal data under the DPDP Act — a much simpler framework than GDPR's six lawful bases. The primary ground is consent, governed by Section 6 with detailed requirements. The secondary ground is 'legitimate uses' — a defined list in Section 7 that permits processing without consent in specified circumstances: medical emergencies, employment-related processing, processing for government benefits and services, processing by the State for national security, and similar public interest scenarios.

This binary structure simplifies compliance: a Data Fiduciary must ask — 'do I have the Data Principal's consent, or does my use case fall within one of the Section 7 legitimate uses?' If neither, the processing is unlawful.

The 'lawful purpose' qualifier applies to both grounds — even with consent, processing must be for a purpose that does not violate applicable law. This prevents consent from laundering fundamentally illegal data uses.

Common Queries

Consent (Section 6) and legitimate uses (Section 7). Unlike GDPR's six lawful bases, the DPDP Act uses a binary framework — a Data Fiduciary must identify one of these two grounds for every processing activity or the processing is unlawful.
No. Section 4 requires that even consented processing must be for a 'lawful purpose' — meaning the purpose itself must not violate any law in force. Consent cannot be used to legitimise fundamentally illegal processing, such as collecting data to facilitate fraud or money laundering.
The processing is unlawful under Section 4. The Data Fiduciary would be liable to a penalty of up to ₹150 crore under Section 33 for violation of the general data processing obligations in Sections 4–8.
Significantly so. GDPR's six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) require case-by-case assessment for each processing activity. The DPDP Act's binary framework — consent or Section 7 legitimate use — reduces this complexity, though the permitted legitimate uses are more narrowly defined.

Legal Context

The GDPR's six lawful bases were considered too complex for India's enforcement environment. The Srikrishna Committee recommended a broader consent-plus-reasonable-purposes model. The final DPDP Act adopted a consent + legitimate uses binary that is simpler to communicate and enforce. The legitimate uses carve-out is broader than GDPR's 'legitimate interests' — it is a statutory list rather than a balancing test, making it more predictable for Data Fiduciaries.

Key Rules & Provisions

Two processing grounds (consent + legitimate uses) vs GDPR's six grounds — significantly simpler architecture.

'Legitimate uses' in Section 7 are a statutory list — no balancing test required unlike GDPR Article 6(1)(f).

'Lawful purpose' requirement ensures consent cannot be used to authorise illegal processing.

Related Case Laws

Justice K.S. Puttaswamy v. Union of India (2017)

(2017) 10 SCC 1
RELEVANCE

The Puttaswamy court held that any restriction on the right to privacy must be lawful, necessary, and proportionate. Section 4's lawful purpose requirement for personal data processing directly reflects this proportionality mandate — processing must have a lawful basis and must not exceed what is necessary.