DPDP Act 2023

Section 7

Certain Legitimate Uses

THE STATUTE

Original Text

A Data Fiduciary may process personal data of a Data Principal for any of the following purposes, namely: —
(a) performance of a function of the State or any of its instrumentalities;
(b) compliance with any law or judgment;
(c) responding to medical emergencies involving a threat to life or immediate threat to health;
(d) taking measures to provide medical treatment or health services during epidemic, outbreak of disease or similar threat to public health;
(e) taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster or breakdown of public order;
(f) purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.

Simplified

Section 7 lists the 'legitimate uses' for which Data Fiduciaries do not need consent. These are non-waivable in the sense that Data Principals cannot block these uses through consent withdrawal.

The State exemption (7a) is the broadest: any government function can use personal data without consent, subject to other constitutional and statutory constraints. This covers Aadhaar-linked services, tax processing, welfare scheme administration, and law enforcement. The employment exemption (7f) is practically critical for businesses: HR functions including monitoring, confidentiality enforcement, background verification, and intellectual property protection can proceed without employee consent for each processing activity, though overall employment data handling must respect the Act's other principles. The medical emergency and public health exemptions (7c, 7d) respond to COVID-19 lessons about data sharing during crises. Disaster relief (7e) similarly permits data use without consent during catastrophic events.

Unlike GDPR's 'legitimate interests' test, which requires balancing against individual rights, these DPDP legitimate uses are categorical: if the purpose fits, consent is not needed. This gives businesses and government more certainty but less flexibility in novel situations.

Common Queries

Yes, under Section 7(f). Employment-related processing — including attendance, performance monitoring, background verification, and enforcement of confidentiality agreements — qualifies as a legitimate use. However, this exemption is limited to processing reasonably necessary for the employment relationship. Employees retain rights under other sections of the Act.
No. Section 7(b) is a broad state exemption: processing by the State or its instrumentalities for providing subsidies, benefits, services, certificates, licences, or permits under law or policy is a legitimate use without consent. This covers Aadhaar-linked benefit delivery, public health schemes, and government service delivery platforms.
Yes. Section 7(c) permits processing to respond to medical emergencies, including sharing data with healthcare providers treating a patient in life-threatening situations. This reflects the priority of life and safety over informational privacy in genuine emergencies.
GDPR's legitimate interests ground (Article 6(1)(f)) requires a balancing test — the controller's interest must outweigh the data subject's interests and rights. DPDP Act Section 7 is categorical: if the purpose fits one of the listed uses, consent is not needed and no individual balancing is required. This gives more predictability but less flexibility for novel use cases.
No. Legitimate uses under Section 7 operate independently of the Data Principal's consent — they cannot be blocked by a Data Principal objection. This contrasts with GDPR, where data subjects can object to processing based on legitimate interests. Under the DPDP Act, if the processing qualifies as a legitimate use, the Data Fiduciary is entitled to proceed.

Legal Context

The Srikrishna Committee had proposed a broader 'reasonable purposes' concept. The JPC added more specific carve-outs. The final DPDP Act's Section 7 is a compromise — more specific than GDPR's legitimate interests test, reflecting India's need for clear boundaries in a lower-litigation, lower-enforcement-capacity environment. The State exemption is broader than comparable EU provisions, reflecting India's tradition of state-centric data governance.

Key Rules & Provisions

No balancing test — categorical exemptions unlike GDPR Article 6(1)(f).

State exemption is very broad — covers all government functions without granular proportionality analysis.

Employment exemption explicitly covers trade secrets and corporate espionage prevention.

Related Case Laws

Ram Jethmalani v. Union of India (2011)

(2011) 8 SCC 1
RELEVANCE

The Supreme Court's recognition that the State has legitimate interest in accessing certain financial data for anti-corruption and tax enforcement — without requiring individual consent in every case — anticipates the Section 7 legitimate uses framework, which includes broad State processing exemptions.