BACK TO DPDP RULES INDEX
DPDP Rules 2025 Phase 3 (13 May 2027) CONSENT

Rule 5

Purposes for Which Personal Data May Be Processed Without Consent

Practical Note

Rule 5 specifies the exact circumstances in which processing is allowed without consent — the DPDP equivalent of GDPR's non-consent lawful bases. These are a closed, enumerated list. Any processing not falling within Act Section 7 categories and Rule 5 specifications requires consent. HR, legal compliance, and public health use-cases are covered. General commercial purposes (like marketing or product improvement) are not — these require consent.

THE STATUTE

Original Text

For the purposes of clauses (a) to (g) of section 7, the circumstances in which personal data may be processed without consent of the Data Principal are specified as follows — (a) for the purpose of providing a benefit, service, certificate, licence or permit sought by the Data Principal: [processing for the specific government benefit requested]; (b) for performing any function or service under law or for providing medical treatment in health emergency: [processing of data needed for the stated legal obligation or medical emergency]; (c) for employment purposes where the Data Principal is an employee: [HR data processing within the employment relationship]; (d) for the State and its instrumentalities for formulating or implementing policies, schemes or activities and for archiving, research or statistics.

Analysis & Details

Rule 5 gives specific content to the 'legitimate use' categories in Act Section 7 — which permits processing without consent in defined circumstances. Unlike GDPR's open-textured legitimate interests test (which allows broad commercial processing if the controller's interests outweigh the data subject's), DPDP's legitimate use categories are a closed, exhaustive list. Rule 5's key legitimate use categories are: (1) STATE BENEFIT DELIVERY — processing data to provide a specific government benefit, service, certificate, or licence that the individual themselves applied for (e.g., PAN card application, ration card, driving licence). The critical constraint: the data can only be used for the specific benefit requested — not repurposed for other government functions; (2) LEGAL OBLIGATIONS AND MEDICAL EMERGENCIES — processing required to comply with a legal obligation or to provide urgent medical treatment; (3) EMPLOYMENT — HR-related processing within the employer-employee relationship, covering payroll, performance management, benefits administration, background checks, and similar employment functions. The processing must be 'in connection with employment' — speculative HR analytics or third-party data sales are not covered; (4) STATE AND RESEARCH — processing by the state and its instrumentalities for policy formulation, archiving, academic research, and statistics. The research exemption is limited to specific research functions and does not create a broad research exception. Notably absent from legitimate use: marketing and advertising, product improvement, commercial analytics, fraud prevention by private entities, and most business-as-usual commercial processing. These all require consent under DPDP.

GDPR Parallel

Articles 6(1)(b)–(f) (Lawful bases other than consent)

IT Act Impact

Rule 5's legitimate use categories partially overlap with the 'legitimate purpose' concept in IT Act SPDI Rules. Where Rule 5 applies, the SPDI framework is superseded for digital personal data.

Common Queries

Yes, within limits. Rule 5 permits processing of an employee's personal data without consent for HR-related purposes within the employment relationship — payroll, performance management, benefits, tax compliance, background verification, and similar employment functions. Processing must be directly connected to the employment relationship and cannot be extended to unrelated commercial purposes.
No — and this is a critical difference. GDPR's legitimate interests is a flexible, open-textured basis allowing a wide range of commercial processing (fraud prevention, marketing analytics, network security, etc.) subject to a balancing test. DPDP's 'legitimate use' under Section 7 and Rule 5 is a closed, enumerated list with no equivalent flexibility. Most commercial processing not involving the specific categories in Rule 5 requires consent under DPDP.
No — Rule 5's state benefit provision requires that data collected for a specific benefit, service, or licence be used only for that purpose. Cross-scheme data sharing by government agencies requires separate authority (another legitimate use category or consent). This is a significant constraint on government data integration and Aadhaar-linked schemes.

Key Rules & Provisions

Enumerated, closed list — no open-textured legitimate interests test as in GDPR.

Employment processing explicitly permitted within the employment relationship.

Government benefit processing limited to the specific benefit applied for — no repurposing.

'Compelling legitimate interests' provision removed from January 2025 draft.

Commercial processing (marketing, analytics, fraud prevention) NOT covered — requires consent.