
Legitimate Use

The limited category of non-consent-based lawful grounds for processing personal data under Section 7 of the DPDP Act — narrower than GDPR's six lawful bases.

Full Definition

Section 7 of the DPDP Act 2023 sets out 'Certain Legitimate Uses': situations where personal data can be processed without consent. These are narrower than GDPR's six lawful bases and do not include a 'legitimate interests' ground (the most commonly used GDPR basis after consent). DPDP's legitimate uses include: compliance with a court judgment or order; performance of a function by the State or its instrumentalities; responding to a medical emergency; public health purposes; employment and employment-related purposes (limited); and situations involving a breakdown of public order. The absence of a 'legitimate interests' balancing test is one of the most significant structural differences between the DPDP Act and the GDPR.

In Indian Law

DPDP Act 2023, Section 7. The narrow legitimate use grounds mean Indian companies must rely more heavily on consent than their EU counterparts. For example: direct marketing based on 'legitimate interests' (common under GDPR) cannot use the same basis under the DPDP Act — marketers must obtain specific consent. Similarly, fraud prevention based on legitimate interests (standard GDPR practice) needs to be structured as a legitimate use under Section 7 or via contractual necessity.

Frequently Asked Questions

Why doesn't the DPDP Act have a 'legitimate interests' basis like the GDPR?

The omission was a deliberate policy choice — the drafters prioritised a consent-centric framework that gives Data Principals maximum control. The 'legitimate interests' balancing test under GDPR has been criticised for being too flexible and allowing companies to process data without meaningful consent. DPDP avoids this by keeping non-consent processing narrow and enumerated.

Quick Facts

Letter: L
Category: data-privacy
Origin: English
Laws: 2 section(s)