Section 4 Grounds Checklist: 6 Lawful Bases for Retail & Hospitality Data
| Applies to | Retail stores, restaurants, hotels, and hospitality chains operating in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-06 |
| Source | DPDPAReady Compliance Team |
Why Your Retail or Hospitality Business Cannot Process Customer Data Without a Section 4 Ground
Your hotel collected a guest’s phone number to send booking confirmation—but have you documented why you have the right to process that number? Without a lawful basis under Section 4, you are processing personal data illegally, regardless of how securely you store it.
Section 4 of the DPDPA 2023 is not optional. It is the permission slip for every data collection in your business. A retail store collecting email addresses for a loyalty program, a restaurant storing credit card details, a hotel recording CCTV footage—each action requires one of six documented grounds. Audit firms and compliance bodies now report a rising number of retail and hospitality businesses operating without these grounds documented, exposing themselves to penalties up to ₹150 crore.
This template walks you through identifying, documenting, and auditing each ground in your business.
The Six Lawful Grounds Under Section 4
Section 4(1) of the DPDPA permits processing personal data on only one of six grounds. No exceptions. Here is what each ground means for a retail or hospitality business:
1. Consent (Section 4(1)(a)) – You have explicit, specific, informed written consent from the data principal.
- Retail example: A customer ticking “Yes” to “Send me promotional offers” before buying online.
- Hospitality example: A guest signing a consent form at check-in agreeing you may collect their phone number for booking updates.
- Compliance note: Generic consent (“I agree to Terms & Conditions”) does not satisfy Section 4. It must be separate, specific, and reversible.
2. Contract (Section 4(1)(b)) – Processing is necessary to fulfill a contract with the data principal.
- Retail example: Capturing a customer’s address to ship an online order.
- Hospitality example: Recording a guest’s passport number for hotel registration.
- Compliance note: “Nice to have” data (e.g., collecting dietary preferences when not needed for catering) does not qualify.
3. Legal Obligation (Section 4(1)(c)) – You are required by law to process the data.
- Retail example: Collecting GST registration details as a business-to-business requirement.
- Hospitality example: Mandatory guest registration for law enforcement under State rules.
- Compliance note: You must cite the specific law. “It’s required somewhere” is not enough.
4. Vital Interests (Section 4(1)(d)) – Processing is necessary to protect life or safety.
- Retail example: Storing a customer’s allergy information in a restaurant to avoid serving dangerous food.
- Hospitality example: Recording CCTV footage to prevent theft or violence on premises.
- Compliance note: Vital interests does not mean “useful to our business.” It means immediate harm would occur without processing.
5. Public Function (Section 4(1)(e)) – You are performing a statutory duty or public task.
- Retail example: A government-run store processing vendor data per ministry directive.
- Hospitality example: A public-sector hotel collecting data to fulfill a government hospitality scheme.
- Compliance note: Private businesses rarely qualify. You must hold official delegated authority.
6. Legitimate Interests (Section 4(1)(f)) – Your business interest justifies the processing, balanced against the individual’s rights.
- Retail example: A store recording customer behavior to optimize layout and stock.
- Hospitality example: A hotel analyzing guest feedback to improve room quality.
- Compliance note: This is easiest to claim and hardest to defend. Document your balancing test—why your interest outweighs the person’s privacy right.
Section 4 in Full
“A data fiduciary may process personal data only on one or more of the following grounds: (a) the data principal has given consent; (b) processing is necessary for performing a contract to which the data principal is a party; (c) processing is required by any law for the time being in force; (d) processing is necessary to protect the vital interests of the data principal; (e) the State is processing personal data for a public function; or (f) processing constitutes a legitimate interest of the data fiduciary or a third party.”
— Section 4(1), Digital Personal Data Protection Act, 2023
Five-Step Audit Checklist: Verify Your Processing Grounds
-
Map all data collection points. List every place you collect personal data: online forms, in-store payments, loyalty sign-ups, CCTV, staff applications, delivery addresses, email captures, phone numbers, guest registrations, feedback forms.
-
Assign one ground to each collection point. For each point, write down which one of the six grounds you are relying on. (You cannot list multiple grounds for the same data collection—pick one.)
-
Document your justification. For Consent, write down what you told the person. For Contract, cite the specific contractual need. For Legal Obligation, name the law. For Vital Interests, explain the harm. For Public Function, show your authority. For Legitimate Interests, document your balancing test.
-
Update your Privacy Notice. Your Privacy Notice (required under Section 6) must disclose which ground you are using. If your Privacy Notice says “Consent” but you are actually relying on “Legitimate Interests,” you are in violation.
-
Train staff on the grounds. Your team should know why data is being collected. A front desk agent must know whether a guest’s phone number is collected under Contract (confirmation) or Consent (promotional offers). Confusion leads to over-collection and breach risk.
Compliance Template: Personal Data Processing Ground Register
Use this template to document your processing grounds. Fill in one row for each data collection point in your business.
| Data Type | Collection Point | Ground (Section 4) | Justification / Citation | Privacy Notice Disclosure | Responsible Person |
|---|---|---|---|---|---|
| Name, Phone | Hotel check-in desk | Contract (4(1)(b)) | Necessary for guest registration and room booking confirmation | ”We collect your name and phone to confirm your booking and send check-in instructions” | Front Desk Manager |
| Loyalty program sign-up form | Consent (4(1)(a)) | Guest clicks “Yes” to “Send me offers and updates”; consent form attached to PII | ”We collect your email to send you personalized offers. You may unsubscribe anytime via the link in our emails” | Marketing Manager | |
| Credit card number | Online / in-store payment | Contract (4(1)(b)) | Necessary to process payment and fulfill order | ”We collect payment details to process your transaction and for fraud prevention” | Finance Manager |
| CCTV footage | Store / hotel lobby | Vital Interests (4(1)(d)) | Necessary to prevent theft, assault, and other physical harm | ”CCTV footage is recorded to ensure the safety of our guests and staff and to prevent theft” | Security Manager |
| Dietary restrictions | Restaurant reservation form | Legitimate Interests (4(1)(f)) | Our interest in delivering excellent service outweighs the burden of storing this data | ”We collect information about dietary restrictions to ensure we can meet your needs during your stay” | Restaurant Manager |
| Staff ID & address | Payroll system | Legal Obligation (4(1)(c)) | Required by Income Tax Act, 1961 Section 192 (salary deduction) | “We collect your address and ID to comply with tax withholding and employment law” | HR Manager |
Frequently Asked Questions
Q: Can I use “legitimate interests” for everything? A: No. Legitimate interests is a default, not a free pass. You must conduct and document a balancing test: Is our business interest proportionate to the harm to privacy? For example, storing a guest’s full passport details “just in case” is overreach. Storing their name and ID card number for identity verification is proportionate. If you cannot justify why the person’s privacy interest is outweighed, you are in breach.
Q: If a guest refuses to give their phone number, can I refuse to check them in? A: Only if the phone number is necessary to fulfill the contract (e.g., to send booking confirmation). If you are collecting it only for promotional offers (consent-based), you must accept a booking without it. If you have a legal requirement to collect it, you can refuse check-in but must cite that law in your Privacy Notice.
Q: Is GDPR consent enough for Section 4 compliance? A: No. GDPR consent and DPDPA Section 4 consent are different standards. GDPR allows implied consent in some cases; DPDPA requires explicit, specific, informed consent. If you are collecting GDPR-compliant consent from international guests, you must add a separate, explicit checkbox for DPDPA compliance. Auditors will check this.
Q: What happens if a regulator audits my business and I cannot show my Section 4 grounds? A: The Data Protection Board (DPB) will issue a notice under Section 18 requiring you to demonstrate compliance. If you cannot produce documented grounds, you face penalties up to ₹150 crore under Section 33 for violations of Section 4. You may also be ordered to stop processing that data immediately.
Q: Can I update my grounds later if an audit finds gaps? A: Technically yes—you can document a ground retroactively—but this is considered an admission of past violation. The safer practice is to audit your grounds now and document them in writing (via email to your legal team or in a compliance register, with timestamps). If an audit later reveals a gap, you can demonstrate you conducted a review and have complied since then, which may reduce penalties.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →