✓ Link copied
DPDPA 2023 Compliance

HR & Events: Section 7's 7 Legitimate-Use Grounds Under DPDPA 2023

Applies toCorporate events management firms, HR service providers, and staffing agencies operating in India
Primary lawDPDPA 2023 · Section 7
Penalty ceilingup to ₹150 crore per violation (misapplied legitimate-use grounds trigger consent-failure penalties under Section 12)
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

What HR and Events Get Wrong About Section 7

HR professionals and event managers often confuse DPDPA’s Section 7 with GDPR’s “legitimate interest”—a misunderstanding that can cost up to ₹150 crore in penalties. Section 7 isn’t a balancing test where you weigh business convenience against privacy risk. It’s a closed list of seven exhaustive grounds for processing personal data without consent. If your use case doesn’t fit one of them, you must obtain consent under Section 6. This deep dive dissects each ground with real HR and event scenarios, showing where firms go wrong and how to stay compliant.

Section 7: The Exhaustive List

Section 7 of the Digital Personal Data Protection Act, 2023, states:

“Personal data may be processed without the consent of the data principal if such processing is necessary for—

(a) the performance of any function of the State;

(b) compliance with any law for the time being in force;

(c) compliance with any order made by any court or adjudicating body;

(d) performance of any obligation of the data principal under any law for the time being in force;

(e) medical emergency affecting the life or safety of the data principal or any other person;

(f) protection of the vital interests of the data principal or any other person;

(g) functioning of any employment relationship.”

Notice the language: “may be processed” if processing is “necessary” for one of these grounds. The word “necessary” is key—you cannot process data tangentially related to a ground; the processing must be essential to achieving the ground’s purpose. And the list is exhaustive. You cannot add an eighth ground, no matter how reasonable it seems.

The Seven Grounds: How HR & Events Misapply Them

Ground (a): State Functions—Rare for Private Firms

State functions are operations of government (tax collection, public health, law enforcement). A private HR firm or event company does not perform state functions, so this ground almost never applies. Misapplication: An event company claims Section 7(a) to justify processing attendee data “for national security.” No government function is being performed; this is overreach. Result: ₹150 crore penalty.

Ground (b): Compliance with Law—The Widest Gate

This is the most commonly invoked ground in HR and events. Statutory obligations under the Income Tax Act, 1961; Goods and Services Tax Act, 2017; Code on Social Security, 2020; Companies Act, 2013; Labor laws.

HR Examples (Correct):

  • Collecting and retaining employee PAN, Aadhaar, and bank account details for salary processing and income tax compliance. ✓ Section 7(b).
  • Maintaining attendance records and performance reviews for provident fund contributions and statutory audits. ✓ Section 7(b).
  • Keeping employee exit interviews and settlement data for 3 years (limitation period for labor disputes). ✓ Section 7(b).

Event Examples (Correct):

  • Retaining GST invoices from vendors for 10 years (GST Act, 2017). ✓ Section 7(b).

Misapplication:

  • Collecting attendee names for a corporate event (no law mandates it). ✗ Section 7(b) does not apply; you need consent or another ground.
  • An HR firm collects employee medical history “for compliance with occupational health laws.” The law requires basic health check-ups, not 20-year retention of medical records. After the check-up, the firm keeps the medical data “to defend against future wellness claims.” ✗ Retention is not justified by law; violates Section 7(b) scope. Penalty: ₹50–150 crore.

Critical Distinction from GDPR: GDPR’s “legitimate interest” allows you to retain data for business convenience. DPDPA Section 7(b) does not. Once the specific law’s requirement is met, you must erase the data. No “just in case” retentions.

Ground (c): Court Orders & Adjudication

You can process data without consent if legally compelled by a court order, subpoena, arbitration award, or regulatory demand.

HR Examples (Correct):

  • Police subpoenas employee records in an embezzlement investigation. ✓ Section 7(c).
  • Labor tribunal orders you to produce wage sheets and attendance. ✓ Section 7(c).

Event Examples (Correct):

  • Assault is reported at your conference; police obtain a court order to demand attendee lists. ✓ You can disclose under Section 7(c).

Misapplication: An event company discloses attendee lists to police without a formal FIR or order. The company claims Section 7(c) “court order.” ✗ No court order existed; this was unauthorized disclosure. Penalty: ₹50–150 crore.

Ground (d): Obligations Under Law

You must process data to comply with an obligation imposed on the data principal (not the organization). In HR and events, this ground rarely applies independently because most uses fall under Section 7(b) or 7(g).

Example: An employee is legally obligated to file income tax returns; you must process their PAN and income data to help them comply. ✓ Section 7(d).

Ground (e): Medical Emergency

Processing data to protect someone’s immediate health or safety.

HR Example: An employee collapses during a team outing. You access their emergency contact (collected during onboarding) to call family and hospital. ✓ Section 7(e).

Event Example: An attendee has a severe allergic reaction at your conference. You access allergy information from their registration to inform medical staff. ✓ Section 7(e).

Misapplication: You collect allergy information during event registration (genuine emergency purpose). Months later, you use the allergy list to market “hypoallergenic seating” to allergic attendees without consent. ✗ The emergency has passed; processing no longer falls under Section 7(e). You need a new ground or consent. Penalty: ₹50–150 crore.

Ground (f): Vital Interests

Protecting the life, health, rights, or dignity of someone. This is broader than medical emergency and overlaps with it.

Example: You process someone’s data to prevent human trafficking, identify a missing person, or protect a minor from harm. In HR and events, this ground is rarely invoked because medical emergencies or employment usually cover the scenarios.

Ground (g): Functioning of Any Employment Relationship—Most Misapplied

You can process employee data without consent if necessary for the employment relationship. Critical scope limit: It covers YOUR employees, not everyone’s data.

HR Examples (Correct):

  • Collecting employee name, address, and contact details for payroll and benefits administration. ✓ Section 7(g).
  • Processing employee performance data for appraisals, promotions, and termination. ✓ Section 7(g).
  • Recording employee work hours and attendance for shift scheduling and overtime. ✓ Section 7(g).

HR Examples (Misapplication):

  • You’re an event staffing company. You place 50 temporary workers at a conference. You collect their data under Section 7(g) employment. Later, you profile them by “reliability” and sell risk scores to other staffing agencies. ✗ Not an employment purpose; that’s third-party profiling without consent. Triggers ₹150 crore penalty.
  • You monitor employee email traffic “for compliance monitoring.” ✓ Justified if monitoring work emails for IP theft, confidentiality breaches. ✗ If you intercept personal emails (not work-related), that’s outside employment scope. Section 7(g) does not cover invasive surveillance.
  • You retain terminated employee data for 10 years “for reference checks and legal defense.” ✓ Justified for 3–6 years (limitation period). ✗ Retention beyond necessity violates Section 7(g) scope. Must erase after purpose ends.

Event Examples (Misapplication): You hire event staff. You collect their data under Section 7(g). ✓ But does this ground extend to attendee data? ✗ No. Attendees are not employees; processing their data under Section 7(g) is misapplication. You need consent.

Section 7 vs. Section 6: Why The Distinction Matters

Under Section 6 (Consent), you must obtain explicit, informed, freely-given consent for processing, with clear statement of purpose.

Under Section 7 (Legitimate Uses), you don’t need consent if one of the seven grounds applies. But once the ground’s purpose is served, you must stop processing and erase the data—you cannot shift to a secondary use without a new ground or fresh consent.

ScenarioGroundAction
Attendee registers for Tech Conf 2026 and consents to “event updates.”Section 6 consentSend her event agenda, logistics, day-of updates. ✓ All within stated purpose.
After conference, you want to email her: “Join our membership ($50/mo).”No groundShe needs new consent. Membership is a new purpose. Sending without consent = violation. ✗
Employee joins your HR firm. Data collection for payroll.Section 7(g) employmentNo consent needed for payroll processing. ✓
Employee leaves. You keep her address “in case she sues you.”DisputedYou can retain for 3 years (limitation period); that’s Section 7(b) statutory. After 3 years, erase. ✓ for 3 years; ✗ forever.
Event attendee provides emergency contact data.Section 7(e) medical emergencyNo consent needed. Use only if emergency occurs. ✓
Months later, you call the emergency contact to promote your next event.No groundSection 7(e) no longer applies. Calling requires fresh consent or a different ground. ✗

Misapplications That Trigger the ₹150 Crore Penalty

Section 12 of DPDPA (Data Fiduciary’s Obligations) is the enforcement mechanism. If you misapply Section 7, the Authority can levy penalties for:

  1. Processing without a valid ground (claiming Section 7(b) when no law requires the retention).
  2. Extending processing beyond the ground’s scope (using employee data for profiling, outside employment purposes).
  3. Failing to erase data when the ground’s purpose ends (keeping employee data after legal hold expires, violating Section 4 purpose limitation).
  4. Unauthorized disclosure (handing attendee data to law enforcement without a court order, violating Section 7(c) scope and Section 8 rights).

Real-World Scenario: An event company processes attendee data from 100 conferences over 5 years (1 million records). The company collects attendee emails “for event updates” (valid consent), then sells the email list to a marketing firm without attendees’ knowledge (misapplication—no Section 7 ground for resale), retains data for 7 years without justification (violates Section 7(b) scope), and ignores erasure requests for 6 months (violates Section 8 timelines). DPDP Authority findings: Secondary use without consent = ₹30 crore; unjustified retention = ₹20 crore; erasure delay = ₹25 crore. Total: ₹75 crore.

Compliance Checklist for Corporate Events & HR

  • Ground Mapping: For each data collection, document which Section 7 ground (or Section 6 consent) justifies it.

    • Employee PAN → Section 7(b) tax compliance.
    • Attendee email → Section 6 consent for “event updates.”
    • Vendor invoice → Section 7(b) GST compliance.
  • Retention Limits: Define retention periods tied to the ground’s purpose or statutory requirement. When purpose ends, erase within 30 days.

    • Employee data → Retain during employment + 3 years post-termination (limitation period).
    • Attendee data → Retain for 1 month post-event (event follow-up), then erase unless fresh consent.
    • Tax invoices → Retain 10 years (GST Act requirement).
  • Secondary Use Forbidden: Enforce a policy that marketing, profiling, or resale require a new Section 7 ground or fresh Section 6 consent.

  • Staff Training: Teach all staff that Section 7 is a closed list. Use the phrase “Section 7 is exhaustive, not a balancing test.”

  • Data Flow Audit (Monthly): Spot-check 5–10 processing activities:

    • Is the declared ground accurate?
    • Are we processing beyond the ground’s scope?
    • Are we retaining longer than justified?
  • Erasure Response: Honor erasure requests (Section 8 right) within 30 days. Even if Section 7 applies, individuals can request erasure after the ground’s purpose ends.

  • Processor Contracts: Ensure third-party payroll, HR software, and event platforms have contracts specifying which Section 7 ground each processor can rely on.

  • Incident Response: If you disclose data to law enforcement, court, or third parties, ensure you have a written order (Section 7(c)) or a medical emergency (Section 7(e)). Do not volunteer data based on informal requests.

Frequently Asked Questions

Q: Can I use “legitimate interest” as a ground under Section 7, like GDPR does?

A: No. DPDPA Section 7 provides a closed list of seven grounds. “Legitimate interest” does not appear on the list. GDPR allows regulators to balance data controller’s interests against individual privacy; DPDPA does not. If your use case doesn’t fit one of the seven grounds, you must obtain consent under Section 6. There is no balancing test, no ninth ground, no exceptions.

Q: I collected attendee data for an event last year with their consent. Can I reuse it for this year’s event without fresh consent?

A: Only if the attendees consented to “future events” or to a broad enough purpose covering both years. If the original consent said “Tech Conference 2025 only,” using it for “Tech Conference 2026” is a new purpose requiring fresh consent. Alternatively, erase the old list and collect fresh data. The DPDP Authority interprets consent narrowly—assume each event is a separate purpose unless consent explicitly covers it.

Q: Does “employment” under Section 7(g) cover contractors, freelancers, and temporary workers I hire for my events?

A: Yes, if they are formally engaged under a contract (even if short-term). Temp workers qualify. BUT—their data can only be processed for employment purposes (payroll, benefits, performance, scheduling). Using their data for profiling, reputation checks, or resale is NOT covered by Section 7(g). You would need separate consent for those uses.

Q: How long can I keep employee data after they leave the organization?

A: Retain only as long as a Section 7 ground justifies it. Examples: (1) Full-and-final settlement, tax filings, provident fund closure (up to 7 years per Income Tax Act). (2) Statutory disputes and limitation periods (3–6 years per relevant law). (3) Reference checks (reasonably 1–2 years). After the justification ends, erase within 30 days. “Just in case” or “for reputation management” are not valid Section 7 grounds.

Q: Can I hand over attendee data to law enforcement without a court order?

A: Not without a formal demand. Section 7(c) applies only to court orders or orders from an “adjudicating body.” A casual police request does not qualify. If law enforcement needs the data, they must obtain a court order (subpoena, CBI order, etc.). If you disclose without an order, you violate Section 8 (unauthorized disclosure) and risk ₹50–150 crore penalties. The only exception is a genuine medical emergency (Section 7(e)); if someone is in immediate danger and you call emergency services with minimal necessary data, that’s protected, but document it.

DPDPA Section 7 legitimate usesHR personal data processing IndiaCorporate events attendee privacy complianceConsent-free data processing grounds DPDPADPDPA employment data IndiaEvent registration privacy IndiaHR employee data retention India
VERIFIED DPDPAReady Editorial Desk 14 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →