HR & Events: Section 7's 7 Legitimate-Use Grounds Under DPDPA 2023
| Applies to | Corporate events management firms, HR service providers, and staffing agencies operating in India |
| Primary law | DPDPA 2023 · Section 7 |
| Penalty ceiling | up to ₹150 crore per violation (misapplied legitimate-use grounds trigger consent-failure penalties under Section 12) |
| Enforcement status | Data Protection Board accepting complaints — 2026-08 |
| Source | DPDPAReady Compliance Team |
What HR and Events Get Wrong About Section 7
HR professionals and event managers often confuse DPDPA’s Section 7 with GDPR’s “legitimate interest”—a misunderstanding that can cost up to ₹150 crore in penalties. Section 7 isn’t a balancing test where you weigh business convenience against privacy risk. It’s a closed list of seven exhaustive grounds for processing personal data without consent. If your use case doesn’t fit one of them, you must obtain consent under Section 6. This deep dive dissects each ground with real HR and event scenarios, showing where firms go wrong and how to stay compliant.
Section 7: The Exhaustive List
Section 7 of the Digital Personal Data Protection Act, 2023, states:
“Personal data may be processed without the consent of the data principal if such processing is necessary for—
(a) the performance of any function of the State;
(b) compliance with any law for the time being in force;
(c) compliance with any order made by any court or adjudicating body;
(d) performance of any obligation of the data principal under any law for the time being in force;
(e) medical emergency affecting the life or safety of the data principal or any other person;
(f) protection of the vital interests of the data principal or any other person;
(g) functioning of any employment relationship.”
Notice the language: “may be processed” if processing is “necessary” for one of these grounds. The word “necessary” is key—you cannot process data tangentially related to a ground; the processing must be essential to achieving the ground’s purpose. And the list is exhaustive. You cannot add an eighth ground, no matter how reasonable it seems.
The Seven Grounds: How HR & Events Misapply Them
Ground (a): State Functions—Rare for Private Firms
State functions are operations of government (tax collection, public health, law enforcement). A private HR firm or event company does not perform state functions, so this ground almost never applies. Misapplication: An event company claims Section 7(a) to justify processing attendee data “for national security.” No government function is being performed; this is overreach. Result: ₹150 crore penalty.
Ground (b): Compliance with Law—The Widest Gate
This is the most commonly invoked ground in HR and events. Statutory obligations under the Income Tax Act, 1961; Goods and Services Tax Act, 2017; Code on Social Security, 2020; Companies Act, 2013; Labor laws.
HR Examples (Correct):
- Collecting and retaining employee PAN, Aadhaar, and bank account details for salary processing and income tax compliance. ✓ Section 7(b).
- Maintaining attendance records and performance reviews for provident fund contributions and statutory audits. ✓ Section 7(b).
- Keeping employee exit interviews and settlement data for 3 years (limitation period for labor disputes). ✓ Section 7(b).
Event Examples (Correct):
- Retaining GST invoices from vendors for 10 years (GST Act, 2017). ✓ Section 7(b).
Misapplication:
- Collecting attendee names for a corporate event (no law mandates it). ✗ Section 7(b) does not apply; you need consent or another ground.
- An HR firm collects employee medical history “for compliance with occupational health laws.” The law requires basic health check-ups, not 20-year retention of medical records. After the check-up, the firm keeps the medical data “to defend against future wellness claims.” ✗ Retention is not justified by law; violates Section 7(b) scope. Penalty: ₹50–150 crore.
Critical Distinction from GDPR: GDPR’s “legitimate interest” allows you to retain data for business convenience. DPDPA Section 7(b) does not. Once the specific law’s requirement is met, you must erase the data. No “just in case” retentions.
Ground (c): Court Orders & Adjudication
You can process data without consent if legally compelled by a court order, subpoena, arbitration award, or regulatory demand.
HR Examples (Correct):
- Police subpoenas employee records in an embezzlement investigation. ✓ Section 7(c).
- Labor tribunal orders you to produce wage sheets and attendance. ✓ Section 7(c).
Event Examples (Correct):
- Assault is reported at your conference; police obtain a court order to demand attendee lists. ✓ You can disclose under Section 7(c).
Misapplication: An event company discloses attendee lists to police without a formal FIR or order. The company claims Section 7(c) “court order.” ✗ No court order existed; this was unauthorized disclosure. Penalty: ₹50–150 crore.
Ground (d): Obligations Under Law
You must process data to comply with an obligation imposed on the data principal (not the organization). In HR and events, this ground rarely applies independently because most uses fall under Section 7(b) or 7(g).
Example: An employee is legally obligated to file income tax returns; you must process their PAN and income data to help them comply. ✓ Section 7(d).
Ground (e): Medical Emergency
Processing data to protect someone’s immediate health or safety.
HR Example: An employee collapses during a team outing. You access their emergency contact (collected during onboarding) to call family and hospital. ✓ Section 7(e).
Event Example: An attendee has a severe allergic reaction at your conference. You access allergy information from their registration to inform medical staff. ✓ Section 7(e).
Misapplication: You collect allergy information during event registration (genuine emergency purpose). Months later, you use the allergy list to market “hypoallergenic seating” to allergic attendees without consent. ✗ The emergency has passed; processing no longer falls under Section 7(e). You need a new ground or consent. Penalty: ₹50–150 crore.
Ground (f): Vital Interests
Protecting the life, health, rights, or dignity of someone. This is broader than medical emergency and overlaps with it.
Example: You process someone’s data to prevent human trafficking, identify a missing person, or protect a minor from harm. In HR and events, this ground is rarely invoked because medical emergencies or employment usually cover the scenarios.
Ground (g): Functioning of Any Employment Relationship—Most Misapplied
You can process employee data without consent if necessary for the employment relationship. Critical scope limit: It covers YOUR employees, not everyone’s data.
HR Examples (Correct):
- Collecting employee name, address, and contact details for payroll and benefits administration. ✓ Section 7(g).
- Processing employee performance data for appraisals, promotions, and termination. ✓ Section 7(g).
- Recording employee work hours and attendance for shift scheduling and overtime. ✓ Section 7(g).
HR Examples (Misapplication):
- You’re an event staffing company. You place 50 temporary workers at a conference. You collect their data under Section 7(g) employment. Later, you profile them by “reliability” and sell risk scores to other staffing agencies. ✗ Not an employment purpose; that’s third-party profiling without consent. Triggers ₹150 crore penalty.
- You monitor employee email traffic “for compliance monitoring.” ✓ Justified if monitoring work emails for IP theft, confidentiality breaches. ✗ If you intercept personal emails (not work-related), that’s outside employment scope. Section 7(g) does not cover invasive surveillance.
- You retain terminated employee data for 10 years “for reference checks and legal defense.” ✓ Justified for 3–6 years (limitation period). ✗ Retention beyond necessity violates Section 7(g) scope. Must erase after purpose ends.
Event Examples (Misapplication): You hire event staff. You collect their data under Section 7(g). ✓ But does this ground extend to attendee data? ✗ No. Attendees are not employees; processing their data under Section 7(g) is misapplication. You need consent.
Section 7 vs. Section 6: Why The Distinction Matters
Under Section 6 (Consent), you must obtain explicit, informed, freely-given consent for processing, with clear statement of purpose.
Under Section 7 (Legitimate Uses), you don’t need consent if one of the seven grounds applies. But once the ground’s purpose is served, you must stop processing and erase the data—you cannot shift to a secondary use without a new ground or fresh consent.
| Scenario | Ground | Action |
|---|---|---|
| Attendee registers for Tech Conf 2026 and consents to “event updates.” | Section 6 consent | Send her event agenda, logistics, day-of updates. ✓ All within stated purpose. |
| After conference, you want to email her: “Join our membership ($50/mo).” | No ground | She needs new consent. Membership is a new purpose. Sending without consent = violation. ✗ |
| Employee joins your HR firm. Data collection for payroll. | Section 7(g) employment | No consent needed for payroll processing. ✓ |
| Employee leaves. You keep her address “in case she sues you.” | Disputed | You can retain for 3 years (limitation period); that’s Section 7(b) statutory. After 3 years, erase. ✓ for 3 years; ✗ forever. |
| Event attendee provides emergency contact data. | Section 7(e) medical emergency | No consent needed. Use only if emergency occurs. ✓ |
| Months later, you call the emergency contact to promote your next event. | No ground | Section 7(e) no longer applies. Calling requires fresh consent or a different ground. ✗ |
Misapplications That Trigger the ₹150 Crore Penalty
Section 12 of DPDPA (Data Fiduciary’s Obligations) is the enforcement mechanism. If you misapply Section 7, the Authority can levy penalties for:
- Processing without a valid ground (claiming Section 7(b) when no law requires the retention).
- Extending processing beyond the ground’s scope (using employee data for profiling, outside employment purposes).
- Failing to erase data when the ground’s purpose ends (keeping employee data after legal hold expires, violating Section 4 purpose limitation).
- Unauthorized disclosure (handing attendee data to law enforcement without a court order, violating Section 7(c) scope and Section 8 rights).
Real-World Scenario: An event company processes attendee data from 100 conferences over 5 years (1 million records). The company collects attendee emails “for event updates” (valid consent), then sells the email list to a marketing firm without attendees’ knowledge (misapplication—no Section 7 ground for resale), retains data for 7 years without justification (violates Section 7(b) scope), and ignores erasure requests for 6 months (violates Section 8 timelines). DPDP Authority findings: Secondary use without consent = ₹30 crore; unjustified retention = ₹20 crore; erasure delay = ₹25 crore. Total: ₹75 crore.
Compliance Checklist for Corporate Events & HR
-
Ground Mapping: For each data collection, document which Section 7 ground (or Section 6 consent) justifies it.
- Employee PAN → Section 7(b) tax compliance.
- Attendee email → Section 6 consent for “event updates.”
- Vendor invoice → Section 7(b) GST compliance.
-
Retention Limits: Define retention periods tied to the ground’s purpose or statutory requirement. When purpose ends, erase within 30 days.
- Employee data → Retain during employment + 3 years post-termination (limitation period).
- Attendee data → Retain for 1 month post-event (event follow-up), then erase unless fresh consent.
- Tax invoices → Retain 10 years (GST Act requirement).
-
Secondary Use Forbidden: Enforce a policy that marketing, profiling, or resale require a new Section 7 ground or fresh Section 6 consent.
-
Staff Training: Teach all staff that Section 7 is a closed list. Use the phrase “Section 7 is exhaustive, not a balancing test.”
-
Data Flow Audit (Monthly): Spot-check 5–10 processing activities:
- Is the declared ground accurate?
- Are we processing beyond the ground’s scope?
- Are we retaining longer than justified?
-
Erasure Response: Honor erasure requests (Section 8 right) within 30 days. Even if Section 7 applies, individuals can request erasure after the ground’s purpose ends.
-
Processor Contracts: Ensure third-party payroll, HR software, and event platforms have contracts specifying which Section 7 ground each processor can rely on.
-
Incident Response: If you disclose data to law enforcement, court, or third parties, ensure you have a written order (Section 7(c)) or a medical emergency (Section 7(e)). Do not volunteer data based on informal requests.
Frequently Asked Questions
Q: Can I use “legitimate interest” as a ground under Section 7, like GDPR does?
A: No. DPDPA Section 7 provides a closed list of seven grounds. “Legitimate interest” does not appear on the list. GDPR allows regulators to balance data controller’s interests against individual privacy; DPDPA does not. If your use case doesn’t fit one of the seven grounds, you must obtain consent under Section 6. There is no balancing test, no ninth ground, no exceptions.
Q: I collected attendee data for an event last year with their consent. Can I reuse it for this year’s event without fresh consent?
A: Only if the attendees consented to “future events” or to a broad enough purpose covering both years. If the original consent said “Tech Conference 2025 only,” using it for “Tech Conference 2026” is a new purpose requiring fresh consent. Alternatively, erase the old list and collect fresh data. The DPDP Authority interprets consent narrowly—assume each event is a separate purpose unless consent explicitly covers it.
Q: Does “employment” under Section 7(g) cover contractors, freelancers, and temporary workers I hire for my events?
A: Yes, if they are formally engaged under a contract (even if short-term). Temp workers qualify. BUT—their data can only be processed for employment purposes (payroll, benefits, performance, scheduling). Using their data for profiling, reputation checks, or resale is NOT covered by Section 7(g). You would need separate consent for those uses.
Q: How long can I keep employee data after they leave the organization?
A: Retain only as long as a Section 7 ground justifies it. Examples: (1) Full-and-final settlement, tax filings, provident fund closure (up to 7 years per Income Tax Act). (2) Statutory disputes and limitation periods (3–6 years per relevant law). (3) Reference checks (reasonably 1–2 years). After the justification ends, erase within 30 days. “Just in case” or “for reputation management” are not valid Section 7 grounds.
Q: Can I hand over attendee data to law enforcement without a court order?
A: Not without a formal demand. Section 7(c) applies only to court orders or orders from an “adjudicating body.” A casual police request does not qualify. If law enforcement needs the data, they must obtain a court order (subpoena, CBI order, etc.). If you disclose without an order, you violate Section 8 (unauthorized disclosure) and risk ₹50–150 crore penalties. The only exception is a genuine medical emergency (Section 7(e)); if someone is in immediate danger and you call emergency services with minimal necessary data, that’s protected, but document it.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →