Real Estate & Section 7 DPDPA: 6 Legitimate Grounds for Consent-Free Data Processing
| Applies to | Real Estate Developers & Property Management Companies operating in India |
| Primary law | DPDPA 2023 · Section 7 |
| Penalty ceiling | up to ₹150 crore |
| Enforcement status | Data Protection Board accepting complaints — 2026-08 |
| Source | DPDPAReady Compliance Team |
What Section 7 Means for Real Estate Data Processing
Section 7 of the DPDPA 2023 permits real estate organizations to process personal data without explicit consent, but only under six exhaustive grounds. Unlike broader legal frameworks, Section 7 offers no balancing test—the list is closed. Misidentifying your ground triggers penalties up to ₹150 crore. Real estate transactions generate vast personal data: property owner details, tenant information, transaction records, occupancy proofs, and financial information. Processing this data correctly under Section 7 is not optional.
The Six Section 7 Grounds: Real Estate Application
(a) Functions of the State Conferred by Law
Processing necessary to discharge a governmental function mandated by statute. Real estate example: A housing society processes resident data to file property tax returns with the municipal corporation. The processing is required by the [State] Property Tax Act.
(b) Employment Purposes
Processing personal data of employees for payroll, benefits, workforce management, or performance records. Real estate example: A real estate firm maintains employee records—salary, address, employment history, performance reviews—for payroll and HR administration. Key limit: Does NOT extend to tenant, buyer, or vendor personal data.
(c) Sale or Transfer of Business
Processing that transfers with acquisition or merger, provided processing remains within the original purpose. Real estate example: Developer A sells its rental portfolio to Developer B. Developer B inherits the tenant database. Section 7(c) permits continued processing for rental management WITHOUT re-obtaining consent. However, if Developer B intends new purposes (cross-selling unrelated services), fresh consent is required.
(d) Compliance with Law
Processing compelled by statute, court order, or regulatory directive. Real estate example:
- A property firm receives an income-tax notice demanding tenant details for audit purposes. Processing is compelled by law.
- A housing society discloses resident data to comply with RBI anti-money-laundering (AML/CFT) directions. Key limit: The obligation must be real and documented; speculative or assumed compliance does not qualify.
(e) Legal Claims
Processing necessary to establish, exercise, or defend a legal claim. Real estate example: A property owner sues a tenant for non-payment. The owner’s lawyer processes the tenant’s financial data (bank details, income proof) to establish damages or enforce recovery. Key limit: Processing must cease once the claim is resolved. Indefinite retention violates Section 7.
(f) Emergency
Processing necessary to protect life or physical safety in immediate danger. Real estate example: A residential complex processes resident medical information (allergy data, emergency contacts) to respond to a fire or medical emergency without waiting for consent. Key limit: Rarely invoked; only immediate, unforeseeable threats qualify. COVID lockdown protocols that persisted for months would not survive audit.
Section 7 Processing Documentation Template
Every real estate organization must maintain a processing registry documenting how each activity satisfies Section 7. Use this template:
SECTION 7 PROCESSING REGISTRY
Organization Name: _________________________________________
Prepared By: _____________________ | Date: _________________
Reviewed By: ______________________ | Date: _________________
═════════════════════════════════════════════════════════════
PROCESSING ACTIVITY 1:
Activity Description: ______________________________________
(Example: Tenant Background Verification)
Personal Data Categories Processed:
☐ Name ☐ Address
☐ Telephone / Email ☐ Employment History
☐ Income / Financial Info ☐ Credit Score
☐ Government ID ☐ Medical Info
☐ Occupancy Proof ☐ Other: _________________
Which Section 7 Ground Applies? (Select ONE ONLY):
☐ (a) State function conferred by law
☐ (b) Employment purposes
☐ (c) Sale or transfer of business (M&A)
☐ (d) Compliance with law
☐ (e) Legal claims
☐ (f) Emergency
LEGAL BASIS / EVIDENCE:
If (a) — State Function:
Cite the statute, rule, or directive.
Example: "Property registration under [State] Registration Act, 1908"
Reference: _____________________________________________________
If (b) — Employment:
Confirm this is employee data, not tenant/buyer data.
Employee Name: _____________________ | Role: _____________
If (c) — M&A:
Acquisition date: _________________ | Acquiring Entity: __________
Original Purpose (same as before M&A?): ____________________
New Purposes (if any): ____________________________________
☐ New purposes consent obtained separately
If (d) — Legal Compliance:
Cite the law, regulation, or authority directive.
Example: "RBI AML/CFT directions issued [date]"
Issuing Authority: _________________ | Reference: __________
Date Received: _________________ | Deadline to Comply: ________
If (e) — Legal Claim:
Brief description of the claim: ____________________________
Forum (Court/Arbitration): _________________ | Case ID: ________
Date Filed: _________________ | Expected Resolution Date: ______
If (f) — Emergency:
Type of Emergency: _________________ (e.g., Fire, Medical, Security)
Start Date: _________________ | End Date / Expected End: ________
RETENTION PERIOD:
When does the Section 7 ground expire? Delete data by: __________
(Example: "30 days after legal judgment" or "90 days after tax filing")
DATA RECIPIENTS:
Who accesses this personal data?
☐ Internal Department: ________________ (Role/Justification)
☐ External Party: ________________ (Justification under Section 7)
☐ Government Agency: ________________ (Mandate/Order Ref)
DATA SUBJECT COMMUNICATION:
Have data subjects been informed that processing occurs under
Section 7 (NOT consent)? ☐ Yes ☐ No
If Yes:
Method of Communication: ☐ Email ☐ In-app ☐ Website ☐ Other
Date Communicated: _________________ | Content Summary:
_____________________________________________________________
AUDIT TRAIL:
Log of access, recipients, and any data breaches:
Date | Recipient | Justification | Outcome
_____|___________|_______________|________
_____|___________|_______________|________
REVIEWER SIGN-OFF:
Reviewed by: ________________________ | Title: ____________
Signature: ______________________ | Date: ______________
═════════════════════════════════════════════════════════════
[REPEAT THIS TEMPLATE FOR EACH SECTION 7 PROCESSING ACTIVITY]
Key Distinctions: Why Section 7 Is Not a Blank Check
Section 7 vs. Consent-based Processing:
- Consent (Sections 5–6): Data subject explicitly agrees; the organization has flexibility in purpose.
- Section 7: No consent required, but processing must fall EXACTLY within one of the six grounds. A real estate firm cannot claim “we need tenant data to improve our services”—that is not a ground.
Section 7 vs. GDPR Legitimate Interest: The DPDPA deliberately chose an exhaustive list (Section 7) instead of GDPR’s open-ended “legitimate interest” test. This means:
- No balancing test: You cannot argue that your business benefit outweighs data subject privacy.
- No flexibility: You cannot invent new grounds; the six are final.
- Regulatory scrutiny: Auditors will examine your Section 7 classification closely. Weak justification will not survive.
Red Flags: Section 7 Misuse in Real Estate
Misapplication 1: Marketing as Section 7 Ground
Wrong: A property firm claims Section 7(a) to process buyer data for unsolicited property offers. Why it fails: Marketing is not listed as a Section 7 ground. It is a business purpose requiring consent. Compliance: Obtain explicit consent under Section 5 before sending marketing communications.
Misapplication 2: “Better Service” or Analytics
Wrong: A housing society claims Section 7(d) to analyze resident behavior for service improvement. Why it fails: “Improving service” is not compliance with law; it is a business goal. Compliance: Obtain consent for any analytics or profiling.
Misapplication 3: Data Broker Provenance
Wrong: A property firm receives buyer data from a third-party aggregator and assumes Section 7 applies because “the broker had authority.” Why it fails: The source does not determine the ground. You must identify a valid Section 7 ground for your own processing. Receiving data from a broker is not a ground. Compliance: Contractually verify the broker obtained proper consent, or obtain fresh consent yourself.
Misapplication 4: Purpose Creep Post-M&A
Wrong: After acquiring a rental portfolio, Developer B uses tenant data for cross-selling insurance and investment products. Why it fails: Section 7(c) permits transfer only for the original purpose (rental management). New purposes require fresh consent. Compliance: Segregate original-purpose data from new-purpose processing. Obtain consent for new purposes separately.
Misapplication 5: Indefinite Retention
Wrong: A property firm claims Section 7(e) for legal claim data, but retains it indefinitely after the claim is resolved. Why it fails: Section 7(e) permits processing only “as long as necessary” for the claim. Indefinite retention violates the ground. Compliance: Delete within 30 days after judgment or settlement. Document deletion to demonstrate compliance.
Obligations That Apply Even Under Section 7
Do not misinterpret Section 7 as a free pass. The following obligations apply regardless of the ground:
- Transparency: Inform data subjects within a reasonable timeframe that their data is being processed under Section 7 (not consent). Use the notification template in the registry above.
- Data Minimization: Collect only data strictly necessary for the stated ground. If Section 7(d) permits tax-filing data, do not collect marketing preferences.
- Retention Limits: Delete data as soon as the ground expires (30–90 days depending on the ground). Indefinite retention is non-compliant.
- Data Subject Rights: Even without consent, data subjects retain rights to access, correction, and erasure (subject to the ground’s scope). A tenant can request data correction under Section 7; you must comply.
- Lawfulness Outside DPDPA: Section 7 permission does not override other laws. If tenant privacy is protected under state-specific statutes, those laws still apply.
- Contractual Duties: If your contract with a data subject (e.g., a tenant agreement) restricts processing, honor those restrictions even if Section 7 permits processing.
Penalties and Enforcement
Violating Section 7—claiming a ground without justification, processing beyond the stated ground, or retaining data indefinitely—results in penalties under Sections 8 (Principles) and 12 (Data Subject Rights), reaching up to ₹150 crore per violation class.
In class-action scenarios, a single unsupported Section 7 claim affecting 500 tenants multiplies liability across the class. Regulatory audits almost always examine Section 7 registries first, as they are high-risk areas.
Frequently Asked Questions
Q1: Can I use Section 7 to process buyer data without consent? A: Only if one of the six grounds applies. “Conducting due diligence” or “assessing the buyer” is not a ground; those require consent under Section 5. If local property law mandates background checks (rare), Section 7(d) may apply—consult legal counsel. Otherwise, obtain written consent from the buyer before processing.
Q2: I acquired a property portfolio via M&A. Do the previous owners’ tenants need to re-consent? A: No, Section 7(c) permits transfer without fresh consent if processing continues for the original purpose (rental management). However, if you intend new purposes (cross-selling, investment products, etc.), obtain fresh consent for those purposes. Document the data transfer and purpose continuity in your Section 7 registry.
Q3: How long can I retain Section 7 data after the ground expires? A: Retention must stop immediately. If a legal claim is resolved, delete data within 30 days of judgment. If a State function ends, delete within 90 days. If an emergency passes, delete within 30 days. Document deletion in your registry to demonstrate compliance to regulators and courts.
Q4: My tenant agreement says I can collect income data for rent assessment. Is that Section 7? A: No. A contractual obligation is not a legal obligation under Section 7(d). Compliance with law means compliance with statute or court order, not contract. If there is no statute or regulatory rule mandating income verification, obtain explicit consent under Section 5.
Q5: If I’m a property manager hired by an owner, whose Section 7 documentation is required—mine or the owner’s? A: Both. You (the manager) must maintain a Section 7 registry documenting your grounds for processing. The owner must maintain one documenting their grounds. Each entity must justify their own processing. If the manager processes on behalf of the owner without independent grounds, the manager must contractually commit to processing only as directed by the owner, and that commitment must be reflected in both registries.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →