DPDPA 2023 Section 4: Grounds for Processing Personal Data
Section 4 of the Digital Personal Data Protection Act, 2023 provides that a person may process the personal data of a Data Principal only in accordance with the Act and for a lawful purpose, and only on one of two grounds: (a) the consent of the Data Principal, or (b) one of the "legitimate uses" listed in Section 7. This section is the gateway provision of the DPDPA: every act of collection, storage, sharing or analytics by schools, hospitals, hotels, photographers, event firms, HR teams and media houses must trace back to one of these two grounds.
Key facts
| Statute | Digital Personal Data Protection Act, 2023 |
|---|---|
| Section | Section 4 — Grounds for processing personal data |
| Effective | Phased commencement under Section 1(2), on dates notified by the Central Government; timelines set out in the DPDP Rules 2025 |
| Penalty ceiling | Up to ₹50 crore for a breach of Section 4 itself ("any other provision" in the Schedule); up to ₹200 crore where child data under Section 9 is involved; up to ₹250 crore for failure to take reasonable security safeguards under Section 8(5) |
| Applies to | All Data Fiduciaries processing digital personal data in India |
| Lawful grounds | Consent (Sec 6) OR Legitimate Uses (Sec 7) — no third option |
What Section 4 says
Section 4 is deliberately narrow. It requires (i) a lawful purpose, which Section 4(2) defines as any purpose not expressly forbidden by law, and (ii) anchoring the processing in either valid consent under Section 6 or one of the closed-list "legitimate uses" enumerated in Section 7 (voluntarily provided data, State functions and benefits, disclosures required by law and court orders, medical emergencies, public-health measures, disaster response, employment). There is no general "legitimate interest" balancing test as in the EU GDPR. A wedding photographer publishing guest photos, a school sharing CCTV with a vendor, a hotel enriching guest profiles for marketing, an HR team running background checks, or a marathon organiser posting finisher photos: each must map to consent or a Section 7 legitimate use, or stop. Section 4 sits upstream of notice, retention, and Data Principal rights.
What it means in practice
- Every processing activity must have a documented lawful purpose before data is collected — not bolted on later.
- Only two legal grounds exist: consent under Section 6, or legitimate uses listed in Section 7. Nothing else qualifies.
- Unlike GDPR, India does NOT permit a generic 'legitimate interest' justification — the legitimate uses are a closed statutory list.
- Data collected before the Act commences must also rest on a Section 4 ground. Where the basis is consent given before commencement, Section 5(2) requires the Data Fiduciary to issue the Section 5 notice as soon as reasonably practicable; processing may continue on that earlier consent unless and until the Data Principal withdraws it.
- Implied consent, pre-ticked boxes, or 'continued use means acceptance' clauses fail Section 4 read with Section 6.
- Processing for one purpose cannot be silently extended to another (e.g., wedding photos used for ad campaigns) without a fresh Section 4 ground.
Who Section 4 applies to
- Wedding and event photographers handling guest, client and vendor data
- Event management companies running conferences, weddings, brand activations
- Schools, coaching institutes and universities (with Section 9 child-data overlay)
- Marathon, sports and race event organisers capturing bib photos and timing data
- Corporates and HR teams processing employee, candidate and contractor data
- Hospitals, clinics and healthcare chains handling patient records
- Hotels, resorts and hospitality groups managing guest PII and loyalty data
- Retail brands and D2C companies running CRM, loyalty and personalisation
- Media houses, news organisations and OTT platforms processing subscriber data
- Advertising agencies, photo studios and content production houses handling talent and consumer data
Common violations
Wedding photographer publishing guest photos without consent
Uploading identifiable images of wedding guests to an Instagram portfolio or studio website without consent, and with no Section 7 legitimate use to rely on, violates Section 4 read with Section 6.
School sharing student data with edtech vendors
A school passing student names, parent contacts or CCTV footage to a third-party app for 'analytics' without the verifiable consent of a parent or lawful guardian fails Section 4 and engages the Section 9 child-data obligations, including the bar on tracking and behavioural monitoring of children, which carry a separate penalty ceiling of ₹200 crore under the Schedule.
Hotel using check-in data for marketing
A hotel chain re-purposing passport, address and stay-history data collected for check-in to send promotional WhatsApp campaigns has no Section 4 ground unless fresh consent is taken.
Marathon organiser selling finisher photos to sponsors
Sharing identifiable race-day photographs with sponsors or training-app partners without notice and consent has no ground under Section 4(1): there is no Section 6 consent, and no Section 7 legitimate use covers it.
HR team running covert background checks
A corporate processing candidate social media, credit or criminal data beyond the employment-related purposes covered by Section 7(i), and without consent under Section 6 (with its accompanying Section 5 notice), fails Section 4.
Hospital sharing patient lists with pharma reps
A healthcare chain disclosing patient contact details or diagnoses to pharmaceutical sales partners without consent and outside a medical-emergency legitimate use is a Section 4 violation.
Penalty for breach
A breach of Section 4 typically cascades into breaches of consent (Sec 6), notice (Sec 5), and Data Fiduciary obligations (Sec 8). Under the Schedule to the DPDPA 2023, the Data Protection Board of India can impose monetary penalties of up to ₹250 crore for failure to take reasonable security safeguards (Sec 8(5)), up to ₹200 crore for failure to notify a personal data breach (Sec 8(6)) or for breach of the child-data obligations (Sec 9), up to ₹150 crore for breach of Significant Data Fiduciary obligations (Sec 10), and up to ₹50 crore for breach of any other provision of the Act or the Rules, which is where a bare Section 4 violation falls. Penalties are determined under Section 33 considering, among other factors, the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, and the gain realised or loss avoided. There is no criminal liability under the Act; enforcement runs through complaints by Data Principals and the Board's inquiry, with reputational exposure on top of the monetary penalty.
Use the DPDPA Penalty Calculator to estimate your exposure.
Frequently asked questions
Does Section 4 allow 'legitimate interest' processing like the EU GDPR?
No. India's DPDPA deliberately rejected open-ended legitimate interest. Section 4(1)(b) only permits the closed list of 'legitimate uses' specified in Section 7, such as voluntary provision, employment, medical emergency, and State functions.
Can a wedding photographer rely on the client's contract as a ground under Section 4?
A contract with the couple covers their data, but Section 4 still requires consent or a Section 7 ground for guests, vendors, and venue staff whose images are captured and later published. A contract alone does not extend to third parties.
Are schools allowed to process student data under Section 4 without explicit consent?
Schools must obtain verifiable consent from a parent or lawful guardian under Section 9 before processing a child's personal data (a child being anyone under 18). Section 4 sets the ground; Section 9 adds the child-specific overlay, including a prohibition on tracking, behavioural monitoring and targeted advertising directed at children.
Can a hotel process guest data for fraud prevention under Section 4?
Only if it fits a Section 7 legitimate use, such as a disclosure required by law (Sec 7(d)) or compliance with a court judgment or order (Sec 7(e)), or if guest consent has been obtained for that specific purpose. A generic 'fraud prevention' justification is not a standalone ground under Indian law.
Does Section 4 apply to employee data processed by a corporate HR team?
Yes. Section 7(i) recognises processing for the purposes of employment, or for safeguarding the employer from loss or liability (prevention of corporate espionage, protection of trade secrets and intellectual property, provision of a service or benefit sought by the employee), as a legitimate use. The Section 5 notice obligation attaches to consent requests under Section 6, so it is not triggered by 7(i); the Section 8 obligations still apply, including reasonable security safeguards and erasure once the purpose is no longer served, and any processing outside the purposes Section 7(i) names needs consent.
Can a hospital process patient data in a medical emergency without consent?
Yes. Section 7(f) permits processing to respond to a medical emergency involving a threat to the life or an immediate threat to the health of the Data Principal or another individual, and Section 7(g) permits measures to provide medical treatment or health services during an epidemic, outbreak of disease or other threat to public health. Both satisfy the Section 4(1)(b) legitimate-use ground.
What happens to data collected before the DPDPA came into force?
Legacy data must rest on a valid Section 4 ground. Where consent was given before commencement, Section 5(2) requires the Data Fiduciary to give the Section 5 notice as soon as reasonably practicable, in clear and plain language and available in English or any language in the Eighth Schedule to the Constitution; it may continue processing on that consent unless and until the Data Principal withdraws it. Fresh consent is needed where there is no valid consent to rely on, for example because the data is to be used for a new purpose.
Related sections
- Section 5 — Notice to be given before seeking consent
- Section 6 — Consent: free, specific, informed, unconditional and unambiguous
- Section 7 — Legitimate uses (the closed list complementing Section 4)
- Section 9 — Processing of personal data of children and persons with disability
- Section 33 — Penalties and factors considered by the Data Protection Board
Not sure if your workflow complies with Section 4?
Free 48-hour DPDPAReady audit — we map your exact workflow against this section and quantify exposure.
Get your free audit →
Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.