Section 7 of the DPDPA 2023: Legitimate Uses

Section 7 of the DPDPA 2023 lets a Data Fiduciary process personal data without consent only for specified legitimate uses such as voluntarily provided data, State benefits, legal obligations, medical emergencies, and employment. It is the exhaustive carve-out to Section 6 and binds every Data Fiduciary in India.

Key facts

Statute: Digital Personal Data Protection Act, 2023
Section: Section 7
Chapter: Chapter II - Obligations of Data Fiduciary
Effective: Phased rollout 2025-2026
Penalty ceiling: Up to Rs 250 crore per instance
Applies to: All Data Fiduciaries in India

What Section 7 says

Section 7 is the only lawful basis for processing personal data without consent under the DPDPA, and the list is exhaustive - there is no 'legitimate interest' balancing test as in GDPR. The recognised uses are: (a) data voluntarily provided for a specified purpose where consent has not been refused; (b) State provision of subsidies, benefits, services, certificates, licences or permits; (c) performance of any function under law; (d) compliance with a judgment or order; (e) medical emergencies; (f) public health measures; (g) disaster or public order safety; and (h) employment purposes, including safeguarding the employer from loss or liability.

A Data Fiduciary may process personal data of a Data Principal for any of the following uses: (a) for the specified purpose for which the Data Principal has voluntarily provided her personal data and has not indicated that she does not consent to such use; (b) for the State and any of its instrumentalities to provide any subsidy, benefit, service, certificate, licence or permit; (c) for the performance by the State of any function under any law; (d) for compliance with any judgment, decree or order; (e) for responding to a medical emergency involving a threat to life or immediate threat to the health of any Data Principal or any other individual; (f) for taking measures to provide medical treatment or health services during an epidemic, outbreak of disease, or any other threat to public health; (g) for taking measures to ensure safety during any disaster, or any breakdown of public order; and (h) for the purposes of employment, or those related to safeguarding the employer from loss or liability. - DPDPA 2023, Section 7

What it means in practice

Who Section 7 applies to

Common violations

Wedding photographer reusing guest faces for portfolio marketing

Photos voluntarily posed for at a wedding fall under clause (a) only for the wedding deliverable. Repurposing the same images for Instagram ads or studio brochures exceeds the specified purpose and requires fresh consent.

School publishing student data on public websites

A school invoking clause (a) to publish student names, photos or achievements on a public website without verifiable parental consent violates Section 7 read with Section 9, since the use exceeds the specified educational purpose.

Marathon organiser sharing runner data with sponsors

Medical declarations and contact details collected for race-day safety qualify under clauses (a) and (e). Passing the same database to nutrition or apparel sponsors for marketing is outside Section 7 and triggers Section 6 consent obligations.

Corporate HR using employee data for unrelated insurance cross-sell

Clause (h) covers employment and safeguarding the employer, not third-party product marketing. HR sharing employee data with affiliated insurers or fintech partners for cross-sell is a Section 7 overreach.

Hotel using CCTV and ID-scan data for guest profiling

Guest ID capture is permitted for statutory check-in under clause (c) and for safety under clause (g). Mining the same data to build behavioural profiles for targeted upsell campaigns falls outside legitimate use.

Hospital sharing emergency-admission data with media

Clause (e) authorises processing to respond to a medical emergency, not disclosure to news outlets, PR teams or ad agencies. Such disclosure is unlawful processing under Section 7.

Penalty for breach

Breach of Section 7 obligations is adjudicated by the Data Protection Board of India under Section 33 of the DPDPA 2023. Penalties under the Schedule can reach up to Rs 250 crore per instance for failure to take reasonable security safeguards, up to Rs 200 crore for breach of additional obligations regarding children, and up to Rs 50 crore for breach of other provisions, with each instance assessed separately.

Frequently asked questions

Is 'legitimate interest' from GDPR available under Section 7?

No. The DPDPA does not recognise a general 'legitimate interest' basis. Only the eight specific uses listed in Section 7(a)-(h) are valid grounds for processing without consent.

Can a wedding photographer rely on Section 7(a) to use photos for marketing?

No. Section 7(a) only covers the specified purpose for which data was voluntarily provided. Guests posed for wedding coverage, not portfolio marketing - reuse for promotion needs explicit consent under Section 6.

Does Section 7(h) let HR teams share employee data with vendors?

Only for employment-related purposes or safeguarding the employer from loss or liability. Sharing for unrelated commercial cross-sell, ad targeting, or vendor marketing is outside Section 7.

Can a school invoke Section 7 to process student data?

Schools can rely on Section 7 only for narrow specified purposes. Children's data is additionally governed by Section 9, which requires verifiable parental consent for most processing and bars behavioural tracking and targeted advertising.

Can a hospital use patient data without consent in an emergency?

Yes. Section 7(e) permits processing to respond to a medical emergency involving a threat to life or immediate threat to health, of the Data Principal or any other individual.

Do marathon organisers need consent for medical declarations?

On-ground emergency response qualifies under clause (e) and safety during a disaster under clause (g). However, retention beyond the event, analytics, or sharing with sponsors needs Section 6 consent.

Does Section 7 exempt Data Fiduciaries from breach notification?

No. Even when processing under Section 7, obligations under Section 8 - security safeguards, breach notification to the Board and affected Data Principals, and accuracy - continue to apply in full.

VERIFIED DPDPAReady Editorial Desk 20 JUN 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.