Last Updated: 2024-03-14 ~ Shristi Gupta ~ DPDP Consultants
Understand the criteria
for ‘legitimate use’ under the DPDP Act and its implications for businesses
handling personal data.
The Digital Personal Data Protection Act 2023 has arrived after several revisions, signifying a new era that requires stronger protection of digital personal data. This act brings a fresh approach to safeguarding digital personal data.
The DPDPA requires
organisations that handle personal data to protect individuals’ privacy and
practice responsible data management.
One of the main topics of
debate arising from India’s data protection law is the uncertainty around what
constitutes ‘legitimate uses’ for data processing.
Legal Basis to Process Personal Data
Section 4 of the Digital
Personal Data Protection Act states that personal data can only be processed
for a lawful purpose. This can be done
Although the term
‘legitimate use’ is not defined, the Act guides us through scenarios that can
be considered as legitimate uses. Let’s explore these as outlined in the act.
1. For the specified
purpose for which the Data Principal has voluntarily provided her personal data
to the Data Fiduciary
The law gives the example of an individual purchasing something from a pharmacy and providing their personal data to accept and acknowledge their payment. So the pharmacy can process their personal data for the purpose of sending the receipt. This is a lawful way of handling and processing personal data under the provisions of the DPDP Act, 2023.
2. For the state or any of
its instrumentalities to provide or issue to the Data Principal such subsidy,
benefit, service, certificate, licence or permit as may be prescribed
The law gives an example
of a pregnant woman signing up on an app or website to get government maternity
benefits. By consenting to share her personal data for this purpose, she allows
the government to process her data to check if she’s eligible for any other
benefits.
3. For the performance by
the State or any of its instrumentalities of any function under any law
This clause states that the data of an individual can be processed by the government or any of its agencies to fulfil their legal duties in India or to protect the country’s sovereignty, integrity, or security.
4. For fulfilling any
obligation under any law for the time being in force in India on any person to
disclose any information to the State or any of its instrumentalities
A person’s data can be
processed to fulfil any legal requirement in India that obligates someone to
share information with the government or its agencies. However, this processing
must comply with the rules for disclosing such information according to other
existing laws.
5. For compliance with any
judgement or decree or order issued under any law for the time being in force
in India
6. For responding to a
medical emergency involving a threat to the life or immediate threat to the
health of the Data Principal or any other individual
7. For taking measures to
provide medical treatment or health services to any individual during an
epidemic, outbreak of disease, or any other threat to public health
In case of a toxic discharge, if a fire department believes it’s in the public’s interest and there’s a serious environmental, health, or safety concern, they can disclose information to help identify the source of the discharge and prevent impact to individuals.
8. For taking measures to
ensure the safety of, or provide assistance or services to, any individual
during any disaster, or any breakdown of public order
After a disaster like a tsunami, authorities can obtain dental records (and DNA samples) of missing loved ones, to be compared with those of unidentified casualties at the scene. Such records will be released without the consent of the individual to whom the information relates.
9. For the purposes of
employment or those related to safeguarding the employer from loss or liability
An employer can use
personal data for work-related reasons or to protect the company from risks
like corporate espionage, intellectual property theft, or dealing with
classified information, even without getting permission first.
Numerous experts have
noted that the clause is comparable to the concept of “deemed consent” from an
earlier draft of the text, which eliminated the requirement for user consent
before processing. In essence, whether or not there is a “lack of objection” to
the processing of the data in question determines whether or not such use can
be enforced. It adopts a stance that is in opposition to ordinary consent.
Empower Your Compliance Journey with DPDP Consultants
With the constantly
changing legislation and growing concerns about data security, it is difficult
for companies in various industries to attain and sustain compliance.
DPDP Consultants are here
to preserve the integrity of your brand and foster trust, in addition to being
a legal necessity. We take pride in having a group of seasoned professionals
who are well-versed in the nuances of data privacy laws.
Our team has highly
skilled experts with comprehensive knowledge of data protection rules in India,
serving as DPDP consultants in the country.
DPDP Consultants create
customised solutions for your organisation’s needs. In addition to the
Readiness Review, they provide the skills, tools, and knowledge needed to
comply with these regulations effectively.