Section 7 of the Digital Personal Data Protection Act, 2023
Lawful Purpose, Grounds for Processing, Legitimate Use, Consent, Data Processing
Introduction
The Digital Personal Data Protection Act, 2023 (DPDP Act) stipulates that the processing of any personal data must have a lawful purpose as provided under Section 4 of the DPDP Act. Furthermore, such processing should be in accordance with the legislation.
In other words, Section 4 stipulates the grounds of processing data and provides that the data can be processed only for a lawful purpose with the consent of the Data Principal or for the legitimate uses stipulated under Section 7 of the DPDP Act. The aim of this article is to deal with the specific legitimate uses stipulated under Section 7 of the legislation.
What is a lawful purpose?
Section 4(1) of the DPDP Act permits Data Fiduciaries to process the personal data for a lawful purpose. This entails that personal data cannot be processed for purposes which are prohibited by any law, regulation or rule in force in India.
As per Section 4 of the DPDP Act, personal data of the Data Principal can be processed for a lawful purpose if:
- Data Principal has consented to the processing of the personal data.
- The processing is required as per the legitimate uses stipulated under the DPDP Act.
What are the legitimate uses for processing data under the DPDP Act?
Section 7 of the DPDP Act permits the processing of personal data without the explicit consent of the Data Principal. These legitimate uses are limited to specific instances such as those where obtaining the consent of the Data Principal is not necessary or where it is not practical to obtain the consent of the Data Principal under the given circumstances. These legitimate uses include:
It is stipulated under Section 7(a) of the DPDP Act, where a Data Principal willingly discloses her personal data to a Data Fiduciary for a specified purpose and does not articulate any objection to the processing of said personal data.
Illustration:
X, a customer shared his contact details with a pharmacy and requested a virtual receipt of the medicines he purchased. In this case, X voluntarily shared his contact details with the pharmacy for a specific purpose. In the given situation, the pharmacy can use the contact details of the customer, X only for the purposes of sharing the receipt. They are not required to take permission from the customer for using his contact details for this specific purpose.
The same is stipulated under Section 7(b). It provides for circumstances where the Data Principal has previously consented to the processing of her personal data by the State or any of its instrumentalities for availing any subsidy, benefit, service, certificate, license or permit, or where the personal data of the Data Principal is available in either in a digital format or in a physical format which can be digitalised, from a database, register, book or other document, which is maintained by the government or its instrumentalities.
Illustration:
X, a senior citizen, has registered himself on a government health application. He shares this personal data on the application for availing the benefits programme rolled out by the government. In such circumstances, the government can process the personal data of X to understand if he is eligible to avail such benefits under the scheme.
The provision provides that the State or any of its instrumentalities is obligated to perform the functions as required by the law for the time being in force. Under the given circumstances, it is crucial to safeguard the sovereignty and integrity of India along with the security of the nation.
Illustration:
An illustration of the same can be where the income tax department, a government authority, is processing the personal financial data of the individuals as required under the Income Tax Act, 1961 for the purposes of tax assessment.
Processing is permitted without consent to comply with any judgment, decree, or order issued by a court of law, or for claims related to civil matters.
Processing of personal data is permitted without consent when necessary to respond to an immediate threat to the life or health of the Data Principal or any other individual. This also applies to instances where it is necessary to take measures to provide medical treatment during an epidemic, outbreak of disease, or threat to public health.
Personal data can be processed without consent to provide safety measures and assistance to individuals during a disaster or breakdown of public order.
Illustration:
In emergency situations such as floods, government and aid organizations are legally permitted to access and utilize personal data from existing databases. This includes information like home addresses, phone numbers, and emergency contacts. By leveraging this data, authorities can quickly identify and locate individuals who may be at risk, enabling them to carry out targeted evacuations and other life-saving measures.
The DPDP Act permits the processing of personal data without obtaining the data principal's consent for purposes related to employment. This includes but is not limited to:
- Employment procedures
- Protection of the employer from loss or liability
- Prevention of corporate espionage
- Maintaining confidentiality of trade secrets
- Protection of intellectual property
- Administration of employee-related services and benefits
Illustration:
Company Z's practices of conducting employee background checks, which include verifying education, employment history, and criminal records, as well as monitoring professional email and internet usage, are permissible under the DPDP Act. These activities align with the legitimate use provisions for employment purposes, as they ensure a safe workplace, protect trade secrets, and mitigate potential liability for the company.
Conclusion
The DPDP Act mandates that personal data processing have both a lawful purpose and valid grounds. While data processing typically requires the Data Principal's consent, the DPDP Act outlines specific "legitimate uses" that allow data processing without explicit consent. These include state functions, legal obligations, court orders, medical emergencies, disaster relief, and employment-related activities.
Need Expert DPDPA Implementation Support?
Get personalized guidance on implementing Section 7 compliance requirements for your organization.