The legal ground under DPDPA that justifies an organisation's processing of personal data.
Under DPDPA Section 4, personal data can only be processed for a lawful purpose. The primary lawful bases are: consent of the Data Principal (Section 6), and certain legitimate uses without consent (Section 7). Unlike GDPR which lists six lawful bases, DPDPA is simpler — consent is the default, with specific enumerated exceptions. Every processing activity must be mapped to one of these lawful bases, and this mapping must be documented in the organisation's records.
Every piece of personal data you process must have a documented lawful basis. Processing without a valid basis is unlawful and attracts penalties. You cannot retroactively assign a basis — it must be identified before processing begins.
A Chennai SaaS company documents: user profile data (basis: consent), payroll data (basis: legitimate use — employment contract), tax filings (basis: legitimate use — legal obligation), and marketing emails (basis: consent — separate opt-in required).
Unlike GDPR, DPDPA does not have a standalone "legitimate interest" basis that allows processing without consent based on business justification. The exceptions under Section 7 are narrowly defined.
DPDPA Shield automates Consent Management. See how →