Legal Basis

Legitimate Use

Defined in §7, DPDPA 2023

Specific situations under DPDPA Section 7 where personal data can be processed without obtaining consent.

What does “Legitimate Use” mean?

Section 7 of DPDPA enumerates specific situations where processing is permitted without Data Principal consent. These "legitimate uses" include: processing necessary for an employment relationship, processing by the State for delivery of subsidies/services/benefits, legal obligation compliance, medical emergencies, ensuring safety during disasters, and fraud prevention by a State entity. These are exhaustive — no additional legitimate uses can be claimed beyond what the Act specifies.

Why does this matter for your business?

If your processing activity falls within a legitimate use category, you can process without consent — simplifying compliance. However, the list is narrow. Most commercial processing will still require consent, and you must document which legitimate use exception applies.

Real example

A Bengaluru employer processes employee PAN numbers for tax deduction (legitimate use: legal obligation), processes emergency contact details (legitimate use: medical emergency), and processes performance data for reviews (legitimate use: employment relationship). Marketing their own products to employees still requires separate consent.

Common misconception

Legitimate use is NOT the same as GDPR's "legitimate interest." DPDPA's legitimate uses are a closed, narrow list — not an open-ended balancing test. Commercial interests alone never qualify.
