Exemption allowing government entities to process personal data for delivery of subsidies, services, and benefits.
Under DPDPA Section 7(b), the State and its instrumentalities can process personal data without consent when necessary for providing subsidies, benefits, services, certificates, licences, or permits. Rule 5 of Rules 2025 provides additional safeguards: processing must be proportionate, data must not be retained beyond the purpose, and security safeguards still apply. This exemption covers Aadhaar-linked welfare schemes, government portals, and public service delivery.
If your startup is a government technology vendor (GovTech), this exemption may apply to your client's processing activities. However, it does NOT exempt the vendor itself — you still need DPAs and security safeguards as a processor.
A GovTech startup building a state welfare disbursement portal processes beneficiary Aadhaar and bank details under the State processing exemption. The startup itself (as processor) still needs a DPA with the state agency and must implement full security safeguards.
Government contractors and GovTech vendors do NOT inherit the State exemption. Only the State instrumentality itself can claim this basis. The vendor remains a processor with full DPDPA obligations.