Can employees consent freely in an employment context?

Consent in employment is complicated by power imbalances. The DPDP Act requires consent to be "free." Where consent cannot be truly free, document contractual necessity or legal obligation as the processing basis instead.

Do we need separate consent for performance analytics?

If employee data collected for payroll is repurposed for performance analytics, that constitutes a new processing purpose under Section 5. You need either fresh consent or a documented alternative legal basis.

What happens to employee data after termination?

Personal data must be deleted when the processing purpose is fulfilled. Post-termination, only data required for tax compliance, legal disputes, or regulatory obligations may be retained, with documented justification.

HR Tech

DPDP Compliance for HR Tech Platforms

Employee personal data including salary information, identity documents, and performance records falls under the DPDP Act. Your clients' employees are data principals with enforceable rights.

High Risk: Employee data rights compliance

500M+

Indian workforce participants

3,000+

HR Tech startups in India

250 Cr

Maximum DPDP penalty per incident

Obligations

Your DPDP Obligations as a HR Tech Company

The DPDP Act 2023 imposes specific requirements based on how your organisation processes personal data. These are the obligations most relevant to hr tech operations.

Employment Context Consent

Section 6 requires free consent. In employment contexts, consent may not be truly "free" due to power imbalances. Legitimate interest and contractual necessity must be documented as alternative legal bases.

Employee Data Rights

Sections 11-14 grant employees the right to access, correct, and erase their personal data. Performance reviews, salary data, and identity documents are all subject to these rights.

Purpose Limitation

Employee data collected for payroll processing cannot be repurposed for performance analytics or workforce planning without separate consent or documented legal basis.

Data Retention Controls

Employee data must be deleted when the employment relationship ends and retention periods expire. Tax and labour law retention requirements must be documented.

Processor Obligations

As a platform processing data on behalf of employer clients, you carry processor obligations. Data processing agreements must define purpose, scope, and security requirements.

Cross-border Transfers

Global HR platforms transferring Indian employee data to servers outside India must comply with DPDP cross-border transfer provisions and destination country restrictions.

Timeline

Your Compliance Roadmap

Key milestones between now and full DPDP enforcement in May 2027.

Now

Audit employee data processing

Map all personal data fields, processing purposes, and third-party sharing across your HR platform.

Q3 2026

Legal basis documentation

Document consent vs. contractual necessity vs. legal obligation for each processing activity.

Nov 2026

Consent Manager registration

Deadline to register with the Data Protection Board as a Consent Manager.

Q1 2027

Rights fulfilment system

Implement employee data access, correction, and erasure workflows for your platform.

May 2027

Full DPDP enforcement

The Act is fully enforceable. Employee data violations carry penalties up to 250 crore.

Penalty Exposure for HR Tech Companies

Section 33 of the DPDP Act prescribes penalties based on violation type. These are the maximum amounts per incident.

Employee data breach Up to ₹250 Cr

Failure to honour employee data rights Up to ₹200 Cr

Processing beyond employment purpose Up to ₹50 Cr

Calculate your specific exposure

Recommended Plan

Starter for HR Tech

Starter tier supports up to 50K data principals with the consent management and audit trail functionality HR Tech platforms need for employee data compliance.

Implementation

₹25,000 one-time

₹2,999 /month

Up to 50K data principals
Consent collection and management
Basic audit trail
Email support

Start with a free assessment Compare all plans

Resources

Essential Reading for HR Tech

Deep dives into the DPDP provisions most relevant to your sector.

Data Principal Rights

Data Principal Rights Under the DPDP Act: What Your Customers Can Demand

The DPDP Act 2023 grants individuals enforceable rights over their personal data. Every Indian business must build systems to honour these rights within defined timelines.

7 min read min read

Compliance Areas

Data Fiduciary Obligations Under the DPDP Act 2023

If your business determines the purpose of processing personal data, you are a Data Fiduciary. The DPDP Act imposes seven categories of obligation. This is what compliance requires.

8 min read min read

Implementation Guides

Building a Privacy Program from Scratch for DPDP Compliance

A structured approach to building a data protection program that meets the DPDP Act 2023 requirements. From gap assessment through operational compliance in 90 days.

8 min read min read

Understand your HR tech compliance position.

The free DPDP Gap Assessment takes 10 minutes. You receive a personalised compliance report with your score and a prioritised action list.

Get Your Free Assessment Talk to a compliance specialist