Data protection for HR in India
Reviewed by Mellow Editorial Team, HR & payroll content team
When you collect, store or share employee data as an employer in India, you are bound by the Digital Personal Data Protection Act, 2023 (DPDPA). The law places clear obligations on organisations that determine the purpose and means of processing personal data — a role the DPDPA calls a "Data Fiduciary."
What the DPDPA means for HR teams
The DPDPA received Presidential assent in August 2023. The Central Government has been notifying provisions and rules in phases; by 2026 the core framework applies to employers handling employee data digitally.
As an employer, you are a Data Fiduciary. Your employees — current, former and prospective — are Data Principals. The law gives them specific rights, and it places specific duties on you.
The most immediate shift from older practice is this: you can no longer rely on buried consent buried in an employment contract. Consent must be free, specific, informed and unambiguous. It must be sought in plain language, and employees must be able to withdraw it as easily as they gave it.
Consent and lawful grounds for processing
HR processes touch personal data constantly: collecting Aadhaar or PAN for payroll, processing bank details, maintaining performance records, running background checks. Each of these needs a lawful basis.
Under the DPDPA, lawful bases include:
- Consent — obtained before or at the point of collection, for a specified purpose.
- Legitimate uses — the Act recognises processing that is necessary for the performance of a contract (the employment contract), compliance with a legal obligation, or for certain employer functions without requiring fresh consent each time. Processing salary data to meet TDS obligations or EPF contributions falls squarely within this category.
In practice, this means you need a purpose register: a documented record of every category of employee data you collect, why you collect it, and which lawful basis you rely on. Auditors and, eventually, the Data Protection Board of India can ask for this.
Notices you must issue to employees
Before or at the point of collecting personal data, you must give employees a Data Processing Notice. This is not the same as a privacy policy buried on your intranet. It must tell the employee:
- What personal data is being collected
- The purpose for which it is being processed
- How they can exercise their rights
- How they can contact you or your Data Protection Officer (if you have appointed one)
The DPDPA rules specify that this notice must be in English or any language listed in the Eighth Schedule of the Constitution, and it must be clear enough to be understood without legal training. Where employees were given data to you before the Act applied, you are required to send them a retroactive notice.
Employee rights you must be able to honour
The DPDPA grants Data Principals four rights that HR teams need operational processes to fulfil:
1. Right to access — an employee can request confirmation that you hold their data and ask for a summary of it.
2. Right to correction and erasure — they can ask you to correct inaccurate data or erase data you no longer need.
3. Right to grievance redressal — they must have a way to raise a complaint with you, and you must respond.
4. Right to nominate — employees can nominate another person to exercise their rights in the event of death or incapacity.
You need a defined process for each of these — who receives the request, who is authorised to act on it, and within what timeframe. The rules are expected to prescribe specific timelines; build in a response workflow now rather than improvise when requests arrive.
Cross-border data transfers and third-party vendors
Many HR platforms, payroll processors and background-check providers are based outside India or process data on servers abroad. The DPDPA permits cross-border transfer of personal data to countries that the Central Government approves. Transfers to restricted countries are not permitted.
Before you sign a contract with any third-party HR vendor, confirm where they store and process data, whether those countries are on the approved list, and what contractual safeguards they apply. Require them to process data only for the purposes you specify — the DPDPA holds you responsible for what your processors do with data you hand them.
This matters especially if you use a global payroll or employer-of-record platform that routes Indian employee data through servers abroad.
Penalties and the Data Protection Board
Non-compliance is not a theoretical risk. The DPDPA establishes the Data Protection Board of India as the adjudicatory body. Penalties under the Act can reach significant sums for failures such as not implementing reasonable security safeguards, not notifying the Board of a personal data breach, or processing children's data without verifiable parental consent.
The Board can investigate complaints, initiate proceedings on its own motion and impose financial penalties. HR-related breaches — a payroll data leak, an unlawful background check, or failing to respond to an access request — are exactly the category of incidents the Board is designed to address.
---
Run HR and payroll in India with Mellow
Mellow brings HR, payroll and 12 AI agents into one platform — built to handle India properly, with payroll included, from £4 per employee per month. The AI agents don't just answer questions; they generate contracts, run cost estimates and draft letters for you.
[Start a free trial →](/register)