DPDPA Employee Data & HR Compliance: The Complete Guide for Indian Employers

Abhi Anand
31 March 2026

Introduction

Every employer in India — from a five-person startup to a multinational corporation with 50,000 employees — is a Data Fiduciary under the Digital Personal Data Protection Act (DPDPA), 2023. The moment an organisation collects a job applicant's resume, stores an employee's Aadhaar number for EPFO compliance, processes salary through a payroll system, or shares health insurance data with a group insurer, it is processing personal data and must comply with the DPDPA's full obligation set. Yet according to EY India's 2026 DPDP readiness survey, only 23% of Indian employers have assessed their HR data processing activities for DPDPA compliance. The remaining 77% are operating on the assumption — increasingly dangerous — that employment data is somehow exempt from India's data protection law. It is not. This guide provides a comprehensive analysis of DPDPA obligations as they apply to employee data, HR systems, and workplace privacy, giving Indian employers a practical roadmap for compliance.

Employee Data as Personal Data: What the DPDPA Covers

The DPDPA's definition of personal data is expansive: 'any data about an individual who is identifiable by or in relation to such data.' In the employment context, this captures virtually every piece of information an employer holds about its workforce. The breadth of employee personal data often surprises organisations that have not previously viewed HR records through a data protection lens. According to NASSCOM's compliance analysis, the average Indian employer processes between 50 and 120 distinct personal data attributes per employee across the employment lifecycle — from recruitment to exit. Each of these data points carries classification, protection, and retention obligations under the DPDPA.

  • Identity documents — Aadhaar number, PAN card, passport, voter ID, driving licence — collected for KYC, tax compliance, and identity verification
  • Financial data — bank account details, salary structure, tax declarations, investment proofs, loan deductions, and ESOP records processed through payroll systems
  • Health records — pre-employment medical reports, annual health check-up results, health insurance claims, disability declarations, and COVID vaccination records
  • Contact information — home address, personal phone number, emergency contact details, and personal email addresses
  • Background verification data — criminal record checks, previous employment verification, educational credential verification, credit history, and reference check responses
  • Performance and behavioural data — performance reviews, disciplinary records, training completion, attendance logs, and keystroke/productivity monitoring data
  • Biometric data — fingerprint scans, facial recognition data, and iris scans used for attendance and access control systems
  • Family information — spouse and dependent details collected for insurance, tax exemptions, and emergency contacts

Employer as Data Fiduciary: Full Liability Under the DPDPA

Under the DPDPA, the employer is the Data Fiduciary — the entity that determines the purpose and means of processing employee personal data. This designation carries the full weight of the Act's obligations, including security safeguards, purpose limitation, data minimisation, and breach notification. Critically, the employer's liability extends to all data processors in the HR chain: payroll providers, HRIS vendors, background verification companies, health insurance administrators, and any other third party that processes employee data on the employer's behalf. As the IAPP's operational analysis emphasises, the DPDPA does not allow employers to contractually transfer their data protection obligations to processors — the employer remains liable even if a breach occurs at a third-party vendor's systems. This has profound implications for how employers structure their HR technology stack and vendor relationships. The data governance framework must encompass the entire processing chain, with contractual safeguards, regular audits, and incident response coordination agreements with every processor.

  • Liability for processor breaches — if a payroll vendor or BGV company suffers a breach exposing employee data, it is the employer, not the vendor, that faces DPDPA penalties of up to ₹250 crore
  • Security safeguard obligation — employers must implement 'reasonable security safeguards' across all systems storing employee data, including on-premises HRIS, cloud payroll, and third-party platforms
  • Purpose limitation — employee data collected for one purpose (e.g., payroll) cannot be repurposed for another (e.g., productivity monitoring) without fresh consent or a valid legitimate use exemption
  • Data retention limits — employee data must be deleted when it is no longer necessary for the purpose for which it was collected, unless retention is required by another law (e.g., tax records under the Income Tax Act)

Consent vs. Legitimate Use: The Employment Exemption

One of the most nuanced aspects of DPDPA compliance for employers is the interplay between consent and the 'legitimate uses' exemption. Section 7 of the DPDPA provides that personal data may be processed without consent for certain 'legitimate uses,' including where 'the Data Principal voluntarily provides personal data to the Data Fiduciary and has not indicated that consent has been withdrawn.' The DPDP Rules 2025 further clarify that employment-related processing falls under legitimate use when it is necessary for the purpose of employment, including recruitment, onboarding, payroll, benefits administration, and statutory compliance. However, this exemption is narrower than many employers assume. According to PwC's regulatory analysis, the legitimate use exemption covers data processing that is strictly necessary for the employment relationship — it does not provide blanket authorisation for all employee data processing.

  • Covered by legitimate use — payroll processing, tax deduction, EPFO contributions, statutory reporting, workplace safety compliance, and contractual obligation fulfilment
  • Requires separate consent — employee wellness programme enrolment, internal social media platforms, employee referral programme participation, and optional benefits like gym memberships or meal cards
  • Grey area requiring legal assessment — productivity monitoring, email surveillance, CCTV in workplace common areas, GPS tracking of field employees, and AI-based performance analytics
  • Prohibited without explicit consent — sharing employee data with marketing partners, using employee data for product testing, and processing employee social media data for HR decisions

Background Verification: The BGV Company Compliance Gap

Background verification is a critical — and often overlooked — DPDPA compliance challenge. Indian employers routinely engage third-party BGV companies to verify candidates' educational credentials, employment history, criminal records, and credit history. This process involves transferring highly sensitive personal data (Aadhaar, PAN, educational certificates, previous employer records) to a data processor who then contacts multiple downstream sources. Under the DPDPA, the employer remains the Data Fiduciary throughout this chain and bears full liability for any data protection failures by the BGV company or its sub-processors. According to DSCI's 2026 assessment, only 31% of Indian BGV companies have implemented DPDPA-compliant data handling practices, and fewer than 15% have formal data processing agreements that meet the Act's requirements. This creates a significant liability exposure for employers who share candidate data with non-compliant verification providers.

  • Notice to candidates — before initiating background verification, the employer must provide clear notice to the candidate about what data will be shared, with whom, and for what purpose
  • Purpose limitation — BGV data must be used solely for the hiring decision and cannot be retained or repurposed after the verification is complete, whether or not the candidate is hired
  • Data processing agreements — formal contracts with BGV companies must specify data protection obligations, security requirements, sub-processor restrictions, breach notification procedures, and data deletion timelines
  • Candidate access rights — under Data Principal rights, candidates can request access to the personal data collected during BGV and can challenge inaccurate information
  • Cross-border BGV — for candidates with international education or work history, BGV data may cross borders, triggering Section 16 transfer requirements

HRIS and Payroll System Compliance

Human Resource Information Systems (HRIS) and payroll platforms are the central repositories of employee personal data in most organisations. Whether an employer uses SAP SuccessFactors, Oracle HCM, Darwinbox, Keka, greytHR, or any other platform, the DPDPA's obligations apply fully to the data stored and processed within these systems. The employer, as Data Fiduciary, must ensure that the HRIS vendor — as a data processor — meets the Act's security and processing requirements. A Gartner HR Technology Survey found that 68% of organisations do not have formal data processing agreements with their HRIS vendors that address data protection obligations. For Indian employers, this gap must be closed before the November 2026 Phase 2 deadline.

  • Data processing agreements — formal agreements with HRIS and payroll vendors specifying what data is processed, for what purposes, security standards, breach notification procedures, and data return/deletion upon contract termination
  • Access controls — role-based access ensuring that only authorised HR personnel can access specific employee data categories. Access control auditing must log who accessed what data and when
  • Data minimisation in system configuration — configure HRIS to collect only necessary fields rather than using default configurations that capture excessive data
  • Retention policy implementation — configure automated data deletion for former employee records based on statutory retention requirements (e.g., 8 years for tax records, 5 years for EPFO records) rather than indefinite retention
  • Audit trail and logging — ensure the HRIS maintains comprehensive audit logs of all data access, modifications, exports, and deletions for compliance auditing purposes
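As an added illustration of the retention and audit-logging items above (example code written for this page, not the article's or Kraver.ai's own software): a small Python retention sweep that derives each former employee record's earliest lawful deletion date from the article's 8-year tax and 5-year EPFO floors, treats any other category as deletable once the employment purpose ends at exit, honours an assumed legal-hold flag, and emits one audit line per decision. The record layout, the category names, the `legal_hold` field and the sample dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Statutory retention floors in years after exit. The 8-year (tax) and 5-year
# (EPFO) figures are those quoted in the article; other categories are assumed
# to have no floor here and must be checked against the relevant statute.
STATUTORY_RETENTION_YEARS = {"tax": 8, "epfo": 5}
AS_OF = date(2026, 3, 31)  # constructed "today" for the sample run

@dataclass(frozen=True)
class FormerEmployeeRecord:
    employee_id: str
    category: str             # "tax", "epfo", "health", "bgv", ...
    exit_date: date           # the employment purpose ends at exit
    legal_hold: bool = False  # assumed flag: litigation or regulator hold

def add_years(d, years):
    """Same calendar date N years later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def deletion_due_date(record):
    """Earliest lawful deletion date: exit date pushed out by the category's
    statutory floor. A category with no floor is deletable at exit."""
    return add_years(record.exit_date, STATUTORY_RETENTION_YEARS.get(record.category, 0))

def retention_sweep(records, today):
    """Decide DELETE/RETAIN per record and emit one audit line per decision,
    the kind of log the article says an HRIS must keep for deletions."""
    to_delete, retained, audit = [], [], []
    for r in records:
        due = deletion_due_date(r)
        if r.legal_hold:
            decision, reason = "RETAIN", "legal_hold"
        elif today >= due:
            decision, reason = "DELETE", f"due={due.isoformat()}"
        else:
            decision, reason = "RETAIN", f"retain_until={due.isoformat()}"
        (to_delete if decision == "DELETE" else retained).append((r.employee_id, r.category))
        audit.append(f"{today.isoformat()} {decision} {r.employee_id} {r.category} {reason}")
    return to_delete, retained, audit

# Constructed sample: records of four former employees.
SAMPLE_RECORDS = [
    FormerEmployeeRecord("E001", "tax", date(2017, 6, 30)),
    FormerEmployeeRecord("E001", "epfo", date(2017, 6, 30)),
    FormerEmployeeRecord("E002", "tax", date(2020, 1, 15)),
    FormerEmployeeRecord("E003", "health", date(2025, 12, 1)),
    FormerEmployeeRecord("E004", "epfo", date(2019, 2, 28), legal_hold=True),
]
```

Running `retention_sweep(SAMPLE_RECORDS, AS_OF)` flags both of E001's records and E003's health record for deletion, keeps E002's tax record until 2028 and E004's EPFO record under legal hold, and returns the five audit lines alongside the two lists.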

Cross-Border Employee Data Transfers: The MNC Challenge

Multinational corporations operating in India face a particularly complex DPDPA compliance challenge: cross-border employee data transfers. When a global HRIS like Workday or SAP SuccessFactors stores Indian employee data on servers outside India, or when a US-headquartered parent company accesses Indian subsidiary employee records for global reporting, Section 16 of the DPDPA governs these transfers. Currently, the government has not published a restricted country list, meaning data can flow to any jurisdiction. However, MNCs must maintain documentation of all cross-border transfers, including the categories of employee data transferred, the receiving entities, and the legal basis. According to Chambers and Partners, MNCs should prepare for the possibility that the restricted country list could be published at short notice, potentially requiring immediate data localisation for certain employee data categories.

  • Global HRIS data flows — map all employee data stored or processed outside India, including primary HRIS servers, backup/DR sites, analytics platforms, and global reporting systems
  • Intra-group data sharing — document all instances where Indian employee data is shared with parent company, sister subsidiaries, or global shared services centres, specifying the purpose and legal basis for each transfer
  • Transfer documentation — maintain records of all cross-border transfers including data categories, recipient entities, jurisdictions, purposes, and security safeguards in place
  • Contingency planning — develop a data localisation contingency plan that can be activated if India adds employee data destination countries to the restricted list, including alternative hosting arrangements within India
  • Employee notification — ensure employees are informed about cross-border transfers of their data, including the jurisdictions involved and the safeguards in place, as part of the DPDPA notice requirements

Building an Employee Data Protection Programme

A comprehensive employee data protection programme requires coordination across HR, IT, legal, and compliance functions. The programme should be established as a formal governance structure with clear accountability, not an ad-hoc collection of policies. According to EY India, organisations that implement structured employee data protection programmes before the DPDPA enforcement deadline achieve 62% faster compliance and 40% lower implementation costs compared to those that scramble after enforcement begins. The programme should cover the entire employee data lifecycle — from candidate application to post-exit data retention — and must be regularly reviewed and updated as the regulatory landscape evolves.

  • Data inventory and mapping — conduct a comprehensive data discovery exercise to identify all employee personal data across HR systems, shared drives, email, chat platforms, and physical records
  • Privacy notice for employees — issue a clear, comprehensive employee privacy notice explaining what data is collected, why, how it is processed, who it is shared with, and how employees can exercise their Data Principal rights
  • Consent management framework — establish clear processes for obtaining consent where required (beyond legitimate use), managing consent records, and honouring withdrawal requests
  • Vendor assessment programme — evaluate all HR technology vendors and service providers for DPDPA compliance, execute data processing agreements, and conduct periodic compliance audits
  • Incident response plan — develop an employee data breach response plan that addresses CERT-In 6-hour notification, DPDPA reporting, and employee communication
  • Training and awareness — train HR teams on DPDPA obligations, data handling best practices, and incident reporting procedures. Training should be mandatory and recurrent
  • DPO appointment — for employers likely to be designated as Significant Data Fiduciaries, appoint a Data Protection Officer with clear authority over employee data protection

How Kraver.ai Helps Employers Achieve HR Data Compliance

Kraver.ai's platform provides end-to-end DPDPA compliance for employee data processing. Our automated data discovery engine scans HRIS platforms, payroll systems, shared drives, email servers, and collaboration tools to build a complete inventory of employee personal data — including shadow data that HR teams may not know exists. Our data classification module automatically categorises employee data by sensitivity level, identifying high-risk categories like Aadhaar numbers, health records, and biometric data that require enhanced protection. For consent management, our platform distinguishes between processing activities covered by the legitimate use exemption and those requiring explicit employee consent, generating compliant consent flows for each. Our compliance auditing module provides continuous monitoring of HR data processing activities against DPDPA requirements, flagging deviations in real-time. And for MNCs, our cross-border transfer module maps all international employee data flows and provides automated documentation that meets Section 16 requirements.

Conclusion

Employee data protection is not an optional add-on to DPDPA compliance — it is a core obligation that every Indian employer must address. The data that HR departments process is among the most sensitive personal data in existence: Aadhaar numbers that can enable identity theft, health records that can affect livelihoods, financial data that can enable fraud, and performance records that can shape careers. The DPDPA makes clear that employers bear full Data Fiduciary liability for this data — including when it is processed by third-party payroll providers, BGV companies, or global HRIS platforms. With the Phase 2 compliance deadline of November 2026 approaching, employers who have not yet assessed their HR data processing activities for DPDPA compliance are running out of time. The compliance journey for employee data is complex but achievable — and the cost of non-compliance, with penalties reaching ₹250 crore, far exceeds the investment in getting it right. Kraver.ai is purpose-built to help Indian employers navigate this journey, from initial gap assessment to full compliance and ongoing monitoring.
