
DPDPA Section 7: Legitimate Uses

Abhi Anand
22 December 2025

Legitimate Uses - The Alternative to Consent

Section 7 of the DPDPA establishes the second of two lawful grounds for processing digital personal data - 'certain legitimate uses' that do not require the Data Principal's consent. While consent under Section 6 is the primary basis for most commercial data processing, Section 7 recognises that certain categories of processing are necessary for the functioning of government, the economy, and society, and requiring individual consent in every instance would be impractical or counterproductive. These legitimate uses are not blanket exemptions - each is narrowly defined and subject to specific conditions. An organisation invoking Section 7 must demonstrate that its processing activity falls squarely within one of the nine enumerated categories. Over-reliance on legitimate uses or expansive interpretation of their scope is likely to be scrutinised closely by the Data Protection Board. This post analyses each of the nine categories, provides practical scenarios, and outlines the boundaries that organisations must respect.

Category 1: Voluntary Data for a Specified Purpose (Section 7(a))

Section 7(a) permits processing where the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and the processing is for the specified purpose for which the data was provided. This covers scenarios where a Data Principal voluntarily provides data and has not withdrawn consent, but the interaction may not have involved a formal Section 6 consent mechanism. For example, when an individual voluntarily shares their business card at a conference, the recipient can reasonably process that contact information for the purpose of professional follow-up. When a customer voluntarily provides feedback through a survey with a stated purpose, processing that feedback for the stated purpose falls under this category. The key limitations are twofold: the data must be genuinely voluntarily provided (not extracted through mandatory fields or coercion), and processing must be limited to the purpose for which it was provided. Using a voluntarily shared business card email for mass marketing would exceed the specified purpose.

Category 2: State Functions and Subsidies (Section 7(b))

Section 7(b) covers processing necessary for the State or any State Instrumentality to provide a subsidy, benefit, service, certificate, licence, or permit. This is the government services legitimate use. When the Income Tax Department processes PAN and income data to issue refunds, when the Passport Seva Kendra processes personal details for passport issuance, when a state government processes Aadhaar data for Direct Benefit Transfer, or when a municipal corporation processes resident data for property tax administration - all of these fall under Section 7(b). The scope covers any function where the government is delivering a service or benefit to individuals. This exemption is necessary because government services often involve mandatory data processing that cannot be made contingent on individual consent - a citizen cannot meaningfully 'consent' to the processing required for their tax return when filing is legally mandatory. However, this legitimate use does not give government agencies unlimited processing rights - processing must still be necessary for the specific function and cannot be extended to unrelated purposes.

  • Covers subsidies, benefits, services, certificates, licences, and permits by the State
  • Applies to Central Government, State Governments, Union Territories, and all State Instrumentalities
  • Processing must be necessary for the specific government function - not for unrelated purposes
  • Does not exempt government agencies from other DPDPA obligations like security safeguards and breach notification

Categories 3-5: Legal Compliance, Courts, and Medical Emergencies

Section 7(c) permits processing necessary for compliance with any law or any order or judgment of any court or tribunal in India. When a company processes employee data to comply with labour law reporting requirements, or when a bank processes customer data under RBI's Know Your Customer norms, this legitimate use applies. Section 7(d) covers processing necessary for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual. A hospital processing an unconscious patient's Aadhaar data to identify them and access emergency medical records falls under this category. Section 7(e) extends this to processing necessary for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or similar health threats. This provision gained particular relevance in the context of pandemic response, where rapid processing of personal data - contact tracing, vaccination records, quarantine enforcement - was essential. These three categories cover the legal compliance and emergency scenarios where consent would be impossible, impractical, or contrary to the individual's own interests.

  • Section 7(c) - compliance with any Indian law, court order, or tribunal judgment
  • Section 7(d) - medical emergency involving threat to life or immediate health threat
  • Section 7(e) - medical treatment or health services during epidemics or disease outbreaks

Categories 6-7: Employment and Safety (Section 7(f)-(g))

Section 7(f) permits processing necessary for the purpose of employment or those related to safeguarding the employer from loss or liability, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, provision of any service or benefit to the employee, and verification of attendance. This is one of the most broadly used legitimate uses in practice. Every employer in India processes employee personal data - names, addresses, bank details, PAN numbers, attendance records, performance evaluations, and more. Requiring individual consent for each of these processing activities would be impractical and could create a power imbalance where employees feel pressured to consent. Section 7(f) resolves this by providing a legitimate use basis for employment-related processing. However, it is not unlimited - processing must be 'necessary' for employment purposes or employer safeguarding. Using employee data for marketing purposes or sharing it with unrelated third parties would exceed this scope. Section 7(g) covers processing necessary for ensuring safety of or providing assistance or services to individuals during a disaster or breakdown of public order. This covers emergency response scenarios such as natural disasters, terrorist attacks, or civil unrest.

  • Section 7(f) covers employment processing including benefits, attendance, confidentiality, and loss prevention
  • Employers cannot extend Section 7(f) to unrelated purposes like marketing or profiling beyond employment needs
  • Section 7(g) covers disaster response and breakdown of public order scenarios
  • Both categories require a 'necessity' test - processing must be genuinely needed for the stated purpose

Categories 8-9: Fair and Reasonable Processing and Public Interest

Section 7(h) permits processing for any fair and reasonable purpose as may be prescribed. This is a delegated legitimate use - the Central Government will specify through rules what constitutes 'fair and reasonable' processing that does not require consent. This provision provides flexibility for the Government to add new legitimate use categories as needs evolve, without amending the primary legislation. The specific fair and reasonable purposes have not yet been prescribed at the time of writing, and organisations should monitor government notifications closely. Section 7(i) permits processing for any purpose related to or connected with a reasonable purpose for which personal data is shared with the Government. When a citizen shares data with a government portal for one service, and the data needs to be processed for a connected government service, this legitimate use may apply. The contours of these two categories will be significantly shaped by the rules and government notifications, making it essential for compliance teams to stay updated on regulatory developments. Organisations can refer to the Ministry of Electronics and Information Technology (MeitY) portal for official notifications.

Limitations and Boundaries - What Legitimate Uses Do Not Permit

Legitimate uses are exceptions to the consent requirement, but they are not exceptions to the DPDPA's other obligations. A Data Fiduciary relying on Section 7 must still comply with security safeguards under Section 8, data breach notification obligations, Data Principal rights (though some may be limited in certain contexts), and the general requirement to process data only for lawful purposes. Legitimate uses do not authorise unlimited retention - data processed under Section 7 should still be retained only as long as necessary for the purpose. They do not authorise unrestricted sharing - data processed for employment purposes cannot be freely shared with third parties unless the third party's processing also has a lawful basis. And critically, legitimate uses cannot be used as a backdoor to avoid consent for commercial data processing that does not fit within the nine categories. An e-commerce company cannot claim that marketing emails to customers constitute 'fair and reasonable processing' without a specific government notification supporting that position. When in doubt, consent remains the safer legal ground.

  • All other DPDPA obligations - security, breach notification, rights - still apply
  • Data retention must be limited to what is necessary for the purpose
  • Third-party sharing requires independent lawful basis, not blanket legitimate use
  • Legitimate uses cannot be stretched to cover commercial processing that should rely on consent
  • The burden of demonstrating applicability falls on the Data Fiduciary

Building a Legitimate Uses Assessment Framework

To safely rely on Section 7, organisations should build a structured legitimate uses assessment framework. For each processing activity for which you intend to rely on a legitimate use rather than consent, document the following: which specific Section 7 category applies, why the processing is necessary for that purpose (not merely convenient), what data is being processed and whether it is limited to what is necessary, how long the data will be retained, what safeguards are in place, and why consent is not the more appropriate legal ground. This assessment should be reviewed and approved by your Data Protection Officer or legal team, stored in your processing register, and updated whenever the processing activity changes. The Data Protection Board will expect organisations relying on legitimate uses to demonstrate rigorous analysis, not mere assertion. A robust assessment framework protects the organisation in the event of a regulatory inquiry and ensures that legitimate uses are not being over-extended beyond their statutory scope.

How Kraver.ai Helps

Kraver.ai's legitimate uses assessment module guides your team through a structured analysis for each processing activity where you intend to rely on Section 7 instead of consent. The platform prompts you to identify the specific legitimate use category, document the necessity justification, define data minimisation boundaries, and set retention limits. Our AI engine cross-references your assessment against the statutory language of Section 7 and flags potential over-extensions or misapplications. For employment-related processing under Section 7(f), Kraver.ai provides pre-built templates covering common HR processing activities - payroll, attendance, benefits administration, performance management, and loss prevention - with compliant documentation. The platform also monitors government notifications for new fair and reasonable purposes prescribed under Section 7(h), automatically alerting your team when new legitimate use categories become available. All legitimate use assessments are stored in your audit-ready processing register alongside consent-based activities, giving you a complete and defensible record of your lawful basis for every processing activity.
