Code: Section 4 DPDP Act
(1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.
(2) For the purposes of this section, the expression “lawful purpose” means any purpose which is not expressly forbidden by law.
Explanation of Section 4 DPDP Act
Section 4 of the Digital Personal Data Protection Act (DPDP), 2023, establishes the foundational principles for processing personal data. It mandates that personal data must be processed lawfully and only under two legal bases: with the consent of the Data Principal or under specific legitimate uses permitted by the Act.
Key Points:
- Processing must be in accordance with the DPDP Act.
- Legal grounds for processing include:
  - Consent of the Data Principal.
  - Certain legitimate uses as defined under the Act.
- A “lawful purpose” is any purpose not expressly prohibited by law.
Illustration
Example 1: Consent-Based Processing
A fitness application requests permission from a user to collect their location and health data to provide personalized workout recommendations. Once the user gives consent, the company is authorized to process the data under Section 4(1)(a).
Example 2: Legitimate Use Without Consent
A government authority processes data of citizens during a natural disaster to deliver emergency relief. This is considered a legitimate use under Section 4(1)(b), even without explicit consent.
Common Questions and Answers on Section 4 DPDP
1. What does “lawful purpose” mean under the DPDP Act?
It refers to any purpose that is not explicitly forbidden by law. If the processing is not prohibited, it may be considered lawful under this section.
2. Can personal data be processed without consent?
Yes, under specific circumstances defined as legitimate uses, such as legal obligations, emergencies, or state functions, data may be processed without obtaining prior consent.
3. Who is considered a Data Principal?
A Data Principal is the individual to whom the personal data relates. For example, a customer whose personal details are collected by a company.
4. What are the consequences of processing data without legal grounds?
Processing personal data without a lawful basis may result in non-compliance with the DPDP Act and attract penalties or legal action as per the enforcement provisions.
Conclusion
Section 4 of the DPDP Act sets clear boundaries for the lawful processing of personal data. By requiring either consent or a legitimate use, it ensures accountability, transparency, and protection of individual rights in the digital environment. Understanding and complying with this section is essential for all organizations handling personal data.