Code: Section 7 DPDP Act
A Data Fiduciary may process personal data of a Data Principal for any of following
uses, namely:—
(a) for the specified purpose for which the Data Principal has voluntarily
provided her personal data to the Data Fiduciary, and in respect of which she has not
indicated to the Data Fiduciary that she does not consent to the use of her personal
data.
Illustrations.
(I) X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her
personal data and requests Y to acknowledge receipt of the payment made for the purchase
by sending a message to her mobile phone. Y may process the personal data of X for the
purpose of sending the receipt.
(II) X, an individual, electronically messages Y, a real estate broker, requesting Y to
help identify a suitable rented accommodation for her and shares her personal data for this
purpose. Y may process her personal data to identify and intimate to her the details of
accommodation available on rent. Subsequently, X informs Y that X no longer needs help
from Y. Y shall cease to process the personal data of X;
(b) for the State and any of its instrumentalities to provide or issue to the Data
Principal such subsidy, benefit, service, certificate, licence or permit as may be
prescribed, where––
(i) she has previously consented to the processing of her personal data
by the State or any of its instrumentalities for any subsidy, benefit, service,
certificate, licence or permit; or
(ii) such personal data is available in digital form in, or in non-digital form
and digitised subsequently from, any database, register, book or other document
which is maintained by the State or any of its instrumentalities and is notified
by the Central Government,
subject to standards followed for processing being in accordance with the policy
issued by the Central Government or any law for the time being in force for governance
of personal data.
Illustration.
X. a pregnant woman, enrols herself on an app or website to avail of government’s
maternity benefits programme, while consenting to provide her personal data for the purpose
of availing of such benefits. Government may process the personal data of X processing to
determine her eligibility to receive any other prescribed benefit from the government;
(c) for the performance by the State or any of its instrumentalities of any function
under any law for the time being in force in India or in the interest of sovereignty and
integrity of India or security of the State;
(d) for fulfilling any obligation under any law for the time being in force in India
on any person to disclose any information to the State or any of its instrumentalities,
subject to such processing being in accordance with the provisions regarding
disclosure of such information in any other law for the time being in force;
(e) for compliance with any judgment or decree or order issued under any law
for the time being in force in India, or any judgment or order relating to claims of a
contractual or civil nature under any law for the time being in force outside India;
(f) for responding to a medical emergency involving a threat to the life or
immediate threat to the health of the Data Principal or any other individual;
(g) for taking measures to provide medical treatment or health services to any
individual during an epidemic, outbreak of disease, or any other threat to public
health;
(h) for taking measures to ensure safety of, or provide assistance or services to,
any individual during any disaster, or any breakdown of public order.
Explanation.—For the purposes of this clause, the expression “disaster” shall
have the same meaning as assigned to it in clause (d) of section 2 of the Disaster
Management Act, 2005; or
(i) for the purposes of employment or those related to safeguarding the employer
from loss or liability, such as prevention of corporate espionage, maintenance of
confidentiality of trade secrets, intellectual property, classified information or provision
of any service or benefit sought by a Data Principal who is an employee.
Explanation of Section 7 DPDP Act
Section 7 of the Digital Personal Data Protection Act, 2023 identifies scenarios where a Data Fiduciary can lawfully process personal data without explicit consent from the Data Principal. These situations are recognized as “legitimate uses” due to their public interest, legal obligation, or operational necessity.
Key Provisions:
- Covers voluntary data provision where no objection is raised.
- Enables the government to use existing data for public services, subsidies, and benefits.
- Allows lawful processing during emergencies or national threats.
- Empowers data use for fulfilling court orders and legal mandates.
- Protects employers’ operational integrity and data assets.
These provisions balance individual privacy rights with practical, societal, and administrative necessities.
Illustrations
Example 1: Pharmacy Receipt
X visits a pharmacy and provides her mobile number for receipt confirmation. The pharmacy can process her personal data to send the receipt.
Example 2: Government Benefit Eligibility
X enrolls in a maternity program and consents to data use. The State may also use her data to assess her eligibility for other health schemes.
Example 3: Emergency Healthcare
During a dengue outbreak, hospitals may process patient data without prior consent to provide urgent care and coordinate treatment during the epidemic.
Example 4: Workplace Confidentiality
An IT company processes employee data to prevent IP theft and ensure data security as part of internal policy.
Common Questions and Answers on Section 7 DPDP
- What is meant by “legitimate use” under the DPDP Act?
Legitimate use refers to specific circumstances where personal data can be processed without explicit consent, such as government service delivery, emergencies, or employment needs.
- Can a private company process personal data under this section?
Yes, in certain cases such as employment-related activities or where the data has been voluntarily provided without objection.
- Is consent always required for government schemes?
Not always. If the individual previously consented or if the data is already available in a notified government database, further consent may not be needed.
- Can personal data be processed during health emergencies?
Yes. Section 7(f) and 7(g) permit data processing during medical emergencies, epidemics, or threats to public health.
- Are there limitations on the use of employee data by employers?
Yes. The use must relate to employment purposes or safeguarding against loss, espionage, or to maintain confidentiality and protect intellectual property.
Conclusion
Section 7 of the Digital Personal Data Protection Act, 2023 provides practical flexibility for data processing without undermining the individual’s privacy. It ensures that while consent remains central to the data protection regime, exceptions are made for broader legal, administrative, and public health objectives. This balanced approach strengthens the effectiveness of data governance in India.
For more legal insights and the complete DPDP Bare Act, visit ApniLaw.
