Table of contents
By-Research Team
July 10, 2026 | 9 min read | DPDP
Grounds for Processing Personal Data Under the DPDP Act, 2023
Organizations collect customer, employee, and vendor information every day. But collecting personal data doesn't automatically give an organization the right to use it. Under India's Digital Personal Data Protection (DPDP) Act, 2023, every instance of personal data processing must be backed by a lawful purpose.
This is where many organizations get confused.
Compliance teams familiar with the GDPR often look for "legitimate interests" or "legitimate purpose" as a legal basis for processing. However, the DPDP Act takes a different approach, i.e., ‘lawful purpose’.
This guide explains what lawful purpose means, how it differs from the GDPR's legitimate interests, and how organizations can determine the correct legal basis before processing personal data.
What Is Personal Data Processing Under the DPDP Act?
Personal data processing refers to any operation performed on digital personal data, including its collection, recording, organization, storage, use, sharing, disclosure, retrieval, transfer, or erasure. Under the DPDP Act, these activities are lawful only when carried out for a lawful purpose in accordance with the Act.
Think of personal data processing as the entire lifecycle of information—not just collecting it.
For example, when an e-commerce company collects a customer's delivery address, stores it in a CRM, shares it with a logistics partner, and later deletes it after the retention period, each of these actions constitutes processing of personal data.
Common examples of personal data processing include:
- Collecting customer information through online forms.
- Storing employee records in HR systems.
- Using customer preferences for service delivery.
- Sharing data with payroll providers or cloud vendors.
- Deleting personal data after the purpose has been fulfilled.
Key takeaway: Every stage of personal data processing requires a valid legal foundation—not just the initial collection.
Why Does the DPDP Act Require a Lawful Purpose for Processing?
The DPDP Act permits personal data processing only when it serves a lawful purpose. DPDP Act Section 4 establishes this as the foundational principle of the Act, ensuring organizations process personal data only when the law expressly allows it.
Section 4 states that a Data Fiduciary may process personal data only for a lawful purpose and only where the individual has either given consent or the processing falls within one of the Certain Legitimate Uses under Section 7.
This reflects the principle of purpose limitation.
Organizations cannot collect personal data for one objective and later use it for an unrelated purpose simply because the data is already available.
For instance, if a customer shares their email address to receive an order confirmation, the organization cannot automatically use that email for promotional campaigns unless another lawful basis under the Act exists.
What Is Considered a Lawful Purpose Under the DPDP Act?
A lawful purpose is a purpose that is permitted under the DPDP Act. Organizations cannot define their own lawful purposes. Instead, personal data processing becomes lawful only when it is supported by valid consent under Section 6 or falls within one of the Certain Legitimate Uses under Section 7.
This distinction is important.
Many organizations assume that if a business objective appears reasonable, it automatically qualifies as a lawful purpose. That assumption can lead to compliance failures.
Instead, organizations should view lawful purpose as an umbrella concept supported by two statutory legal bases:
- Consent: The Data Principal voluntarily agrees to the processing after receiving a clear notice.
- Certain Legitimate Uses: The Act permits processing without consent in specific situations defined under Section 7.
Everything else flows from these two legal grounds.
Is "Lawful Purpose" and "Legitimate Purpose" Same?
No. The DPDP Act does not recognize the GDPR’s concept of “Legitimate Interest” as a standalone legal basis. Instead, it requires a lawful purpose supported by either consent or the Certain Legitimate Uses specifically listed under Section 7.
This is one of the most common misconceptions among organizations operating across multiple jurisdictions.
Under the GDPR, Article 6 identifies Legitimate Interests as one of six legal bases for processing personal data. Organizations may rely on this basis after conducting a balancing test between their legitimate interests and the individual's rights.
The DPDP Act follows a different policy approach.
Rather than allowing organizations to determine their own legitimate interests, the Act provides a closed statutory list of situations where processing without consent is permitted.
| GDPR | DPDP Act |
|---|---|
| Recognizes Legitimate Interests as a legal basis | Does not recognize Legitimate Interests as a standalone legal basis |
| Organizations perform a balancing test | Organizations must rely on statutory Certain Legitimate Uses under Section 7 |
| Flexible interpretation | Limited, specific situations defined by law |
This distinction is significant for multinational organizations. Understanding this difference helps organizations avoid applying GDPR compliance strategies directly to India's privacy framework.
Certain Legitimate Uses Under DPDP Act Section 7
The DPDP Act allows organizations to process personal data without consent only in specific situations listed under Section 7. These are called "Certain Legitimate Uses." Unlike the GDPR's broad Legitimate Interests basis, these are limited statutory exceptions that organizations cannot expand or interpret on their own.
Consent is the default rule under the DPDP Act. However, lawmakers recognized that obtaining consent isn't always practical or necessary. Section 7 therefore identifies specific situations where the law itself authorizes processing.
Think of Certain Legitimate Uses as emergency exits in a building. They're available when the circumstances justify them—but they aren't meant to replace the main entrance.
Some common situations where consent may not be required include:
- Voluntary provision of personal data: When an individual voluntarily provides their personal data for a specified purpose and has not indicated that they do not consent to its use for that purpose.
- Employment-related purposes: Processing necessary for recruitment, safeguarding employers against loss or liability, maintaining confidentiality of trade secrets, or providing employee benefits.
- Medical emergencies: Processing required to respond to a medical emergency involving an individual.
- Disasters and public safety: Processing necessary during epidemics, natural disasters, or other public emergencies to protect life, health, or public order.
- Compliance with legal obligations: Processing required to comply with judgments, legal requirements, or obligations imposed under applicable laws.
Consent vs Certain Legitimate Uses
Organizations should rely on consent unless their processing activity clearly falls within one of the Certain Legitimate Uses specified under Section 7. Choosing the correct legal basis before processing begins is essential for demonstrating compliance and reducing regulatory risk.
Many organizations make the mistake of starting with the question:
"Can we avoid collecting consent?"
Instead, they should ask:
"What legal basis does the DPDP Act provide for this processing activity?"
The answer determines the organization's compliance obligations.
| Consent (Section 6) | Certain Legitimate Uses (Section 7) |
|---|---|
| Individual's permission is required. | Consent is not required. |
| Supported by a privacy notice. | Processing is permitted by law. |
| Can be withdrawn by the Data Principal. | Cannot be substituted with consent where Section 7 applies. |
| Default legal basis under the DPDP Act. | Limited statutory exceptions only. |
| Common for marketing, analytics, loyalty programs, and optional services. | Common for employment, medical emergencies, legal compliance, and disaster response. |
Practical examples
| Scenario | Appropriate Legal Basis |
|---|---|
| Sending promotional emails | Consent |
| Processing payroll information | Certain Legitimate Uses |
| Responding to a medical emergency | Certain Legitimate Uses |
| Personalizing customer recommendations | Consent |
| Sharing data to comply with a court order | Certain Legitimate Uses |
Key takeaway: If you're unsure whether Section 7 applies, obtaining valid consent is generally the safer compliance approach.
How Should Organizations Choose the Right Legal Basis for Processing Personal Data?
Organizations should determine the legal basis before collecting or using personal data—not afterwards. Documenting this decision demonstrates accountability and helps ensure every processing activity aligns with the DPDP Act.

A practical decision framework can simplify compliance.
-
Identify the personal data
Determine whether the information qualifies as digital personal data under the DPDP Act.
-
Define the processing purpose
Document why the personal data is being processed. Avoid vague objectives such as "business improvement."
-
Check whether Section 7 applies
Does the processing fall within one of the Certain Legitimate Uses?
If yes, document the applicable provision.
If no, proceed to the next step.
-
Obtain valid consent
Ensure consent satisfies the requirements under Section 6 and is supported by a clear privacy notice.
-
Maintain evidence
Record the legal basis, purpose, notices, and supporting documentation. This creates an audit trail and strengthens regulatory defensibility.
Conclusion
The DPDP Act shifts the conversation from "Can we process this data?" to "Why are we processing this data?" That shift is deliberate. Every processing activity must stand on a lawful foundation, whether through valid consent or one of the limited Certain Legitimate Uses recognized under Section 7.
For organizations, this means compliance starts long before personal data enters a database. Businesses that embed this discipline into their privacy governance are better positioned to reduce regulatory risk, build customer trust, and demonstrate accountability under India's evolving data protection framework.
Key Takeaways
- Personal data processing includes every activity performed on digital personal data, from collection and storage to sharing and deletion.
- Under the DPDP Act, organizations can process personal data only for a lawful purpose. Collecting personal data alone does not make processing lawful.
- A lawful purpose must be supported by either valid consent (Section 6) or one of the Certain Legitimate Uses under Section 7.
- The DPDP Act does not recognize the GDPR's "Legitimate Interests" as a standalone legal basis. Organizations cannot determine their own "legitimate purpose" for processing personal data.
- Consent is the default legal basis for most processing activities, while Section 7 applies only to specific statutory exceptions where consent is not required.
- Before processing personal data, organizations should identify, document, and retain evidence of the applicable legal basis to demonstrate DPDP compliance.
Related Blog





