India

What are legitimate uses of personal data without consent?

8 legitimate us

Exemptions under DPDP Act

72 hours

Breach reporting deadline

₹250 cr

Max penalty

2023

Act enacted

The Short Answer

Under India's Digital Personal Data Protection Act, 2023, personal data may be processed without consent for specific legitimate uses — including compliance with law, judicial proceedings, medical emergencies, and employment-related purposes — provided such processing is necessary and proportionate.

What the Law Says

The Digital Personal Data Protection Act, 2023 (DPDP Act) permits processing of personal data without consent in certain specified situations — known as 'legitimate uses' — where consent is not required if processing is necessary and fulfils strict statutory conditions.

Section 8 of the DPDP Act lists eight circumstances where personal data may be processed without consent. These include: (i) compliance with any law or legal obligation; (ii) responding to a medical emergency; (iii) employment-related processing (e.g., payroll, attendance); (iv) performance of duties by government officials; (v) judicial, legislative, or regulatory functions; (vi) security of the State; (vii) prevention, detection, investigation, or prosecution of offences; and (viii) other purposes specified by the Central Government via notification.

Crucially, even where consent is not required, data fiduciaries must still adhere to core obligations: purpose limitation, data minimisation, reasonable security safeguards, and accountability. The Act also mandates that any processing under these exemptions must be 'necessary and proportionate' to the stated purpose.

Section 9 further requires that where personal data is processed without consent under Section 8, the data fiduciary must maintain records justifying the exemption and be prepared to demonstrate compliance upon request by the Data Protection Board.

Statutory Text
Personal data may be processed without the consent of the data principal for the following purposes: (a) compliance with any law…; (b) responding to a medical emergency…; (c) employment-related purposes…; (d) performance of any function of the State…; (e) judicial, legislative or regulatory functions…; (f) security of the State…; (g) prevention, detection, investigation or prosecution of any offence…; (h) such other purpose as may be prescribed.
— Digital Personal Data Protection Act, 2023, s. 8 — Processing of personal data without consent

Statutory Text
Where personal data is processed without the consent of the data principal… the data fiduciary shall maintain records of such processing and be able to demonstrate compliance with the provisions of this Act.
— Digital Personal Data Protection Act, 2023, s. 9 — Obligations in case of processing without consent

Sources

statuteDigital Personal Data Protection Act, 2023, s. 8 — Processing of personal data without consent statuteDigital Personal Data Protection Act, 2023, s. 9 — Obligations in case of processing without consent

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.