Legitimate Use Under The Digital Personal Data Protection Act, 2023 ' Decoding The Employment Puzzle

Published date20 November 2023
Subject MatterEmployment and HR, Privacy, Contract of Employment, Data Protection
Law FirmAZB & Partners
AuthorAZB & Partners

The Digital Personal Data Protection Act, 2023 ("Act"), after many iterations, has come as a breath of fresh air and marks the beginning of a fresh era that demands the implementation of a more robust safeguarding of digital personal data. The Act has immediately made its impact being felt across the industry and represents a departure from the existing lenient data protection requirements, which impose minimal consequences for non-compliance.

Regardless of the industry that any organization operates in, it will regularly need to handle and safeguard personal data of employee as a basic requirement. While the Act is yet to come into effect, all organizations need to utilize this transitioning phase to revaluate their internal processes established for protection of their employee data and work towards adapting the new changes (including within their existing policies) to be prepared when the Act comes into effect.

To implement the changes introduced under the Act regarding employee personal data, one of the key debate points which has surfaced is of treatment of employment as a 'legitimate use' for data processing. We highlight below some of the key issues that employers may need to reflect upon as well as examine whether a balancing act is required by organizations between considering employment as a legitimate use v. obtaining specific consents from the employee as a data principal to safeguard the organization.

Legal basis for employer to process employee data

The Act provides that personal data can be processed only for a lawful purpose for which (i) the data principal has either given her consent, which consent must be free, specific, informed, unconditional and unambiguous with a clear affirmative action; or (ii) such processing is undertaken for a 'legitimate use'. While the term legitimate use has not been defined, the Act provides guidance on various scenarios which can be considered as legitimate use, which includes employment. From an employment context, the Act allows organizations to process personal data of individuals without prior consent for broadly three purposes: (a) for the purposes of employment; or (b) for safeguarding itself from loss or liability in the capacity of an employer (e.g. prevention of corporate espionage, trade secrets etc.); and (c) for provision of any service or benefit sought by the employees.

But do the above mean organizations now have a blanket exemption from processing their employee data without consent under...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT