
Legitimate Uses Under DPDP: Section 7 Examples and Boundaries

Supriya Mehta | February 7, 2026 | 15 min read

Legitimate Uses Under DPDP: When You Can Process Data Without Consent

Section 7 of the Digital Personal Data Protection Act, 2023 is the provision Indian businesses will search for when they ask: "Can we process this personal data without consent?"

The short answer is: sometimes, but only in the situations Section 7 actually lists.

Legitimate uses under DPDP are not the same as GDPR legitimate interests. Section 7 is a closed list of consent exceptions. If your processing activity does not fit one of those grounds, you need valid consent under Section 6 or you need to redesign the workflow.

This distinction matters because many teams will be tempted to use Section 7 as a broad business convenience clause once DPDP enforcement gets closer. That would be a mistake. Section 7 can remove the need for consent, but it does not remove the rest of the DPDP compliance framework. You still need purpose control, security safeguards, data retention limits, processor contracts, breach response, and the ability to explain your decision later.

Quick Answer: What Are Legitimate Uses Under DPDP?

Legitimate uses under DPDP are the specific situations listed in Section 7 of the DPDP Act where a Data Fiduciary may process personal data without consent. These include voluntary provision for a specified purpose, certain State functions, legal compliance, court orders, medical emergencies, public health situations, disasters, and employment purposes.

For a business, the most practical Section 7 grounds are usually:

  • voluntary provision for a specified purpose
  • legal compliance
  • court or tribunal orders
  • employment purposes
  • medical or public-health emergencies, if the business operates in healthcare or emergency response

Most marketing, analytics, profiling, advertising, and unrelated reuse still needs consent.

The Fast Section 7 Decision Test

Before relying on a legitimate use, ask these questions in order:

  1. Which exact Section 7 ground are we relying on?
  2. Is the processing necessary for that ground, or merely useful to the business?
  3. Is the purpose narrow enough to explain in one sentence?
  4. Has the Data Principal objected, withdrawn the context, or indicated non-consent?
  5. Are we adding any secondary use, such as marketing, profiling, analytics, or sharing?
  6. Can we show records explaining why consent was not required?

If the answer is vague at any step, use consent instead.

Section 7 Is Not GDPR Legitimate Interest

This is the most important comparison for teams using GDPR templates.

Under GDPR, legitimate interests can sometimes justify processing after a balancing test. The controller identifies a legitimate interest, checks whether processing is necessary, and weighs that interest against the rights of the data subject.

The DPDP Act does not work that way.

Under DPDP, there is no general legitimate interest basis. A business cannot say, "This is reasonable for us, so we can process without consent." Section 7 gives specific grounds. If your use case is outside those grounds, there is no balancing test to rescue it.

Question | DPDP Section 7 | GDPR Legitimate Interests
Is it a closed list? | Yes | No
Is there a balancing test? | No general balancing test | Yes
Can ordinary business interest justify processing? | Not by itself | Sometimes
Is marketing automatically covered? | No | Sometimes, depending on context
What should teams document? | Exact Section 7 ground and purpose | Legitimate Interest Assessment

The practical rule is simple: do not import GDPR legitimate-interest language into DPDP notices, records, or product decisions.

The Nine Section 7 Grounds, With Business Examples

1. Voluntary Provision For A Specified Purpose

This is the most useful ground for private businesses, and also the easiest to misuse.

Section 7(a) applies when a Data Principal voluntarily provides personal data for a specified purpose and has not indicated that they do not consent to that use.

Good examples:

  • A customer provides an email address to receive an order confirmation.
  • A buyer gives a phone number to receive a payment receipt.
  • A prospect fills a form asking a real estate broker to send available rental options.

Bad examples:

  • Adding that same email address to a promotional newsletter.
  • Using a receipt phone number for WhatsApp marketing.
  • Sharing inquiry data with partners after the original request has ended.

The boundary is purpose. If the person gave the data for one narrow action, Section 7(a) does not authorise every later use your team finds valuable.

Records to keep:

  • where the data was provided
  • what the user asked for
  • the exact specified purpose
  • when the purpose ended
  • whether the user later objected or withdrew the request context

2. State Benefits, Services, Certificates, Licences, Or Permits

Section 7(b) is mainly for the State and its instrumentalities. It allows processing for government subsidies, benefits, services, certificates, licences, or permits in the circumstances described by the Act.

This is not a general private-sector shortcut.

A private vendor supporting a government programme should not assume it can independently rely on this ground. The better approach is to document whether the vendor is acting as a processor for the relevant government Data Fiduciary, what contract governs the processing, and which data categories are strictly required.

Records to keep:

  • government programme or service involved
  • legal authority or scheme document
  • whether the business is a processor or independent fiduciary
  • the data fields required for the benefit or service

3. State Functions, Sovereignty, Integrity, And Security Of The State

Section 7(c) covers processing by the State or its instrumentalities for functions under law, or in the interest of sovereignty, integrity, or security of India.

For most commercial businesses, this ground will not be the basis for ordinary processing. It may appear indirectly when a regulator, law enforcement authority, or government body requires information under legal authority.

Do not confuse this with Section 17 exemptions. Section 7 is a lawful basis to process without consent. Section 17 can exempt certain processing from some provisions of the Act. Those are different legal ideas.

Records to keep:

  • written government or legal request, if any
  • statutory authority cited
  • data categories disclosed
  • purpose and recipient
  • internal approval trail

4. Compliance With Indian Law

Section 7(d) covers processing required to fulfil an obligation under Indian law to disclose information to the State or its instrumentalities.

Examples:

  • tax reporting
  • statutory filings
  • financial-sector reporting
  • regulated record submission
  • mandatory disclosure to a lawful authority

This ground should be tied to a real legal obligation, not a broad claim that "compliance needs this data." If the law does not require the processing or disclosure, Section 7(d) may not help.

Records to keep:

  • law, rule, circular, order, or regulatory requirement
  • data fields disclosed
  • recipient authority
  • retention requirement, if any
  • date and internal owner

5. Court Orders, Decrees, Judgments, And Certain Foreign Civil Claims

Section 7(e) allows processing for compliance with judgments, decrees, or orders under Indian law, and certain judgments or orders relating to contractual or civil claims under foreign law.

Examples:

  • responding to a court order
  • producing documents in litigation
  • complying with an arbitral award or tribunal direction
  • preserving data required for a civil contractual dispute

The key boundary is formality. A threatening legal email from another company is not the same as a court order. A properly issued order or legally grounded claim process deserves different treatment.

Records to keep:

  • copy of the order, decree, judgment, or formal legal request
  • scope of data required
  • legal team approval
  • date of disclosure
  • retention or litigation-hold decision

6. Medical Emergencies

Section 7(f) permits processing to respond to a medical emergency involving a threat to life or immediate threat to health.

Examples:

  • an unconscious patient arrives at a hospital and staff access emergency medical details
  • an ambulance service uses location and contact details to respond to a life-threatening incident
  • a clinic shares critical information needed to prevent immediate harm

This ground is not for ordinary healthcare marketing, convenience analytics, or routine patient engagement. The emergency must be real and time-sensitive.

Records to keep:

  • emergency context
  • why consent could not be obtained first
  • data accessed
  • who accessed it
  • when normal consent or notice was later provided, where practical

7. Public Health Threats

Section 7(g) covers measures to provide medical treatment or health services during an epidemic, disease outbreak, or other threat to public health.

Examples:

  • outbreak response
  • contact tracing where legally supported
  • emergency vaccination coordination
  • public-health service delivery during an epidemic

This is not a general health-data analytics ground. The processing should connect to an actual public-health situation.

Records to keep:

  • public-health context
  • authority or programme involved
  • data categories used
  • safeguards applied
  • end date or review date for processing

8. Disasters And Breakdown Of Public Order

Section 7(h) allows processing for measures to ensure safety or provide assistance during a disaster or breakdown of public order.

Examples:

  • flood rescue coordination
  • relief distribution
  • missing-person identification after a disaster
  • emergency communications during public-order breakdown

The processing should be time-bound. Once the disaster or public-order situation ends, continued use needs a new basis.

Records to keep:

  • disaster or public-order event
  • assistance or safety purpose
  • data fields used
  • recipients
  • deletion or retention decision after the emergency

9. Employment Purposes And Employer Protection

Section 7(i) permits processing employee personal data for employment purposes, safeguarding the employer from loss or liability, and providing services or benefits sought by the employee.

Likely covered:

  • payroll
  • attendance and leave administration
  • benefits requested by the employee
  • access control
  • background verification tied to employment
  • investigations into misconduct or trade-secret risk
  • security monitoring needed to protect confidential information

Risky or likely not covered without consent:

  • broad employee surveillance with no tight purpose
  • wellness programmes employees did not seek
  • marketing uses of employee data
  • unrelated profiling
  • social-event or community use that is not an employment necessity

Records to keep:

  • employment purpose
  • data categories used
  • internal policy basis
  • proportionality or necessity note
  • retention period

What Obligations Still Apply When Section 7 Applies?

Section 7 does not make the DPDP Act disappear.

Even if you can process without consent, the Data Fiduciary should still prepare for these obligations:

  • security safeguards under Section 8
  • valid contracts with Data Processors
  • breach notification if personal data is compromised
  • retention and erasure when purpose ends
  • grievance redressal
  • internal records showing the lawful basis
  • rights handling where the relevant right applies

The safest working assumption is this: Section 7 changes the consent question, not the accountability question.

Section 7 Examples For Common Business Teams

Team | Use Case | Likely Basis | Safer Decision
Product | Send order receipt after checkout | Section 7(a) | Keep to receipt/order purpose only
Marketing | Add checkout email to newsletter | Consent | Do not rely on Section 7(a)
HR | Process payroll and tax deduction | Section 7(i) and legal compliance | Document employment and statutory basis
Security | Investigate suspected insider data theft | Section 7(i) | Limit data access to the investigation scope
Legal | Preserve records for litigation | Section 7(e) | Use legal hold with narrow scope
Finance | File required reports to regulator | Section 7(d) | Cite the specific legal requirement
Healthcare | Treat unconscious emergency patient | Section 7(f) | Log emergency access and later regularise
Operations | Share user list with affiliate partner | Consent | Section 7 usually does not fit

The Proof Businesses Should Keep

The DPDP Act does not give a detailed recordkeeping template for Section 7 decisions. But if the Data Protection Board asks why personal data was processed without consent, you will need a clear answer.

For each Section 7 processing activity, keep a simple legal-basis record:

  • processing activity name
  • exact Section 7 ground relied on
  • specified purpose
  • personal data categories used
  • why the data is necessary
  • whether the Data Principal can object or stop the processing
  • retention period
  • systems and vendors involved
  • owner who approved the basis
  • date reviewed

This is the practical difference between "we think this is legitimate" and "we can show why this was a legitimate use under Section 7."

Common Mistakes With DPDP Legitimate Uses

Mistake 1: Using Section 7(a) For Marketing

If a customer gives you an email to receive a receipt, that does not mean they agreed to promotional email. Marketing should usually have a separate consent flow.

Mistake 2: Treating Employee Data As Automatically Covered

Employment processing is broad, but not unlimited. Payroll, benefits, access control, and loss prevention are much easier to defend than broad monitoring or unrelated profiling.

Mistake 3: Saying "Legitimate Interest" In A DPDP Notice

That phrase belongs to GDPR, not DPDP. Use "legitimate uses under Section 7" only when you can identify a specific ground.

Mistake 4: Forgetting The End Date

Many legitimate-use situations are temporary. A medical emergency ends. A rental inquiry ends. A disaster response ends. Once the purpose ends, reassess retention and further processing.

Mistake 5: Not Documenting The Decision

If the only explanation lives in one lawyer's memory or one Slack thread, the business has not built a defensible process.

FAQ

What are legitimate uses under the DPDP Act?

Legitimate uses are the situations listed in Section 7 of the DPDP Act where personal data may be processed without consent. They include voluntary provision for a specified purpose, certain State functions, compliance with law, court orders, medical emergencies, public health threats, disasters, and employment purposes.

Is DPDP legitimate use the same as GDPR legitimate interest?

No. DPDP legitimate uses are a closed statutory list under Section 7. GDPR legitimate interests is a broader lawful basis that depends on a balancing test. Indian businesses should not copy GDPR legitimate-interest language into DPDP documentation.

Can I use Section 7 for marketing?

Usually no. If the Data Principal gave personal data for a narrow purpose, such as receiving a receipt or account update, using it for marketing usually requires separate consent under Section 6.

Does Section 7 remove all DPDP obligations?

No. Section 7 can remove the need for consent for a specific processing activity, but the Data Fiduciary should still comply with security, retention, processor-contract, breach-notification, and grievance obligations.

What should a business document before relying on Section 7?

Document the exact Section 7 ground, specified purpose, data categories, necessity, retention period, systems involved, vendors involved, and the internal owner who approved the basis. This record becomes important if a Data Principal or regulator challenges the processing.

Bottom Line

Section 7 is useful because not every data-processing activity can or should wait for consent. But it is narrow by design.

If you can name the exact ground, explain the purpose, limit the data, and preserve proof, Section 7 can reduce unnecessary consent friction. If you cannot, use consent. That conservative approach is more credible, more defensible, and better aligned with how DPDP compliance will be judged once enforcement begins.


This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.