4.(1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,β
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.
(2) For the purposes of this section, the expression βlawful purposeβ means any purpose which is not expressly forbidden by law.
SCROLL DOWN FOR LEGAL INTERPRETATION
Please keep in mind that this form is only for feedback and suggestions for improvement. Unfortunately, questions will not be answered.
The Foundational Legal Basis for All Data Processing Activities
Section 4. Grounds for processing personal data:
4.(1) A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,β
(2) For the purposes of this section, the expression "lawful purpose" means any purpose which is not expressly forbidden by law.
Section 4 of the Digital Personal Data Protection Act, 2023 is arguably the most foundational provision of the entire legislation. It establishes the fundamental legal principle that governs all personal data processing in India: no processing without a lawful ground.
Section 4 creates a positive obligation regime. Unlike a permissive framework where everything is allowed unless prohibited, the DPDPA establishes that personal data processing is prohibited unless it falls within one of the two specified grounds AND serves a lawful purpose.
This provision represents a paradigm shift in Indian data protection law, moving from sector-specific regulations to a comprehensive, rights-based framework that applies across all sectors and all forms of personal data processing.
The legislative intent behind Section 4 is multi-fold:
Empowering Data Principals with control over their personal data by requiring either their consent or a legitimate justification for processing.
Providing clear, unambiguous grounds for processing, eliminating interpretive confusion and regulatory arbitrariness.
Balancing individual privacy rights with legitimate business, governmental, and societal needs through the "legitimate uses" ground.
Creating an accountability mechanism where Data Fiduciaries must justify their processing activities under one of the specified grounds.
Section 4(1) establishes a binary framework for lawful processing. Every processing activity must fall under one (and only one) of these two grounds:
"for which the Data Principal has given her consent"
Key Characteristics:
Typical Use Cases:
"for certain legitimate uses"
Key Characteristics:
Typical Use Cases:
Every processing activity must be justified under one of these two grounds. There is no third option, no "implied consent," no "business necessity" outside legitimate uses, and no "industry practice" exception. If your processing doesn't fit into either ground, it is unlawful under DPDPA.
Section 4(2) provides a crucial definition that applies to both grounds of processing. It defines "lawful purpose" as:
"any purpose which is not expressly forbidden by law"
This definition employs a negative formulationβdefining lawfulness by what it is NOT rather than what it IS. This approach has significant implications:
By defining lawful purpose negatively, Section 4(2) creates a presumption of lawfulness. Unless a specific law expressly forbids a purpose, that purpose is considered lawful for data processing. This is a more liberal approach compared to requiring explicit legal authorization for each purpose.
| Criminal Activities | Processing data for committing fraud, identity theft, money laundering, terrorism, or any criminal offense |
| Prohibited Discrimination | Using data to discriminate based on caste, religion, race, sex in ways prohibited by the Constitution or specific laws |
| Violating Statutory Prohibitions | Purposes that violate specific prohibitions in laws like IT Act, Indian Penal Code, or sector-specific regulations |
| Child Safety Violations | Processing children's data in ways forbidden by POCSO Act or child protection laws |
| Constitutional Violations | Purposes that infringe fundamental rights in ways not saved by reasonable restrictions |
β Lawful Purposes (Not Expressly Forbidden):
β Unlawful Purposes (Expressly Forbidden):
Having a "lawful purpose" (Section 4(2)) is necessary but not sufficient. You must BOTH:
Example: Sending marketing emails may be a lawful purpose (not forbidden), but you still need consent (Section 4(1)(a)) to make the processing lawful.
Consent is the primary ground for processing personal data under the DPDPA. When processing is based on consent, the Data Principal exercises their autonomy by making an informed choice about whether to allow the processing.
While Section 4(1)(a) establishes consent as a ground, Section 6 of DPDPA elaborates on the attributes and requirements of valid consent. For Section 4 purposes, consent must be:
Given voluntarily, without coercion, deception, or making the service conditional on consent for unrelated processing
Based on clear notice (Section 5) about what data is being collected and for what purpose
Purpose-specific, not blanket consent for "any and all uses"
Clear affirmative action, not implied or inferred from silence or inaction
Data Principal can withdraw consent as easily as it was given
Scenario: ShopEasy, an e-commerce platform, processes customer data for various purposes.
β Consent-Based Processing:
β Legitimate Use Processing (No Consent Required):
Implementation: ShopEasy provides separate consent checkboxes for each consent-based purpose and clearly explains which processing occurs regardless of consent for service delivery.
If consent obtained as the basis for processing under Section 4(1)(a) is invalid (fails to meet Section 6 requirements), the entire processing becomes unlawful. This can result in:
The second ground for processing personal data is "certain legitimate uses" as specified in Section 7 of the DPDPA. This ground recognizes that in many situations, obtaining consent is either impractical, impossible, or would undermine important public or private interests.
Legitimate uses represent a carefully calibrated exception to the consent requirement. They are not a broad "legitimate interest" standard (as in GDPR), but rather a closed list of specific circumstances where processing without consent is justified by law.
| Legitimate Use Category | Description | Examples |
|---|---|---|
| State Functions (Section 7(a)) |
Processing by the State or instrumentality of State for specified functions, services, benefits, licenses, permits, or certificates | Aadhaar verification, passport issuance, welfare scheme implementation |
| Legal Rights/Claims (Section 7(b)) |
Processing necessary for compliance with any law or for instituting, pursuing, defending legal claims | Litigation records, regulatory filings, statutory record-keeping |
| Court Orders (Section 7(c)) |
Processing for compliance with any judgment, decree, or order of any Court or Tribunal in India | Discovery in litigation, compliance with court-mandated disclosures |
| Medical Emergency (Section 7(d)) |
Processing to provide medical treatment or health services during medical emergency | Emergency room treatment, ambulance services, epidemic response |
| Disaster Response (Section 7(e)) |
Processing to respond to any breakdown of public order | Natural disaster relief, public safety during emergencies |
| Employment (Section 7(f)) |
Processing by employer for recruitment, termination, provision of service/benefit, or verification of attendance | Payroll, attendance, performance evaluation, background verification |
| Safety and Security (Section 7(g)) |
Processing for ensuring safety and security, including preventing/detecting unlawful activity and ensuring network security | CCTV surveillance, fraud prevention, cybersecurity monitoring |
| Business Transfer (Section 7(h)) |
Processing for mergers, acquisitions, demergers, or other business restructuring | Due diligence in M&A, asset transfers, corporate reorganizations |
| Publicly Available (Section 7(i)) |
Processing of personal data made publicly available by Data Principal or under any law | Public social media posts, government gazette publications |
| Other Prescribed Uses (Section 7(j)) |
Any other legitimate use as may be prescribed by the Central Government | To be specified in DPDP Rules |
Unlike consent (which can be obtained for any lawful purpose), legitimate uses are strictly limited to the categories specified in Section 7. Organizations cannot invoke "business necessity" or "legitimate interest" outside these enumerated categories.
Scenario: CarePlus Hospital receives an unconscious patient in the emergency room at 2 AM.
Processing Under Legitimate Use (Section 7(d) - Medical Emergency):
Why No Consent Required: Medical emergency legitimate use (Section 7(d)) allows processing without consent when obtaining consent is impossible or would delay critical care.
Post-Emergency: Once patient regains consciousness and emergency is over, hospital must obtain consent for:
Company: TechCorp India, a software development company with 500 employees
Challenge: Determining which employee data processing requires consent vs. falls under legitimate use
Analysis Under Section 7(f) - Employment:
Legitimate Use (No Consent Required):
Consent Required:
Outcome: TechCorp implemented a dual-track consent system - automatic legitimate use processing for employment essentials, separate consent mechanism for optional/promotional uses.
Key Learning: Section 7(f) covers employment relationship essentials, but extends only to what is reasonably necessary for that relationship. Optional benefits and non-essential uses require consent.
Company: QuickLoan, a digital lending platform
Processing Activity: Loan application and disbursement
Section 4(1)(b) - Legitimate Use Basis:
| Credit Assessment | Processing credit bureau data, bank statements (Section 7(b) - necessary for contract performance) |
| KYC Verification | Aadhaar, PAN verification (Section 7(b) - legal compliance under PMLA) |
| Fraud Prevention | Device fingerprinting, IP tracking (Section 7(g) - safety and security) |
| Legal Records | Retaining loan agreements (Section 7(b) - legal compliance under RBI regulations) |
Section 4(1)(a) - Consent Required:
| Cross-sell Products | Marketing insurance, investment products via email/SMS |
| Behavioral Analysis | Tracking app usage patterns for personalization beyond credit assessment |
| Third-party Sharing | Sharing data with partner merchants for co-branded offers |
Compliance Approach: QuickLoan's application clearly separates essential processing (with legitimate use justification) from optional processing (with granular consent checkboxes).
Company: LearnBright, online education platform for K-12 students
Special Consideration: Processing children's data (under 18 years)
β οΈ Parental Consent Requirement:
For children under 18, consent must be obtained from parents/guardians (Section 9 DPDPA). This applies to all consent-based processing under Section 4(1)(a).
No Consent Required (Legitimate Use):
Parental Consent Required:
Implementation: LearnBright requires verified parental consent before enrollment, with separate consent modules for optional features.
Platform: ConnectIndia, a social networking platform
Complexity: Diverse processing purposes requiring different legal grounds
| Processing Activity | Legal Ground | Rationale |
|---|---|---|
| Account creation and authentication | Legitimate Use | Necessary for service delivery (contract performance) |
| Content moderation for illegal content | Legitimate Use | Section 7(b) - legal compliance (IT Act intermediary obligations) |
| Security monitoring for hacking attempts | Legitimate Use | Section 7(g) - network security |
| Processing publicly posted content | Legitimate Use | Section 7(i) - made publicly available by Data Principal |
| Algorithmic feed curation | Consent | Optional personalization feature |
| Targeted advertising | Consent | Not necessary for service, requires explicit consent |
| Sharing data with third-party advertisers | Consent | Third-party disclosure requires consent |
| Location tracking for nearby friends | Consent | Optional feature, sensitive data |
Compliance Challenge: ConnectIndia must clearly segregate core platform functions (legitimate use) from optional, consent-based features, ensuring users can opt out of consent-based processing without losing access to essential features.
Company: VitalAI, an AI-powered health monitoring startup
Product: Wearable device and app for continuous health tracking with AI-driven insights
Initial Approach (Non-Compliant):
VitalAI initially took a blanket consent approach with a single checkbox: "I agree to VitalAI processing my health data for service delivery, personalization, research, and partner collaborations."
Problem Identified:
Revised Compliant Approach:
β Legitimate Use Processing (No Consent):
β Consent-Based Processing (Granular Consent):
Outcome:
Key Learning: Distinguishing between legitimate use and consent-based processing, with granular consent options, actually improves user experience and trust while ensuring compliance.
Company: MegaMart, a large retail chain with 200 stores across India
Issue: Determining lawful ground for CCTV surveillance and facial recognition
Processing Activities:
Legal Analysis Under Section 4:
β Activity 1: CCTV Recording
Ground: Legitimate Use - Section 7(g) (safety and security)
Rationale: Theft prevention, staff safety, incident investigation
Requirements: Clear signage informing about CCTV surveillance, retention limited to 90 days unless needed for investigation
β Activity 2: Facial Recognition for Security
Ground: Legitimate Use - Section 7(g) (preventing unlawful activity)
Rationale: Identifying known shoplifters, preventing repeat theft
Requirements: Database limited to individuals with proven shoplifting history, regular review and deletion, heightened security measures for biometric data
β Activity 3: Customer Analytics
Ground: Consent Required - Section 4(1)(a)
Rationale: Foot traffic analysis and dwell time tracking go beyond security necessity and constitute business analytics
Requirements: Cannot rely on legitimate use; must obtain explicit consent or use anonymized data that doesn't identify individuals
β Activity 4: Marketing Demographics
Ground: Consent Required - Section 4(1)(a)
Rationale: Using CCTV footage to infer customer demographics for marketing is not a legitimate use
Alternative: Use voluntary surveys or loyalty program data with consent instead
Final Implementation: MegaMart maintains CCTV under Section 7(g), implements clear signage, limits facial recognition to security purposes only, and abandoned plans for marketing analytics using CCTV data without explicit consent.
Key Learning: Section 7(g) safety and security legitimate use is narrowly construedβit covers genuine security needs but doesn't extend to business intelligence or marketing purposes.
Agency: State Transport Department's DigiDL portal (Digital Driving License)
Objective: Digitization of driving license application and renewal process
Processing Activities:
Section 4 Analysis for Government Processing:
Section 7(a) - State Functions
ALL core processing activities fall under Section 7(a) as they are for "issuance of license or permit" - an expressly enumerated State function.
Implication: No consent required from applicants for any data processing necessary for license issuance.
However, Transparency Required:
While Section 7(a) eliminates consent requirement, Section 8 still requires:
Consent Still Required For:
Implementation Approach: DigiDL portal displays clear notice that data collection is for license issuance (State function, no consent needed), but provides separate opt-in checkboxes for optional services.
Key Learning: Government processing under Section 7(a) is broad for enumerated State functions, but doesn't extend to optional or commercial activities.
Inventory all personal data processing activities across your organization - what data, from whom, for what purpose, how long retained
For each processing activity, clearly define and document the specific purpose. Ensure each purpose is lawful (not expressly forbidden by law)
Determine whether each processing activity falls under consent (Section 4(1)(a)) or legitimate use (Section 4(1)(b)). Document the rationale
For consent-based processing: Design compliant consent mechanisms. For legitimate use: Document necessity justification and implement appropriate safeguards
Create and maintain comprehensive records of processing activities, legal grounds, consent records, and compliance assessments
Regularly review processing activities, legal grounds, and compliance status. Update as business operations evolve
β Question 1: Is the purpose expressly forbidden by law?
β If YES: Processing is unlawful regardless of ground (STOP)
β If NO: Proceed to Question 2
β Question 2: Does it fall under Section 7 legitimate uses?
β If YES: Check if processing is NECESSARY for that legitimate use
β’ If necessary: Use Section 4(1)(b) - Legitimate Use
β’ If not necessary: Proceed to Question 3
β If NO: Proceed to Question 3
β Question 3: Can you obtain valid consent?
β If YES: Use Section 4(1)(a) - Consent (ensure compliance with Section 6)
β If NO: Processing is not permissible under DPDPA (STOP)
β Special Note: Power Imbalance
If there's significant power imbalance (employer-employee, government-citizen), consent may not be freely given. Prefer legitimate use if available.
Issue: Assuming that use of service implies consent for all processing
Why it fails: Section 6 requires explicit, unambiguous consent. Continued use of service doesn't equal consent for processing beyond what's necessary for service delivery
Compliant approach: Obtain explicit consent for optional processing; rely on legitimate use for essential processing
Issue: Stretching legitimate use categories to avoid seeking consent
Why it fails: Legitimate uses are narrowly construed and require genuine necessity
Example of abuse: Claiming "safety and security" (Section 7(g)) as ground for marketing analytics
Compliant approach: Use legitimate use only when genuinely necessary; obtain consent for optional or business-oriented processing
Issue: Making service access conditional on consent for unrelated processing
Example: "Accept all cookies and marketing emails or you cannot create an account"
Why it fails: Violates "freely given" requirement of consent (Section 6)
Compliant approach: Separate essential processing (legitimate use) from optional processing (granular consent)
Issue: Using data collected for one purpose for a different purpose without fresh legal ground
Example: Collecting email for order confirmation, later using it for marketing without new consent
Why it fails: Violates purpose limitation principle; new purpose requires new legal ground
Compliant approach: Either seek fresh consent for new purpose or anonymize data before secondary use
| Section 3 | Obligations of Data Fiduciary - Section 4 grounds must be established before any obligations arise |
| Section 5 | Notice - Required before seeking consent under Section 4(1)(a) |
| Section 6 | Consent - Elaborates attributes of valid consent for Section 4(1)(a) processing |
| Section 7 | Legitimate Uses - Defines specific legitimate uses referenced in Section 4(1)(b) |
| Section 8 | General Obligations - Apply to all processing regardless of legal ground |
| Section 11 | Rights of Data Principal - Must be respected for all Section 4 compliant processing |
| Section 33 | Penalties - Processing without valid Section 4 ground triggers penalty provisions |
Answer: No. Each processing activity should rely on ONE legal ground. You cannot use legitimate use as a "backup" if consent is withdrawn. Choose the appropriate ground based on the nature and necessity of processing.
Exception: Different aspects of a broader activity may use different grounds. For example, account creation (legitimate use for authentication) and personalized recommendations (consent for analytics).
Answer: This is a serious compliance issue. You should:
Preventive Measure: Always conduct legal ground assessment before commencing new processing activities.
Answer: Yes, Section 4 applies, BUT Section 7(i) provides a legitimate use ground for data "made publicly available by the Data Principal."
Important Limitations:
Example: Can process public social media posts for sentiment analysis, but cannot create detailed private profiles for sale to third parties.
Answer: A purpose is expressly forbidden if:
Not "expressly forbidden": Purposes that are merely unethical, controversial, or commercially disadvantageous but not legally prohibited.
Best Practice: When in doubt, seek legal counsel for purposes involving sensitive data or novel use cases.
Answer: Yes, BUT with important caveats:
Section 9 Interaction: Section 9 requires verifiable parental consent for processing children's data, BUT this applies only to consent-based processing under Section 4(1)(a).
Legitimate use processing (Section 4(1)(b)) of children's data:
Example: School processing student data for educational administration (Section 7 - necessary for service delivery) doesn't require parental consent, but school offering optional personalization features (consent-based) does require parental consent.
Answer: No. This is a critical compliance error called "ground switching."
The Rule: If you chose consent as the legal ground and consent is withdrawn, you MUST stop processing. You cannot retroactively claim legitimate use as an alternative ground.
Why: The choice of legal ground must be made upfront based on the nature and necessity of processing. Legitimate use requires genuine necessity, not just business preference. Allowing ground switching would undermine consent's value.
Proper Approach: If processing serves dual purposes (e.g., fraud prevention AND marketing), clearly separate them from the start - use legitimate use for fraud prevention, consent for marketing. Then withdrawal of marketing consent doesn't affect fraud prevention processing.
Answer: Section 4 establishes the grounds for processing, including cross-border transfers. However:
For Consent-Based Transfers (Section 4(1)(a)):
For Legitimate Use Transfers (Section 4(1)(b)):
Additional Requirements: Cross-border transfers may be subject to additional restrictions or requirements under Section 16 and future rules.
All personal data processing requires BOTH a lawful purpose AND one of two legal grounds (consent or legitimate use)
Only two grounds: Consent (Section 4(1)(a)) or Legitimate Uses (Section 4(1)(b)) - no third option exists
Defined negatively: any purpose not expressly forbidden by law is lawful (permissive approach)
Legitimate uses are limited to categories in Section 7 - cannot be expanded by interpretation
π‘ Key Takeaway: Section 4 is the gateway provision that must be satisfied before any personal data processing. Without a valid legal ground under Section 4, all processing is unlawful regardless of how well other DPDPA requirements are met. Organizations must conduct rigorous legal ground assessments for each processing activity and document their compliance with Section 4's dual requirements: lawful purpose + appropriate legal ground.
This interpretation is provided for educational and informational purposes only and does not constitute legal advice. While every effort has been made to ensure accuracy, the Digital Personal Data Protection Act, 2023, and the DPDP Rules, 2025, are subject to interpretation by competent authorities and courts. Organizations should consult qualified legal counsel for specific compliance guidance tailored to their operations. Section 4 requirements may evolve through regulatory guidance, judicial interpretation, and amendments. The author and DPDPA.com assume no liability for actions taken based on this information.