Every company in India with employees is processing personal data under DPDP — payroll details, Aadhaar numbers, PAN cards, bank accounts, performance reviews, health insurance records, termination letters. Employees and job candidates are Data Principals with full rights under the law.
Applies to: In-house HR teams • Recruitment agencies • Staffing firms • Background verification companies • HRMS/payroll software providers • Any company with even one employee.
The Employee Data Blind Spot
Most DPDP discussions focus on customer data. But there's a massive blind spot: every employer in India processes enormous amounts of personal data about their own employees — and most have no compliance in place for it.
Think about what your HR team holds right now:
- Aadhaar and PAN numbers of every employee
- Bank account details for salary transfers
- Home addresses and emergency contact details
- Medical history (for health insurance, ESI)
- Performance reviews and disciplinary records
- Salary history and increment records
- Thousands of CVs from job applicants — most rejected, many stored for years
- Background verification reports
- Termination letters and exit interview notes
⚠️ The Myth: "DPDP is about customer data, not employee data." WRONG. Employees are explicitly Data Principals under DPDP. They have the same rights as customers — the right to access their data, the right to correction, and the right to erasure after employment ends.
Who Is Affected
- Startups with 5 employees: Still processing Aadhaar, PAN, salaries — DPDP applies
- Mid-size companies (50–500 employees): HRMS systems, payroll software, recruitment pipelines
- Large enterprises: Complex compliance obligations across departments
- Recruitment agencies: Databases of thousands of candidates — massive DPDP exposure
- Staffing firms: Processing data of contract workers across multiple client companies
What Employee & Candidate Data Is Covered?
Pre-Employment Data
- CV and resume (name, address, phone, email, work history, education)
- Cover letters and application forms
- LinkedIn and social profiles (if sourced by recruiter)
- Assessment test results and scores
- Interview notes and evaluations
- References and referee contact details
- Background verification reports
- Offer letter details (salary, joining date, role)
Active Employee Information
- Aadhaar number (mandatory for PF, ESI, tax)
- PAN card number
- Bank account details (salary account)
- Home address and emergency contacts
- Salary, CTC, and compensation details
- Leave records (including medical leaves)
- Performance reviews and appraisal records
- Disciplinary records and warnings
- Health insurance policy details
- Medical history (for group health insurance, ESI)
- Attendance and location data (if tracked)
- Device usage data (if company devices monitored)
- Training records and certifications
Ex-Employee Information
- Relieving letters and experience certificates
- Full and final settlement records
- Tax records (Form 16, TDS)
- PF and gratuity records
- Exit interview notes
- Non-compete and NDA records
- Reference check responses (if your company is asked)
DPDP Through the Employee Lifecycle
When Candidates Apply
Your obligations begin the moment a candidate submits their CV.
- Add a privacy notice to your job application form: "By applying, you consent to us processing your personal data for recruitment purposes. Read our Privacy Policy: [link]"
- State clearly how long you'll keep their CV if they're not selected (e.g., "We retain CVs for 6 months for future opportunities, then delete")
- If you source candidates from LinkedIn or job portals, you're still processing their data — your privacy policy must cover this
- Do NOT share candidate CVs externally without their consent
During the Hiring Process
- Interview notes and evaluations are personal data — store securely, limit access to hiring team only
- Video interview recordings require explicit consent before recording
- Assessment test results must be secured and not shared beyond hiring team
- Rejected candidates: Delete interview notes and assessments within 6 months of rejection
- Do NOT collect protected category data during interviews (health, marital status, family planning — legally prohibited AND DPDP-sensitive)
Collecting Employee Data at Joining
- Collect only what is necessary (Aadhaar, PAN, bank details, address)
- Share a clear privacy notice explaining how employee data will be used
- Get explicit consent for uses beyond legal/payroll requirements (e.g., publishing employee photos on company website)
- Secure sensitive documents (Aadhaar copies, PAN copies) — do not store as plain email attachments
- Limit access: only HR and finance who need the data should have it
Day-to-Day Employee Data
- Payroll data must be encrypted and access-controlled
- Performance reviews: accessible only to manager, HR, and the employee themselves
- Health/medical leave data: treat as sensitive — do not share with colleagues or clients
- If monitoring employee devices or attendance location: disclose clearly in employment contract and get consent
- Do NOT share employee salary details with other employees without consent
- Do NOT share employee health conditions with colleagues — even "to explain an absence"
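The day-to-day access rules above (and the "Role-based access on HRMS" checklist item later on) expressed as a small fail-closed policy check, added here as an example and not taken from the original page; the role names, the "self" and "own_report" relations and the user identifiers are this example's own modelling assumptions.

```python
from typing import NamedTuple

# Access matrix transcribed from the guidance above. A data type is readable if
# the actor's role is listed for it, or if the actor stands in a listed relation
# to the data subject. Role names and relations are this example's assumptions.
POLICY = {
    "payroll":            ({"hr", "finance"}, {"self"}),
    "aadhaar_pan":        ({"hr", "finance"}, {"self"}),
    "performance_review": ({"hr"}, {"self", "own_report"}),
    "health_leave":       ({"hr"}, {"self"}),
}

class Actor(NamedTuple):
    user_id: str
    role: str                         # hr | finance | manager | employee
    reports: frozenset = frozenset()  # user_ids of the actor's direct reports

def relation(actor, subject_id):
    """Relation of the actor to the employee whose data is requested."""
    if actor.user_id == subject_id:
        return "self"
    if subject_id in actor.reports:
        return "own_report"
    return "other"  # colleague, another team's manager, a client...

def can_read(actor, data_type, subject_id):
    """Fail closed: a data type with no policy entry is readable by nobody."""
    roles, relations = POLICY.get(data_type, (set(), set()))
    return actor.role in roles or relation(actor, subject_id) in relations

def audit_line(actor, data_type, subject_id):
    """One log line per decision, so denials are visible to whoever reviews access."""
    verdict = "ALLOW" if can_read(actor, data_type, subject_id) else "DENY"
    return f"{verdict} {actor.user_id}[{actor.role}] {data_type} of {subject_id}"

# Constructed actors (fictitious identifiers).
HR = Actor("h1", "hr")
FIN = Actor("f1", "finance")
MGR_A = Actor("m1", "manager", frozenset({"e1", "e2"}))
MGR_B = Actor("m2", "manager", frozenset({"e3"}))
EMP = Actor("e1", "employee")
```

A manager of a different team, a colleague, and anyone asking for a data type the policy does not name are all denied; a manager can read a direct report's review but not their medical leave reason.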
When an Employee Leaves
- Revoke access to systems immediately upon exit
- Retain only what's legally required (tax records, PF, gratuity)
- Delete personal data not required for legal purposes within 90 days of exit
- Ex-employees keep the right to access their data and to have data that is not legally required erased
- Do NOT share ex-employee performance or conduct data with other employers without consent (reference checks need careful handling)
Recruitment Agency Compliance
Recruitment agencies face heightened DPDP risk because they maintain databases of tens of thousands of candidate profiles, regularly share candidate data with client companies, often keep CVs for years without candidate knowledge, and source candidates from multiple channels.
Consent at Every Touchpoint
- When a candidate registers with your agency: Get explicit consent to store and share their profile
- Be specific: "We will share your CV with companies hiring for roles matching your profile. Do you consent?"
- When sourcing from LinkedIn or Naukri: get consent before sharing their profile with client companies
- Candidates must be able to withdraw consent and have their profile deleted
CV Database Management
- CVs cannot be stored forever — set a retention period (e.g., 1-2 years)
- Send annual re-consent emails: "Your profile is in our database. Do you want to stay active? Reply YES."
- Delete profiles of candidates who don't respond or opt out
- Encrypt your candidate database — it contains thousands of people's personal data
Client Data Sharing
- Only share candidate profiles with clients for roles the candidate has consented to
- Ensure client companies sign a Data Processing Agreement (DPA) before receiving candidate data
- You are responsible if you share data with a client who mishandles it
- Do NOT share candidates' current salary details with client companies without the candidate's explicit consent
Background Verification Under DPDP
Background verification (BGV) is standard in Indian hiring — but it creates significant DPDP obligations.
⚠️ Criminal and financial data are among the most sensitive categories. A failed background check that leaks a candidate's criminal record or financial history can cause irreparable harm. DPDP requires the highest level of care for this data.
Candidate Consent Is Mandatory
- You CANNOT conduct background checks without explicit candidate consent
- Consent must specify: what will be checked, who will conduct it, what data will be shared with BGV agency, how results will be used
- Do NOT share BGV reports with anyone beyond the hiring decision-makers
- If a candidate fails BGV, they have the right to know what data was used
- Delete BGV reports after hiring decision is made (within 30-90 days)
- BGV agencies are your Data Processors — ensure they have adequate security and DPDP compliance
Sensitive HR Data: Categories Requiring Extra Care
Health & Medical Data
- Medical leave reasons (do not ask employees to justify medical absences beyond what's legally required)
- Health insurance claim history (treat as sensitive — do not share with managers or colleagues)
- Pre-employment medical tests (if conducted — share only with HR, not hiring managers)
- Disability information (if disclosed for accommodation purposes — share only on need-to-know)
- Mental health disclosures (employee wellbeing programmes — treat with maximum confidentiality)
Financial & Salary Data
- Individual salary details must never be accessible to non-HR staff
- Payroll spreadsheets with all salaries must be encrypted and access-controlled
- Salary slips are personal data — share only with the individual employee and authorised finance/HR
- Current/expected salary data in recruitment — handle carefully, do not share without consent
Biometric Data (Attendance Systems)
- Fingerprint attendance systems collect biometric data — the most sensitive category
- Inform employees clearly before collecting biometric data
- Get explicit written consent for biometric collection
- Store biometric data with maximum encryption
- Delete biometric data promptly after employment ends
- Provide an alternative for employees who cannot or will not provide biometrics
How Long to Keep Employee Data
| Data Type | Retention Period | Action After |
|---|---|---|
| Tax records (Form 16, TDS) | 7 years | Delete securely |
| PF & gratuity records | 5–7 years | Delete securely |
| Employment contracts | 3–5 years after exit | Delete securely |
| Performance reviews | 2 years after exit | Delete securely |
| Home address, bank details | Delete within 90 days of exit | Delete promptly |
| Health/medical data | Delete within 90 days of exit | Delete promptly |
| Biometric data | Delete on last working day | Delete immediately |
| Rejected candidate CVs | 6 months after rejection | Delete or get re-consent |
| BGV reports | 30–90 days after hiring decision | Delete securely |
| Interview notes | 6 months after interview | Delete securely |
⚠️ The "Just in Case" Trap: HR teams often keep all employee data indefinitely "just in case there's a dispute." DPDP does not permit this. Keep only what's legally required, for the legally required duration. Delete the rest on schedule.
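The retention table above turned into a schedule that flags, for a given date, which records are due for deletion or re-consent and which have no stated basis for being kept at all. This is an added example, not code from the original page; taking the upper bound of each range, counting a year as 365 days and anchoring tax and PF records to the exit date are this example's assumptions.

```python
from datetime import date, timedelta
from typing import NamedTuple
# Retention schedule transcribed from the table above, as (days after anchoring
# event, anchoring event, action). Assumptions: ranges use their upper bound,
# 1 year = 365 days, tax/PF records anchor to the exit date; confirm with counsel.
SCHEDULE = {
    "tax_record":          (7 * 365, "exit", "delete securely"),
    "pf_gratuity":         (7 * 365, "exit", "delete securely"),
    "employment_contract": (5 * 365, "exit", "delete securely"),
    "performance_review":  (2 * 365, "exit", "delete securely"),
    "home_address_bank":   (90, "exit", "delete promptly"),
    "health_data":         (90, "exit", "delete promptly"),
    "biometric":           (0, "exit", "delete immediately"),
    "rejected_cv":         (180, "rejection", "delete or re-consent"),
    "bgv_report":          (90, "hiring_decision", "delete securely"),
    "interview_notes":     (180, "interview", "delete securely"),
}

class Record(NamedTuple):
    record_id: str
    data_type: str
    events: dict  # anchoring events that have occurred, e.g. {"exit": date(...)}

def review(record, today):
    """Return (status, action) for one record on the given day."""
    rule = SCHEDULE.get(record.data_type)
    if rule is None:  # no rule = no stated legal basis: the "just in case" trap
        return ("review_no_basis", "justify retention or delete")
    days, anchor, action = rule
    when = record.events.get(anchor)
    if when is None:  # event has not happened: still employed, decision pending
        return ("retain_active", "keep; access-controlled")
    due = when + timedelta(days=days)
    if today >= due:
        return ("overdue" if today > due else "due_today", action)
    return ("retain_until_" + due.isoformat(), "keep; access-controlled")

def review_all(records, today):
    return {r.record_id: review(r, today) for r in records}

# Constructed sample records (fictitious people and dates).
SAMPLE = [
    Record("e1-bio", "biometric", {"exit": date(2024, 3, 29)}),
    Record("e1-addr", "home_address_bank", {"exit": date(2024, 3, 29)}),
    Record("e1-tax", "tax_record", {"exit": date(2024, 3, 29)}),
    Record("e2-perf", "performance_review", {}),  # still employed
    Record("c7-cv", "rejected_cv", {"rejection": date(2023, 9, 1)}),
    Record("c7-scrape", "social_profile_scrape", {}),  # no rule on the page
]
```

Running `review_all(SAMPLE, date(2024, 6, 30))` marks the biometric, address and rejected-CV records overdue, keeps the tax record until 2031, leaves the active employee's review alone, and sends the scraped profile back for a retention justification.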
Top HR & Recruitment DPDP Violations
The mistake: Recruitment agency has a database of 50,000 candidate CVs accumulated over 10 years. No one ever deletes profiles. Candidates from 2014 are still in the system without their knowledge.
Why illegal: Storing personal data indefinitely without consent or legal basis violates DPDP retention requirements.
Fix: Set 1-2 year retention policy. Send re-consent emails annually. Delete non-responsive profiles on schedule.
The mistake: Recruiter shares a candidate's CV with a client company without informing the candidate or getting their consent for that specific sharing.
Why illegal: Candidates consented to the recruitment agency processing their data — not to sharing with unnamed third parties.
Fix: Always inform candidates before sharing their profile with a specific company. Get explicit consent.
The mistake: HR sends the full company payroll spreadsheet (with all employee salaries, Aadhaar numbers, bank accounts) to a shared drive accessible to all staff. A disgruntled employee downloads it and leaks it.
Why illegal: Failure to implement reasonable security safeguards for sensitive financial and identity data.
Fix: Encrypt payroll data. Restrict access to finance and HR only. Never share payroll in unprotected shared drives.
The mistake: Employee takes medical leave for cancer treatment. HR tells the employee's manager "she has cancer, so please be understanding." The employee did not consent to HR disclosing this.
Why illegal: Health data is sensitive. Disclosure without consent, even with good intentions, is a DPDP violation.
Fix: Ask the employee what they want their manager to know. Share only what the employee explicitly consents to disclose.
The mistake: Company conducts social media background checks on candidates without disclosing this. Or shares a candidate's criminal background check result with the hiring manager's whole team (5 people) instead of just HR.
Why illegal: BGV requires explicit consent. Sensitive BGV results must be on a strict need-to-know basis.
Fix: Add BGV consent to offer letter. Share BGV results only with final decision-maker and HR. Delete after decision.
The mistake: Ex-employee who left 3 years ago submits a DPDP data deletion request. HR says "we keep all records forever for legal protection." The ex-employee files a complaint with the Data Protection Board.
Why illegal: Beyond legal retention requirements, ex-employees have the right to deletion of their personal data.
Fix: Follow the retention schedule. Delete non-legally-required data on schedule. Respond to deletion requests within 30 days.
HR & Recruitment DPDP Compliance Checklist
| Compliance Item | Status |
|---|---|
| Privacy notice on job application forms | ☐ |
| Employee privacy policy published (in offer letter or HR handbook) | ☐ |
| Candidate consent for CV sharing (before sending to client companies) | ☐ |
| BGV consent process (explicit written consent before verification) | ☐ |
| CV database retention policy (delete after 6-12 months if not hired) | ☐ |
| Payroll data encrypted & access-controlled | ☐ |
| Aadhaar / PAN copies secured (not plain email attachments) | ☐ |
| Role-based access on HRMS (managers can't see salaries of other teams) | ☐ |
| Health data access restricted (only HR, not managers or colleagues) | ☐ |
| Biometric consent process (written consent before fingerprint enrolment) | ☐ |
| Employee device monitoring disclosed (in contract if monitoring) | ☐ |
| Exit data deletion schedule (delete non-legal data within 90 days of exit) | ☐ |
| Data deletion request process (can respond to ex-employee requests) | ☐ |
| HR team trained on DPDP | ☐ |
FAQ for HR Teams & Recruiters
Does DPDP apply to employee data?
Yes. Employees are Data Principals under DPDP. Employers processing payroll data, Aadhaar numbers, PAN cards, performance reviews, and health records must comply. There is no employer exemption.
Do recruitment agencies need to comply with DPDP?
Yes. Recruitment agencies process large volumes of candidate personal data. They are Data Fiduciaries and must obtain consent, secure candidate databases, and delete profiles after the retention period.
Can employers conduct background checks under DPDP?
Yes, but only with explicit candidate consent. Consent must specify what will be checked, who conducts it, what data will be shared, and how results will be used.
How long can employers keep ex-employee data?
Tax records: 7 years. PF/gratuity: 5-7 years. Employment contracts: 3-5 years. Home addresses and health data: delete within 90 days of exit. Biometric data: delete on last working day.
Can I tell a manager why an employee is on medical leave?
Only with the employee's consent. Ask the employee what they want disclosed. Share only what they explicitly approve. Health conditions are sensitive data — never share without consent, even with good intentions.
What if an ex-employee asks to delete their data?
You must delete all personal data that isn't legally required to be retained. You can keep tax records, PF records, and employment contracts for their required periods. Everything else must be deleted and you must confirm deletion to the ex-employee.
Can I source candidates from LinkedIn without their consent?
You can view public profiles, but once you store their data in your ATS or CRM, DPDP applies. You must inform them their data is in your system and get consent before sharing their profile with client companies.