
What are the Exemptions under the DPDP Act?

Anahad Narain

Founder's Office
June 9, 2026

Summary

  • The Digital Personal Data Protection Act introduces a nuanced framework for data protection in India.
  • The Act covers specific provisions for consent exceptions, general exemptions, and state-specific relaxations. 
  • Consent exceptions include scenarios like voluntary data sharing and employment-related processing, where consent obligations can be bypassed.
  • General exemptions to the DPDP Act cover broader scenarios like BPO activities and corporate restructuring.
  • State exemptions apply to government bodies performing state functions, allowing data processing without standard DPDP Act requirements.



Consent is the default under the DPDP Act. But it isn't always required. The Act carves out specific situations where you can process personal data without consent — or continue to retain data even after a customer asks you to delete it.

These exemptions are real. But they're also narrower than most compliance teams assume.

There are three types of exemptions under the DPDP Act:

  • Legitimate Uses — where you can process data without obtaining consent
  • Regulatory Retention — where you can retain data even after consent is withdrawn or a deletion request is raised
  • General Exemptions — where most DPDP obligations cease to apply entirely

When Can You Process Data Without Consent - Legitimate Uses

Consent is the primary ground for processing personal data. But the Act recognises six situations — called "legitimate uses" — where processing without consent is permitted.

  1. Voluntary Sharing of Personal Data: If the customer has shared their data with you voluntarily, for a specific purpose, you can process it - for that purpose.

Eg: A customer emails your support team with their address and personal details for a grievance. You can process that data without consent, only to resolve the complaint and not for any other purpose.

  2. Fulfilling Legal Obligations: When you are required by law to disclose the data to the government or any government body.

Eg: Since PMLA requires you to report suspicious transactions to the FIU, you can disclose customer data to the FIU without consent.

  3. Compliance with Judicial Orders: When a court order, decree, or judgment requires you to share the data.

Eg: A court orders you to produce a customer's transaction records as evidence in a case. You can share this data without the customer's consent.

  4. Employment-Related Processing: When it is required for employment purposes, i.e., to protect the employer from loss or liability or to provide services or benefits to employees.

Eg: A company processes an employee's bank account details to disburse their salary or processes employee attendance and leave records to manage payroll.

  5. Responding to Health and Other Emergencies: For responding to a medical emergency or to provide medical services during a public health emergency.

Eg: During a pandemic, healthcare providers might share patient data with government agencies to track and allocate resources effectively.

  6. Disasters and Breakdown of Public Order: To provide safety or help during a disaster or a breakdown of public order.

  7. Processing by Government Bodies: The government or any government body can process personal data to (i) issue subsidies, benefits, services, etc., or (ii) carry out its functions under law, or in the interest of national sovereignty, integrity, or security.

Can I collect KYC data without consent?

No. KYC is mandated by law for onboarding, but that does not make it a legitimate use under the DPDP Act.

The legal obligation exemption applies only to disclosures to the government or compliance with court orders — not to internal KYC collection for your own onboarding process. Since KYC serves your business purpose, consent must be obtained. If the customer refuses, you can end the journey there.

Note: The legitimate use exception only removes the consent requirement. All other DPDP obligations — data security, grievance redressal, data principal rights — continue to apply.

What To Do When a Customer Asks You to Delete Data You're Required to Keep - Regulatory Retention

Under the DPDP Act, when a customer withdraws consent or requests deletion, you must stop processing and delete their data. But as a regulated entity, you are often bound by laws like PMLA or RBI's KYC Master Directions that require you to retain customer data for fixed periods.

This appears to be a blatant contradiction - what do you do? The DPDP Act provides a specific exception. 

Section 6(6) permits processing for a legal or regulatory purpose even after consent is withdrawn. Section 8(7) permits retention of data for compliance with any law, even after a deletion request.

So you can retain data for regulatory purposes after a withdrawal or deletion request. But two conditions apply:

  • You can only use that retained data for the regulatory purpose. Not for marketing, not for servicing, not for anything else.
  • You must delete the data when the regulatory retention period ends.

RBI requires me to retain KYC data for 5 years after account closure. Can a customer force me to delete it earlier?

RBI's KYC Master Directions require banks to retain KYC records for a minimum of five years after account closure. If a customer requests deletion during that period, the bank can continue to retain the data under Section 8(7). The deletion request does not override the regulatory retention obligation.

When Do Most DPDP Obligations Stop Applying - General Exemptions

General exemptions go further than legitimate uses. Under Section 17(1), businesses exempt under this category are relieved of most DPDP obligations — including the requirement to obtain consent, respond to deletion requests, and provide grievance redressal.

The specific scenarios are:

  1. Enforcing Legal Rights: When processing is necessary to enforce a legal right or claim.

Eg: A customer defaults on a loan. The lender can process the data to send legal notices and pursue recovery - even if the customer has requested withdrawal of the data.

  2. Required by Courts and Regulatory Bodies: When data is required by courts, tribunals, or regulatory bodies, as per the law.

Eg: SEBI directs a stockbroker to produce transaction records of a customer under investigation. The broker can retain this data for this specific purpose and share it even after the customer withdraws consent.

  3. Prevention and Investigation of Offences: For prevention, detection, investigation, or prosecution of any offence or violation of law.

Eg: If a company detects suspicious transactions in its accounts, it can process the relevant personal data to investigate under PMLA.

  4. Business Process Outsourcing (BPO): When an Indian entity processes personal data of individuals outside India under a contract with a foreign entity.

Eg: An Indian IT services firm provides customer support services to a U.S. e-commerce company with foreign customers. The Indian firm does not need to collect consent from those foreign customers.

  5. Corporate Restructuring and Mergers: When necessary for a court-approved merger, demerger, amalgamation, or transfer of undertaking.

Eg: Two companies merge under a court-approved order. Customer data can be transferred to the merged entity without fresh consent.

  6. Loan Default Investigations: To ascertain financial information, assets, and liabilities of a person who has defaulted on a loan, in accordance with law.

Eg: A lender needs to assess the assets and liabilities of a borrower who has defaulted. They can process financial data to determine recovery options.

  7. National Security and Sovereignty: Processing undertaken by any government body notified by the Central Government in the interest of national sovereignty, security, or public order.

Eg: A government-notified intelligence agency processes communication data of individuals suspected of posing a threat to national security.

  8. Research, Archiving, and Statistics: For research, archiving, or statistical purposes, provided no individual decisions are made on the basis of this data, and subject to standards set out in the DPDP Rules.

Eg: A credit bureau uses anonymised borrower data to publish industry-wide default rate statistics, without making any individual-level decisions based on the data.

Can I use the research exemption for customer analytics and marketing?

No. Analysing customer data to understand individual preferences and target them with products or marketing does not qualify. The research exemption explicitly prohibits using processed data to make decisions about specific individuals. Customer analytics and targeting do exactly that.

Quick Reference: What's Exempt and What Still Applies

The table below is a quick reference guide showing what is exempted and what still applies under each exception:

Legitimate Uses
  • Exempt from: Consent requirement
  • What still applies: Withdrawal, Retention, Deletion, Information about data, Grievance Redressal, and all other DPDP obligations

Regulatory Retention
  • Exempt from: Right to withdraw consent; Right to erasure/deletion
  • What still applies: Consent, Withdrawal, Retention, Deletion, Information about data, Grievance Redressal, and all other DPDP obligations

General Exemptions
  • Exempt from: Consent, Withdrawal, Retention, Deletion, Information about data, Grievance Redressal
  • What still applies: Data Security obligations; Responsibility for Data Processor actions

Note: This article is for informational purposes only and does not constitute legal advice. Consult your legal counsel for advice specific to your situation.
