Key Takeaways
- What is the DPDP Act in India?
  The Digital Personal Data Protection Act (DPDP) provides a statutory framework for the collection, use, processing, storage, and transfer of personal data in digital form within India.
- Why is it important for employers to comply with the DPDP Act?
  Employers should comply with their obligations under the Act to build candidate and employee trust, protect their reputation, and avoid the financial penalties for non-compliance.
- What are employers’ responsibilities regarding candidate and employee data?
  Employers in India have Data Fiduciary hiring responsibilities, meaning they are responsible for collecting, using, processing, storing, and transferring their candidates’ and employees’ personal data according to the privacy principles set forth in the Act.
- Is consent required for background screening under the DPDP Act?
  While the DPDP Act provides an exception for employment purposes, many employers still provide notice and consent as a best practice to support transparency and recordkeeping.
Over the past decades, India has exploded onto the world stage, becoming a global leader in business and innovation. From research and development to information security and customer support, India provides employers with vast pools of top talent and technical expertise. However, these workforce opportunities take place in a complex and ever-evolving regulatory landscape, which employers must learn to navigate to stay compliant.
Candidate and employee privacy, in particular, can be challenging. Until recently, India lacked a clear overarching framework for the collection and processing of personal data, leaving employers in the dark regarding their obligations. In 2023, the Parliament of India passed the Digital Personal Data Protection Act (DPDP), which sets forth requirements for protecting individuals’ personal data. The Act, and the DPDP Rules introduced in 2025, provide employers with the guidance they need to protect candidates’ data privacy while hiring in India.
Under the Act, mishandling candidate data can have costly consequences. Employers should therefore familiarise themselves with their obligations under the Act in order to safeguard candidates’ and employees’ privacy, build workforce trust, and protect themselves against potential financial and reputational loss. Read on to find out more about what the DPDP Act specifically entails for data privacy and hiring in India.
What is the DPDP Act and how does it impact workforce screening in India?
Under the DPDP Act, employers act as Data Fiduciaries, responsible for managing candidate and employee data in accordance with regulatory requirements.
Overview of the DPDP Act – Principles and Scope
The Act provides a statutory framework for the collection, use, processing, storage, and transfer of personal data in digital form within India. It also includes the processing of this data outside India if it is in connection with offering goods or services to individuals within India. DPDP compliance for employment screening in India requires employers to be mindful of their obligations under the law.
Like other data protection regulations around the world, including Europe’s General Data Protection Regulation (GDPR), the Act defines three roles pertaining to the processing of personal data, each with their own responsibilities:
- The Data Fiduciary is the person who determines the purpose and means of processing data. In an employment context, this would be an individual’s current or potential employer.
- The Data Processor is any person who processes personal data on behalf of the Data Fiduciary. In an employment context, this would be any third-party company who is contracted by the employer to complete screening or other employment-related services.
- The Data Principal is the individual to whom the personal data pertains. In an employment context, this includes candidates and employees.
The Act protects individuals’ right to privacy by requiring Data Fiduciaries, including current and potential employers, to treat individuals’ personal information in a fair, transparent, and accountable manner.
Employer responsibilities under the DPDP Act
To protect individuals’ personal data, the DPDP Act sets forth several obligations which Data Fiduciaries, including employers, must respect to remain compliant.
Lawful collection. Under the Act, Data Fiduciaries may only collect and process data for a lawful purpose, either with the Data Principal’s consent or for certain legitimate uses. “Legitimate uses,” as defined in the Act, include employment purposes, such as safeguarding the employer from loss or liability.
Purpose limitation. Personal data may only be used for the specified purpose, and insofar as it is reasonably considered necessary to achieve this purpose. This means, for example, that employers may not collect their employees’ personal data for payroll purposes and later reuse it to sign them up for promotional newsletters.
Accuracy. Data Fiduciaries who use personal data to make a decision regarding a Data Principal, or who disclose it to another Data Fiduciary, must take steps to ensure this data is complete, consistent, and accurate. In an employment context, this means employers must, for example, carefully assess the information they use to complete the background check to confirm it belongs to the right individual.
Data security and storage. Data Fiduciaries must put in place reasonable safeguards to prevent personal data breaches. For employers, this could involve using encryption, access controls, secure servers, and other security measures to protect candidate and employee data against unauthorized use and access.
Data retention. If a Data Principal withdraws their consent to their personal data being used, Data Fiduciaries must erase it, unless they need to retain it to comply with their legal obligations. In addition, data should be erased once it no longer serves the purpose for which it was collected. Data Fiduciaries and Data Processors are required to retain personal data, traffic data, and other logs of the processing for a minimum period of one year from the date of such processing. A notice must be provided to the Data Principal at least 48 hours before erasure.
Transparency. The Data Fiduciary must publish the contact information of a Data Protection Officer or another person who can answer Data Principals’ questions about their personal data on the Data Fiduciary’s behalf. In addition, the Data Fiduciary must put in place a mechanism to redress any grievances Data Principals may have about the way their personal data was processed.
Reporting. In the event of a personal data breach, Data Fiduciaries must notify affected Data Principals, as well as the Data Protection Board of India.
Audit. Significant Data Fiduciaries must appoint an independent data auditor to carry out audits and evaluate their compliance with the Act’s provisions.
Whenever a Data Fiduciary requests an individual’s consent to collect and process their personal data, they are required under the Act to provide a notice informing this individual of the purposes and means of data processing, as well as the manner by which the individual can complain to the Data Protection Board in case of a grievance. However, the Act specifically exempts Data Fiduciaries from the consent requirement when they are collecting and processing data for employment purposes. While employers may not be strictly required to provide notice and obtain their candidates’ consent under the DPDP before collecting their personal data as part of the hiring and background screening process, they may still opt to do so as a best practice, to facilitate recordkeeping and create a paper trail in case of a grievance.
When a notice is provided to a candidate or employee, it must include:
- A description of which personal data is being collected and for what purpose;
- Instructions for exercising their rights under the Act;
- Instructions for making a complaint to the Data Protection Board of India.
Data Fiduciaries’ responsibilities regarding notice and consent can be administered through a Consent Manager, who should be registered with the Data Protection Board. In such cases, the Consent Manager acts as a point of contact for Data Principals, allowing them to give, manage, review, and withdraw their consent.
Candidate and Employee Rights Under the DPDP
Data Principals, including candidates and employees, have rights under the DPDP Act which employers are required to respect.
Right to access. Data Principals must be able to request a summary of the personal data that is being processed, as well as the processing activities. They must also be provided with the identities of all Data Fiduciaries and Data Processors with whom the data has been shared, and any other information related to their personal data and its processing, as prescribed. This means that if a candidate is undergoing a background check, they must be able to request a summary of the personal data used to run the check, the screening services involved, and the identity of the third-party background screening providers contracted to run the check (if applicable).
Right to correction. Data Principals have the right to request that their personal data be corrected, updated, or completed. If a candidate believes their background check was completed under the wrong date of birth, for example, they can request that this information be rectified.
Right to erasure. Data Principals have the right to request that their data be erased, in which case the Data Fiduciary should comply, unless they are legally obligated to retain the data.
Right to grievance. If Data Principals are unhappy with the manner in which their personal data has been collected or processed, they may file a grievance with the Data Fiduciary, who must provide them with the means to do so and respond to the grievance appropriately. Data Principals must approach the Data Fiduciary with their grievance before escalating it to the Data Protection Board.
It is worth noting that Data Principals, including candidates, also have obligations under the Act. They are forbidden from impersonating another individual, from suppressing material information from their personal data, and from filing frivolous grievances. In addition, the Act requires them to provide only verifiably authentic information. This gives employers some degree of protection against candidate identity fraud and other fraudulent or bad faith behaviours.
Workforce screening and compliance considerations in India
Section 7 of the Act allows employers to collect and process personal data in order to safeguard themselves from loss or liability. While workforce screening is therefore a legitimate use of personal data, employers should keep in mind a few compliance considerations when selecting background screening services in India.
Identity verification
Since employers are required under the Act to take steps to confirm that their candidates’ and employees’ data is accurate before processing it, identity verification has become a question of compliance, not just risk mitigation. Employers need to verify identity to confirm that background checks are completed on the right person and that they are not unwittingly hiring an impostor.
While some employers may still rely on in-person identity verification, these processes are increasingly inefficient and unwieldy, especially for large organizations and those that hire remotely. Instead, many employers are turning to digital identity verification solutions that rely on a combination of document review, liveness detection, data intelligence, and matching an individual’s selfie to their identity document in order to confirm candidates are who they say they are.
Criminal and employment checks
While background screening for employment purposes may be considered legitimate use of personal data, employers may wonder if they must complete the background check themselves or if they are allowed to order workforce screening solutions in India through third parties.
Under Section 8 of the Act, Data Fiduciaries may engage a Data Processor to process personal data on their behalf, as long as they enter into a valid contract. This means that employers may conclude an agreement with a background screening firm to complete the required background checks. Employers should take steps to confirm that their background screening provider has put in place safeguards to protect their candidates’ and employees’ personal information in accordance with the DPDP Act’s provisions.
Cross-border data considerations
Section 16 of the DPDP Act provides that the Central Government of India may, upon notification, restrict Data Fiduciaries from transferring personal data to another country or territory. Otherwise, no specific limitations are imposed on cross-border data transfers. If the jurisdiction to which the data is being transferred has stricter privacy guidelines than India, employers may observe these guidelines instead.
Building a compliant and scalable hiring process
Under the new DPDP guidelines, hiring and background screening in India presents compliance risks, especially for employers hiring remotely or at high volumes. Mishandling candidate and employee data can result in fines of up to 250 crore rupees. Employers should therefore work closely with their legal and compliance advisors to put in place hiring and background screening processes designed to facilitate compliance at scale.
Consistency also remains a concern for employers who hire outside of India. The DPDP Act’s provisions regarding candidate and employee consent are less strict than those of many other major international privacy frameworks. Europe’s General Data Protection Regulation (GDPR) and the U.S.’s Fair Credit Reporting Act (FCRA), for example, require employers to provide individuals with a notice and get their consent before processing their personal data, even if this data is used for legitimate employment purposes.
To reduce risks of non-compliance, employers may want to put in place a consistent notice and consent process that takes into account the strictest applicable requirements for all candidates and employees, regardless of where they are hired. For example, employers who hire both in India and in Europe may want to provide notice and consent for all new hires, even if the DPDP Act does not strictly require consent when a background check or employment verification in India is conducted for employment purposes.
Embedding compliance into workflows
To facilitate compliance and reduce risks of violations and data breaches, employers may wish to implement a Privacy by Design program. Privacy by Design takes a proactive approach to risk management by embedding compliance directly into systems and workflows.
To design compliant processes and systems, employers should ask themselves some questions:
- Which personal data will be collected, and for what purpose?
- At what point of the hiring process will personal data be collected?
- Will a notice be provided to candidates and employees before collecting their personal data? If so, how?
- How will data be stored, and for how long?
- What safeguards will be put in place to protect personal data?
Once these questions have been answered, notice, consent, data collection, and background screening processes can be set up to take into account compliance requirements. If a notice is required before completing background checks, for example, the online platform used to collect candidates’ information can be configured to automatically present them with a notice at the start of the process. Systems can be set up to automatically delete data once the retention period has elapsed.
Compliance is not an individual undertaking. HR teams should work with their compliance and legal advisors to confirm they are aligned. These advisors may require privacy impact assessments (PIAs) to be conducted to determine whether processes and systems are compliant and identify gaps. Employers completing criminal background checks through third parties should look for a background screening provider who can help them integrate compliance considerations into their workflows and stay up to date on an evolving regulatory landscape.
Supporting the candidate experience
Compliance with DPDP requirements does not only help protect employers against risk and reputational loss. It also lets candidates know that their potential employer takes their privacy seriously and is dedicated to protecting their personal data. By building data collection, notice, consent, and background screening processes that are transparent, fair, compliant, and user-friendly, employers can make a strong first impression on candidates and turn a potential liability into a competitive advantage.
The DPDP Act defines how candidate and employee data must be handled in India. Employers act as Data Fiduciaries, with clear responsibilities regarding transparency, accountability, and data stewardship. All workforce screening in India must align with the Act’s data privacy requirements and respect Data Principals’ rights to access, correct, and erase their personal information.
Structured processes help support compliance and reduce risk, which is why HR teams should collaborate with their legal and compliance advisors to put in place thorough hiring and screening guidelines. Organizations should also work closely with their background screening provider to build a robust identity and screening program that takes into account DPDP data protection requirements.
Learn how First Advantage supports organisations in managing workforce screening and data protection requirements in India. Contact us.
Frequently Asked Questions
What is a Data Fiduciary?
According to the DPDP, a Data Fiduciary is the person who determines the purpose and means of processing data, which includes employers processing candidate data for employment purposes.
Is candidate consent required for background checks?
The DPDP normally requires notice and consent for all personal data collection, though it specifically provides an exception for data collected for employment purposes. While DPDP compliance for employment screening in India may not strictly require obtaining candidate consent, employers may still choose to provide notice for recordkeeping and due diligence reasons.
How should employers handle candidate data?
Employers should collect and process candidate data for lawful purposes only, take steps to verify the data’s accuracy and safeguard it against unauthorized use and access, and respect candidates’ rights in relation to their data, including the right to access, correct, and delete it.
What are the risks of non-compliance?
Data Fiduciaries, including employers, who fail to take reasonable security safeguards to prevent personal data breaches may be fined up to 250 crore rupees. Failure to notify the Data Protection Board of India or affected individuals of a personal data breach can incur additional fines of 250 crore rupees. Other instances of non-compliance may result in fines of 50 crore rupees.
