
DPDP Act: Managing Employee Personal Data

workro desk team · 6 min read · 20 September 2026

Employee Data Under DPDP

The DPDP Act applies to employee personal data — names, addresses, Aadhaar, PAN, bank details, and performance records.

Key Requirements

  • Consent: Obtain consent for data collection and processing
  • Purpose limitation: Use data only for stated purposes
  • Data minimisation: Collect only what is necessary
  • Retention: Define retention periods (3 years post-employment typical)
  • Security: Implement appropriate technical and organisational measures

Practical Implementation

  • Employee consent form at onboarding
  • Data access controls (HR can see all, managers see their team only)
  • Automated deletion after retention period
  • Employee data request process (access, correction, deletion)
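
One way to express the access rule (HR sees all, managers see their team only) and the automated deletion check from the list above. This is an added example, not code from the original page: the record fields, role names and the rule that employees can read their own record are assumptions, and the 3-year period is the "typical" figure quoted above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

RETENTION_YEARS = 3  # the page's "typical" post-employment period; set from your own policy

@dataclass
class EmployeeRecord:          # hypothetical record shape
    emp_id: str
    manager_id: Optional[str]
    exit_date: Optional[date]  # None while the person is still employed

@dataclass
class Viewer:                  # hypothetical caller identity
    emp_id: str
    role: str                  # "hr", "manager" or "employee"

def can_view(viewer: Viewer, record: EmployeeRecord) -> bool:
    """HR sees all, managers see direct reports, anyone sees their own record; else deny."""
    if viewer.role == "hr":
        return True
    if viewer.emp_id == record.emp_id:  # assumption: supports the employee access request
        return True
    return viewer.role == "manager" and record.manager_id == viewer.emp_id

def retention_expiry(exit_date: date) -> date:
    """Date on which the retention period ends for a given exit date."""
    year = exit_date.year + RETENTION_YEARS
    try:
        return exit_date.replace(year=year)
    except ValueError:  # exit on 29 Feb, target year is not a leap year
        return exit_date.replace(year=year, day=28)

def due_for_deletion(records, today: date):
    """IDs of former employees whose retention period has ended; current staff are never listed."""
    return [r.emp_id for r in records
            if r.exit_date is not None and retention_expiry(r.exit_date) <= today]

# Constructed sample records, not real data
RECORDS = [
    EmployeeRecord("E1", "M1", None),
    EmployeeRecord("E2", "M2", date(2023, 9, 1)),
    EmployeeRecord("E3", "M1", date(2024, 2, 29)),
]

if __name__ == "__main__":
    m1 = Viewer("M1", "manager")
    print([r.emp_id for r in RECORDS if can_view(m1, r)])
    print(due_for_deletion(RECORDS, date(2026, 9, 20)))
```

Run the deletion check from a scheduled job and log each ID it returns, so the purge itself leaves an audit trail.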