DPDP Compliance · Template · India HR, IT & Compliance Teams

DPDP Consent Notice Template for Employee Monitoring — India (2026)

Do you need employee consent for monitoring under the DPDP Act? Routine employment processing — attendance, payroll, security access logs — may fall within the Section 7(i) legitimate-use ground of India’s DPDP Act 2023. High-intrusion monitoring — screenshots, keystroke logging, webcam, off-duty or BYOD tracking — generally needs free, specific, informed and revocable consent backed by a plain-language notice. Below is a paste-ready, clause-by-clause annotated consent notice plus a consent-vs-7(i) decision table, published by gStride, the privacy-first productivity intelligence platform. A template is a starting point, not legal advice — verify with counsel.

Law-firm explainers tell you consent must be “free, specific, informed, unconditional and unambiguous” — and then never show you the document. This page is the document: the employee-facing consent notice itself, annotated clause by clause, with the decision table for when Section 7(i) covers you and when it does not, the consent record format, and the withdrawal flow. Adapt every clause with counsel before you ship it.

The 60-second answer: when monitoring needs consent vs when Section 7(i) covers you

The DPDP Act 2023 gives employers two main lawful routes for processing employee personal data: consent (Section 6) and the legitimate-use ground for employment purposes (Section 7(i)). The mistake most teams make is treating 7(i) as a blanket exemption for anything done on a work device. It is not drafted that way, the Data Protection Board has not yet tested its boundaries, and the prudent reading — the one most counsel will give you — is narrow: 7(i) comfortably covers the processing employment requires, not every form of observation employment makes possible.

| Monitoring activity | Likely lawful ground | Why |
| --- | --- | --- |
| Attendance, leave, payroll, statutory records | Section 7(i) likely sufficient | Core processing that employment itself requires; closest to the provision’s text. |
| System access & security logs on company devices | Section 7(i) arguable | Proportionate safeguarding of employer systems; keep scope security-only. |
| Aggregate, team-level productivity signals | Section 7(i) arguable — notice strongly advised | Low intrusion, no individual profiling; transparency still expected. |
| Individual productivity scoring & analytics | Grey zone — specific consent recommended | Individual profiling stretches “employment purposes”; untested before the DPB. |
| Screenshots / screen recording | Consent generally required | High-intrusion content capture; hard to defend as necessary for employment. |
| Keystroke logging | Consent required — proportionality risk even with consent | Captures passwords and personal messages; weakest proportionality case of all. |
| Webcam / microphone access | Consent required — highest-risk category | Reaches the body and the home; expect the strictest scrutiny. |
| BYOD, off-hours or location tracking | Consent required, narrowly scoped | Personal device and personal time; 7(i) reliance here is aggressive. |

Two hedges belong on the record. First, the “likely / arguable” columns are a risk reading, not settled law — Section 7(i)’s scope is untested and the table deliberately errs toward consent. Second, consent does not launder disproportionate capture: under the Puttaswamy proportionality standard, courts are likely to weigh whether the monitoring was necessary at all, not just whether a box was ticked. Verify your specific matrix with counsel.

What DPDP Rule 3 requires the notice to contain

Where you do rely on consent, the consent request must be accompanied or preceded by a notice, and the DPDP Rules (the notice rule — Rule 3 in the draft numbering; confirm the notified version with counsel) set the bar for what that notice looks like. In substance, the notice must be:

  • Understandable and standalone — plain language, presented independently, not buried inside the employment contract or handbook;
  • Itemised — a specific description of each category of personal data collected, not “activity data” in the abstract;
  • Purpose-mapped — the specified purpose of the processing, with the uses enumerated category by category;
  • Rights-forward — the concrete way the employee can exercise rights, withdraw consent as easily as it was given, raise a grievance, and complain to the Data Protection Board;
  • Linguistically accessible — with the option to access it in English or any of the languages in the Eighth Schedule of the Constitution.

The template below is structured so each requirement maps to a numbered clause — which is also how you defend it later. If you are still drafting the underlying policy the notice summarises, start with our guide on how to write an employee monitoring policy; the notice is the employee-facing surface of that policy, not a substitute for it.

Enforcement timing: DPDP Rules obligations land in phases running to roughly mid-2027 — but consent collected today under a defective notice is the consent you will be defending then. Drafting to the full standard now is cheaper than re-papering the whole workforce later. Verify current notification status with counsel.

The annotated consent notice template (paste-ready, clause by clause)

Under each clause heading below, the first block is template text you can paste and adapt; [bracketed fields] are the variables you must complete. The “Why this clause” annotation under each block explains what the clause is doing legally — read the annotations before deleting anything. This template is a starting point, not legal advice. Have qualified counsel review the adapted version against the notified DPDP Rules before circulating it to employees.

Clause 1 · Who we are and what this notice is

Notice and request for consent — workplace monitoring. This notice is issued by [legal entity name, CIN, registered address] (“the Company”, the data fiduciary under the Digital Personal Data Protection Act, 2023). It explains what personal data we collect through workplace monitoring tools, why, and the rights you have. It is separate from your employment contract, and you may read it in English or request it in [list offered Eighth Schedule languages].

Why this clause: Identifies the data fiduciary, states that the notice is standalone (not bundled into the contract), and surfaces the language option — three distinct notice-rule expectations in one block.

Clause 2 · What we collect (itemised)

If you consent, the monitoring tool [tool name] will collect the following categories of your personal data on [company-issued devices only / specified devices] during [working-hours definition]:

  • [e.g. application and website names used, with timestamps]
  • [e.g. calendar, ticket and repository activity metadata]
  • [e.g. active/idle time signals]
  • [list every further category, one line each — if screenshots or any content capture are used, each must be its own line]

Why this clause: The itemised-description requirement. Every capture category is its own line because each is its own processing decision — a category not listed here is a category you may not collect. Vague umbrella phrases (“usage data”) are the single most common notice defect.

Clause 3 · Why we collect it (purpose mapping)

Each category above is processed only for the following specified purposes: [map each data category to one or more named purposes, e.g. “application usage → team capacity planning and workload balancing”]. We will not use this data for any other purpose without issuing a fresh notice and, where required, obtaining fresh consent.

Why this clause: Purpose limitation. The one-to-one mapping (category → purpose) is what makes the consent “specific”; it also stops monitoring data from being quietly reused for a purpose nobody was told about, such as a termination file assembled after the fact.

Clause 4 · What we do not collect

The tool, as configured by the Company, does not: log keystrokes; record or capture your screen [delete or amend if untrue]; access your webcam or microphone; read the content of emails, messages or documents; or monitor personal devices or activity outside [working-hours definition].

Why this clause: Optional but powerful: a negative-scope clause builds the trust that makes consent genuinely free — and it is only safe to include if it is true. If you cannot write this clause honestly, that is a configuration finding, not a drafting problem.

Clause 5 · Retention and deletion

Monitoring data is retained for [period, e.g. 12 months] from collection, after which it is deleted or irreversibly anonymised, unless a longer period is required by law or for [narrow named exception, e.g. an active disciplinary proceeding you have been notified of]. Withdrawal of consent triggers the process described in Clause 7.

Why this clause: The DPDP Act expects erasure once the purpose is served; a stated period with a named exception is defensible, “as long as needed” is not. Pick a period you can technically honour — the deletion has to actually happen.

Clause 6 · Who can see it and who processes it

Access is limited to [named roles, e.g. your reporting manager (team-level views) and HR business partner (individual views on documented need)]. The data is processed on our behalf by [vendor legal name], storing data in [region, e.g. an India data-centre region] under a contract restricting use to our instructions. No monitoring data is sold or shared for advertising.

Why this clause: Names the data processor and residency — the two facts employees and auditors ask about first. If your vendor cannot give you the residency line in writing, run it through the DPDP Vendor Risk Assessment before signing anything.

Clause 7 · Your rights and how to withdraw consent

You may at any time: access a summary of your monitoring data; request correction or erasure; nominate a person to exercise your rights if you are unable to; and withdraw this consent as easily as you gave it — via [the same channel consent was given, e.g. the HR portal toggle] or by emailing [address]. On withdrawal, the monitoring described in Clauses 2–3 stops within [operational window, e.g. 7 days]; processing already carried out remains lawful, and processing the Company conducts on other legal grounds (for example payroll and statutory compliance) continues. Withdrawing consent will not, by itself, be treated as misconduct or affect your employment status.

Why this clause: The Act requires withdrawal to be as easy as the giving of consent — mirror the channel. The no-detriment sentence is what keeps the consent “free”; deleting it largely defeats the document. The carve-out sentence prevents the false promise that all processing stops.

Clause 8 · Grievances and the Data Protection Board

Questions or complaints go first to our Grievance Officer: [name/designation, email, response timeline per the notified Rules]. If you are not satisfied with the response, you may complain to the Data Protection Board of India through its prescribed channel.

Why this clause: The notice must state how to complain to the Board — omitting the DPB route is a notice defect even where the grievance officer is named. Confirm the response timeline against the notified Rules; do not invent one.

Clause 9 · Consent capture block

I have read this notice (version [v#, date]) in a language I understand. I consent to the collection and use of the personal data categories in Clause 2 for the purposes in Clause 3. I understand I may withdraw this consent at any time as described in Clause 7.

☐ I consent    ☐ I do not consent

Name: [ ]   Employee ID: [ ]   Date: [ ]   Signature / digital action: [ ]

Why this clause: An affirmative, unambiguous act with a real decline option and a version stamp. No pre-ticked boxes, no “continued employment constitutes consent”. The version stamp ties this signature to the exact notice text in your consent record (next section).

Consent record-keeping: proving free, specific, informed, unambiguous, revocable

A signed form is not yet a defensible consent record. If the Data Protection Board or an auditor asks, you need to reconstruct — per employee — exactly what was shown, when, and what has happened since. Map your record to the five statutory qualities of consent:

| Quality | What it means | What your record must show |
| --- | --- | --- |
| Free | No coercion or detriment for refusing | The no-detriment clause as shown; a working decline path; evidence refusals were processed without penalty. |
| Specific | Per-category, per-purpose consent | The exact notice version (text + version number) the employee saw, with its category–purpose map. |
| Informed | Notice received before consent | Timestamp of notice presentation preceding the consent action; language offered. |
| Unambiguous | Clear affirmative act | The affirmative action itself (signature, click, toggle) — never inferred from silence or continued employment. |
| Revocable | Withdrawal as easy as consent | Withdrawal channel logs; for each withdrawal: date, what monitoring stopped, and when. |

Operationally that means versioned notices, an immutable consent log (who, which version, when, which action), and re-consent triggered by any scope change — new capture category, new purpose, new vendor. If your monitoring vendor cannot export this evidence, put the fourteen questions in our DPDP Rules CISO questionnaire to them before renewal.
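
The record described above, as an added example (not gStride's code and not part of the original template): a hash-chained consent log in Python that stores who, which notice version, when and which action, rejects an action timestamped before the notice was shown, and reports which scope items of a newer notice still need fresh consent. The class and function names, the scope-string format and the sample employees and notices are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry

def _digest(obj):
    """SHA-256 over a canonical (sorted-key) JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class ConsentLog:
    """Hash-chained, append-only record: who, which version, when, which action."""
    def __init__(self):
        self.notices = {}  # version -> hash of the exact notice text + scope items
        self.entries = []

    def register_notice(self, version, text, scope):
        self.notices[version] = {"text_hash": _digest(text), "scope": set(scope)}

    def append(self, employee_id, action, version, shown_at, acted_at):
        if action not in ("consent", "decline", "withdraw"):
            raise ValueError("unknown action")
        if acted_at < shown_at:  # "informed": the notice precedes the act
            raise ValueError("notice must be presented before the action")
        body = {
            "employee_id": employee_id,
            "action": action,
            "notice_version": version,
            "notice_text_hash": self.notices[version]["text_hash"],
            "notice_shown_at": shown_at.isoformat(),
            "acted_at": acted_at.isoformat(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "entry_hash": _digest(body)})

    def verify(self):
        """False if any entry was edited, reordered or removed mid-chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def scope_gap(self, employee_id, current_version):
        """Scope items of the current notice not covered by a live consent."""
        current = self.notices[current_version]["scope"]
        mine = [e for e in self.entries if e["employee_id"] == employee_id]
        if not mine or mine[-1]["action"] != "consent":
            return sorted(current)  # declined, withdrawn or never asked
        return sorted(current - self.notices[mine[-1]["notice_version"]]["scope"])

def demo():
    """Constructed sample data; IDs, notice text and scope items are invented."""
    at = lambda h: datetime(2026, 1, 5, h, tzinfo=timezone.utc)
    v1 = {"app usage->capacity planning", "vendor:ExampleVendor"}
    log = ConsentLog()
    log.register_notice("v1", "constructed notice text v1", v1)
    log.register_notice("v2", "constructed notice text v2", v1 | {"screenshots->QA review"})
    log.append("E001", "consent", "v1", at(9), at(10))   # covered for v1 only
    log.append("E002", "consent", "v2", at(9), at(10))
    log.append("E002", "withdraw", "v2", at(9), at(15))  # nothing covered afterwards
    return log
```

A hash chain detects edits to stored entries but not deletion of the newest ones; keeping a copy of the latest `entry_hash` outside the system that holds the log closes that gap.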

Withdrawal and grievance flow: what stops when consent stops

Withdrawal is where consent regimes fail in practice, because nobody wired the back end. The flow that survives scrutiny:

  1. Withdrawal received through the mirrored channel (Clause 7) — log it the same day and acknowledge it to the employee.
  2. Monitoring stops for that employee within your stated operational window — the agent is unenrolled or the profile suspended, and the stop is itself logged.
  3. Data disposition — consent-based data follows your retention clause; do not quietly keep collecting “in the background”.
  4. Other-ground processing continues — payroll, statutory records and security essentials grounded outside consent are unaffected; tell the employee this explicitly so the boundary is clear.
  5. No retaliation — performance management proceeds on the evidence you still legitimately have; treating withdrawal as a red flag is the fastest way to prove the original consent was never free.

Grievances follow the Clause 8 route: grievance officer first, within the response timeline the notified Rules prescribe, then the Data Protection Board. The Board can examine the consent record from the previous section — which is the reason that section exists. Timelines and Board procedure are still settling as the Rules phase in; verify the current state with counsel.

5 consent mistakes that void it

Mistake 1

Bundled consent. One signature covering the employment contract, the handbook, the NDA and monitoring. Consent must be specific and the notice standalone — bundling is the defect regulators worldwide strike first, and the DPDP Act’s text points the same way.

Mistake 2

Employment-conditioned consent. “Consent, or we cannot continue your employment” makes the consent unfree by construction. If the monitoring is truly indispensable, the honest route is a narrow, documented Section 7(i) and proportionality analysis with counsel — not coerced paper.

Mistake 3

Dark patterns. Pre-ticked boxes, a buried decline link, consent inferred from logging in, or a “remind me later” that nags until surrender. The affirmative-act requirement fails — and your own UX logs become the evidence against you.

Mistake 4

Stale blanket consent. Consent collected in 2024 for “productivity tools”, then a new screenshot module enabled in 2026 with no fresh notice. Every scope change — category, purpose, vendor — needs a versioned re-consent; the old signature does not stretch.

Mistake 5

No working withdrawal path. The notice promises withdrawal but nobody built the toggle, the inbox is unmonitored, or monitoring continues after withdrawal. Revocability on paper only is arguably worse than no consent claim at all — it documents the gap between promise and practice.

How gStride operationalises consent-first monitoring

The cleanest way to make this template easy to honour is to shrink what it has to cover. gStride measures productivity from outcome signals — calendar, repo, ticket and focus artefacts — with no keystroke logging and screenshots off by default, so Clause 2 stays short and Clause 4 stays true. Employee-facing notice templates ship linked to each feature, monitoring is visible by design, and every AI inference carries a why-trail a grievance officer can actually answer with. Teams comparing vendors on exactly this surface usually start from the best DPDP-compliant employee monitoring software for India in 2026 shortlist.

Shorter capture list, shorter notice, fewer consent records to defend — that is the entire privacy-first thesis, applied to paperwork.

Screen the vendor before you paper the consent

The free DPDP Vendor Risk Assessment scores any monitoring vendor on the 14 questions that decide your consent burden — and the worksheet ships with the consent checklist section this template pairs with. No email required to score.


Frequently asked questions

Do employers need employee consent for monitoring under the DPDP Act?

It depends on the monitoring. Section 7(i) of the DPDP Act 2023 permits processing for purposes of employment without separate consent, but its scope is untested before the Data Protection Board and is best read narrowly. Routine processing such as attendance, payroll and security access logs sits most comfortably inside it; intrusive monitoring such as screenshots, keystroke logging, webcam access or off-duty tracking generally calls for free, specific, informed and revocable consent with a clear notice. This is general information, not legal advice — verify your specific monitoring scope with counsel.

What must a DPDP monitoring consent notice include under Rule 3?

Under the DPDP Rules' notice requirements, the notice should be clear, in plain language, presented independently of other terms, and should include an itemised description of the personal data collected, the specified purpose for each category, how the employee can exercise their rights and withdraw consent, how to reach the grievance officer, and how to complain to the Data Protection Board. Notices should also be accessible in English or any language in the Eighth Schedule of the Constitution. Confirm the notified text of the Rules with counsel — enforcement is phasing in through about mid-2027.

Can an employee withdraw consent to monitoring — and what happens then?

Yes. Where monitoring rests on consent, the DPDP Act requires withdrawal to be as easy as giving consent. On withdrawal, the employer should stop the consent-based monitoring within a reasonable operational window, while processing that lawfully occurred before withdrawal remains valid and processing grounded elsewhere (for example statutory payroll obligations) can continue. Withdrawal should not be punished — conditioning employment on consent undermines the claim that the consent was ever free. Document the stop date and what was switched off. Verify the operational details with counsel.

Does the Section 7(i) employment exemption cover screenshots and keystroke logging?

Treat that assumption as high-risk. Section 7(i) covers processing for purposes of employment, but the Data Protection Board has not yet ruled on its boundaries, and continuous screenshots, keystroke logging and webcam capture are the categories most likely to be found disproportionate to any ordinary employment purpose — particularly read alongside the Puttaswamy proportionality standard. The conservative position most counsel take is to either obtain specific consent for high-intrusion capture or, better, not capture it at all. This page is not legal advice — verify with counsel.

Disclaimer: This article and the template it contains are general information and a drafting starting point — not legal advice, and no lawyer-client relationship is created. The DPDP Rules are being enforced in phases running to approximately mid-2027; Section 7(i)’s scope for employment purposes is untested before the Data Protection Board; penalties associated with the DPDP Act (up to INR 250 crore for the most serious violations) are statutory maxima, not predictions; and the interplay with state Shops & Establishments legislation and IT Act section 43A varies by state and facts. Have qualified counsel review any adapted version of this template before use.