What the DPDP Act actually says about monitoring employees
The Digital Personal Data Protection Act 2023 governs digital personal data in India, and it contains a clause most generic legality articles never cite. Section 7, headed “certain legitimate uses”, lists purposes for which a Data Fiduciary may process personal data without consent; clause (i) covers processing for the purposes of employment or those related to safeguarding the employer from loss or liability, with the Act itself naming examples such as prevention of corporate espionage, protection of trade secrets and intellectual property, and provision of any service or benefit sought by an employee.
That is the statutory foundation that makes employee monitoring lawful in principle in India. It is also where the easy part ends. Section 7(i) is a basis for processing, not a blanket licence: the employer remains a Data Fiduciary, and the obligations in Section 8 — reasonable security safeguards, breach intimation, accuracy, and erasure once the purpose is served — apply to every byte a monitoring tool collects, regardless of whether consent was needed to collect it.
Does Section 7(i) mean employers can skip consent entirely?
For processing that genuinely serves employment purposes — attendance, payroll, performance management, securing company systems — the better reading is yes: consent is not the basis being relied on, so consent paperwork is not what makes the processing lawful. Three caveats keep this from being a free pass.
First, scope. “Purposes of employment” is not exhaustively defined, and Indian privacy analysis still runs through the proportionality framework from the Supreme Court’s Puttaswamy judgment (2017): legitimate aim, suitability, necessity, and balancing. Monitoring that fails necessity — capturing far more than the stated purpose needs — weakens the Section 7(i) argument itself. Second, transparency. Even where consent is not required, a written, specific monitoring policy is the practical evidence that processing was for an employment purpose and within employee expectations. Third, the rest of the Act. Safeguard, breach and retention duties apply with full force, and they are where the largest penalties sit.
What the DPDP Rules 2025 add: safeguards, breach reporting, retention
The DPDP Rules notified in 2025 turn the Act’s principles into operational duties, on phased enforcement timelines — confirm the compliance dates that apply to you with counsel. For anyone running monitoring software, three clusters matter most.
- Reasonable security safeguards: encryption, access control, and logging of access to personal data — which includes the monitoring archive itself.
- Breach intimation: notifying affected individuals and the Data Protection Board of personal data breaches, with prescribed content and timelines.
- Retention and erasure: keeping personal data only as long as the purpose requires.
The uncomfortable implication for monitoring buyers: every screenshot, keystroke log and content capture your tooling stores is personal data you must now secure, report on if breached, and delete on schedule. The bigger the capture surface, the bigger the compliance surface.
Verdict table: permitted, needs notice, high-risk
Here is the plain-language map of where common monitoring practices sit under DPDP, assuming an India private-sector employer and company-managed devices unless stated.
| Monitoring practice | Verdict | What makes it defensible |
|---|---|---|
| Attendance, login/logout, timesheets | Generally permitted — s.7(i) | Core employment purpose; standard retention schedule |
| App/site activity on company devices, work hours | Generally permitted — s.7(i) | Written policy; proportionate to a stated purpose |
| Outcome-signal productivity analytics (calendar, tickets, repos) | Generally permitted — s.7(i) | Disclosed in policy; human review of consequential decisions |
| Screenshots at disclosed intervals | Needs notice + tight controls | Explicit policy disclosure, restricted access, short retention |
| Email/chat content scanning | Needs notice + strong justification | Tied to loss-prevention purpose; minimised scope |
| Covert screenshots / hidden agents | High-risk | Defensible only in narrow counsel-supervised investigations |
| Off-hours or personal-device tracking | High-risk | Outside employment purposes — avoid |
| Always-on webcam or audio capture | High-risk | Disproportionate for productivity — avoid |
These verdicts describe where each practice sits on the risk curve, not a clearance. Outcomes are fact-specific and enforcement practice under the Rules is still young — verify with counsel before relying on any row.
Are covert screenshots and off-hours tracking ever defensible?
Covert capture: almost never as a standing configuration. Secrecy destroys the transparency that makes the employment-purpose argument credible, and hidden surveillance of routine work is hard to pass through Puttaswamy necessity. The defensible fact pattern is narrow — a time-boxed, counsel-supervised insider-threat investigation with documented suspicion and legal-hold procedures. That is an exception run by security and legal, not a productivity feature left switched on.
Off-hours and personal-device tracking is the clearest high-risk category. An employee’s evening location, personal browsing, or the personal partition of a BYOD phone serves no plausible employment purpose, so Section 7(i) likely never attaches — leaving the processing without a lawful basis at all. If your current tool cannot technically stop capturing at the work boundary, that is a tool problem to fix before it becomes a Data Protection Board complaint.
Penalties: the Rs 250 crore figure in context
Schedule 1 of the DPDP Act sets penalty ceilings the Data Protection Board may impose per instance, calibrated to the violation: up to Rs 250 crore for failing to take reasonable security safeguards, and up to Rs 200 crore for failing to notify the Board or affected individuals of a personal data breach, with lower ceilings for other duties. The Board weighs nature, gravity and duration, so the headline figures are ceilings rather than defaults — and enforcement practice is still developing. Verify current figures and your exposure with counsel.
Why this lands on monitoring specifically — a monitoring archive is one of the densest stores of employee personal data a company holds. A leaked screenshot repository is simultaneously a safeguard failure and a notifiable breach: two penalty heads, one incident. The cheapest mitigation is collecting less — a tool that never stores keystrokes or screen content has no keystroke or screenshot archive to secure, report, or explain.
A monitoring setup that survives a DPDP review
- Write the policy first. Name every data category collected, the employment purpose it serves, the retention period, and who can access it.
- Minimise the capture surface. Prefer outcome signals — calendar load, ticket and repo flow, focus patterns — over content capture; switch off whatever the stated purpose does not need.
- Bound it to work. Company devices or work profiles, work hours, with the boundary technically enforced rather than promised.
- Keep humans in the loop. Route AI productivity inferences to a named reviewer before they touch appraisals — also the posture the EU AI Act expects from India exporters serving EU clients.
- Plan retention and breach response. Put monitoring data on an erasure schedule and include the archive in your breach-reporting runbook.
- Check the vendor. India data residency, audit logs, per-feature capture controls — score any shortlist with the free DPDP Vendor Risk Assessment.
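The checklist above as a small policy-gated capture and retention layer, written here as an added example (not gStride's code or any vendor's implementation). Category names, work hours and events are constructed assumptions; the point is that each category carries its employment purpose, retention period and per-feature switch, capture is refused on personal devices and off-hours, and expired records are handed to the erasure job.

```python
"""Policy-gated capture and retention. Added example, not gStride's or any
vendor's code; category names, hours and events are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Category:
    purpose: str         # employment purpose relied on (s.7(i))
    retention_days: int  # erase once the purpose is served
    enabled: bool        # per-feature capture control

# Constructed policy: outcome signals on, content capture off by default.
POLICY = {
    "attendance": Category("payroll and timesheets", 365, True),
    "ticket_flow": Category("performance management", 180, True),
    "screenshot": Category("loss prevention", 14, False),
    "keystrokes": Category("no stated purpose", 0, False),
}
WORK_HOURS = (9, 18)  # constructed: local 09:00-18:00, Monday to Friday

@dataclass(frozen=True)
class Event:
    category: str
    managed_device: bool  # company device or the work profile of a BYOD phone
    ts: datetime

def capture_allowed(ev: Event) -> tuple:
    """Return (allowed, reason); refuse anything the policy cannot justify."""
    cat = POLICY.get(ev.category)
    if cat is None or not cat.enabled:
        return False, "category not enabled in policy"
    if not ev.managed_device:
        return False, "personal device: outside employment purpose"
    if ev.ts.weekday() > 4 or not WORK_HOURS[0] <= ev.ts.hour < WORK_HOURS[1]:
        return False, "off-hours: outside employment purpose"
    return True, cat.purpose

def due_for_erasure(records, now: datetime) -> list:
    """Records whose retention has elapsed; unknown categories are erased now."""
    unknown = Category("no stated purpose", 0, False)
    return [ev for ev in records
            if ev.ts + timedelta(days=POLICY.get(ev.category, unknown).retention_days) <= now]

def demo() -> dict:
    """Constructed events: Tuesday 2025-07-01 10:00 on a managed device, plus refusals."""
    tue = datetime(2025, 7, 1, 10)
    old = [Event("attendance", True, datetime(2024, 1, 1)), Event("ticket_flow", True, datetime(2025, 6, 1))]
    return {"work": capture_allowed(Event("attendance", True, tue)),
            "byod": capture_allowed(Event("attendance", False, tue)),
            "night": capture_allowed(Event("attendance", True, tue.replace(hour=21))),
            "keys": capture_allowed(Event("keystrokes", True, tue)),
            "erase": [e.category for e in due_for_erasure(old, datetime(2025, 7, 1))]}
```

Wiring `capture_allowed` in front of the collector, rather than filtering after storage, is what turns the work boundary from a promise into an enforced one.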
Frequently asked questions
Is employee monitoring legal in India under the DPDP Act 2023?
Yes, with conditions. Section 7(i) of the DPDP Act 2023 permits an employer to process employee personal data without consent for the purposes of employment or for safeguarding the employer from loss or liability. The exemption removes the consent step only — security-safeguard, breach-reporting and retention duties under Section 8 and the DPDP Rules 2025 still apply in full. Verify with counsel.
Do employees have to consent to workplace monitoring under DPDP?
Generally no, where the processing genuinely falls within Section 7(i) employment purposes — consent is not the legal basis being relied on. But disclosure remains the practical standard: a written monitoring policy naming what is collected, why, and for how long is what makes the employment-purpose argument credible, and it is what a regulator or court will ask to see. Verify with counsel.
Are covert screenshots of employees legal under the DPDP Act?
Covert screenshots are the highest-risk configuration. Secret content capture is hard to square with the proportionality test from the Puttaswamy privacy judgment and undermines reliance on Section 7(i), because hidden surveillance of everyday work is difficult to defend as a necessary employment purpose. A narrow, time-boxed, counsel-supervised insider-threat investigation is a different fact pattern — treat it as the exception, never the standing policy. Verify with counsel.
Can an employer track employees after work hours or on personal devices?
Off-hours tracking and monitoring the personal side of BYOD devices sit outside any plausible employment purpose and should be treated as high-risk under DPDP. Location tracking of off-duty staff, scanning personal accounts, or capturing activity on personal partitions is difficult to justify under Section 7(i) and aggravates exposure if a complaint reaches the Data Protection Board. Verify with counsel.
What are the penalties for unlawful employee monitoring under DPDP?
Schedule 1 of the DPDP Act prescribes monetary penalties determined by the Data Protection Board, headlined by up to Rs 250 crore per instance for failing to take reasonable security safeguards and up to Rs 200 crore for failing to notify a personal data breach. Monitoring archives — screenshots, keystroke logs, content captures — are personal data stores that count against both heads if mishandled. Figures are as enacted; verify the current enforcement position with counsel.
Does Section 7(i) cover AI productivity scoring?
AI-driven productivity analytics can fit within employment purposes, but the more intrusive the input data and the more consequential the output, the weaker the fit. Outcome-signal scoring with human review sits closest to the permitted end; continuous content capture feeding automated appraisal decisions drifts toward high-risk, and for India exporters serving EU customers the EU AI Act separately treats worker-monitoring AI as high-risk under Annex III point 4. Verify with counsel.
Measure productivity without betting on consent paperwork
gStride answers the productivity question from outcome signals — no keystroke logging, screenshots off by default — so your DPDP capture surface, notice and breach exposure stay small by design.
Disclaimer: This article is general information, not legal advice. DPDP Act and DPDP Rules obligations, enforcement timelines and penalty outcomes are fact-specific and evolving; EU AI Act classification is separate and also fact-specific. Verify sections, figures and your own exposure with qualified counsel before acting.
