The 60-second rule: when monitoring needs consent vs when Section 7(i) covers you
The DPDP Act 2023 gives Indian employers two main lawful routes for processing employee personal data: consent under Section 6 and the Section 7(i) legitimate-use ground for employment purposes. Section 7(i) is not a blanket monitoring exemption: its boundaries are untested before the Data Protection Board, and the prudent reading covers the processing employment requires, not every observation employment makes possible. The more intrusive the capture, the weaker the 7(i) argument — and even valid consent does not launder monitoring that fails the Puttaswamy proportionality standard.
| Monitoring activity | Likely lawful ground |
|---|---|
| Attendance, leave, payroll, statutory records | Section 7(i) likely sufficient — core processing employment itself requires |
| System & security access logs on company devices | Section 7(i) arguable — keep the scope security-only |
| Individual productivity scoring & analytics | Grey zone — specific consent recommended; untested before the DPB |
| Screenshots / keystroke logging | Consent generally required — proportionality risk remains even with consent |
| Webcam, BYOD, off-hours or location tracking | Consent required, narrowly scoped — highest-risk category |
This table is a risk reading, not settled law — it deliberately errs toward consent. If your monitoring sits in the bottom three rows, the template below is the notice that consent has to stand on. Verify your specific matrix with counsel.
The 9-clause consent notice template (paste-ready, annotated)
Everything in the bordered blocks is template text — copy a clause, then complete every [amber field]. The note under each block says what the clause is doing legally; read it before deleting anything. This is the condensed quick-use version — the full annotated guide explains each clause’s rationale, the consent-record format and the withdrawal flow in depth. A template is a starting point, not legal advice — have qualified counsel review the adapted version against the notified DPDP Rules before circulating it.
Clause 1. Notice and request for consent — workplace monitoring. This notice is issued by [legal entity name, CIN, registered address] (“the Company”, the data fiduciary under the Digital Personal Data Protection Act, 2023). It explains what personal data we collect through workplace monitoring, why, and your rights. It is separate from your employment contract and is available in English or in [offered Eighth Schedule languages].
Clause 2. If you consent, [tool name] will collect the following categories of your personal data on [company-issued devices only / specified devices] during [working-hours definition]:
- [e.g. application and website names used, with timestamps]
- [e.g. calendar, ticket and repository activity metadata]
- [e.g. active/idle time signals]
- [every further category, one line each — screenshots or any content capture must each be their own line]
Clause 3. Each category above is processed only for the following specified purposes: [map each data category to a named purpose, e.g. “application usage → team capacity planning and workload balancing”]. We will not use this data for any other purpose without a fresh notice and, where required, fresh consent.
Clause 4. As configured by the Company, the tool does not: log keystrokes; record or capture your screen [delete or amend if untrue]; access your webcam or microphone; read the content of emails, messages or documents; or monitor personal devices or activity outside [working-hours definition].
Clause 5. Monitoring data is retained for [period, e.g. 12 months] from collection, then deleted or irreversibly anonymised, unless a longer period is required by law or for [narrow named exception, e.g. an active disciplinary proceeding you have been notified of]. Withdrawal of consent triggers the process in Clause 7.
Clause 6. Access is limited to [named roles, e.g. your reporting manager (team-level views) and HR business partner (individual views on documented need)]. The data is processed on our behalf by [vendor legal name], stored in [region, e.g. an India data-centre region], under a contract restricting use to our instructions. No monitoring data is sold or shared for advertising.
Clause 7. You may at any time: access a summary of your monitoring data; request correction or erasure; nominate a person to exercise your rights if you are unable to; and withdraw this consent as easily as you gave it — via [the same channel consent was given, e.g. the HR portal toggle] or by emailing [address]. On withdrawal, the monitoring in Clauses 2–3 stops within [operational window, e.g. 7 days]; processing already carried out remains lawful, and processing on other legal grounds (for example payroll and statutory compliance) continues. Withdrawing consent will not, by itself, be treated as misconduct or affect your employment status.
Clause 8. Questions or complaints go first to our Grievance Officer: [name/designation, email, response timeline per the notified Rules]. If you are not satisfied with the response, you may complain to the Data Protection Board of India through its prescribed channel.
Clause 9. I have read this notice (version [v#, date]) in a language I understand. I consent to the collection and use of the personal data categories in Clause 2 for the purposes in Clause 3. I understand I may withdraw this consent at any time as described in Clause 7.
☐ I consent ☐ I do not consent
Name: [ ] Employee ID: [ ] Date: [ ] Signature / digital action: [ ]
What Rule 3 requires the notice to contain
Each numbered clause above maps to a requirement of the DPDP Rules’ notice rule (Rule 3 in the draft numbering — confirm the notified version with counsel). The checklist your adapted notice must pass:
- Understandable and standalone — plain language, presented independently of the contract and handbook (Clause 1);
- Itemised — every category of personal data described specifically, one line each (Clause 2);
- Purpose-mapped — each category tied to a specified purpose (Clause 3);
- Rights-forward — how to exercise rights, withdraw consent as easily as it was given, reach the grievance officer, and complain to the Data Protection Board (Clauses 7–8);
- Linguistically accessible — English or any Eighth Schedule language on request (Clause 1).
Enforcement of the Rules phases in to roughly mid-2027 — but consent collected today under a defective notice is the consent you will be defending then. If you are still drafting the policy the notice summarises, start with how to write an employee monitoring policy; and if you are unsure monitoring is even lawful for your scenario, is employee monitoring legal covers the baseline.
Run the vendor screen before you paper the consent
Your notice is only as honest as the tool behind it. The free DPDP Vendor Risk Assessment scores any monitoring vendor on the 14 questions that decide your consent burden.
5 mistakes that void the consent
Condensed from the deep guide — the defects that turn a signed form into worthless paper:
- Bundled consent — one signature covering contract, handbook, NDA and monitoring. The notice must be standalone and the consent specific.
- Employment-conditioned consent — “consent or we cannot continue your employment” makes the consent unfree by construction.
- Dark patterns — pre-ticked boxes, buried decline links, consent inferred from logging in. The affirmative-act requirement fails and your UX logs prove it.
- Stale blanket consent — a new capture category, purpose or vendor needs a versioned re-consent; the 2024 signature does not stretch to the 2026 screenshot module.
- No working withdrawal path — a promised toggle nobody built, or monitoring that keeps running after withdrawal, documents the gap between promise and practice.
If a violation does land, the exposure is statutory: run the numbers with the free DPDP Penalty Exposure Calculator, and check whether your scale pushes you into Significant Data Fiduciary territory with the SDF workplace-monitoring guide.
Frequently asked questions
Do I need employee consent for monitoring under the DPDP Act?
Not always. Routine employment processing — attendance, payroll, statutory records, security access logs — may fall within Section 7(i), the DPDP Act 2023’s legitimate-use ground for employment purposes. High-intrusion monitoring — screenshots, keystroke logging, webcam or microphone access, BYOD or off-hours tracking — generally needs free, specific, informed and revocable consent supported by a standalone plain-language notice, because Section 7(i)’s untested scope is best read narrowly. This is general information, not legal advice — confirm your monitoring matrix with counsel.
What must a DPDP Rule 3 consent notice contain?
In substance the notice must be plain-language and standalone (not bundled into the employment contract), itemise every category of personal data collected, map each category to a specified purpose, explain how the employee can exercise rights and withdraw consent as easily as it was given, name the grievance officer, state how to complain to the Data Protection Board of India, and be accessible in English or an Eighth Schedule language. The nine clauses in the free gStride template map one-to-one to these requirements. Verify the notified text of the Rules with counsel.
Can an employee withdraw consent to monitoring?
Yes — and withdrawal must be as easy as giving consent was. Once consent is withdrawn, consent-based monitoring should stop within a stated operational window and the stop should be logged; processing that already happened lawfully stays valid, and processing grounded elsewhere (payroll, statutory records) continues. Withdrawal must not be treated as misconduct — penalising it is strong evidence the consent was never free. Verify the operational details with counsel.
Is bundled consent valid under the DPDP Act?
Treat bundled consent as invalid. DPDP consent must be free, specific, informed, unconditional and unambiguous, and the notice must be presented independently of other terms — one signature covering the employment contract, handbook, NDA and monitoring fails the specificity and standalone-notice expectations and is the defect regulators strike first. Issue the monitoring notice as its own document with its own affirmative consent action, and re-consent whenever the scope changes. Verify with counsel.
Make the notice easy to honour
gStride measures productivity from outcome signals — calendar, repo, ticket and focus artefacts — with no keystroke logging and screenshots off by default. Shorter Clause 2, truthful Clause 4, fewer consent records to defend.
Disclaimer: This page and the template it contains are general information and a drafting starting point — not legal advice, and no lawyer-client relationship is created. The DPDP Rules are being enforced in phases running to approximately mid-2027; Section 7(i)’s scope for employment purposes is untested before the Data Protection Board; and the interplay with state Shops & Establishments legislation and IT Act section 43A varies by state and facts. Have qualified counsel review any adapted version of this template before circulating it to employees.
