The Digital Personal Data Protection Act, 2023 (DPDPA) requires organisations that process digital personal data in India to provide a clear, accessible privacy notice before or at the time of collection. The form and manner are set by the Act and will be supplemented by rules under the Act. Earlier government communications indicated that formal notification of the detailed rules was awaited, and organisations should track the latest notifications to ensure alignment as they take effect.

WHAT IS A PRIVACY NOTICE AND WHO IT COVERS

A Privacy Notice explains how an organisation collects, uses, processes, stores, and shares personal data, and how individuals can exercise their rights. It acts as a transparency tool to enable specific and informed consent where consent is the lawful basis, and to explain other lawful bases permitted by the Act (for example, legitimate uses for employment contexts as applicable). This Notice is intended for three key audiences: website visitors, app users, and HR stakeholders.

LEGAL BASIS AND LAYERED TRANSPARENCY

  • Organisations must provide a clear notice before or at the time of personal data collection, describing the data being collected, the purposes, and how individuals can exercise their rights and withdraw consent where applicable.
  • Detailed implementing rules under the DPDPA are expected to further specify form and manner. Organisations should monitor official notifications and adapt notices accordingly.

REQUIRED CONTENT OF THE NOTICE (STRUCTURE AND MINIMUM DETAILS)

To align with the DPDPA’s transparency and consent standards, your Notice should, at minimum, include the following elements presented in clear, plain language. The order below is recommended for clarity:

1. Enabling specific and informed consent (where consent applies)

Provide a fair and plain-language account that enables specific and informed consent. At minimum:

  • An itemised description of the personal data you collect; and
  • The specific purposes for which it is processed and the goods/services to be provided.

2. Easy pathways to exercise rights and withdraw consent

Provide a link to your website and/or app privacy page(s) and describe other means by which the Data Principal can:

  • Withdraw consent;
  • Exercise rights under the DPDPA (access information, correction/erasure, grievance redressal, nomination, as applicable); and
  • Make a complaint to the Data Protection Board of India

3. Contact details for redressal

Provide contact details of your Grievance Redressal Officer or (where applicable) your Data Protection Officer: name and designation, email address, phone number, and expected timelines for response and resolution.

4. Cross-border data transfers (if any)

If personal data will be transferred outside India, inform individuals of the countries/regions involved where feasible and whether such transfers are subject to any government restrictions notified under the Act/rules (if any are notified).

5. Storage and retention

State the period for which personal data will be stored, or the criteria/legal obligations that determine retention. The Act requires that personal data is not retained longer than necessary for the purpose for which it was collected.

Note: Significant Data Fiduciaries may have heightened governance obligations such as appointing a DPO and conducting DPIAs; organisations should assess whether they fall into this category and implement associated controls.

DATA CATEGORIES (BY AUDIENCE)

  • Identity Data (Web, App, HR): name, email address, mobile number.
  • Contact Data (App, HR): postal address, emergency contacts.
  • Technical & Usage Data (Web, App): IP address, device ID, browser type, app logs, cookies, approximate location, session identifiers.
  • Employment & HR Data (HR): government ID details (e.g., PAN; Aadhaar only where permitted by law and necessary), qualifications, resumes, interview records, performance data, payroll data, background verification, CCTV/access control (where applicable).
  • Financial & Compliance Data (HR): salary, bank account, tax details.
  • Voluntary Data (Web, App): queries, feedback, support tickets.

PRIVACY NOTICE FOR WEBSITE USERS

When a visitor browses the website or uses forms, support pages, career pages, contact queries, or newsletter sign-ups, the organisation may collect technical information (e.g., device and browser details, IP address, approximate location, session identifiers, URL clickstream, and cookies for analytics/functionality). If a user submits a form, the information provided (e.g., name, email, phone number, message content) is processed to address that specific request.

Security logs are maintained to keep the site safe and to detect unusual or malicious activity. Because such logs typically hold IP addresses and session identifiers, which the data categories above treat as personal data, the Notice should name them and state how long they are kept. Purposes include operating and securing the website, providing an efficient browsing experience, improving performance, and responding to user queries. Marketing or promotional messages are sent only with explicit consent (where required), and users can withdraw consent at any time using the channels described in this Notice.

A layered approach is used:

  • Short banners or pop-ups on first visit and cookie interactions, linking to the full Privacy Notice; and
  • Persistent footer links (e.g., “Privacy Notice | Cookies | Contact Support”) across the site.

Example short message: “We use cookies to improve your browsing experience. Select ‘Accept’ to allow analytics cookies, or ‘Manage cookie settings’ to choose by category. Read our Privacy Notice.” Avoid wording such as “by continuing, you agree”: the Act requires consent to be given through a clear affirmative action, and continued browsing is not one, so analytics or marketing cookies should not be set until the user has actively accepted them.

PRIVACY NOTICE FOR APP USERS

App users may provide identity/account details for login and service use. The app may also collect device identifiers, OS details, diagnostics, and interaction patterns to measure functionality and performance.

Depending on permissions, the app may request access to location, camera or microphone for document uploads/scanning, media storage for file attachments, and notifications. Purposes include operating the app, delivering core services, personalising experiences, and supporting region-specific features (e.g., location) or document capture (e.g., camera).

We follow layered and just‑in‑time disclosures: permissions are explained contextually at the moment of activation, with clear choices.

Example in‑app prompt: “We require access to your camera to help you upload verification documents. You may deny this permission, but the document upload feature will not function.”

Users can manage permissions via device settings and may withdraw consent (where consent is applicable) using the channels described in this Notice.

PRIVACY NOTICE FOR HR STAKEHOLDERS

For candidates, interns, contractors, and employees, we collect identification and contact information (e.g., name, address, phone, email) and professional data (e.g., resumes, interview records). Where necessary and lawful, we may collect government ID details for verification and compliance (e.g., PAN; Aadhaar only where permitted by applicable law and necessary), and, after enrolment, we collect bank, tax, benefits, attendance, and payroll details. For workplace security and compliance, we may process CCTV and access-control records where applicable and lawfully implemented.

Key information is provided at relevant touchpoints: during job applications, onboarding documentation, internal policy handbooks, IT access setup, and via employee portals/dashboards. Some employment processing may rely on lawful bases other than consent where permitted by the DPDPA (e.g., legitimate uses in the employment context), which will be explained in the Notice or related HR policies.

RECORD‑KEEPING AND ACCOUNTABILITY

Robust documentation is essential to demonstrate compliance with the DPDPA’s accountability framework. Organisations should:

  • Maintain verifiable documentation showing how personal data is collected, processed, secured, and retained in line with stated purposes and applicable legal bases
  • Keep accurate consent records where consent is relied upon, including withdrawals and the impact on processing
  • Preserve grievance redressal records (complaints received, response timelines, actions taken, closure outcomes)
  • Maintain clear retention schedules and deletion protocols so personal data is not retained longer than necessary for its purpose
  • Track vendor/third‑party data sharing (including cross‑border transfers, if any) to demonstrate control and accountability
  • Assess whether you are a Significant Data Fiduciary and, if so, implement additional governance such as appointing a DPO and conducting DPIAs in accordance with the Act and applicable rules
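As an added illustration (not code from the article or from AMLEGALS), the following Python sketches the consent and retention records named in the list above: each grant or withdrawal is appended as an immutable event tied to a purpose and a notice version, is_permitted answers whether processing for a purpose was covered at a given moment, and deletion_candidates combines that answer with a per-purpose retention schedule. Identifiers, purpose names and retention periods are hypothetical; records processed on a lawful basis other than consent (as the HR section notes) are checked against retention only.

```python
"""Consent ledger with retention check. Added illustration; identifiers, purposes
and retention periods are hypothetical, not values from the Act or the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str     # pseudonymous ID of the Data Principal
    purpose: str          # the specific purpose the consent is tied to
    action: str           # "granted" or "withdrawn"
    at: datetime          # event time, timezone-aware UTC
    notice_version: str   # version of the Notice shown when consent was given
    channel: str          # e.g. "web-banner", "app-prompt", "email-link"


class ConsentLedger:
    """Append-only log: a withdrawal is a new event, earlier events are never edited."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("event timestamps must be timezone-aware")
        self._events.append(event)

    def grant(self, principal_id: str, purpose: str, at: datetime,
              notice_version: str, channel: str) -> None:
        self._append(ConsentEvent(principal_id, purpose, "granted", at, notice_version, channel))

    def withdraw(self, principal_id: str, purpose: str, at: datetime, channel: str) -> None:
        # The withdrawal carries the notice version of the grant it revokes, if any.
        last = self._latest(principal_id, purpose, at)
        version = last.notice_version if last else "none"
        self._append(ConsentEvent(principal_id, purpose, "withdrawn", at, version, channel))

    def _latest(self, principal_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        # Most recent event on or before `at`; insertion index breaks timestamp ties.
        hits = [(e.at, i, e) for i, e in enumerate(self._events)
                if e.principal_id == principal_id and e.purpose == purpose and e.at <= at]
        return max(hits)[2] if hits else None

    def is_permitted(self, principal_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True only if the latest event on or before `at` is a grant (fails closed)."""
        last = self._latest(principal_id, purpose, at or datetime.now(UTC))
        return last is not None and last.action == "granted"


@dataclass(frozen=True)
class PersonalDataRecord:
    record_id: str
    principal_id: str
    purpose: str
    collected_at: datetime
    lawful_basis: str     # "consent" or "legitimate_use"


# Hypothetical retention schedule per purpose (the article gives no periods).
RETENTION: Dict[str, timedelta] = {
    "marketing": timedelta(days=365),
    "support_ticket": timedelta(days=180),
    "payroll": timedelta(days=8 * 365),
}


def deletion_candidates(ledger: ConsentLedger, records: List[PersonalDataRecord],
                        now: datetime, retention: Dict[str, timedelta] = RETENTION) -> List[str]:
    """IDs of records to erase: retention expired, or (consent-based purposes only)
    consent no longer stands. A purpose with no documented schedule is a gap, so fail loudly."""
    due: List[str] = []
    for rec in records:
        if rec.purpose not in retention:
            raise ValueError(f"no retention schedule documented for purpose {rec.purpose!r}")
        expired = now - rec.collected_at > retention[rec.purpose]
        consent_gone = (rec.lawful_basis == "consent"
                        and not ledger.is_permitted(rec.principal_id, rec.purpose, now))
        if expired or consent_gone:
            due.append(rec.record_id)
    return due


def demo() -> dict:
    """Constructed sample data: one withdrawal, one retention expiry, one HR record."""
    t0 = datetime(2024, 1, 1, tzinfo=UTC)
    day = timedelta(days=1)
    ledger = ConsentLedger()
    ledger.grant("dp-001", "marketing", t0, "notice-v2", "web-banner")
    ledger.withdraw("dp-001", "marketing", t0 + 30 * day, "email-link")
    ledger.grant("dp-002", "support_ticket", t0, "notice-v2", "web-form")
    records = [
        PersonalDataRecord("rec-A", "dp-001", "marketing", t0, "consent"),
        PersonalDataRecord("rec-B", "dp-002", "support_ticket", t0, "consent"),
        PersonalDataRecord("rec-C", "dp-003", "payroll", t0, "legitimate_use"),
    ]
    return {
        "permitted_day10": ledger.is_permitted("dp-001", "marketing", t0 + 10 * day),
        "permitted_day31": ledger.is_permitted("dp-001", "marketing", t0 + 31 * day),
        "deletion": deletion_candidates(ledger, records, t0 + 200 * day),
    }
```

Running demo() shows the two outcomes a grievance officer or auditor would ask about: processing of dp-001 for marketing is permitted on day 10 but not on day 31, and the deletion run flags rec-A (consent withdrawn) and rec-B (180-day retention exceeded) while leaving the payroll record, which rests on a non-consent basis and is within its schedule. Because the ledger is append-only, the withdrawal and the grant it revokes both survive, which is the evidence the record-keeping bullets ask for.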

Public and practitioner commentary has consistently underscored the importance of these governance measures under the DPDPA, with the forthcoming or evolving rules expected to further operationalise these obligations.

AMLEGALS REMARKS

Moving away from dense legalese to layered, user‑friendly notices makes it easier for people to understand how their data is used, strengthens trust, and reduces operational complexity. Consolidating requirements for website, app, and HR users in one coherent framework improves transparency and readiness. As India’s privacy framework under the DPDPA matures, organisations that prioritise clarity, accessibility, and ongoing communication will be better prepared for compliance and stronger in their relationships with users and employees.

Please reach out to us at rohit.lalwani@amlegals.com in case of any query.
