DPDP §4

Grounds of Processing Personal Data

Paraphrased legal text

A Data Fiduciary may process personal data of a Data Principal only in accordance with the provisions of this Act, and for a lawful purpose for which the Principal has given consent, or for certain legitimate uses set out in §7. There is no other lawful ground.

What this means in plain English

  • There are exactly two lawful bases: consent (§5-§6) or a §7 legitimate use.
  • Legitimate-interest, contract-necessity, and balancing tests from GDPR do NOT carry over.
  • Bundled or implicit consent fails §4 from the start.
  • If you cannot point to a specific consent record or a specific §7 ground per purpose, the processing is unlawful.

Penalty if you get this wrong

Unlawful processing exposes every downstream activity built on it. Failure-to-safeguard penalties up to ₹250 crore can stack onto unlawful-ground findings.

How ProtectComply solves it

Consent Management + Readiness Assessment

  • Per-purpose consent records pinned to the specific ground (§6 vs §7)
  • Readiness Assessment flags every processing activity without a declared lawful basis
  • RoPA entries require a lawful-basis field before they can be saved
  • AI gap analysis surfaces purposes drifting from their declared ground

Related

  • DPDP §5 — Notice & Free Consent
  • DPDP §6 — Conditions of Valid Consent
  • DPDP §7 — Legitimate Uses