Paraphrased legal text
A Data Fiduciary may process personal data of a Data Principal for specified legitimate uses including voluntary disclosure for a specified purpose, performance of a State function, compliance with a judgment or order, medical emergency, epidemic / disaster response, and employment-related purposes — without separate consent under §6.
What this means in plain English
- §7 carves out narrow grounds where consent under §6 is not required.
- Each ground is purpose-bound — you cannot piggy-back unrelated processing on a §7(e) medical-emergency basis.
- The Notice obligation under §5 still applies to most §7 grounds.
- Employment-related processing (§7(i)) is the most-used ground in practice; it must still be necessary and proportionate.
Penalty if you get this wrong
Mis-classifying a consent-required activity as a §7 ground exposes you to the unlawful-processing penalty band — up to ₹250 crore.
How ProtectComply solves it
Readiness Assessment + RoPA
- RoPA entry forces selection between §6 consent and §7 legitimate-use, with sub-ground (a)-(i)
- Assessment engine cross-checks each processing activity against its declared §7 ground
- AI Policy Generator drafts §5 Notices even where §7 is the lawful basis
- Audit log captures the lawful-basis declaration with every state change