Introduction
Data collation and review lie at the heart of corporate investigations, which often require collecting and reviewing data in hostile situations involving suspected employee misconduct, misuse of a company's IT assets, or breach of the terms of employment or company policies. The data processing requirements to be followed in corporate investigations can be gathered from the Digital Personal Data Protection Act, 2023 (DPDP Act), India's first comprehensive data protection legislation.
The DPDP Act regulates the collection, processing, and disclosure of digital personal data. On 13 November 2025, certain key provisions [1] of the DPDP Act were brought into force by the Government of India, while the other provisions will come into force in November 2026 and May 2027. The DPDP Act has been operationalised by the Digital Personal Data Protection Rules, 2025 (DPDP Rules), which set out the procedural and compliance requirements to be followed under the Act. As with the provisions of the DPDP Act, certain rules of the DPDP Rules came into force on 13 November 2025, while other rules will come into force in November 2026 and May 2027.
This note discusses the impact of the DPDP Act and DPDP Rules on corporate investigations. Separately, it briefly deals with the position on confidentiality and privacy of data in police investigations involving computer-related offences.
Data processing in corporate investigations
The term "processing" of personal data is defined broadly under the DPDP Act and means wholly or partly automated operations of collecting, recording, storing, using, retrieving, and sharing or disseminating such data [2]. Thus, any internal investigation involving the processing of digital personal data will attract the provisions of the DPDP Act. Data collection in corporate investigations is usually undertaken either by physically collecting the electronic device containing the data or by placing a 'legal hold' [3] on the device.
In the context of corporate investigations, the following concepts under the DPDP Act are relevant:
- Employees will be data principals – the individuals to whom the personal data relates.
- Employers will be data fiduciaries – those who determine the purpose and means of processing the data.
- External counsel or forensic agencies assisting the employer in an investigation will be data processors – those who process or access the personal data on behalf of the employer.
Consent and legitimate use grounds for processing personal data
The DPDP Act provides that the personal data of a data principal can be processed for a lawful purpose on two grounds [4]:
- for which the data principal has given consent; or
- for certain legitimate uses.
Consent
Under the DPDP Act, the data principal's consent for processing personal data has to be free, specific, informed, unconditional and unambiguous [5]. The data fiduciary is required to obtain consent from a data principal by way of a specific notice, which has to be presented independently and given in clear and plain language, so as to facilitate the data principal's specific and informed consent. Accordingly, a data processing requirement mentioned in a company policy that is merely cross-referred in an employment contract accepted by an employee may not meet the specific and informed consent threshold under the DPDP Act. This is not to undermine the importance of having clear policies and privacy notices stating that the organization can process data to enforce company policies and to prevent the company's assets from being used for any unlawful activity.
Legitimate use
Obtaining specific and informed consent from an errant employee or an employee suspected of misconduct may not be feasible and can jeopardize the confidentiality of the investigation, thereby defeating its very purpose. For corporate investigations, the 'legitimate uses' ground for processing personal data is relevant, as it does not require the data principal's consent. The DPDP Act expressly recognizes processing of personal data for the following purposes as legitimate uses:
- for the purposes of employment; and
- purposes relating to safeguarding the employer from loss or liability, such as prevention of corporate espionage and maintenance of the confidentiality of trade secrets, intellectual property and classified information [6].
Thus, organizations can rely on the 'legitimate use' ground for processing personal data in investigations without seeking the consent of the data principal. Separately, the consent requirement will not apply when data processing is undertaken for enforcing a legal right or claim of the employer, and where personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law [7].
Data processing principles for corporate investigations
Data processing in corporate investigations must conform to the following key principles outlined under the DPDP Act and DPDP Rules:
- Purpose limitation: personal data must be used only for the limited purpose of the investigation.
- Data minimization: only the personal data that is necessary for the investigation may be used.
- Data protection: personal data must be protected by taking reasonable security safeguards [8] to prevent data breaches.
- Engagement of data processors: data processors or external parties must be engaged under a valid contract which provides that the data processors must take reasonable security safeguards to protect the personal data.
- Data retention and erasure: personal data must be erased (by the employer and by any external party engaged by the employer) once the purpose of the investigation is over, unless retention is required in compliance with any law.
Data privacy in investigations involving computer-related offences
The Information Technology Act, 2000 (IT Act) is the primary legal framework in India addressing computer-related offences. The offences under the IT Act range from identity theft and cheating by personation using a computer to transmitting obscene or sexually explicit material involving children.
Corporate investigations may lead to criminal complaints which are investigated by the police. The provisions of the DPDP Act do not apply to police investigations or the prosecution of offences [9]. However, as the investigative agency would have access to a company's electronic devices, there may be a reasonable apprehension that the investigative agency may access the company's confidential or proprietary information. Such information may have nothing to do with the offences to be investigated under the complaint. In order to guard against the disclosure or breach of confidentiality of such data, the IT Act penalizes the disclosure of such information with imprisonment of up to two years, or with a fine extending to INR 100,000, or with both [10]. Accordingly, an investigating officer who comes into possession of confidential and proprietary information on an electronic device while investigating an offence is required not to disclose such information or make it public. This position is reinforced by the Karnataka High Court decision in Virendra Khanna v State of Karnataka [2021 SCC OnLine Kar 5032], which held that in no case can the investigating officer share personal data with any third party without the written permission of the court seized of the matter. It was held that an investigating officer is responsible for safeguarding the personal data, and if such data is disclosed to any third party, the investigating officer can be proceeded against for dereliction of duty.
Conclusion
The DPDP Act, along with its recently notified operational rules, underscores the significance of balancing data privacy rights with the legitimate needs of companies conducting internal investigations. While it does not explicitly mandate procedures for internal investigations, the DPDP Act lays down key principles that must be followed in such investigations. The DPDP Act and DPDP Rules mandate lawful, purpose-specific processing of personal data, primarily requiring either consent from the data principal or processing for legitimate uses without consent. The newly enacted law streamlines data processing requirements which must be carefully navigated by companies, not only in corporate investigations but also in their company policies, to ensure compliance. The law places various obligations on data fiduciaries for processing personal data while recognizing the legitimate needs of companies to safeguard their interests. The DPDP Act ultimately establishes a structured framework ensuring that internal investigations are in line with data privacy rights without compromising the integrity and efficacy of such inquiries.
Footnotes
[1] Section 1(2) (extent); Section 2 (definitions); Sections 18 to 26 (Data Protection Board framework); Sections 35, 38, 39, 40, 41, 42 and 43 (Miscellaneous); and Sections 44(1) and 44(3) (Amendment to certain Acts)
[2] Section 2(x) of the DPDP Act
[3] A legal hold is placed when a legal dispute or investigation is anticipated and is aimed at preserving important data or information which may be needed in the case.
[4] Section 4(1) of the DPDP Act
[5] Section 6(1) of the DPDP Act
[6] Section 7(i) of the DPDP Act
[7] Section 17(a) and (c) of the DPDP Act
[8] Rule 6 of the DPDP Rules recognizes certain minimum security standards, such as encryption, obfuscation, masking, access controls to computer resources, visibility of data access through the maintenance of logs, monitoring, and review of data access to prevent unauthorized access.
[9] Section 17(1)(c) of the DPDP Act
[10] Section 72 of the IT Act
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.