DPDP Act Compliance for Background Verification: Complete Guide for Indian Employers

Last updated: May 2026

India's Digital Personal Data Protection Act 2023 directly governs how employers collect and process candidate data during background verification. This guide covers every compliance obligation HR teams need to meet.

Key Compliance Points

  • Explicit, informed consent required before any BGV check
  • Data Fiduciary (employer) responsible for BGV vendor compliance
  • Purpose limitation — BGV data cannot be reused for other purposes
  • Storage limitation — delete rejected candidate data within 3–6 months
  • Candidate rights: access, correction, erasure, withdrawal of consent
  • Data Processing Agreement mandatory with BGV vendors
  • Penalties up to ₹250 crore for significant violations

The DPDP Act and Background Verification: An Overview

The Digital Personal Data Protection Act 2023 (DPDP Act) is India's primary data privacy legislation. For employers conducting background verification, the Act creates a comprehensive framework governing every aspect of how candidate personal data is collected, processed, shared, and retained.

Under the Act, the employer is classified as a Data Fiduciary — the entity that determines why and how personal data is processed. The BGV vendor is a Data Processor — an entity that processes data on behalf of the Data Fiduciary. This means employers bear primary responsibility for ensuring their entire BGV process is DPDP compliant, including the practices of their BGV vendors.

Consent Requirements Under DPDP

Before initiating any background verification check, employers must obtain consent that is:

  • Free: Not conditional on accepting employment or coerced in any way
  • Specific: Relating only to the stated BGV purpose — not a general all-purposes consent
  • Informed: Accompanied by a clear notice explaining what data is collected, the purpose, retention period, and candidate rights
  • Unconditional: Not bundled into employment contracts or general terms
  • Unambiguous: Obtained through a positive affirmative action (checkbox, digital signature) — not pre-ticked boxes

Building a DPDP-Compliant BGV Process

Step 1: Draft Your BGV Notice

The notice must clearly state: what personal data will be collected, the purpose (background verification for employment), who will have access (your BGV vendor), how long data will be retained, and the candidate's rights under DPDP.

Step 2: Implement Consent Collection

Use a separate consent form — not buried in employment agreements. VeridionQ's platform automates compliant digital consent collection.

Step 3: Sign DPA with Your BGV Vendor

Execute a Data Processing Agreement with your BGV vendor covering: scope of processing, security obligations, sub-processor controls, breach notification, and data return/deletion obligations.

Step 4: Update Data Retention Policies

Define and document retention periods for BGV records by candidate status (hired vs. rejected). Implement automated deletion or anonymisation at the end of the retention period.

Step 5: Establish a Rights Request Process

Create a documented process for candidates to exercise their DPDP rights — access, correction, erasure, and complaint. Designate a point of contact (Data Protection Officer or equivalent).

Frequently Asked Questions

Yes. The DPDP Act is fully enforceable. Employers who conduct background verification without proper consent, without a compliant Data Processing Agreement with their BGV vendor, or who retain candidate data longer than necessary are at risk of regulatory action. The Data Protection Board of India has been established to handle enforcement.