The processing of any personal data may impose obligations toward the individuals to whom the data relates, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
Under the Information Technology Rules, 2011 on Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (“Privacy Rules”), employers and other entities in India must meet certain requirements before collecting Sensitive Personal Data or Information (SPDI). The Privacy Rules require that companies:
That said, note that if the parties agree on what constitutes reasonable security practices/procedures, the parties can agree to exclude the applicability of the Privacy Rules.