
Summary: India’s Digital Personal Data Protection Rules, 2025, effective November 13, 2025, have fundamentally transformed the regulatory landscape for internal investigations. This analysis is the first part of a two-part series examining the critical compliance challenges facing organisations and law firms navigating data-sensitive proceedings under the new regime.
Introduction
The operationalisation of the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), on November 13, 2025[1], marked a watershed moment, as it established India’s current comprehensive data protection regime. The Digital Personal Data Protection Act, 2023 (“DPDP Act”), and the DPDP Rules, when read together, heavily impact the scope of data-sensitive proceedings, including internal investigations.[2]
With the introduction of new data rules and the increasing need for robust internal investigations, organisations across sectors are compelled to revisit their compliance strategies. This document provides a comprehensive overview of the new data rules in India, their impact on internal investigations, and practical guidance for navigating this evolving regulatory environment. For law firms and their clients conducting internal investigations, these regulations introduce a complex compliance net that reshapes how personal data is collected, processed, accessed and protected during investigations.
The Act defines a Data Fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.[3] A Data Processor is any person who processes personal data on behalf of a Data Fiduciary.[4] The Act provides a broad definition of processing, encompassing collection, recording, retrieval, use, sharing, disclosure by transmission, and even destruction of personal data. The person to whom the personal data relates is the “Data Principal”.[5] The Act establishes a Data Protection Board[6] (“DPB”) as the statutory authority responsible for monitoring, investigating, and enforcing compliance with the Act.
The Law Firm’s Role: Data Fiduciary or Data Processor?
Companies initiate and authorise the conduct of internal investigations, inevitably making them Data Fiduciaries. The way the law firm shares and handles data, and/or the extent to which it may make recommendations and chart the course of legal action, determines whether it is a Data Processor or a Data Fiduciary.
Scenario 1: Data Processor
When a company engages a law firm with specific instructions and mandates for purpose limitation, the law firm is a Data Processor, processing data solely for the client. This processor relationship is time-bound and continues only as long as the client provides written instructions. The law firm does not determine how or why the data is processed; it only executes the processing.[7] Such scenarios are uncommon, but possible, for instance, in exclusive due diligence mandates.
Scenario 2: Data Fiduciary
The European Data Protection Board’s (“EDPB”) Guidelines 07/2020 on the concepts of controller and processor clarify that law firms may assume the status of Data Fiduciary (Controller) based on their factual influence over data processing decisions.[8]
The EDPB illustrates this principle: When a law firm represents a company in legal proceedings and processes employee personal data as part of its mandate, the firm acts with “a significant degree of independence in deciding (i) what information to use and (ii) how to use it”. The processing is intrinsically linked to the law firm’s professional role as legal representative, making it a Data Controller (Fiduciary) in that context.[9]
Therefore, a law firm that is, de facto, the guiding party in conducting an internal investigation assumes the role of Data Fiduciary, with the correspondingly heavier compliance requirements.
Data Collection in Investigations
While obtaining employee consent is a general practice, in certain cases, seeking consent may compromise investigative integrity by alerting subjects to ongoing investigations. This necessitates reliance on statutory exemptions under Sections 7(i) and 17(1)(c). These balance an employer’s investigative needs against an employee’s privacy rights.[10]
Legitimate Interest Exemption
Section 7(i)
“A Data Fiduciary may process personal data of a Data Principal for any of the following uses, namely: —
for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.”
Under the DPDP Act, a Data Fiduciary may be exempt from the consent requirement where data is collected for certain “legitimate” uses, including safeguarding the employer from loss or liability, data leaks, and intellectual property in the employment context. Since investigations principally centre on detecting and remedying company loss and/or liability, they fall within the ambit of a “legitimate” use.
The Act adopts a prescriptive approach via Section 7(i), permitting Data Fiduciaries to process employee personal data without consent for “employment purposes” or “safeguarding the employer from loss or liability”, encompassing prevention of corporate espionage, protection of trade secrets, and provision of employee-requested services. This broad exemption potentially permits more expansive data collection than the GDPR’s constrained legitimate interest test,[11] as it does not require the explicit balancing of employer and employee interests or a demonstration of necessity and proportionality beyond the employment nexus.
The United Kingdom Information Commissioner’s Office (“ICO”), in its role as an enforcing authority, has stated that “legitimate interest is the most flexible lawful basis for processing”. The regulator strongly recommends[12] establishing a legitimate interest in the investigation plan used by parties conducting internal investigations.
Section 17 Exemption
Section 17(1)(c)[13] of the DPDP Act provides sweeping exemptions from consent, notice, and most Chapter II and III obligations where personal data is processed “in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India.”[14]
The provision’s language (“investigation…of any offence or contravention”) can be interpreted as applicable to internal investigations that may potentially uncover legal violations.
The EDPB’s Guidelines 10/2020 on restrictions under GDPR Article 23[15] (“Restriction Guidelines”) clarify that exemptions for investigations apply where providing information to Data Principals would jeopardise the investigation’s success. The EDPB links applicability to the anti-money laundering (“AML”) framework and the activities of forensic laboratories.[16] The regulator also strongly recommends that such laws be closely articulated with data protection frameworks to prevent abuse. Once the investigation is no longer in potential jeopardy, a tailored data protection notice should be provided to affected individuals, explaining their rights.
As India’s data protection regime continues to evolve, organisations must adopt robust compliance frameworks that balance investigative imperatives with statutory obligations, ensuring that personal data processing during internal investigations remains lawful, fair, and transparent. Part II of this analysis will examine the practical implementation challenges and best practices for maintaining compliance throughout the investigative lifecycle.
[1] Digital Personal Data Protection Rules, 2025, Ministry of Electronics & Information Technology, India.
[2] Digital Personal Data Protection Act, 2023, No. 22 of 2023, Ministry of Law and Justice, India.
[3] Section 2(i), DPDP Act.
[4] Section 2(k), DPDP Act.
[5] Section 2(j), DPDP Act.
[6] Section 18, DPDP Act.
[7] https://www.dpdpconsultants.com/newsletter.php?id=9&title=data-fiduciary-vs-data-processor-key-differences-under-the-dpdp-act-2023.
[8] Guidelines 07/2020 on the concepts of controller and processor in the GDPR | European Data Protection Board, https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en.
[9] The Indian Act definition of “Data Fiduciary” is pari materia to the European Union’s General Data Protection Regulations’ (“GDPR”) provision of a “Data Controller” (Art.4)
[10] Section 7(i), DPDP Act, 2023; Section 17(1)(c), DPDP Act, 2023.
[11] Para 40.2.4, Chapter 40, Data Protection in Investigations, The Practitioner’s Guide to Global Investigations Volume I: Global Investigations in the United Kingdom and the United States. https://www.lw.com/admin/upload/SiteAttachments/40%20Data%20Protection%20in%20Investigations%20(UK%20and%20US%20Perspectives)%202021.pdf.
[12] Ibid., Para 40.2.4.
[13] Section 17(1)(c), DPDP Act, 2023.
[14] pari materia Article 23, Para 1(d) GDPR.
[15] Guidelines 10/2020 on restrictions under GDPR Article 23 | European Data Protection Board, https://www.edpb.europa.eu/system/files/2021-10/edpb_guidelines202010_on_art23_adopted_after_consultation_en.pdf.
[16] Guidelines 10/2020 on restrictions under GDPR Article 23, European Data Protection Board, Para 24.