What DPDPA covers (and does not cover)
DPDPA covers the processing of "digital personal data" — any data that can identify a natural person, in digital form, processed by a "data fiduciary" (the entity that determines the purpose and means of processing). For a staffing firm, that means every CV, every email, every phone number, every interview note, every offer letter you handle.
It does not cover anonymized data (where the candidate cannot reasonably be re-identified) or data processed purely for personal/domestic purposes. The law applies to processing within India and to processing outside India that is connected to offering goods/services to people in India — so a staffing firm in India processing for a US client is fully covered.
The 7 candidate rights you must operationalize
DPDPA grants candidates seven specific rights. You need a documented, repeatable process for each:
- Right to access: candidate can request a copy of their data and a list of every party you shared it with. Standard turnaround: under 30 days.
- Right to correction: candidate can request you fix incorrect data. You must respond and either correct or justify rejection.
- Right to erasure: candidate can ask you to delete their data when the purpose is complete (e.g., they were not hired). Some retention exceptions for legal record-keeping.
- Right to grievance: candidate can lodge a complaint with the Data Protection Board if they are unhappy with your response.
- Right to nominate: candidate can nominate another person to exercise rights on their behalf if they die or become incapacitated.
- Right to consent withdrawal: candidate can withdraw consent. You must stop processing within a reasonable period.
- Right to data portability: in the rules notified post-Act, candidates can request their data in a portable format.
Consent: the most common compliance gap
DPDPA requires "free, specific, informed, unconditional, and unambiguous consent" for processing. A CV emailed to your hiring@ inbox by a candidate is consent for that specific role. It is not consent to keep them in your database for 5 years and submit them to other clients.
Most agencies treat any incoming CV as a permanent license to source. That is a violation. Fix: when a candidate is sourced, send a consent confirmation that lists (a) the specific role they are being considered for, (b) the duration you will retain their data if not selected (typical: 12 months), (c) whether you will share their data with the end client, and (d) a one-click opt-out link. Store the consent record with a timestamp.
Data retention: defensible periods
DPDPA requires you to delete data when the purpose is complete unless you have a legal basis to retain it. There is no statutory retention period — you must define a defensible policy and stick to it.
Defensible retention policy for a staffing firm: 12 months for unsuccessful candidates (covers re-engagement on similar roles + audit window), 7 years for placed candidates and offer-related records (covers India tax/labor record retention), permanent for anonymized aggregate data used for analytics. Document the policy, automate the deletion (do not rely on manual cleanup), and log every deletion.
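One way to implement the automated deletion job and deletion log described above, as an added example that is not code from the original article. The record layout, the 365-day year and the handling of consent withdrawal (ends retention for unsuccessful candidates only, since placed/offer records sit under the 7-year record-keeping window) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows from the policy above; 365-day years are an assumed approximation.
RETENTION_DAYS = {"unsuccessful": 365, "placed": 7 * 365}

@dataclass
class CandidateRecord:
    candidate_id: str            # opaque internal id, never a name or email
    status: str                  # "unsuccessful" or "placed"
    purpose_completed_on: date   # rejection date, or date of the placement/offer record
    consent_withdrawn_on: Optional[date] = None

def deletion_reason(rec: CandidateRecord, today: date) -> Optional[str]:
    """Return why the record must be deleted today, or None if still retained."""
    if rec.status not in RETENTION_DAYS:
        raise ValueError(f"unknown status {rec.status!r}: refusing to guess a window")
    # Assumption: unsuccessful-candidate data rests on consent alone, so a
    # withdrawal ends retention; placed/offer records stay for the 7-year
    # legal record-keeping window the policy names.
    withdrawn = rec.consent_withdrawn_on is not None and rec.consent_withdrawn_on <= today
    if rec.status == "unsuccessful" and withdrawn:
        return "consent_withdrawn"
    expires_on = rec.purpose_completed_on + timedelta(days=RETENTION_DAYS[rec.status])
    return f"retention_expired:{rec.status}" if today >= expires_on else None

def run_deletion_job(records, today):
    """Apply the policy once; return (records still retained, deletion log)."""
    kept, log = [], []
    for rec in records:
        reason = deletion_reason(rec, today)
        if reason is None:
            kept.append(rec)
        else:
            # Log only the opaque id, reason and date: the log must not
            # become a second copy of the personal data it documents.
            log.append({"candidate_id": rec.candidate_id, "reason": reason,
                        "deleted_on": today.isoformat()})
    return kept, log

# Constructed sample records (not real candidates), evaluated as of 2025-06-01.
SAMPLE = [
    CandidateRecord("c-001", "unsuccessful", date(2024, 1, 15)),   # past 12 months
    CandidateRecord("c-002", "unsuccessful", date(2025, 3, 1)),    # inside window
    CandidateRecord("c-003", "placed", date(2018, 3, 1)),          # past 7 years
    CandidateRecord("c-004", "unsuccessful", date(2025, 3, 1), date(2025, 4, 2)),
    CandidateRecord("c-005", "placed", date(2024, 6, 1), date(2025, 4, 2)),
]
KEPT, DELETION_LOG = run_deletion_job(SAMPLE, date(2025, 6, 1))
```

Run it on a schedule against the real candidate store and ship DELETION_LOG to an append-only audit store, so every deletion the policy requires is both performed and provable.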
Sharing with end clients: data processor vs sub-fiduciary
When you send a candidate's CV to your end client, you are sharing personal data with another entity. Two possible classifications: (1) the client is your "data processor" — they process the CV strictly per your instructions, in which case you remain the fiduciary; or (2) the client is a separate "data fiduciary" — they decide independently what to do with the CV (e.g., they save it for future roles), in which case both you and the client are fiduciaries.
For staffing, the client is almost always a separate fiduciary — they will keep the CV in their ATS independent of your instruction. That means: your consent to the candidate must explicitly cover sharing with the named end client, and your data sharing agreement with the end client must specify their fiduciary obligations to the candidate.
Breach notification: 72 hours, not "when convenient"
DPDPA requires you to notify the Data Protection Board and affected candidates of a personal data breach within a defined timeline (72 hours per the rules currently notified). A breach includes accidental disclosure (e.g., a recruiter forwards a candidate's CV to the wrong client by mistake) — not just hacking incidents.
Operational implication: every recruiter on your team needs to know what counts as a breach, who to escalate to, and the 72-hour clock. Build a 1-page breach SOP, train every recruiter on it during onboarding, and run a drill once a quarter. Most breaches go unreported because the recruiter who caused it does not know they triggered the obligation.
30-day operational checklist
If you have not started DPDPA compliance, here is the minimum 30-day plan:
- Week 1: appoint a Data Protection Officer (can be internal). Map every data flow (where candidate data enters, where it sits, where it goes).
- Week 2: rewrite your candidate-facing privacy notice. Add consent capture to every sourcing channel. Add a one-click opt-out link to every candidate email.
- Week 3: define and document the retention policy. Build the automated deletion job (12-month rolling delete for unsuccessful candidates).
- Week 4: write the breach SOP. Train every recruiter. Run one tabletop drill. Document candidate rights response process (access, correction, erasure).