India's Digital Personal Data Protection Act (DPDPA) 2023 represents the country's most significant privacy legislation since the IT Act of 2000. For employers using any form of digital time tracking, the law creates specific obligations around employee data collection, consent, processing, and retention. This guide explains what you need to know — and what you need to change — to stay compliant.
Disclaimer: This article is for informational purposes and does not constitute legal advice. Consult a qualified legal professional for advice specific to your organization.
What Is the DPDPA and When Does It Apply?
Enacted in August 2023, the DPDPA establishes a framework for the processing of "digital personal data": personal data (data about an individual who is identifiable by or in relation to it) held in digital form, including data collected offline and later digitised. Employee data collected in the course of employment is personal data like any other, so time and attendance records, activity logs and location data are all in scope.
The Act applies to the processing of digital personal data within India, and to processing outside India where it is connected with offering goods or services to individuals in India. What matters is where the individual is, not their citizenship. If you track time for staff located in India, you are a Data Fiduciary under the DPDPA (you decide the purpose and means of processing), and your time tracking vendor is a Data Processor acting on your behalf.
What Employee Time Data Is Covered?
Any digital record that can identify an individual and relates to their work activity is covered. This includes:
- Timesheet entries linked to a named employee
- Calendar activity data synced from personal or work accounts
- Computer application usage logs (aggregation per employee does not take them out of scope; only data that can no longer be tied to an individual does)
- Login and logout timestamps
- Location data if tracking field employees
- Biometric data used in attendance systems
What Is Likely Excluded
Fully anonymized aggregate data — where no individual can be identified — falls outside the Act's scope. This is an important consideration for time tracking vendors who process data on behalf of employers.
Consent: The Critical Compliance Issue
The DPDPA requires consent that is "free, specific, informed, unconditional and unambiguous with a clear affirmative action". In an employment context this raises a real question: can consent given as a condition of employment ever be truly "free"?
The Act acknowledges this tension by listing employment-related processing among its "legitimate uses", for which consent is not required. Relying on legitimate use does not remove the Data Fiduciary's general duties (accuracy, security safeguards, breach notification, erasure once the purpose is served), and the Act's notice and access rights are framed around consent-based processing, so the prudent course is to extend them to employees whatever the legal basis. In practice employers should:
- Provide employees with clear notice of what data is collected and why
- Make the notice available in English or any language listed in the Eighth Schedule of the Constitution, at the employee's choice
- Allow employees to access, correct, and request erasure of their data
- Designate a Data Protection Officer (DPO) if the Central Government notifies the organisation as a Significant Data Fiduciary, a status that turns on volume and sensitivity of data processed, among other factors
Where you do rely on consent, the request cannot be buried in an employment contract. It must be presented in a clear and plain manner, accompanied by a notice stating what data is collected, for what purpose, how consent can be withdrawn and how to complain to the Data Protection Board; withdrawing consent must be as easy as giving it.
Cross-Border Data Transfer Rules
For multinational companies using global HR or time tracking platforms, the DPDPA's cross-border transfer rule matters. Unlike earlier drafts, the 2023 Act does not use an approved-country list: personal data may be transferred outside India to any country except those the Central Government restricts by notification, and the government may also set conditions on transfers through the rules. No restrictions had been notified as of early 2026. The Act therefore does not mandate data localisation, but until the restrictions and conditions are settled, keeping Indian employee data in India-based data centres is the conservative choice, and you should at minimum know and document every country the data is stored in or accessed from.
Your DPDPA Compliance Checklist for Time Tracking
- Conduct a data mapping exercise to identify all employee time data flows
- Update employment agreements and privacy notices to reflect time tracking practices
- Implement a mechanism for employees to access, correct, and request deletion of their time records
- Confirm where your time tracking vendor stores and processes Indian employee data, keep it in India unless there is a documented reason not to, and retain contractual control over any transfer abroad
- Appoint a Data Protection Officer if you are notified as a Significant Data Fiduciary, and name a point of contact for employee queries either way
- Implement data minimisation: capture only what's needed for stated purposes
- Set and document data retention periods for all time tracking records
- Encrypt time data at rest and in transit with organisation-managed keys
- Establish a process for responding to employee data rights requests within a defined, published timeframe (the Act itself does not fix a deadline; the rules and your own notice set the expectation you will be held to)
How ChronoAI Is Designed for DPDPA Compliance
ChronoAI was built with India's regulatory landscape in mind. Every architectural decision reflects the DPDPA's privacy-by-design ethos:
- On-device processing: Raw activity signals never leave the employee's device. Only classified, anonymisable time entries reach the cloud.
- Employee data sovereignty: Employees can view, edit, and export all their data at any time. Deletion requests are processed within 48 hours.
- India-only storage: All data is stored in Mumbai and Chennai data centres, with no cross-border transfers.
- Encryption architecture: Personal activity data is encrypted with the employee's own key. Company project data uses shared company keys. We cannot access either.
- Layered consent: Our onboarding flow presents clear, language-appropriate consent notices that employees can accept granularly per data category.
Build compliance into your workflow
ChronoAI is designed for DPDPA compliance from the ground up. Speak to our team about how we protect your employee data.