One of the most common compliance mistakes under the Digital Personal Data Protection Act 2023 (DPDP Act) is treating consent as the only lawful basis for processing personal data. India's privacy law recognises four distinct processing situations — and picking the wrong one does not just expose a Data Fiduciary to regulatory risk, it can make perfectly legitimate operations unnecessarily burdensome or, conversely, allow prohibited processing to proceed unchecked.
This quiz presents 12 real-world scenarios drawn from banking, healthcare, HR, e-commerce, government, and data broker contexts. For each, you select the correct classification from four options, then immediately see the statutory citation and a plain-language explanation. No timer. No tricks.
Consent (§6) is the default rule and the most operationally demanding. The Act requires a notice before or at the point of collection, presented in plain language in the language chosen by the Data Principal. Crucially, §6(2) explicitly prohibits making consent a condition for a service when the data in question is not necessary to provide that service — dismantling the bundled consent models common in the pre-DPDP era. Withdrawal must be as simple as giving consent, and triggers an obligation to cease processing and, absent a legal retention requirement, delete the data.
Legitimate Use (§7) covers nine enumerated categories that do not require a consent notice. Unlike GDPR's open-ended "legitimate interests" balancing test under Article 6(1)(f), the DPDP Act's §7 sub-clauses are exhaustive, not illustrative. If a processing activity does not fit within one of the nine, the Data Fiduciary must obtain consent under §6. The draft DPDP Rules 2025 add procedural detail on how legitimate use must be documented and the manner in which Data Principals should be informed of processing under §7.
Exempt processing (§17) displaces the normal consent and §7 framework entirely for certain prescribed entities and purposes. Sub-section 17(2) covers state instrumentalities operating for welfare and public order; sub-section 17(3) covers research, archiving, and statistical purposes conducted to prescribed standards. Exemption does not mean zero obligation — certain security and accountability requirements still apply.
Prohibited processing covers situations where no valid basis exists at all — including absolute prohibitions under the Act that override any other consideration. The clearest case is §9: processing a child's personal data without first obtaining verifiable consent from a parent or guardian is prohibited regardless of what other legal basis a Data Fiduciary might attempt to invoke. Similarly, processing for an unlawful purpose, or using coerced or pre-ticked consent under §6(2), renders the processing prohibited even if the data itself is innocuous.
The 12 scenarios below reflect common situations that DPOs, privacy counsel, and compliance leads encounter across Indian industry. Each has one correct classification. After you select your answer, the correct basis, statutory section, and a brief explanation appear immediately. Your final score maps to one of four DPO readiness tiers.
Select the correct DPDP Act 2023 processing basis for each real-world situation.