-
Call: +91-9840269190
-
Mail: hr@voltechgroup.com
DPDP Rules 2025: Criminal Background Checks Guide 2026
- Author: Jagannathan.M , General Manager - BGV Services | 10+ years of experience in Indian data protection law, employment regulation and HR compliance. Published: February 22, 2026 | Reading Time: 18–20 Minutes
Quick Verdict: DPDP Rules 2025 - What Indian Employers Must Do Before May 2027
India's Digital Personal Data Protection Rules 2025, notified on November 14, 2025, have fundamentally changed how employers must conduct criminal background checks. Non-compliance carries penalties up to ₹250 crore. This guide walks you through everything - what changed, what it means for your hiring process, and exactly what you need to do before the May 2027 full enforcement deadline.
Key Compliance Takeaways for Employers (2026)
• India's DPDP Rules 2025, notified by MeitY on November 14, 2025, set binding compliance requirements for all employers running criminal background checks in India.
• All Indian employers, staffing agencies and international companies hiring in India - across all sectors and employee types including gig workers and contractors.
• ₹250 crore (~$27 million USD) per violation for failure to implement reasonable data security safeguards under the DPDP Act, 2023.
• Full enforcement of all DPDP provisions begins May 13, 2027. The Data Protection Board is already operational as of November 14, 2025.
• Standalone consent forms, Data Processing Agreements with BGV vendors, and 180-day data deletion policies must be implemented now - not at the deadline.
• Any background check consent clause embedded in an offer letter predating November 2025 does not meet DPDP Rules 2025 standards.
What Is the DPDP Act 2023 and DPDP Rules 2025?
The DPDP Act, 2023 and DPDP Rules, 2025 impose direct legal liability on Indian employers for how candidate data is collected, processed and stored during background verification - including criminal checks - with penalties reaching ₹250 crore per violation.
The DPDP Act, 2023 and the DPDP Rules, 2025 are related but legally distinct instruments. Understanding the difference is essential for employers building compliant background verification processes.
The DPDP Act, 2023 is India's first comprehensive data protection legislation and shares four structural principles with the European Union's General Data Protection Regulation (GDPR): consent requirements, purpose limitation, data minimization, and individual rights. However, three operationally significant distinctions apply: first, the DPDP Act currently applies only to digital personal data processed within India or data of individuals located in India processed abroad, whereas GDPR covers both digital and manually processed data; second, the DPDP Act does not define a "legitimate interest" basis for processing equivalent to GDPR Article 6(1)(f); and third, DPDP enforcement is centralized through a single Data Protection Board of India, whereas GDPR operates through a distributed model of national supervisory authorities across EU member states.
The DPDP Rules, 2025 are the operational rulebook. The Ministry of Electronics and Information Technology (MeitY) notified these rules on November 13–14, 2025. They take the Act's broad principles and convert them into specific, enforceable processes - how consent must be obtained, how breach notifications must be filed, what data retention timelines look like and more.
Together, they are called the DPDP Framework.
Legal Impact of the Digital Personal Data Protection Rules, 2025 on Criminal Background Verification
Criminal background verification involves the collection, storage, and processing of personal data, including identity details, address history, education records, employment information and where applicable, criminal records.
Under the Digital Personal Data Protection Act, 2023, organizations conducting employee background checks qualify as “Data Fiduciaries.” As Data Fiduciaries, employers are legally responsible for ensuring lawful processing, purpose limitation, data minimization, defined retention periods and breach notification compliance.
Employee background verification activities - including criminal checks, address verification, education validation and employment history confirmation - constitute personal data processing under the DPDP framework. Accordingly, HR departments and their authorized background verification vendors operate within a regulated data protection environment.
Prior to the DPDP Rules 2025, background verification was typically treated as a routine HR administrative function, largely unregulated from a data protection perspective. This classification was possible because India lacked a comprehensive data protection law. The DPDP Act, 2023 changes this by defining background verification as personal data processing - because it involves the collection, storag and use of sensitive personal information including identity records, address history, and criminal records. As a result, background verification is now regulated under the DPDP framework and employers conducting it are classified as Data Fiduciaries with binding statutory obligations.
Compliance Shift: Pre-DPDP vs Post-DPDP Rules, 2025
| Before DPDP Rules 2025 | After DPDP Rules 2025 |
|---|---|
| Generic or bundled consent in offer letter often used | Separate, specific, and plain-language consent required for background verification |
| No clearly defined internal retention timelines | Retention must be purpose-limited; deletion required \ once purpose is fulfilled (many organizations adopt 180-day benchmark post-rejection) |
| Vendor compliance responsibility was loosely structured | Employers remain accountable as Data Fiduciaries for processing carried out by Data Processors (BGV vendors) |
| Regional language consent inconsistently implemented | Consent must be accessible and understandable to the Data Principal, including regional language where necessary |
How Criminal Background Verification Works in India in 2026
Criminal background verification in India operates through a decentralized, fragmented infrastructure that directly shapes how compliance obligations are structured. Understanding the process is necessary to implement DPDP-compliant workflows effectively.
India's Criminal Records System Is Decentralized - Here Is What That Means for Employers
Unlike the United States (NCIC database) or the United Kingdom (DBS system), India does not maintain a single, centrally queryable national criminal database. Criminal records in India are maintained at the local police station level across approximately 15,000 police stations nationwide. This decentralized architecture creates three specific operational implications that employers must account for when scoping a criminal background verification process:
• If a candidate has previously resided in multiple cities, criminal records must be checked at the local police station for each jurisdiction of prior residence.
• Rural police stations typically maintain manual, paper-based records only, with no digital systems or standardized response protocols.
• Verification turnaround times vary significantly by geography: urban court and police checks typically complete in 3–5 days; rural police verification can require 3-4 weeks.
Criminal Background Check Types Available in India
1. Court Record Check (Online) This involves scanning the e-Courts database, which covers more than 3,000 district, session, and high courts, and the Supreme Court. This check is also known as a JUDIS search. It surfaces civil and criminal cases where the individual has appeared as a defendant, accused or petitioner. This check is faster (2–5 days) and less expensive than police verification, but captures only cases that progressed to court.
2. Police Verification (Physical) This is a more granular check where a field agent contacts the local police station in the candidate's residential jurisdiction. The police verify whether any adverse records exist against the individual in their jurisdiction. This check surfaces FIRs, pending investigations and records that may not have progressed to court. It's slower (7–15 days) but more thorough.
3. Police Clearance Certificate (PCC) A formal certificate issued by the Police Commissioner or Superintendent of Police confirming no adverse records. This is typically used for government job applications, visa processes, and high-security roles. A complete criminal background check in India typically comprises one or more of the following four verification types, selected based on the role's risk profile, sector regulations and the candidate's residential and employment history:
| Check Type | What It Covers | Turnaround Time | Best For |
|---|---|---|---|
| Court Record Check | Civil and criminal litigation in 3,000+ courts | 2–5 days | IT, startups, general hiring |
| Police Verification | FIRs, local adverse records, pending cases | 7–15 days | Finance, healthcare, logistics |
| Police Clearance Certificate | Formal clearance from police authority | 15–30 days | Government roles, high-security positions |
| Global Watchlist / Sanctions Check | OFAC, UN sanctions, Interpol, terrorism lists | 1–2 days | BFSI, MNCs, international hiring |
What Typically Shows Up in an Indian Criminal Check?
• Convictions for felonies and misdemeanors (theft, fraud, assault, cyber crimes)
• Pending criminal cases and FIRs
• Civil litigation where the individual is a party
• Ongoing trials in district, session, or high courts
• Traffic violations (for driving or logistics roles)
What does NOT typically show up:
• Cases that were settled out of court
• Juvenile records (protected)
• Acquitted cases in most jurisdictions
• Records from jurisdictions not searched
What Has Actually Changed for Employers After DPDP Rules 2025?
The DPDP Rules 2025 introduced five legally enforceable changes to how criminal background verification must be conducted in India. Each change below replaces prior practice under the IT Act SPDI Rules 2011 and carries specific compliance obligations for employers.
Change 1: Consent Is Now Much More Specific
Under the old IT Act SPDI Rules 2011, a general consent clause in an offer letter or employment agreement was typically considered sufficient.
The DPDP Rules now require that consent must be:
• Specific - tied to a clearly stated purpose, not blanket permission
• Informed - the candidate must know exactly what data is being collected and why
• Free - consent cannot be a condition of employment or coerced in any way
• Revocable - the candidate must be able to withdraw consent easily, at any time
• Standalone - it must not be buried inside a broader terms document
A one-liner in your offer letter saying "we may conduct background verification" no longer meets this standard.
Change 2: Purpose Limitation Is Enforceable
You can only collect data that is proportionate and necessary to the role. For example, asking a software developer for medical history or a data-entry employee for marital status - without a documented reason - is now a violation. Each check type must be justified by the job role.
Change 3: Your BGV Vendor Becomes Your Responsibility
If you outsource criminal background verification to a third-party agency - which most companies do - you are still legally the Data Fiduciary. The Rules require you to have a Data Processing Agreement (DPA) in place with every verification vendor, binding them to the same DPDP compliance standards.
Change 4: Data Retention Has a Clock
Background check data cannot be held indefinitely. The general retention period for rejected candidates' data is 180 days from the date of rejection. For regulated sectors, this may extend to 3–5 years. After the retention period, data must be deleted - not archived, deleted.
Change 5: Breach Notification Is Now Mandatory and Time-Bound
If your systems are breached and candidate or employee background check data is exposed, you must notify the Data Protection Board of India within 24 hours. This includes even suspected breaches. There is no grace period.
Is Criminal Background Check Legally Mandatory in India?
There is no single law in India that universally mandates criminal background checks for all employers across all roles. However, criminal background verification is legally required in specific regulated sectors under the following frameworks:
• Banking and Financial Services: Required under RBI and SEBI guidelines
• Healthcare: Required under MCI regulations and the POCSO Act for roles involving minors
• Insurance: Required under IRDAI guidelines
• Education (staff working with children): Mandatory under the POCSO Act
• Government contractors: Required under applicable ministry guidelines
• ISO 27001-certified companies: Required under ISO audit standards
For employers outside these regulated sectors, criminal background verification is not legally compelled. However, Indian courts have increasingly upheld negligent hiring claims - a legal doctrine under which employers are held civilly liable for harm caused by an employee whose adverse background was discoverable but not checked prior to hiring. Conducting documented criminal background verification serves as evidence of due diligence in negligent hiring proceedings.
DPDP Rules 2025 Enforcement Timeline: Three Implementation Phases and Employer Obligations
The DPDP Framework is implemented in three distinct phases. The following table maps each phase to its enforcement date and the specific obligations it activates for employers conducting criminal background verification in India.
Three-Phase Implementation
Phase 1 - Already Active (From November 14, 2025) The provisions relating to the Data Protection Board (DPB) are already in force. This means the oversight body exists, can receive complaints, and can investigate violations. If someone files a complaint about your background check process today, the DPB can act on it.
Phase 2 - November 14, 2026 Provisions relating to Consent Managers come into force. Consent Managers are registered third-party intermediaries who help manage, track and process consent on behalf of data fiduciaries. Companies handling high volumes of candidate data (staffing agencies, large enterprises) should begin implementing Consent Manager infrastructure well before this date.
Phase 3 - May 13, 2027 (Full Enforcement) All remaining substantive provisions come into force - including the full consent framework, privacy notice requirements, rights of data principals, and all duties of data fiduciaries. This is your hard deadline for complete compliance.
What Does This Mean for You Right Now (February 2026)?
| Action | Urgency | Deadline |
|---|---|---|
| Register with Data Protection Board if required | High | Already active |
| Review and update consent forms | High | Before May 2027, but start now |
| Audit BGV vendor agreements for DPA compliance | High | Before May 2027 |
| Implement data deletion policies | Medium | Before May 2027 |
| Set up breach notification protocols | High | Already active (DPB exists) |
| Evaluate Consent Manager requirements | Medium | Before November 2026 |
Transition Period Note: The IT Act SPDI Rules 2011 remain legally enforceable alongside the DPDP Rules 2025 until May 13, 2027. From May 13, 2027, the DPDP Rules 2025 become the sole governing framework and the IT Act SPDI Rules 2011 cease to apply.
What this means for employers right now: Between February 2026 and May 13, 2027, Indian employers must comply with both the IT Act SPDI Rules 2011 and the DPDP Rules 2025 at the same time. Compliance with one does not substitute for compliance with the other.
What Does a DPDP-Compliant Consent Form Look Like?
A DPDP-compliant consent form for criminal background verification must satisfy eight mandatory elements under the DPDP Rules 2025. The following specification defines each required element and identifies the most common compliance gaps in current Indian employer forms.
What Your Old Consent Clause Probably Says (Non-Compliant)
"By signing this offer letter, you consent to [Company Name] conducting background verification including education, employment, and criminal checks as part of the onboarding process."
This is not compliant under DPDP Rules 2025. It's vague, it's bundled with an employment offer (coercive) and it doesn't specify data handling, retention, or withdrawal rights.
What a DPDP-Compliant Consent Form Must Include
A valid background check consent form under the DPDP Framework must clearly state:
1. Identity of the Data Fiduciary Full legal name and contact details of your company as the entity collecting the data.
2. Types of Data Being Collected Be specific. "Criminal records check via e-Courts database and local police verification," not just "background check."
3. Purpose of Collection Why each type of check is being run. Link it to the specific role and its risk profile.
4. Names of Third-Party Vendors If you use a BGV agency, name them. The candidate has a right to know who processes their data.
5. Data Retention Period State clearly how long the data will be kept. For rejected candidates - typically 180 days. For hired employees - role-specific duration.
6. Right to Withdraw Consent Provide a clear, accessible mechanism for the candidate to withdraw consent. Withdrawal must not automatically affect the hiring process unless the check is legally required for the role.
7. Right to Access and Correct Data The candidate has the right to access their verification report and raise a dispute if incorrect information is included.
8. Language Accessibility For pan-India hiring, the consent form must be available in the regional language of the candidate's state of residence.
Consent Form Compliance Quick-Check Table
| Element | Required Under DPDP Rules 2025 | Status in Most Indian Employer Forms |
|---|---|---|
| Standalone separate document | Yes | Non-Compliant - typically bundled inside the offer letter |
| Specific data types listed | Yes | Non-Compliant - usually described in vague or generic terms |
| Vendor names disclosed | Yes | Non-Compliant - rarely disclosed to candidates |
| Retention period stated | Yes | Non-Compliant - almost never included |
| Withdrawal mechanism | Yes | Non-Compliant - absent in most forms |
| Regional language option | Yes (mandatory for pan-India hiring) | Non-Compliant - English-only in most cases |
| Digital signature / OTP-based consent | Recommended | Partial - inconsistently implemented across organizations |
The ₹250 Crore Penalty - Real Risks Employers Are Ignoring
The DPDP Act, 2023 establishes a tiered financial penalty structure enforced by the Data Protection Board of India. The penalties apply per violation and are not subject to annual caps.
What Are the Actual Penalties?
The DPDP Act imposes financial penalties through the Data Protection Board. The penalty structure is:
| Violation | Maximum Penalty |
|---|---|
| Failure to implement reasonable security safeguards | ₹250 crore (~$27 million USD) |
| Failure to notify the Board and affected individuals of a data breach | ₹200 crore |
| Failure to fulfill obligations regarding children's data | ₹200 crore |
| Failure to comply with the Board's directions | ₹150 crore |
| Minor violations / procedural non-compliance | ₹50 crore |
These are per-violation caps, not annual caps. Multiple violations mean multiple penalties.
But Penalties Are Not the Only Risk
Financial penalties under the DPDP Act represent one of four distinct risk categories that employers face for non-compliant background verification. The following four risks carry significant operational consequence and are frequently underestimated relative to the headline ₹250 crore penalty:
ISO 27001 Certification Risk: DPDP non-compliance in background verification creates direct audit exposure through two specific control mappings. First, the absence of a signed Data Processing Agreement with a BGV vendor constitutes a failure under ISO 27001:2022 Annex A Control 5.19 (Information Security in Supplier Relationships), which requires documented security requirements in supplier agreements. Second, non-compliant consent processes for sensitive personal data map to failures under Annex A Control 5.12 (Classification of Information). Non-conformance findings in either control area can result in suspension or loss of ISO 27001 certification. For Indian IT/ITES organizations, certification loss directly triggers breach of contractual obligations with global clients who mandate ISO 27001 as a vendor qualification requirement.
Negligent Hiring Lawsuits: Employers can be held civilly liable for harm caused by an employee whose adverse criminal background was discoverable but not checked prior to hiring. Civil litigation risk on this basis is significant and growing in Indian employment courts.
Reputational Risk: A DPDP violation involving candidate data mishandling - including unauthorized disclosure or improper retention - can damage employer brand on professional platforms, directly affecting talent acquisition pipelines and offer acceptance rates.
Client Contract Clauses: An increasing number of MNCs and global clients include data protection compliance requirements as vendor qualification criteria in their agreements. A DPDP violation can result in contract termination independent of any regulatory penalty imposed by the Data Protection Board.
Industry-Specific Rules for Criminal Background Checks in India
Criminal background verification requirements in India vary by sector. The following sector-by-sector breakdown maps each industry to its governing regulatory body and mandatory check requirements under Indian law:
Banking, Financial Services & Insurance (BFSI)
BFSI is the most regulated sector for background verification in India. RBI and SEBI mandate exhaustive screening including criminal checks, financial integrity checks, and address verification. Based on background verification cases processed by Voltech HR Services in FY2023–24, approximately 1 in 10 BFSI candidates presented at least one material inaccuracy or adverse finding across criminal, financial, or employment records — making BFSI one of the highest discrepancy rate sectors across all Indian industries screened during this period.
Criminal check requirements for BFSI roles include court record checks, police verification, global sanctions and watchlist screening and for senior roles, civil litigation checks.
IT and Technology
Based on background verification cases processed by Voltech HR Services across IT sector hiring in India, the industry consistently records among the highest resume discrepancy rates of all sectors screened - with educational qualifications, employment tenure, job titles and technical certifications as the most commonly falsified categories.
IT employers should treat each discrepancy finding as a separate evaluation rather than applying blanket disqualification, as severity and role-relevance vary significantly across cases.
Education Sector
The Education sector is governed by the Protection of Children from Sexual Offences (POCSO) Act, which mandates criminal background checks for all staff members in direct or indirect contact with children. This applies to teachers, administrative staff and support personnel including school bus drivers. POCSO compliance is a statutory requirement, not a best practice recommendation. Despite this, many private schools in India have not implemented a structured background verification process, representing both a legal compliance gap and a child safety risk.
Gig Economy and Contract Workers
According to NITI Aayog's June 2022 report India's Booming Gig and Platform Economy, India's gig workforce is projected to reach 23.5 million workers by 2030. This scale is directly relevant to DPDP compliance risk: the DPDP Rules 2025 apply to personal data processing of all workers regardless of employment classification, yet most gig platforms currently conduct only KYC-level verification rather than structured criminal background checks - creating a large, growing population of workers processed outside compliant BGV frameworks.
Your BGV Vendor Is Your Liability - What the Rules Say
Under the DPDP Act, 2023, engaging a third-party background verification (BGV) agency does not transfer an employer's data protection obligations to that vendor. The employer retains full Data Fiduciary status; the BGV agency operates as a Data Processor under the employer's instructions and contractual control. This distinction has four specific liability consequences for employers when vendors are non-compliant.
What This Means Practically
If your BGV vendor commits any of the following violations, the employer faces regulatory consequences from the Data Protection Board of India - in addition to or instead of, the vendor:
• Stores candidate data on servers that do not meet DPDP-mandated security standards
• Shares verification reports with unauthorized third parties
• Retains candidate data beyond the contractually agreed retention period
• Fails to notify the employer of a personal data breach within the required timeframe
What a Data Processing Agreement (DPA) Must Cover
A written Data Processing Agreement (DPA) with every BGV vendor is mandatory under the DPDP Act, 2023. The DPA must specify seven categories of obligation:
• The categories of personal data being processed
• The specific purposes for which the vendor may process data
• Data security standards the vendor must meet (minimum: ISO 27001 or SOC 2)
• Breach notification timelines (24 hours to you, so you can notify the Board)
• Data deletion obligations and timelines
• Prohibition on sub-processing without your written approval
• Audit rights - your right to audit the vendor's compliance
Questions to Ask Your Current BGV Vendor Right Now
| Question | Why It Matters |
|---|---|
| Are you DPDP Rules 2025 compliant? | Establishes baseline |
| Do you have a DPA template ready? | Required under DPDP Framework |
| What security certifications do you hold? | ISO 27001, SOC 2 Type II recommended |
| How do you handle data deletion for rejected candidates? | 180-day rule compliance |
| What is your breach notification process? | 24-hour window requirement |
| Do you use any sub-processors? | Sub-processing chain needs to be disclosed |
Step-by-Step DPDP-Compliant Background Check Process for 2026
The following nine-step workflow reflects the minimum process requirements for DPDP Rules 2025-compliant criminal background verification in India. Each step maps to a specific compliance obligation under the DPDP Act, 2023.
Step 1: Determine the Scope Based on the Role
Under the data minimization and purpose limitation principles of the DPDP Act, 2023, employers may only collect personal data that is necessary and proportionate to the specific role being filled. Before initiating any background verification, document the risk classification of the role and the checks it justifies. This documentation serves as your compliance evidence under Rule 7 of the DPDP Rules, 2025, which requires that data processing be limited to the purpose for which consent was obtained.
A role-risk matrix - a written document mapping job categories to permitted check types - is the recommended mechanism for satisfying this requirement. The matrix should be maintained by HR or the compliance function and made available for regulatory review if required.
Sample Role-Risk Classification:
| Risk Level | Example Roles | Recommended Criminal Checks |
|---|---|---|
| Low | Data entry, back-office, administrative | Court record check (e-Courts/JUDIS) |
| Medium | Finance, IT systems access, client-facing | Court record check + police verification |
| High | C-suite, BFSI, healthcare, roles involving children | Court record check + police verification + global sanctions screening + POCSO compliance check where applicable |
Step 2: Issue a Standalone DPDP-Compliant Consent Notice
Send the candidate a separate consent document - not embedded in the offer letter - that specifies all the elements listed in Section 6. Give them reasonable time to review it. Obtain digital consent (OTP-based or e-signed) and log the timestamp.
Step 3: Collect Only What Is Necessary
Request only the documents required for the specific checks you're running. For a criminal check, you typically need: candidate's full name, date of birth, father's name, current and previous addresses, and a government-issued ID (Aadhaar or PAN).
Do not collect medical records, marital status, caste, religion or financial data unless directly relevant and consented to specifically.
Step 4: Engage Your BGV Vendor Under a Valid DPA
Transmit the candidate's data to your verified BGV vendor over an encrypted channel. Ensure your DPA is signed and current before initiating any check.
Step 5: Run the Criminal Check
Your vendor will conduct the appropriate combination of:
• e-Courts / JUDIS online database scan
• Local police station verification (physical or digital where available)
• Global sanctions and watchlist check (for regulated sectors)
Step 6: Receive and Securely Store the Report
The verification report must be stored in an access-controlled, encrypted system. Restrict access to authorized HR and compliance personnel only. Log every access event.
Step 7: Use the Report Proportionately
A criminal record does not automatically disqualify a candidate under Indian law. The prohibition on blanket disqualification derives from three sources: first, emerging judicial precedent in Indian employment courts, which has increasingly required proportionality in adverse hiring decisions; second, applicable state-level employment and non-discrimination statutes; and third, the proportionality principle embedded in the DPDP Framework's data minimization requirements, which requires that personal data - including criminal records - be used only to the extent necessary and proportionate to the specific role.
Employers must evaluate each criminal record finding on a case-by-case basis, considering:
• The nature and severity of the offense
• The time elapsed since the offense
• The direct relevance of the offense to the specific job role and its responsibilities
• Whether the candidate voluntarily disclosed the record upfront
Blanket disqualification policies - where any criminal record results in automatic rejection regardless of relevance - create legal exposure under Indian employment and human rights law and are inconsistent with the proportionality principle embedded in the DPDP Framework's data minimization requirements.
Step 8: Communicate the Decision to the Candidate
If you're declining an offer based on criminal check findings, inform the candidate and give them an opportunity to respond or contest inaccurate findings before the decision is final.
Step 9: Trigger Data Retention / Deletion Policy
For candidates who are not hired: set a 180-day deletion calendar event for their data. For hired employees: data is retained through the employment lifecycle and deleted per your retention policy post-exit.
Common Mistakes Employers Make During Criminal Background Checks in India
The following compliance failures are frequently observed in Indian employer background verification processes as of 2026. Each represents a specific violation risk under the DPDP Rules 2025.
Mistake 1: Using the Same Consent Form for Three Years: The DPDP Rules 2025 are new. Any consent form created before November 2025 needs to be reviewed and likely replaced entirely.
Mistake 2: Assuming Your BGV Vendor Handles Compliance: Under the DPDP Act, 2023, you are the Data Fiduciary regardless of whether you outsource verification to a third party. Outsourcing the check does not outsource the liability. A signed Data Processing Agreement and regular vendor audits are both mandatory - not optional.
Mistake 3: Running Checks Without Role-Specific Justification: Conducting a criminal background check on every employee regardless of role - without documented justification - is overcollection under DPDP Rules. Document your role-risk matrix.
Mistake 4: Storing Rejected Candidate Reports Indefinitely Many HR teams keep all background check reports "just in case." Under DPDP Rules, rejected candidates data must be deleted at or before 180 days. Indefinite storage is a violation.
Mistake 5: Automatically Rejecting Based on Any Criminal Record: A criminal record is not automatically disqualifying. The offense must be relevant to the role. Blanket rejection policies create legal exposure under Indian employment and human rights law.
Mistake 6: Not Telling Candidates What Was Found: If you're withdrawing an offer due to a criminal check result, the candidate has the right to know what was found and to dispute it if it's inaccurate. Skipping this step creates both a legal and reputational risk.
Mistake 7: Ignoring Contract Workers and Gig Staff: The DPDP Rules 2025 apply to personal data processing of all worker categories - including contractors, gig workers, and vendors - regardless of employment classification. Limiting DPDP compliance efforts to full-time employees constitutes a compliance gap under the Act.
FAQ - Everything Employers Ask About DPDP and Criminal Background Checks
1. Is criminal background verification mandatory under the DPDP Act 2023?
No, the DPDP Act itself does not mandate criminal checks. However, it regulates how they must be conducted. Sector-specific regulations (RBI, SEBI, MCI, IRDAI) may independently mandate criminal checks in regulated industries. For most professional roles, criminal background verification is strongly recommended as a risk management and negligent hiring protection measure.
2. Does the DPDP Act require consent for background checks if the employment contract allows for it?
The DPDP Act, 2023 permits processing of personal data for "legitimate employment purposes" - such as payroll processing or contract performance - without explicit consent in some cases. However, criminal background checks involve sensitive personal data that goes beyond the scope of standard employment contract performance. Regulatory interpretation, pending formal guidance from the Data Protection Board of India, generally treats criminal verification as requiring explicit, standalone consent separate from the employment contract. Employers who rely solely on employment contract language to justify criminal background checks face material compliance risk.
3. How long can we keep background check records for hired employees?
For general roles: typically, 3 years from the date of the check is considered reasonable. For regulated sectors (BFSI, healthcare): 5 years or as required by sector-specific regulation. For rejected candidates: 180 days from the date of rejection, then delete.
4. What happens if a candidate withdraws consent mid-verification?
If a candidate withdraws consent before the check is complete, you must stop processing their data. If the check was already submitted to a vendor, you must instruct the vendor to halt and delete the data collected. Withdrawal of consent does not obligate you to hire the candidate, but it does mean you cannot complete the verification or use any partially collected data.
5. Does DPDP apply to international companies hiring in India?
Yes. The DPDP Act applies to any processing of personal data of individuals located in India, regardless of where the Data Fiduciary is located. A US or UK company hiring in India must comply with DPDP Rules 2025.
6. What if a criminal record check returns false positive results?
False positives happen - particularly due to name-matching errors in decentralized databases. Candidates have the right to contest inaccurate findings. Before making an adverse hiring decision based on a criminal record check, verify the record independently and give the candidate a formal opportunity to respond.
Final Thoughts - Compliance Is Not a Burden, It's a Trust Signal
DPDP compliance carries strategic value beyond regulatory risk avoidance. Employers who implement compliant background verification processes gain measurable advantages in three areas: candidate trust, client contract eligibility and investor confidence in data governance maturity. Employers who implement DPDP-compliant background verification processes before the May 2027 deadline gain three measurable advantages: candidates show higher acceptance rates with employers who demonstrate transparent data handling; global clients are increasingly including data protection compliance clauses as vendor qualification criteria; and investors treat demonstrated data governance maturity as an operational risk indicator during due diligence.
A DPDP-compliant criminal background check process delivers three measurable outcomes beyond regulatory protection: It demonstrates transparent data handling to candidates, satisfies data protection audit requirements imposed by global clients and provides boards with documented evidence that people operations meet statutory data governance standards. The deadline is May 2027. But the companies that start today have 15+ months to build it properly, test it thoroughly, and turn compliance into competitive advantage.
Employers should prioritize three immediate actions: (1) replacing pre-November 2025 consent forms with DPDP Rules 2025-compliant standalone documents; (2) reviewing all BGV vendor agreements to confirm the existence of signed Data Processing Agreements; and (3) mapping candidate data flows to identify any collection, storage or transfer practices that do not comply with the purpose limitation and data minimization requirements of the DPDP Act, 2023.
Voltech HR Services helps Indian employers implement each of these three actions - from DPDP-compliant consent form design and BGV vendor agreement reviews to end-to-end criminal background verification built around the 180-day data deletion and breach notification requirements of the DPDP Rules 2025. The right compliance partner does not just run background checks - they keep your hiring process legally protected at every step.
Read these free resources:
Want to go deeper on the cost and risk side of background verification? These articles build directly on the compliance themes covered in this guide:
→ BGV: India's First Defense Against the ₹21,367 Cr Fraud Crisis - A data-driven look at how background verification protects Indian employers from the growing threat of workplace fraud and financial crime.
→ Skipping ₹800 BGV Can Cost ₹5L in Bad Hires in 2026 - A practical cost analysis of what happens when employers skip background verification — and why the math never works in their favor.
→ What is the Future of BGV for HR in 2026? - An industry outlook on how background verification is evolving in India — covering DPDP compliance, technology shifts and what HR teams should prepare for next.
For criminal background verification built around DPDP Rules 2025 compliance, Voltech HR Services specialists are ready to assist. The right BGV partner protects your hiring process legally, operationally and reputationally.
Subscribe for latest update
Write Comment