
RFID and DPDPA 2023: What Every People-Tracking System in India Must Get Right

September 2025  ·  6 min read  ·  Vishal Singh, Markss Infotech Ltd

What DPDPA Means for RFID and Barcode Systems

[Figure: Three DPDPA 2023 principles that must be designed into any people-tracking RFID system in India. Consent: free, specific, informed, unambiguous; opt-in only, obtained before any data is collected; implied consent is not compliant. Purpose limitation: data collected for access control cannot be used for marketing or analytics; each purpose needs its own consent. Data minimisation: collect only what you actually need; excess collection is legal exposure (storing a photo when a name suffices is a risk). DPDPA 2023 applies to all RFID systems processing personal data of Indian individuals.]

The Digital Personal Data Protection Act 2023 — India's first comprehensive personal data protection legislation — applies to any system that collects or processes personal data of individuals in India. For RFID and barcode systems deployed in visitor management, event access, workforce tracking, campus identification, or any people-facing application, DPDPA changes what you are required to do before, during, and after deployment.

What Counts as Personal Data in an RFID Context

Under DPDPA, "personal data" means any data about an identifiable individual. In an RFID or barcode system context, this includes: a visitor's name linked to an RFID badge or QR code, an employee's identity linked to an access control tag, an attendee's profile linked to an event wristband, vehicle registration data linked to a transponder, and location or movement data linked to any of the above. If the system can identify a specific person through a combination of identifier and associated data, it is processing personal data under DPDPA.

The Three DPDPA Principles That Affect System Design

Consent: The DPDPA requires consent that is free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, before personal data is collected for a stated purpose, and a notice describing the data collected and the purpose must accompany or precede the request for consent. For visitor management, this means the notice and consent step at registration is a legal requirement, not a checkbox to be added later. The Act also recognises certain legitimate uses for which consent is not required, including processing for employment purposes, which is why employee access control can rest on that ground, whereas visitor and event attendee data will normally need consent.

Purpose limitation: Data collected for one purpose cannot be used for a different purpose without fresh consent. If you collect access control data for building security, you cannot use that data for attendance reporting or marketing without separate consent.

Data minimisation: Collect only the data actually needed for the stated purpose. If a visitor badge system requires only a name and company to grant access, collecting biometric data or mobile number is excess collection that creates legal exposure without operational benefit.

Practical Pre-Deployment Requirements Under DPDPA

Before deploying any people-facing RFID or barcode system, you need: a documented data map covering what data is collected, where it is stored, who has access, and how long it is retained; a consent mechanism that meets DPDPA standards; a data subject rights process for how individuals can access, correct, or withdraw consent; a data processor agreement if using a third-party system provider; and a data retention and deletion policy.

If your current people-tracking system lacks these governance elements, putting them in place is the first task, and for any new deployment they are a pre-deployment requirement, not a post-deployment task. The compliance framework must be designed into the system, not bolted on afterward.

Frequently Asked Questions

Does DPDPA 2023 apply to employee RFID access control systems?

Yes. If an employee RFID access control system stores data that can identify an individual (employee name, employee ID, entry/exit timestamps linked to a specific person), it is processing personal data under DPDPA. The operator of the system, as Data Fiduciary, must have a legitimate purpose for collecting the data, either employee consent or a lawful alternative basis (the Act's legitimate-use ground for employment purposes is the usual one), a data retention policy, and a process for employees to access or correct their data.

Is a visitor management RFID system subject to DPDPA?

Yes. A visitor management system that stores a visitor's name, company, contact details, and entry/exit timestamps — and links those details to an RFID badge or QR code — is processing personal data. The visitor must be informed of what data is collected, why, and how long it is retained. Consent or another lawful basis under DPDPA is required.

What is the consent requirement for event RFID wristbands under DPDPA?

Event wristbands linked to a registered attendee profile are processing personal data. DPDPA requires that attendees give free, specific, informed, and unambiguous consent for each purpose for which their data will be used. If the event plans to use wristband data for post-event marketing communications, cashless payment processing, or session analytics, each of those purposes requires explicit consent — ideally captured at registration.

How long can RFID access control data be retained under DPDPA?

DPDPA does not specify a maximum retention period for all categories of personal data, but it requires that personal data be erased once the purpose for which it was collected is no longer being served, or once consent is withdrawn, unless retention is required by law. For RFID access control data in a commercial building, a retention period of 30–90 days is typically considered reasonable for security audit purposes. Retention beyond that, for example for events tied to an incident under investigation, requires a specific justification documented in the data retention policy, and the purge should be an automated job so the policy is enforced rather than merely written down.
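The following is an added example, not code from the article or from Markss Infotech, showing how the principles above (data minimisation, purpose limitation, consent withdrawal, and the retention policy from this answer) can be built into the storage layer of an access control system rather than left to policy documents. The schema, the site key, the purpose names and the sample visitors are all constructed for illustration. Tag UIDs are replaced by a keyed pseudonym before they reach the event log, identity attributes live in a separate table so that withdrawing consent unlinks past events, joins to identity are only permitted for purposes the person consented to, and expired events are purged unless flagged with a documented hold.

```python
"""Added example: a minimal DPDPA-aware access event store (illustrative only)."""
import hmac
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed placeholder key; a real deployment keeps this in a secret store or HSM.
SITE_KEY = b"example-site-key-not-for-production"

# Identity, consent and movement data are kept apart on purpose (data minimisation):
# the event log carries only a pseudonym, a reader id and a timestamp.
SCHEMA = """
CREATE TABLE person (
    badge_token TEXT PRIMARY KEY,   -- HMAC of the tag UID; the raw UID is never stored
    name        TEXT NOT NULL,
    company     TEXT NOT NULL       -- the only attributes access control needs
);
CREATE TABLE consent (
    badge_token TEXT NOT NULL,
    purpose     TEXT NOT NULL,      -- e.g. 'access_control', 'attendance'
    given_at    TEXT NOT NULL,
    PRIMARY KEY (badge_token, purpose)
);
CREATE TABLE access_event (
    badge_token TEXT NOT NULL,      -- no name or company copied into the log
    reader_id   TEXT NOT NULL,
    event_time  TEXT NOT NULL,      -- ISO 8601 UTC, so string comparison orders correctly
    legal_hold  INTEGER NOT NULL DEFAULT 0  -- set only with a documented justification
);
"""


def badge_token(tag_uid: bytes) -> str:
    """Keyed pseudonym for a tag UID; cannot be reversed or linked without SITE_KEY."""
    return hmac.new(SITE_KEY, tag_uid, hashlib.sha256).hexdigest()


def open_store() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def register(db, tag_uid, name, company, purposes, now):
    """Register a person and record one consent row per purpose they agreed to."""
    tok = badge_token(tag_uid)
    db.execute("INSERT INTO person VALUES (?, ?, ?)", (tok, name, company))
    db.executemany("INSERT INTO consent VALUES (?, ?, ?)",
                   [(tok, p, now.isoformat()) for p in purposes])
    db.commit()
    return tok


def record_event(db, tag_uid, reader_id, when):
    db.execute("INSERT INTO access_event (badge_token, reader_id, event_time) VALUES (?, ?, ?)",
               (badge_token(tag_uid), reader_id, when.isoformat()))
    db.commit()


def events_for_purpose(db, purpose):
    """Purpose limitation: events are joined to a name only where consent for that
    purpose exists; everyone else's events stay pseudonymous in the result."""
    return db.execute("""
        SELECT p.name, e.reader_id, e.event_time
        FROM access_event e
        JOIN consent c ON c.badge_token = e.badge_token AND c.purpose = ?
        JOIN person  p ON p.badge_token = e.badge_token""", (purpose,)).fetchall()


def withdraw_consent(db, tag_uid):
    """Withdrawal: drop the identity and consent rows; historical events become unlinkable."""
    tok = badge_token(tag_uid)
    db.execute("DELETE FROM consent WHERE badge_token = ?", (tok,))
    db.execute("DELETE FROM person WHERE badge_token = ?", (tok,))
    db.commit()


def purge_expired(db, now, retention_days):
    """Retention policy as code: delete events older than the window unless on hold."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = db.execute("DELETE FROM access_event WHERE event_time < ? AND legal_hold = 0", (cutoff,))
    db.commit()
    return cur.rowcount


def count_events(db):
    return db.execute("SELECT COUNT(*) FROM access_event").fetchone()[0]


def demo():
    """Walk through registration, reporting, purge and withdrawal on constructed data."""
    now = datetime(2025, 9, 1, tzinfo=timezone.utc)
    uid_a, uid_b = b"\x04\xa1\xb2\xc3\xd4\xe5\xf6", b"\x04\x11\x22\x33\x44\x55\x66"  # constructed UIDs
    db = open_store()
    register(db, uid_a, "Asha Rao", "Example Co", ["access_control", "attendance"], now)
    register(db, uid_b, "Ravi Kumar", "Sample Ltd", ["access_control"], now)
    record_event(db, uid_a, "DOOR-LOBBY", now - timedelta(days=120))  # beyond a 90-day window
    record_event(db, uid_a, "DOOR-LOBBY", now - timedelta(days=10))
    record_event(db, uid_b, "DOOR-LOBBY", now - timedelta(days=5))
    attendance_names = sorted({row[0] for row in events_for_purpose(db, "attendance")})
    purged = purge_expired(db, now, retention_days=90)
    withdraw_consent(db, uid_b)
    linkable = len(events_for_purpose(db, "access_control"))
    return {"attendance_names": attendance_names, "purged": purged,
            "events_left": count_events(db), "linkable": linkable}


if __name__ == "__main__":
    print(demo())
```

Only Asha's events appear in an attendance report because only she consented to that purpose; the 120-day-old event is removed by the purge; after Ravi withdraws, his event row still exists for the remainder of the window but can no longer be tied to him, so only one linkable access-control event remains.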


About the author

Vishal Singh is Business Development Manager at Markss Infotech Ltd, with close to a decade of experience across sales, pre-sales, and project work in RFID and barcode deployments across retail, warehousing, manufacturing, and healthcare in India.

Hello@vishalsinghrfid.com