Payroll SaaS + HR Analytics: Is Employment Contract Consent Valid — and Can AI Attrition Scores Be Withheld from Employees?
A US-based payroll SaaS and an AI HR analytics platform with cross-border data flows. The employment contract has a generic HR consent clause. Is that enough? And can employees demand to see their flight-risk score?
A 5,000-employee Indian IT company uses a US-based payroll SaaS and an HR analytics platform that generates "attrition risk" / "flight risk" scores visible to line managers. Employee data is stored on US servers. The employment agreement includes a clause "consenting to HR processes." The AI model flags individual employees as high flight risk.
Is the employment contract's general "HR consent" clause sufficient for AI attrition profiling?
Payroll processing rests on a legal obligation (§7(b)), so consent is not required. AI attrition profiling is discretionary: no law mandates it. A "legitimate interests" basis may be argued, but profiling individuals with AI-generated flight-risk scores that are visible to managers (and may influence career decisions) requires a genuine balancing test, a DPIA, and most likely notice to employees.
Is storing employee data on US-based payroll SaaS servers lawful under DPDP §16?
The DPDP Rules 2025 implement a "White List" of approved countries under §16. As of the Rules notification, the White List has not yet been published. For existing US payroll systems: document the processing as non-sensitive employee data for statutory purposes, execute Standard Contractual Clauses or equivalent DPAs with the US vendor, and monitor MeitY for the White List notification.
Payroll data processed for statutory purposes (TDS, PF, ESIC) may have an additional §7(b) legal-obligation argument for the transfer, but this requires legal counsel review and written documentation, not assumption.
An employee asks to see their "flight risk score." Does the §11 right to access cover AI-generated HR outputs?
An AI-generated "flight risk score" based on the employee's personal data is personal data about that employee. The employer cannot refuse access on grounds that the score is a "business decision" or "internal HR document." The DPDP Act creates no blanket exception for internal analytical outputs derived from personal data.
Document your HR processing lawful basis in a DPDP-compliant ROPA.