PART 1: From the Ex-Employee’s Perspective
(Accessing personal emails & WhatsApp chats from a surrendered office laptop)
1. Core Legal Principle

Under the DPDP Act, any data that identifies an individual = Personal Data, regardless of whether it is stored on:

a personal device, or
an office-issued device

👉 Therefore, personal emails and WhatsApp chats remain the employee’s personal data, even if accessed from a company laptop.

2. What the Organization Has Potentially Done Wrong

If the organization accesses:

personal Gmail / Outlook accounts
WhatsApp Web sessions
saved credentials / cached chats

👉 without explicit consent, it may amount to:

(a) Unauthorized Processing of Personal Data

Violation of DPDP Act principles:

Lawful purpose missing
Consent not obtained
Purpose limitation breached
(b) Breach of Privacy & Confidentiality

Even if the laptop belongs to the company:

👉 Personal data ≠ Company data

Accessing such data can be treated as:

Intrusion into privacy
Misuse of digital identity
(c) Offences under IT Act, 2000

Relevant sections:

Section 43 – Unauthorized access / data extraction
Section 66 – Computer-related offences (if done dishonestly)
Section 72 – Breach of confidentiality and privacy

👉 This can elevate the matter from civil violation → criminal liability

3. How Grievous Is This? (Severity Analysis)
Legally
Moderate to severe violation, depending on intent and misuse
If data is copied/shared → becomes highly severe
Financial Exposure (DPDP Act)
Penalties can go up to ₹250 crore (organization-level, depending on severity and scale)
Reputational & Ethical
High reputational damage
Loss of employee trust
Potential litigation
4. Key Insight (Very Important)

👉 Even if:

the employee forgot to log out
or data was cached

The organization STILL does not get automatic rights to access personal data.

5. Practical Interpretation

This situation reflects:

Lack of data governance controls
Absence of exit protocols
Possible intentional or negligent misuse