Who is processing your data? Each time an entity collects your data, it is with the intention for that data to be used to provide you with a promised service. To do so, an agency, entity, or person processes the data – and sometimes, such an entity may be entirely different from the one who collects the data from you.
Who is a Data Processor?
Under the DPDP Act, data processors are responsible for processing digital personal data on behalf of a data fiduciary. Broadly, there are of two categories of processors. Non-customer-facing and customer-facing processors. The former processes personal data shared by a data fiduciary, and not directly by a data principal.
Distinguishing Data Processors from Data Fiduciaries
Under the DPDP Act, a pertinent question that may emerge is the distinction between the data fiduciary and processor, and whether they might be the same entity at all. In principle, the data fiduciary is the one who determines the purpose and means of processing personal data collected, and the data processor is the one who processes the data on behalf of the data fiduciary.
No data can be processed without the consent of the data principal. However, the matter does not end with obtaining consent – it is also important to pay attention to how consent is managed. All instances of consent provided by data principals must be appropriately documented, accessible, and safeguarded. When consent is sought, it must be for a specific requirement and the data principal must be made aware of precisely what that specific requirement is. Once sought, consent for a specific requirement cannot be extrapolated or applied to other requirements. A data principal is also free to withdraw consent at any time – which means that a data processor must stop processing data and delete it when consent is withdrawn.
Under Section 8.2 of the DPDP Act, a data fiduciary must sign a contract with every data processor they engage with. However, the act does not define the scope and content of such a contract, and it remains to be seen how we may be guided by practice and precedents on this.
Under the law, as personal data privacy is the core focus, a data processor can be implicitly understood to have a responsibility to verify consent, respond to data deletion and updation requests, and maintain a clear repository of PII data and consent received for each item gathered and for the purpose for which it is gathered. This is largely a good practice rather than mandated by the law, as it does not do so explicitly.
Insights from industry leaders
“There’s this perception that if your company is branded as a data processor rather than a controller, you can escape liability under the law. However, it’s not about labelling the entire entity as either a processor or a controller. It’s about the specific data processing activities happening at different stages of the journey.
For example, if you’re simply printing credit card numbers, you’re acting as a processor. But if you’re analyzing data at another point, or handling data for employee management, you might be considered a data controller, or fiduciary, in that context. So, it’s not a one-size-fits-all label for an entire entity.
The law’s definition of a processor is straightforward—it refers to any person processing personal data on behalf of a data fiduciary. And when we circle back to the definition of data fiduciary, we should remember the deeper message behind the terminology.”
– Supratim Chakraborty, Partner at Khaitan & Co.
Examples of Data Processors
Let’s say you’ve ordered handmade goods from a small business. You give them your address, phone number, and email ID toward the delivery of your purchase. The small business then shares your data with three other companies – one that prints out the cards, another that delivers the cards, and another that sends you notifications and OTPs required to complete delivery. Each of these is a data processor, as they are processing your personal data.
Casting the net wider, a processor could also include the human resources department of an organization. As they have methods and techniques to process the personal data of applicants, employees, interns, and contractors, these data need to be protected. Some processing may also involve a third party – in which case such a third party.
Similarly, the marketing team in an organization is consistently maintaining, expanding, and updating databases of existing and potential customers. When the marketing team works with an email marketing company or agency that uses the emails of their existing or potential customers to roll out campaigns, such a company or agency is also a data processor.
In all these cases, a key common thread is that the data processor does not own any of the personal data of the customers – both existing and potential – or that of anyone else that they process. The owner remains the data principal.
To get a better understanding of what data processors should know about their duties under the DPDP Act, watch the full webinar below!
Duties of a Data Processor
The DPDP Act does not specifically impose any obligations on data processors. However, this does not mean that they are not held accountable at all under the law: Data fiduciaries may contractually delegate some of their obligations to the Data Processor through written agreements. Further, in general, a data processor must strive to take appropriate safeguards to protect personal data they access, and to delete and update such data whenever they are required to by given situations.
For a data processor to process the data, explicit consent from the data principal for the (a) processing of data (b) for the specific purpose is necessary. Consent received for one purpose cannot be a blanket application for any other purpose.
When a data principal withdraws consent, the data processor must cease processing all personal data of that particular data principal within a reasonable time (which the law has not explained or specified). The data principal must also delete the data so received from the principal. Similarly, a data processor must stop processing and delete all data as soon as it is reasonable to assume that the specific purpose for data processing is no longer being served, unless there is a need to retain the data for the sake of compliance with the law.
If there is a data breach, a data processor is responsible for informing the Data Protection Board upon coming to know of such a brief.
Insights from Industry Leaders
“Eventually, every entity will play the role of a fiduciary. From the moment a company is set up, it begins collecting data—whether from workers or other stakeholders. So, initially, a company is a fiduciary. Then, as it starts serving other clients or companies, it may also become a processor. Essentially, every company has to comply with all relevant regulations, whether it’s the GDPR, DPDP, or any other law, because everyone eventually handles personal data in one way or another.
But to address the question about customer-facing and non-customer-facing processors—while that categorization is one way to look at it, I believe that, in the end, both types of processors are acting on behalf of another party. For example, if I outsource my website hosting to a third party, the end user only sees my company. The fiduciary, in this case, is the one with the direct relationship to the consumer, and the consumer is unaware of the processors working behind the scenes.
That’s important because when it comes to consent, the processor cannot collect consent on their own. The role of obtaining and managing consent falls to the fiduciary. Different sectors have different obligations—take banking as an example, where the RBI requires data retention even after account closure. However, the processor cannot retain consent details for the required 10 years. Therefore, the responsibility for consent management should remain with the fiduciary.
In agreements between fiduciaries and processors, it’s essential to clearly define these responsibilities. Shifting consent management to the processor isn’t practical, as it adds complexity and makes rigorous consent management unfeasible for them. Instead, the fiduciary should handle consent collection and retention for all parties involved. For instance, if a bank works with multiple processors, the fiduciary should be the one managing consent across the board, ensuring clarity and consistency for everyone.”
– Kishore Manvuri, DPO at Jio Haptik
Data Processor- GDPR Vs DPDP Act
| Aspect | GDPR | DPDP Act |
| Definition and Role | Data processor processes personal data on behalf of a data controller and acts under the controller’s instructions without deciding on data processing purposes. | Data processor processes personal data on behalf of a data fiduciary (controller) and acts under the fiduciary’s instructions with similar constraints on decision-making. |
| Responsibilities | Follow the data controller’s instructions and implement appropriate security measures for GDPR compliance. | Follow the data fiduciary’s instructions and implement appropriate security measures for DPDP compliance. |
| Liability and Accountability | Liable for breaches if failing to follow instructions or implement security measures. Data subjects can seek compensation from both controllers and processors. | Liable for breaches similarly, though specific liability mechanisms may differ. Compensation and liability mechanisms are determined by the DPDP Act’s provisions. |
| Contractual Obligations | Requires a contract with the data controller specifying obligations. Must obtain prior written consent for using sub-processors and ensure they meet GDPR standards. | Requires a contract with the data fiduciary outlining obligations. Must have similar agreements for sub-processors, but specifics may vary under the DPDP Act. |
| Regulatory Authority | Subject to action by supervisory authorities like the ICO. Enforcement includes fines and penalties based on GDPR standards. | Subject to oversight by the regulatory body specified under the DPDP Act. Enforcement will be tailored to the DPDP Act’s provisions, with potentially different penalties. |
Definition of a Sub-Processor
A sub-processor is any external entity that a data processor utilizes to perform part of the processing activities for which the processor has been engaged by the data controller. Essentially, sub-processors are processors of processors.
Role and Responsibilities
1. Contractual Relationship:
- With Data Controller: The primary data processor must have a contract with the data controller that outlines how personal data is to be processed and protected. This contract must include specific clauses related to the use of sub-processors.
- With Sub-Processor: The primary data processor must also establish a contract with the sub-processor. This contract must impose the same data protection obligations on the sub-processor as are imposed on the primary processor by the data controller.
2. Authorization Requirement:
- The GDPR mandates that a data processor must obtain the data controller’s prior written authorization before engaging a sub-processor. This ensures that the data controller is aware of and agrees to the involvement of the sub-processor.
3. Liability:
- The primary data processor remains fully liable to the data controller for the performance of the sub-processor. This means that if the sub-processor fails to meet GDPR requirements or causes a breach, the primary data processor is responsible for addressing the issue and ensuring compliance.
4. Obligations Imposed on Sub-Processors:
- Data Protection Obligations: The sub-processor must adhere to the data protection obligations specified in the contract with the primary data processor. This includes implementing appropriate technical and organizational measures to protect personal data.
- Compliance with GDPR: The sub-processor must comply with the GDPR requirements, including those related to data security, data subject rights, and breach notification.
Insights from industry leaders
“When I look at GDPR, it provides a very clear definition of sub-processors and the processes for transferring data between processors and sub-processors. The rules in the DPDP Act, as we’ve seen so far, are still in their early stages. I believe we will see significant evolution in these regulations over the next two years. The clarity we’re seeking may not be fully available today, but in two years, we could have more well-defined guidelines. That’s just my perspective on this.”
– Ashok Hariharan, CEO at IDfy
Data Processors and Data Fiduciaries: Quick FAQs
1. Who is a data fiduciary under the DPDP Act?
A data fiduciary is any person or entity who, either by themselves or in conjunction with other persons or entities, determines the purpose and means of processing of personal data.
2. Who is a Significant Data Fiduciary under the DPDP Act?
A Significant data fiduciary is any data fiduciary or class of data fiduciaries as may be notified by the Central Government under section 10.
3. What responsibilities does a data fiduciary have under the DPDP Act?
When a personal data breach occurs, the data fiduciary must promptly inform the DPB and affected Data Principals about the breach, its nature, and the steps taken to mitigate its effects, in the manner prescribed by law. Data fiduciaries are also responsible for erasing personal data upon the Data Principal withdrawing their consent or as soon as the purpose of processing is no longer being served.
They must also ensure that their data processors erase any data shared for processing. When any personal data are used for decision-making or are disclosed to another data fiduciary, the processing data fiduciary has the responsibility to ensure the completeness, accuracy, and consistency of the data. A data fiduciary can process personal data only if it is for a lawful purpose and either with the consent of the Data Principal or for certain legitimate uses.
4. What happens when a data principal withdraws consent?
A data processor is legally obliged to delete all data from the data principal within a reasonable time after the withdrawal of consent.
5. What happens when a data principal finds out about a breach of data privacy?
Upon coming to know of a breach of data privacy, a data processor must inform the Data Protection Board of such a breach.