With the Digital Personal Data Protection (DPDP) Act, 2023 having entered into force, the language of the law is set to evolve with practice and precedents. One area of concern and confusion have been centred on “data fiduciaries” and “data processors.” Who is a data fiduciary? Who is a data processor? What are their roles under the DPDP Act? What are their duties and responsibilities under the new avenues that have opened up in the privacy law landscape?
Read on to learn all about data fiduciaries.
Who is a data fiduciary?
Under the DPDP Act, a data fiduciary is the entity that, either independently or in collaboration with others, establishes the purpose and methods for processing personal data. This entity, under the DPDP Act in India, is a lot like the data controller under other data privacy regimes.
Under DPDP Act, data fiduciaries are responsible for maintaining security safeguards; ensuring the completeness, accuracy, and consistency of personal data; ensuring the intimation of data breaches in a prescribed manner to the Data Protection Board of India (DPB); performing data erasure upon the withdrawal of consent or upon the expiry of the specified purpose for which data was collected, appointing a data protection officer and setting up grievance redress mechanisms; and securing the consent of the parent or guardian, which is mandatory in the case of children or minors aged under 18 years.
What are the obligations of a data fiduciary?
Chapter II of the DPDP Act outlines the duties of data fiduciaries, focusing on the principles that govern personal data processing. Data can only be processed for lawful reasons, either with the individual’s explicit consent or under specific legitimate circumstances. The term Data Principal refers to the owner of the personal data. When dealing with minors, this extends to their parents or legal guardians, and for individuals with disabilities, their legal guardians represent them. Before requesting consent, the data fiduciary must present a clear notice outlining the purpose of processing, how to lodge complaints, and providing access to the notice in English or any other languages listed in the Eighth Schedule of the Indian Constitution. This requirement applies even if consent was obtained before the DPDP Act was enacted.
Consent
According to Section 6 of the Act, data principals’ consent must be voluntary, specific, informed, clear, and unambiguous. Consent should relate directly to a particular processing purpose. Any consent that violates the principles of the Act will be considered invalid. Requests for consent must be simple, easy to understand, and include the contact information of the data protection officer or another designated individual responsible for communication with data principals. Data principals have the right to withdraw their consent at any time, and once consent is revoked, the data fiduciary must cease processing the data unless otherwise permitted by this Act or relevant Indian laws.
Appointment of a consent manager
A consent manager, acting on behalf of the data principal, facilitates the management, review, or revocation of consent granted to the data fiduciary. This consent manager is required to register with the Board and meet the technical, operational, and financial standards defined by the regulations, ensuring the data principal’s best interests are protected.
Processing for legitimate purposes
Section 7 of the Act permits data fiduciaries to process personal data under legitimate purposes, even in scenarios where the data principal did not explicitly consent but provided the data for a specific reason. The Act also outlines various other legitimate circumstances where data processing is allowed.
The Act allows data fiduciaries to process personal data for certain government-related purposes. This includes facilitating government services such as subsidies, benefits, licenses, permits, and certificates. Such processing is allowed if the data principal has given prior consent for this purpose, or if the data is digitized from government records, as specified by Central Government notifications. Compliance with relevant laws and standards set by the Central Government is mandatory.
General responsibilities of data fiduciaries
Section 8 of the Act defines the core responsibilities of data fiduciaries, which include adhering to the regulations related to personal data processing, ensuring data accuracy, completeness, and consistency, implementing appropriate technical and organizational safeguards, reporting data breaches to the Board and affected data principals, and publicly sharing the contact information of data protection officers.
Special considerations for processing minors’ data
Section 9 highlights the specific responsibilities of data fiduciaries when handling minors’ data or that of individuals with disabilities. Verifiable consent from a parent or legal guardian is required before processing. Additionally, data fiduciaries are prohibited from processing any personal data that may harm the well-being of a child, including activities like tracking, behavioral monitoring, and targeted advertising towards minors.
Data retention requirements
Personal data should not be retained longer than necessary to fulfill the intended purpose. Once the data is no longer needed, the data fiduciary must delete or anonymize it.
Penalties for non-compliance
Failure to comply with these obligations can result in significant penalties, including fines that may extend up to 250 crore rupees, depending on the nature and severity of the violation. This emphasizes the importance of adhering to the DPDPA’s provisions to protect personal data and uphold the rights of individuals.
In summary, the obligations of Data Fiduciaries under the DPDPA are comprehensive and aim to create a robust framework for data protection, ensuring that personal data is handled responsibly and ethically.
Who is a Significant Data Fiduciary (SDF)?
Under the DPDP Act, a data fiduciary may be classified as a Significant Data Fiduciary, if their processing activities (such as the volume and sensitivity of personal data involved and the impact on the rights of data principals) relate to larger social and national concerns such as India’s sovereignty and integrity, electoral democracy, state security, and public order. If a fiduciary is classified as an SDF, there are additional obligations imposed on them – such as appointing a Data Protection Officer (DPO) responsible for addressing the inquiries and concerns of data principals. The government may impose restrictions on an SDF from time to time, through notifications.
Let’s look at this with an example. Let’s say you are signing up for an account on a social media platform, say, Facebook. While signing up, you provide Facebook with your data – your name, email ID, location, age, and other relevant parameters. Meta, the parent company of Facebook, takes and processes these data points for your use and consumption of Facebook as a platform. This effectively makes Meta/Facebook a data fiduciary.
Insights from industry leaders
Supratim Chakraborty
Khaitan & Co.
Partner
“When data protection laws were initially being conceptualized, there was a lot of focus on the data fiduciary being fully responsible, even if data was passed down to second, third, or even fourth processors. The idea was that the data fiduciary should remain the primary point of contact for the data principal. While this makes sense in theory, in practice, it can be incredibly challenging for a data fiduciary to keep track of all the downstream processors. Still, that’s the approach the law currently takes.
How should a data fiduciary handle data transfers?
Here are some scenarios that fiduciaries need to keep in mind while transferring customer data:
- Local transfer of personal data Personal data can be freely transferred within India, provided that the transfer complies with all the provisions outlined for processing under the Act. This includes the necessity for processing to be based on either: (i) the consent of the data principal for processing their personal data for a legitimate purpose; or (ii) specific legitimate uses as defined under the Act.
- Cross-border transfer of personal data The Act permits the transfer of personal data to other countries or regions outside of India, unless the Central Government restricts such transfers to specific nations through a notification. Essentially, the Act follows a blacklisting model, allowing cross-border transfers unless the destination is among the restricted territories. Moreover, the same obligations that govern local transfers must also be followed when transferring personal data across borders.
- Interaction with other laws or sector-specific regulations If any existing law or sectoral regulation mandates stricter protection or restrictions on the transfer of personal data outside India—whether for specific types of personal data or certain classes of data fiduciaries—those regulations will take precedence. For example, the Reserve Bank of India (RBI), in its directive dated April 06, 2018, required all payment system providers to store payment data exclusively on systems within India. If a payment transaction is processed abroad, the data must be erased from foreign systems and transferred back to India within 24 hours or by the next business day. Sector-specific regulations, such as this RBI directive, will prevail over the Act in these circumstances.
- Transfers to data processors When personal data is transferred to a data processor, the fiduciary remains ultimately responsible for ensuring compliance with the Act. It is essential that any transfer to a data processor is supported by a contract that includes specific terms, such as:
- Representations, warranties, and indemnities to protect the fiduciary against unauthorized processing by the data processor;
- Requirements for the data processor to implement appropriate technical and organizational measures to comply with the Act and safeguard personal data by taking reasonable security measures to prevent any breaches.
Joint controllers vs data fiduciary
A joint controller refers to an entity that collaborates with other controllers to collectively determine the purposes and methods of data processing.
Under Article 26 of GDPR, joint controllers are required to establish a “joint controller agreement” (a term used for clarity, though not explicitly named in the GDPR). This agreement outlines each controller’s responsibilities concerning GDPR compliance, covering areas such as:
- Assigning responsibility for handling data subject rights requests
- Identifying who will develop and manage the privacy policy, along with other relevant privacy notices for data subjects
- Optionally, joint controllers can appoint a single contact point for data subjects
- The core elements of the joint controller agreement must be accessible to data subjects
- Regardless of how responsibilities are divided, data subjects retain the right to exercise their GDPR rights with any of the controllers involved
The concept of joint controllers does not exist in the same way under DPDP.
| Aspect | Joint Controllers (GDPR) | Data Fiduciary (DPDP Act, India) |
| Definition | Two or more entities that jointly determine the purposes and means of processing personal data. | An entity that determines the purpose and means of processing personal data independently. |
| Legal Basis | Governed by the General Data Protection Regulation (GDPR) in the European Union. | Governed by the Digital Personal Data Protection (DPDP) Act, 2023 in India. |
| Purpose Determination | Jointly determined by all controllers involved, with shared responsibilities. | Determined solely by the Fiduciary based on its role and obligations. |
| Agreement Requirement | Requires a “joint controller agreement” to define roles and responsibilities for compliance. | No specific agreement is required with other entities, but the Data Fiduciary must comply with the law individually. |
| Responsibility for Data Subject Rights | Joint controllers must determine which entity handles data subject rights and ensure clarity. | The Fiduciary alone is responsible for facilitating data principal rights, such as access, correction, and deletion. |
| Point of Contact | May designate a single point of contact for data subjects across all joint controllers. | Typically, the Fiduciary serves as the primary contact for data principals, with no provision for a shared contact point. |
| Transparency | Must provide the “essence” of the joint controller agreement to data subjects. | Must ensure transparency by informing data principals about data processing activities, including providing privacy notices. |
| Accountability | All joint controllers are equally accountable to data subjects, regardless of internal arrangements. | The fiduciary is solely accountable for compliance and ensuring data security and privacy. |
| Cross-Border Data Transfers | Must ensure proper safeguards when transferring data across borders, often jointly handled. | Must ensure compliance with local laws for cross-border data transfers, with the responsibility lying entirely with the fiduciary. |
| Compliance Mechanism | Shared compliance responsibilities, with potential for complexity in shared audits or inspections. | The data fiduciary must independently maintain compliance mechanisms and respond to regulatory audits or inspections. |
Insights from industry leaders
Kishore Manvuri
Jio Haptik
DPO
In the case of a co-branded credit card involving an aggregator and a bank, both parties might be classified as joint controllers. This means they jointly determine the purpose of processing and must each obtain separate consent from data subjects for their specific use cases. The data collected and processed by each party will be different, so separate consent and data flow management are necessary.
Similarly, GDPR introduces the concept of co-processors. Here, two or more processors may jointly handle data under a single arrangement, and they share responsibility. This concept could very well be introduced in India as the data protection landscape matures.
Who is a data processor?
A data processor is responsible for processing digital personal data on behalf of a fiduciary. Broadly, they are of two categories of data processors. Non-customer-facing and customer-facing data processors. The former processes personal data shared by a fiduciary, and not directly by a data principal.
Let’s look at this with an example. Let’s say you are buying custom-made business cards from a small printer on Instagram. You give them your address, phone number, and email ID toward the delivery of your purchase. The small business then shares your data with three other companies – one that prints out the cards, another that delivers the cards, and another that sends you notifications and OTPs required to complete delivery. Each of these is a data processor, as they are processing your personal data.
The dual nature of data processors and data fiduciaries- The ultimate identity crisis!
Under the DPDP Act, a pertinent question that may emerge is the distinction between the fiduciary and data processor, and whether they might be the same entity at all. In principle, the fiduciary is the one who determines the purpose and means of processing personal data collected, and the data processor is the one who processes the data on behalf of the data fiduciary.
There is a tendency to assume that the fiduciary alone has obligations under the DPDP Act and that the data processor does not. This assumption has given room for data fiduciaries to find ways to stretch the definition of a data processor to accommodate them within its scope. However, under the law, a data processor can be implicitly understood to have a responsibility to verify consent, respond to data deletion and updation requests, and to maintain a clear repository of PII data and consent received for each item gathered and for the purpose for which it is gathered. While the law may not mandate this in as many words, it is a good practice to build this commitment to the privacy ecosystem in order to ensure transparency.
Data processors and data fiduciaries: Quick FAQs
- Who is a data processor under the DPDP Act?
A data processor is any person or entity who processes personal data on behalf of a Data Fiduciary.
- Who is a data fiduciary under the DPDP Act?
A data fiduciary is any person or entity who, either by themselves or in conjunction with other persons or entities, determines the purpose and means of processing of personal data. - Who is a Significant Data Fiduciary under the DPDP Act?
A Significant data fiduciary is any data fiduciary or class of data fiduciaries as may be notified by the Central Government under section 10. - What responsibilities does a data processor have under the DPDP Act?
A data processor is responsible for processing data on behalf of the data fiduciaries, for the purposes for which consent has been given. - What responsibilities does a data fiduciary have under the DPDP Act?
When a personal data breach occurs, the data fiduciary must promptly inform the DPB and affected Data Principals about the breach, its nature, and the steps taken to mitigate its effects, in the manner prescribed by law. Data fiduciaries are also responsible for erasing personal data upon the Data Principal withdrawing their consent or as soon as the purpose of processing is no longer being served. They must also ensure that their data processors erase any data shared for processing. When any personal data are used for decision-making or are disclosed to another data fiduciary, the processing data fiduciary has the responsibility to ensure the completeness, accuracy, and consistency of the data. A data fiduciary can process personal data only if it is for a lawful purpose and either with the consent of the Data Principal or for certain legitimate uses. - Can the same entity be both, the data fiduciary and data processor?
It is possible for the same entity to be both, data fiduciaries and data processors. This depends on the roles they play in relation to the data of data principals.
- What are the key things which data fiduciaries should keep in mind to ensure that they are fully compliant with the DPDP Act? To ensure full compliance with the Digital Personal Data Protection Act (DPDP Act) of 2023, data fiduciaries must be aware of several key elements that govern their responsibilities. Here are the critical considerations:
- Understand the Definition of Data Fiduciary
Data fiduciaries are defined as entities that determine the purpose and means of processing personal data. Understanding this definition is crucial as it establishes the scope of responsibilities and liabilities under the DPDP Act.
- Obtain Valid Consent
Consent must be free, specific, informed, unambiguous, and given through a clear affirmative action. Data fiduciaries should ensure that they have mechanisms in place to obtain and manage consent effectively, including providing clear notices that outline the data being collected, the purpose of processing, and the rights of data principals.
- Implement Data Minimization Principles
Data fiduciaries should only collect personal data that is necessary for the specified purpose. They must regularly assess whether the data being processed is still needed and cease retention when it is no longer necessary.
- Ensure Data Accuracy and Security
Data fiduciaries must implement reasonable technical and organizational measures to protect personal data from unauthorized access, loss, or damage. This includes having protocols in place for responding to data breaches.
- Establish Grievance Redressal Mechanisms
Data fiduciaries are required to provide data principals with accessible means to address grievances related to their personal data. This includes having a designated contact point for inquiries and complaints.
- Comply with Special Obligations for Significant Data Fiduciaries
Entities classified as Significant Data Fiduciaries (SDFs) face additional obligations, such as appointing a Data Protection Officer (DPO), conducting Data Protection Impact Assessments (DPIAs), and engaging independent auditors for compliance evaluations.
- Manage Children’s Data Responsibly
The DPDP Act places strict limitations on the processing of children’s data, including prohibiting targeted advertising directed at minors. Data fiduciaries must ensure compliance with these provisions to protect children’s privacy.
- Review and Update Contracts with Data Processors
Data fiduciaries remain responsible for the data even when processed by third-party data processors. It is vital to have robust contractual arrangements that outline compliance obligations and ensure that processors adhere to the same standards required by the DPDP Act.
- Monitor Compliance and Conduct Regular Audits
Regular audits and assessments of data processing activities are necessary to ensure ongoing compliance with the DPDP Act. This includes evaluating the effectiveness of data protection measures and making necessary adjustments.
- Stay Informed and Adapt to Regulatory Changes
As data protection regulations evolve, data fiduciaries should stay updated on changes to the DPDP Act and related guidelines. This proactive approach will help organizations remain compliant and mitigate potential legal risks.
By keeping these key considerations in mind, data fiduciaries can navigate the complexities of the DPDP Act effectively, ensuring they uphold the rights of data principals while maintaining compliance with the law.