Responsibilities of Data Fiduciaries under Digital Personal Data Protection Act

“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

Explanation:

A Data Fiduciary is essentially the entity or individual that decides why and how personal data is processed. This includes decisions about:

  • The purpose (e.g., for providing a service, conducting a survey, fulfilling legal obligations),
  • The means (e.g., using specific technologies, storing data on servers, sharing data with vendors).

Examples of Data Fiduciaries

  • A bank collecting customer KYC details
  • An e-commerce platform processing user addresses for deliveries
  • A hospital storing patient medical records digitally
  • A government department collecting citizen data for welfare schemes
  • A company collecting employees’ personal data such as name, address, phone number, PAN, Aadhaar details, bank account details, health information, family details, etc.

Under the Digital Personal Data Protection Act, 2023 (DPDP Act) in India, a Data Fiduciary plays a central role in ensuring the lawful and responsible processing of personal data. Here’s a summary of the key responsibilities of a Data Fiduciary under the Act and the draft rules (as of May 2025):

Key Responsibilities of a Data Fiduciary

  1. Lawful Purpose of Processing
  • Process personal data only for lawful purposes that are:
    • Consented to by the Data Principal (individual), or
    • Permitted under legitimate use as defined under the Act (e.g., compliance with law, medical emergencies, employment, etc.)

  2. Consent Management
  • Obtain valid, informed, and specific consent from data principals before processing their data.
  • Provide the option for data principals to withdraw consent at any time.
  • Ensure consent notices are clear, in plain language, and available in multiple languages (as prescribed).

  3. Notice Obligations
  • Provide notice to data principals at the time of data collection, stating:
    • Purpose of processing
    • Nature and type of personal data being collected
    • Rights of the data principal
    • Details of cross-border transfer (if any)

  4. Data Minimization and Purpose Limitation
  • Collect only such personal data as is necessary and relevant for the intended purpose.
  • Do not retain personal data beyond the period necessary for the stated purpose, unless mandated by law.

  5. Accuracy of Data
  • Ensure that the personal data processed is accurate and kept up to date.

  6. Security Safeguards
  • Implement reasonable security safeguards to prevent:
    • Unauthorized access
    • Breach of confidentiality
    • Alteration or destruction of personal data

  7. Grievance Redressal Mechanism
  • Establish a grievance redressal system for data principals.
  • Ensure grievances are addressed within 7 days.

  8. Reporting Data Breaches
  • Report personal data breaches to the Data Protection Board of India (DPBI) and affected individuals as soon as possible.

  9. Data Principal Rights Fulfilment
  • Facilitate data principals’ rights:
    • Right to access information about their personal data
    • Right to correction and erasure
    • Right to withdraw consent
    • Right to nominate a person to exercise rights in case of incapacity or death

  10. Children’s Data & Data of Persons with Disabilities
  • Obtain verifiable parental consent for processing data of children (below 18 years) and ensure no harmful tracking or targeted advertising.
  • Ensure appropriate consent from legal guardians for persons with disabilities.

  11. Cross-border Data Transfers
  • Permitted unless restricted by the Central Government through notification (blacklist mechanism).

  12. Retention Policies
  • Cease retention of personal data once the purpose is fulfilled and no legal requirement exists for further storage.

 

Additional Obligations for Significant Data Fiduciaries (SDFs)

The government may notify certain entities as Significant Data Fiduciaries based on criteria such as volume and sensitivity of data processed, and risk to rights of individuals.

They have additional obligations:

  • Appoint a Data Protection Officer (DPO) in India.
  • Conduct periodic Data Protection Impact Assessments (DPIA).
  • Undertake audits and risk assessments.
  • Maintain records of processing activities.

Governance & Penalties

  • Non-compliance can result in financial penalties imposed by the Data Protection Board of India. For instance:
    • Failure to protect personal data: up to ₹250 crore.
    • Failure to notify breach: up to ₹200 crore.