Introduction
The Digital Personal Data Protection Act 2023 introduces the term 'Data Fiduciary' as the central concept around which the entire compliance framework is built. If your organisation collects or processes personal data of Indian citizens for any purpose, you are almost certainly a Data Fiduciary — and that classification comes with significant legal obligations.
Understanding exactly what a Data Fiduciary is, how it differs from a Data Processor, and what obligations it carries is the essential first step to building your DPDP compliance programme.
Definition of a Data Fiduciary
Under Section 2(i) of the DPDP Act, a Data Fiduciary is defined as 'any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.'
In plain language: if your organisation decides WHY personal data is collected and HOW it is used, you are a Data Fiduciary. This applies regardless of whether you actually carry out the processing yourself or engage a third party to do it on your behalf.
Examples of Data Fiduciaries
- An e-commerce platform that collects customer names, addresses, and payment details to process orders
- A hospital that collects patient health records for medical treatment
- A bank that processes customer KYC data for account opening
- An HR software company that processes employee data on behalf of its client companies
- A mobile app that collects location data and usage behaviour for service improvement
Data Fiduciary vs Data Processor — Key Difference
These two roles are frequently confused. The distinction is critical because they carry different legal obligations.
| Aspect | Data Fiduciary | Data Processor |
|---|---|---|
| Decision-making | Determines purpose and means of processing | Processes data only on instructions from Fiduciary |
| Legal liability | Primary — directly accountable under DPDP Act | Secondary — contractual obligations to Fiduciary |
| Consent | Must obtain valid consent from Data Principal | Cannot obtain consent independently |
| Examples | Banks, hospitals, e-commerce platforms, SaaS companies | Cloud providers, payroll processors, analytics vendors |
| Obligations | Full set of DPDP Act obligations | Limited to security and contractual compliance |
A single organisation can be both a Data Fiduciary and a Data Processor simultaneously — for example, a payroll company is a Processor for its clients' employee data, but a Fiduciary for its own employees' data.
Significant Data Fiduciaries — Enhanced Obligations
The DPDP Act creates a special category called Significant Data Fiduciaries (SDFs). The Indian government will notify which organisations qualify based on factors including the volume and sensitivity of data processed, risk to Data Principals, and implications for national security.
Significant Data Fiduciaries face additional obligations beyond standard Data Fiduciaries:
- Appointment of a Data Protection Officer (DPO) based in India
- Appointment of an independent data auditor
- Conduct of periodic Data Protection Impact Assessments (DPIAs)
- Additional algorithmic accountability requirements
- Restrictions on cross-border data transfers
Core Obligations of a Data Fiduciary
Notice and Consent
Before or at the time of collecting personal data, a Data Fiduciary must provide clear notice about the purpose of processing and obtain free, specific, informed, unconditional, and unambiguous consent. Pre-ticked boxes and bundled consent are explicitly invalid.
Purpose Limitation
Personal data collected for a specific purpose cannot be used for any other purpose without obtaining fresh consent. This applies even to data already in your possession — if you want to use customer purchase data for a new personalisation programme, you need new consent.
Data Minimisation
You may only collect personal data that is strictly necessary for the stated purpose. Collecting 'nice to have' data or building data lakes without a specific processing purpose is non-compliant.
Storage Limitation
Personal data must be erased once the purpose for which it was collected has been fulfilled, unless legal or regulatory requirements mandate retention. Data Fiduciaries must establish clear retention schedules and automated deletion mechanisms.
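The Notice and Consent, Purpose Limitation and Storage Limitation obligations above translate directly into checks a system can enforce. The following Python example is added here to illustrate that; it is not code from the original article or from Vedtam. It assumes a simple consent ledger with one record per Data Principal and purpose (so consent cannot be bundled), a per-purpose retention schedule whose periods are constructed sample values rather than figures from the Act, and a set of legal holds that override deletion.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period per noticed purpose. Constructed example values: the Act
# does not fix periods; each Data Fiduciary sets them in its own schedule.
RETENTION_SCHEDULE = {
    "order_fulfilment": timedelta(days=180),
    "account_servicing": timedelta(days=365),
    "marketing": timedelta(days=90),
}


@dataclass(frozen=True)
class Consent:
    """One consent record per principal and purpose, so consent cannot be bundled."""
    principal_id: str
    purpose: str
    given_at: datetime
    explicit_opt_in: bool                  # False means the box was pre-ticked
    fulfilled_at: datetime | None = None   # when the purpose was completed
    withdrawn_at: datetime | None = None   # when the principal withdrew consent


def consent_is_valid(c: Consent, now: datetime) -> bool:
    """Consent counts only if it was an affirmative act, for a purpose that was
    noticed to the principal (i.e. appears in the schedule), and not withdrawn."""
    if not c.explicit_opt_in or c.purpose not in RETENTION_SCHEDULE:
        return False
    if c.withdrawn_at is not None and c.withdrawn_at <= now:
        return False
    return c.given_at <= now


def may_process(ledger: list[Consent], principal_id: str, purpose: str, now: datetime) -> bool:
    """Purpose limitation: processing is allowed only under valid consent that
    names this exact purpose. Consent for one purpose never extends to another."""
    return any(
        c.principal_id == principal_id and c.purpose == purpose and consent_is_valid(c, now)
        for c in ledger
    )


def retention_expired(c: Consent, now: datetime) -> bool:
    """The retention clock starts when the purpose is fulfilled or consent is
    withdrawn, whichever comes first. Consent that was never valid (pre-ticked
    or for an un-noticed purpose) justifies no retention at all."""
    if not c.explicit_opt_in or c.purpose not in RETENTION_SCHEDULE:
        return True
    ends = [t for t in (c.fulfilled_at, c.withdrawn_at) if t is not None]
    if not ends:
        return False  # purpose still live under valid consent: keep the data
    return min(ends) + RETENTION_SCHEDULE[c.purpose] <= now


def erasure_due(ledger: list[Consent], principal_id: str, now: datetime,
                legal_holds: frozenset[str] = frozenset()) -> bool:
    """Storage limitation: erase once no purpose with unexpired retention
    remains, unless a legal or regulatory hold requires keeping the data.
    A principal with no consent record at all is due for erasure immediately."""
    if principal_id in legal_holds:
        return False
    return all(retention_expired(c, now) for c in ledger if c.principal_id == principal_id)


def ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample ledger: principal ids, dates and holds are invented for the demo.
NOW = ts(2025, 6, 1)
LEGAL_HOLDS = frozenset({"p-003"})  # e.g. a regulator has asked that p-003's data be kept
LEDGER = [
    Consent("p-001", "order_fulfilment", ts(2024, 11, 1), True, fulfilled_at=ts(2024, 11, 20)),
    Consent("p-001", "marketing", ts(2024, 11, 1), explicit_opt_in=False),  # pre-ticked box
    Consent("p-002", "account_servicing", ts(2025, 1, 15), True),            # purpose still live
    Consent("p-003", "marketing", ts(2025, 1, 1), True, withdrawn_at=ts(2025, 2, 1)),
]

if __name__ == "__main__":
    for pid in ("p-001", "p-002", "p-003", "p-999"):
        print(pid, "marketing allowed:", may_process(LEDGER, pid, "marketing", NOW),
              "| erasure due:", erasure_due(LEDGER, pid, NOW, LEGAL_HOLDS))
```

Running it shows the three rules interacting: p-001's pre-ticked marketing consent never authorises processing, and once the order purpose's retention has run out the principal's data falls due for erasure; p-002 holds consent for account servicing only, so a marketing use is refused without fresh consent; p-003 withdrew consent and the retention window has lapsed, but the legal hold keeps the record until the hold is lifted.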
Security Safeguards
Data Fiduciaries must implement appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. This includes encryption, access controls, audit logging, and incident response capabilities.
Grievance Redressal
Every Data Fiduciary must provide a mechanism for Data Principals to raise grievances about how their data is handled, with defined response timelines.
Children's Data — Special Obligations
- Verifiable parental consent is required before processing children's data
- Tracking and behavioural monitoring of children is prohibited
- Targeting children with advertising based on profiling is prohibited
- Processing that is likely to harm the wellbeing of children is prohibited
Organisations operating platforms, apps, or services that could be accessed by minors must implement age verification mechanisms — the Act places the compliance burden squarely on the Data Fiduciary.
Cross-Border Data Transfers
The DPDP Act takes a permissive approach to cross-border data transfers by default — transfers are permitted unless the Indian government restricts transfers to specific countries. However, Data Fiduciaries must ensure that any transfer complies with the Act's security obligations, and that Data Processors in recipient countries are bound by appropriate contractual safeguards.
Penalties for Data Fiduciaries
The Data Protection Board of India has the authority to impose substantial financial penalties on Data Fiduciaries for violations. Penalties up to ₹250 crore can be imposed for security failures leading to breaches, and up to ₹50 crore for failing to honour Data Principal rights. Repeated or systemic violations can result in cumulative penalties.
How to Determine if You Are a Data Fiduciary
- Do you decide WHY personal data is collected from individuals?
- Do you decide HOW that data is used, stored, or shared?
- Do you engage third parties to process personal data on your behalf?
- Do you collect data from individuals directly — through a website, app, or service?
If you answered yes to any of these questions, your organisation is a Data Fiduciary and the full obligations of the DPDP Act apply to you.
How Vedtam Can Help
Navigating the Data Fiduciary obligations under the DPDP Act requires a structured compliance approach that covers legal interpretation, technical implementation, and operational change. Vedtam's DPDP Act Consulting Services help organisations at every stage — from understanding their obligations to implementing compliant data governance frameworks.
Visit vedtam.com/consulting/dpdp-act-consulting-services/ to learn more or schedule a free consultation.
Schedule a free DPDP compliance consultation: vedtam.com/contact/ | info@vedtam.com | +91 98915 55588
Published by Vedtam Cybersecurity Team | Vedtam Tech Solutions, Ghaziabad, India