Who Am I? Know Your Role Under the DPDP Act

---

Q: What is a Data Principal?

You are a Data Principal if you are the individual whose personal data is being collected. Every time you fill a form, sign up for an app, or share your details with a business or government portal — you are the Data Principal. You have the right to access, correct, erase your data, and withdraw consent at any time.

---

Q: What is a Data Fiduciary?

You are a Data Fiduciary if your organisation decides why and how personal data is collected and used. Banks, hospitals, e-commerce platforms, employers, and government bodies are all Data Fiduciaries. You must obtain consent, give prior notice, secure the data, report breaches, and delete data once the purpose is served.

---

Q: What is a Data Processor?

You are a Data Processor if you handle personal data on behalf of a Data Fiduciary — under a contract, not on your own initiative. Cloud providers, payroll vendors, and IT service companies typically fall here. You follow instructions; the Fiduciary remains legally accountable.

---

Q: What is a Significant Data Fiduciary?

You are a Significant Data Fiduciary (SDF) if the Central Government notifies you as one — based on the volume or sensitivity of data you process, risk to individuals’ rights, or implications for national security. As an SDF, you must additionally appoint a Data Protection Officer (based in India), conduct annual Data Protection Impact Assessments, and undergo independent data audits.

---

Q: Can I be more than one?

Yes. A company can be both a Data Fiduciary (for its customers’ data) and a Data Processor (for data it handles on behalf of another business). Roles depend on context, not just who you are.

---

Q: What if I’m just an individual using data for personal purposes?

The Act does not apply to data processed purely for personal or domestic use. If you’re not collecting data as part of a business or service, you fall outside the Act’s scope.

---

Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.