DPDP Series 1.4: Data Fiduciary – Obligations

Am I a Data Fiduciary? What Are My Obligations?


Q: How do I know if I am a Data Fiduciary?

If your organisation decides why and how personal data is collected and processed — you are a Data Fiduciary. This includes businesses, hospitals, schools, employers, apps, government bodies, and NGOs. Size does not matter; if you collect personal data of individuals in India, you qualify.


Q: Do I need consent before collecting data?

Yes. Before collecting any personal data, you must give the individual a clear notice describing what data is being collected and why. Consent must be free, specific, informed, and unambiguous.


Q: Can I collect more data than I need? No. You may only collect data that is necessary for the stated purpose. Collecting excess data is a violation of the Act.


Q: How long can I keep the data?

Only as long as the purpose requires. Once the purpose is served or the individual withdraws consent, you must delete the data — unless a law requires you to retain it for a specific period.


Q: What security measures must I put in place?

You must implement reasonable technical and organisational safeguards — including encryption, access controls, monitoring logs, and data backups — to prevent unauthorised access or breaches.


Q: What must I do if there is a data breach?

You must immediately notify the Data Protection Board and every affected individual, describing the nature of the breach, its likely impact, and the steps being taken to contain it.


Q: Must I have a grievance mechanism?

Yes. Every Data Fiduciary must establish an effective grievance redressal system and publish contact details of a person who can respond to Data Principal queries.


Q: What are the penalties for non-compliance?

Penalties can reach up to ₹250 crore for failure to implement security safeguards, and up to ₹200 crore for failure to report a breach — imposed by the Data Protection Board.


Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.

DPDP Series 1.4: Data Fiduciary – Obligations

DPDP Series 1.2: Roles under DPDP Act

Who Am I? Know Your Role Under the DPDP Act


Q: What is a Data Principal?

You are a Data Principal if you are the individual whose personal data is being collected. Every time you fill a form, sign up for an app, or share your details with a business or government portal — you are the Data Principal. You have the right to access, correct, erase your data, and withdraw consent at any time.


Q: What is a Data Fiduciary?

You are a Data Fiduciary if your organisation decides why and how personal data is collected and used. Banks, hospitals, e-commerce platforms, employers, and government bodies are all Data Fiduciaries. You must obtain consent, give prior notice, secure the data, report breaches, and delete data once the purpose is served.


Q: What is a Data Processor?

You are a Data Processor if you handle personal data on behalf of a Data Fiduciary — under a contract, not on your own initiative. Cloud providers, payroll vendors, and IT service companies typically fall here. You follow instructions; the Fiduciary remains legally accountable.


Q: What is a Significant Data Fiduciary?

You are a Significant Data Fiduciary (SDF) if the Central Government notifies you as one — based on the volume or sensitivity of data you process, risk to individuals’ rights, or implications for national security. As an SDF, you must additionally appoint a Data Protection Officer (based in India), conduct annual Data Protection Impact Assessments, and undergo independent data audits.


Q: Can I be more than one?

Yes. A company can be both a Data Fiduciary (for its customers’ data) and a Data Processor (for data it handles on behalf of another business). Roles depend on context, not just who you are.


Q: What if I’m just an individual using data for personal purposes?

The Act does not apply to data processed purely for personal or domestic use. If you’re not collecting data as part of a business or service, you fall outside the Act’s scope.


Disclaimer

The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.

The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.

Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.

The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.

DPDP Series 1.2: Roles under DPDP Act

DPDP Series 1.3: Rights & Duties of the Data Principal

I’m Sharing My Data — What Are My Rights & Duties?


Q: Do I have the right to know what data is collected about me?

Yes. You can request a summary of your personal data being processed, the purpose for which it is used, and the names of all organisations it has been shared with.


Q: Can I correct my data if it’s wrong?

Yes. You have the right to correct inaccurate or incomplete data and to erase data that is no longer needed for the purpose it was collected.


Q: Can I take back my consent?

Yes — at any time. Withdrawing consent must be as easy as giving it. Once withdrawn, the organisation must stop processing your data within a reasonable time.


Q: What if I have a complaint?

Every Data Fiduciary must provide a readily available grievance redressal mechanism. If unresolved, you can escalate your complaint to the Data Protection Board of India.


Q: What happens to my data if I die or become incapacitated?

You can nominate another individual in advance to exercise your data rights on your behalf in the event of your death or incapacity.


Q: Do I have any duties too?

Yes. Rights come with responsibilities. As a Data Principal you must not:

  • Provide false or impersonated information
  • Suppress material information when applying for government documents or benefits
  • File false or frivolous complaints with a Data Fiduciary or the Board
  • Submit unverifiable information when requesting correction or erasure

Breach of these duties can attract a penalty of up to ₹10,000.


Q: Can a child exercise these rights?

A minor’s rights are exercised by their parent or lawful guardian. Organisations must obtain verifiable parental consent before collecting a child’s data, and cannot track, monitor, or target advertising at children.


DPDP Series 1.3: Rights & Duties of the Data Principal