Data Fiduciary vs. Data Processor under the Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) creates two central roles in the personal data ecosystem – Data Fiduciary and Data Processor. Understanding how these two differ is crucial for compliance, contract drafting, and risk allocation within any organisation handling personal data in India.

At a broad level, a Data Fiduciary is the entity that decides why and how personal data will be processed. A Data Processor, on the other hand, implements processing operations strictly as instructed by the Data Fiduciary and does not independently decide the purpose or means of processing.

This distinction directly influences:

  • Who is primarily answerable under the Digital Personal Data Protection Act, 2023
  • Who must issue breach notifications and to whom
  • Who bears exposure to statutory penalties
  • How contractual protections, indemnities, and data deletion obligations are structured

Core Conceptual Distinction

Data Fiduciary: The Decision-Maker and Primary Accountable Entity

The Data Fiduciary is at the heart of the compliance framework under the Digital Personal Data Protection Act, 2023. It:

  • Determines the purposes for which personal data will be collected and used (the “why”)
  • Decides the essential means of processing (the “how”), including what categories of data will be processed, which individuals’ data will be collected, and for what duration
  • Interacts directly with the individual whose data is processed (the Data Principal)
  • Bears direct statutory responsibility for compliance with the Act, even when it outsources processing activities to a Data Processor; this includes the duty to take reasonable security safeguards over personal data processed on its behalf by a Data Processor, and the duty to notify the Data Protection Board and each affected Data Principal of a personal data breach

In practice, an assessee that offers services or products to individuals, collects their personal data, and decides the business objectives for which such data is used, will almost always be treated as a Data Fiduciary.

Data Processor: The Service Provider Working on Instructions

A Data Processor, in contrast, is essentially a service provider that processes personal data only on behalf of and as directed by the Data Fiduciary. Key aspects include:

  • It does not determine the purpose of processing
  • It does not exercise independent discretion over how personal data will be used, except in a limited technical or operational sense as permitted by contract
  • It has no direct legal relationship with the Data Principal in terms of rights under the Digital Personal Data Protection Act, 2023
  • Its obligations primarily arise from a binding contract with the Data Fiduciary

The Act’s architecture makes the Data Fiduciary the central point of accountability. Its contractual arrangements with Data Processors can allocate operational responsibility and commercial risk (indemnities, security standards, audit rights, erasure on instruction), but they do not shift the statutory accountability away from the Data Fiduciary.

Role and Function: Who Does What?

Role of the Data Fiduciary

The Data Fiduciary’s role is strategic and governance-oriented. It:

  • Frames the privacy framework and internal policies for the organisation
  • Chooses the lawful basis for processing personal data (under the Act, the Data Principal’s consent or one of the specified legitimate uses)
  • Decides what information notices, consent mechanisms, and privacy disclosures will say
  • Selects and appoints Data Processors, and determines the scope of their engagement

For instance, if an assessee, Sharma & Co., runs an online platform, Sharma & Co. would typically be the Data Fiduciary for its users’ and employees’ personal data. It would define why the data is collected (e.g., account creation, billing, fraud detection) and how it may be shared with third parties.

Role of the Data Processor

The Data Processor focuses on execution of processing operations on the personal data supplied or made accessible by the Data Fiduciary. A Data Processor may:

  • Host and store personal data on servers
  • Provide analytics, CRM, or HRMS services
  • Offer API-based tools that integrate with the Data Fiduciary’s systems to process personal data

A typical example would be a cloud-based HR software vendor that processes employee data of various clients. The vendor will be a Data Processor, while each client assessee will be the Data Fiduciary for its employees’ data.

Important: The Data Processor’s role is restricted to what the contract and the instructions of the Data Fiduciary permit. A Data Processor that starts deciding its own purposes for the personal data (for example, using client data to train its own products without instruction) is no longer acting merely as a processor for that activity, and should expect to be treated as a Data Fiduciary in respect of it.