Introduction
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), one question determines the scale of your compliance obligations:
Are you a Data Fiduciary, a Data Processor, or both?
Many organisations answer this confidently — and incorrectly.
A company using a third-party visitor management system may assume it is “just a user.” A SaaS provider may assume responsibility lies entirely with customers. Both assumptions are incomplete.
Section 8 of the DPDP Act makes one thing clear: a Data Fiduciary remains accountable for processing carried out on its behalf by a Data Processor.
Understanding your role is the starting point of compliance.
The Three Roles Under the DPDP Act
Data Principal
The individual whose personal data is being processed.
In workplace contexts, this may include:
- Visitors checking in at reception
- Employees using attendance systems
- Contractors entering through gate systems
- Delivery personnel logging access records
Data Principals have enforceable rights under the Act:
- Access
- Correction
- Erasure
- Grievance redressal
- Nomination
- Withdrawal of consent
Organisations owe obligations directly to Data Principals.
Data Fiduciary
A Data Fiduciary is the entity that determines the purpose and means of processing personal data.
Three elements define this role:
- Determines — exercises decision-making authority
- Purpose — decides why the data is collected
- Means — decides how the data is processed
If your organisation decides:
- What data to collect
- Why to collect it
- Which tools to use
- How long to retain it
You are the Data Fiduciary.
Most businesses fall into this category.
Data Processor
A Data Processor processes personal data on behalf of a Data Fiduciary.
The Processor:
- Does not determine the purpose
- Does not independently decide how data is used
- Acts under instructions
Typical examples:
- SaaS vendors
- Cloud hosting providers
- Payroll processing companies
- IT managed services firms
The Processor handles data — but does not control its purpose.
Why the Distinction Matters
Section 8(1) of the DPDP Act establishes non-delegable accountability.
A Data Fiduciary is responsible for compliance in respect of processing carried out:
- By itself
- Or on its behalf by a Data Processor
This creates vicarious liability.
If your vendor suffers a breach, fails to delete data, or misuses information — the Data Protection Board of India (DPBI) will hold you accountable as the Fiduciary.
Vendor selection and contract design are therefore compliance-critical.
When You Are a Data Fiduciary
You are a Data Fiduciary if:
- You collect personal data for your own business operations
- You decide the purpose of processing
- You choose the processing tools
- You instruct vendors on how data should be handled
Examples:
- Corporate offices managing visitor check-ins
- Manufacturing plants managing gate pass systems
- HR departments managing employee attendance
- Co-working spaces tracking member bookings
- Hospitals logging patient entries
If the decision-making authority sits with you, you are the Fiduciary.
When You Are a Data Processor
You are a Data Processor if:
- You process personal data strictly under another organisation’s instructions
- You cannot repurpose the data independently
- You provide infrastructure or services, not decision-making
Examples:
- Visitor management SaaS platforms
- Cloud infrastructure providers
- Payroll outsourcing firms
- Managed IT providers
You act on behalf of a Fiduciary.
When You Are Both
Many organisations operate in dual capacity.
For example:
- A SaaS platform processes enterprise customer data (Processor role)
- The same SaaS company collects its own user account and billing data (Fiduciary role)
These roles exist simultaneously.
Each role carries distinct obligations.
Failure to recognise dual status leads to compliance gaps.
Core Obligations of a Data Fiduciary
If you are a Data Fiduciary, your obligations include:
Privacy Notice
Provide a standalone, plain-language privacy notice in English or any Eighth Schedule language.
It must specify:
- Data collected
- Purpose
- Withdrawal mechanism
- Rights mechanism
- DPBI complaint pathway
Valid Consent
Consent must be:
- Free
- Specific
- Informed
- Unconditional
- Unambiguous
No pre-ticked boxes or bundled consent.
Security Safeguards
Implement safeguards under Section 8 and Rule 6:
- Encryption
- Role-based access control
- Multi-factor authentication
- Audit logs (minimum one-year retention)
- Breach response plan
Breach Reporting
All personal data breaches must be reported:
- Initial intimation without delay
- Full report within 72 hours
- Notification to affected individuals
Retention and Deletion
- Retain data only while purpose is served
- Define retention schedules
- Automate deletion
- Provide advance notice before erasure (where applicable)
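As an added illustration (not code from the article or from Onfra), the following Python sketch shows one way to put a retention schedule into practice: each record is tied to the date its purpose was served, a per-category retention period decides the erasure date, records entering an advance-notice window are flagged for notification, and records whose period has lapsed are flagged for deletion. The category names, retention periods, notice lead time and the `legal_hold` flag are assumptions chosen for the example, not values taken from the Act, the Rules or this article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule in days per data category.
# These figures are assumptions for illustration only.
RETENTION_DAYS = {
    "visitor_checkin": 90,
    "employee_attendance": 365,
    "gate_pass": 180,
}

# Assumed lead time for the advance notice sent before erasure.
NOTICE_LEAD_DAYS = 14


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_completed_on: date  # date the purpose was served (e.g. visit ended)
    legal_hold: bool = False    # hypothetical flag: retention required by a dispute or other legal reason


def erasure_date(record: Record) -> date:
    """Erasure date = purpose-completion date + the category's retention period."""
    if record.category not in RETENTION_DAYS:
        # A record with no defined schedule must not silently be kept forever.
        raise ValueError(f"no retention schedule for category {record.category!r}")
    return record.purpose_completed_on + timedelta(days=RETENTION_DAYS[record.category])


def classify(records, today: date):
    """Split records into (to_notify, to_delete, retained) id lists as of `today`.

    - to_delete: retention period has lapsed and no legal hold applies
    - to_notify: erasure is due within NOTICE_LEAD_DAYS, so advance notice goes out
    - retained:  still within the retention period, or under legal hold
    """
    to_notify, to_delete, retained = [], [], []
    for r in records:
        if r.legal_hold:
            retained.append(r.record_id)
            continue
        due = erasure_date(r)
        if today >= due:
            to_delete.append(r.record_id)
        elif today >= due - timedelta(days=NOTICE_LEAD_DAYS):
            to_notify.append(r.record_id)
        else:
            retained.append(r.record_id)
    return to_notify, to_delete, retained


def example_records():
    # Constructed sample data for the demonstration.
    return [
        Record("v-001", "visitor_checkin", date(2025, 2, 1)),            # 90 days lapsed
        Record("v-002", "visitor_checkin", date(2025, 3, 5)),            # erasure due 2025-06-03
        Record("a-001", "employee_attendance", date(2025, 1, 1)),        # retained until 2026-01-01
        Record("g-001", "gate_pass", date(2024, 12, 1), legal_hold=True),  # held despite lapse
    ]


def run_example():
    """Run the classification for a fixed 'today' so the result is reproducible."""
    return classify(example_records(), today=date(2025, 6, 1))


if __name__ == "__main__":
    notify, delete, keep = run_example()
    print("notify:", notify)   # ['v-002']
    print("delete:", delete)   # ['v-001']
    print("retain:", keep)     # ['a-001', 'g-001']
```

In a real deployment the `to_delete` list would drive the actual erasure job (including backups, as the Processor obligations below require), and the `to_notify` list would feed whatever channel is used for the advance notice; the legal-hold check is there so that an automated schedule never erases data an organisation is separately required to keep.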
Data Principal Rights
- Publish a contact mechanism
- Respond within 90 days
- Make withdrawal of consent as easy as giving consent
Processor Oversight
- Execute Data Processing Agreements
- Ensure Rule 6 safeguards are implemented
- Define breach notification SLAs
- Establish audit rights
- Flow obligations to sub-processors
Core Obligations of a Data Processor
Although the Act places primary obligations on Fiduciaries, Processors must:
Process Only Under Instruction
No independent use of data without authorisation.
Implement Security Safeguards
Meet Rule 6 standards contractually and technically.
Notify Fiduciary of Breaches
Immediate notification to enable 72-hour reporting.
Support Data Principal Rights
Assist Fiduciaries in fulfilling access, correction, and erasure requests.
Delete on Instruction
Erase data when instructed, including backup data within reasonable timelines.
The Data Processing Agreement (DPA)
The DPA is the operational backbone of Processor compliance.
A DPDP-compliant DPA should include:
- Scope limitation clause
- Security safeguard obligations
- Breach notification timeline
- Data Principal rights support
- Deletion on instruction
- Sub-processor disclosure
- Audit rights
- India governing law and jurisdiction
A DPA is not optional.
Rule 6 effectively mandates contractual enforcement of safeguards across the supply chain.
Practical Illustrations
Corporate Office Using SaaS
- Corporate entity: Data Fiduciary
- SaaS provider: Data Processor
- Visitors: Data Principals
The corporate entity must issue notice, obtain consent, define retention, and ensure the SaaS vendor is contractually compliant.
Manufacturing Plant Gate System
- Plant operator: Data Fiduciary
- Gate software vendor: Data Processor
- Drivers and contractors: Data Principals
The plant must issue gate-level notices, define retention schedules, and enforce DPDP safeguards via vendor contracts.
SaaS Provider Model
- Acts as Processor for enterprise customers
- Acts as Fiduciary for its own internal operational data
Dual compliance frameworks must operate in parallel.
The Bottom Line
Your role under the DPDP Act is determined by who decides the purpose and means of processing.
If that is you, you are a Data Fiduciary — and primary accountability rests with you.
If you process under someone else’s instructions, you are a Data Processor — and your obligations flow contractually and operationally from that role.
If you operate in both capacities, you must comply in both.
This distinction determines:
- Your compliance obligations
- Your vendor management requirements
- Your budget allocation
- Your exposure to regulatory scrutiny
- Your potential liability — up to ₹250 crore per violation
Clarity on role is the foundation of compliance.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection professional for specific compliance guidance.
Onfra operates as a DPDP-compliant Data Processor for enterprise customers, with Rule 6 security safeguards and structured Data Processing Agreements built into the platform.