Obligations of Data Fiduciaries under DPDP Act 2023

Blog | Company Law | 4 Min Read | By Taxmann | Last Updated on 4 May, 2025

Data Fiduciaries

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), a Data Fiduciary refers to any person who determines the purpose and means of processing personal data. In simpler terms, it is the entity (individual, company, or organisation) that decides why and how an individual's personal data is collected, used, stored, or shared.

Table of Contents

  1. Concept of Fiduciary Duty
  2. Baseline Obligations Table
  3. Reasonable Security – Minimum Benchmark
  4. Processing of Personal Children’s Data – Section 9
  5. Significant Data Fiduciaries – Section 10
  6. Cross‑border Transfers – Operational Safeguard
  7. Vendor & Processor Management
  8. Record‑keeping & Documentation
  9. Liability & Penalties Recap
  10. Implementation Roadmap
  11. Conclusion

1. Concept of Fiduciary Duty

The Act deliberately adopts the term “fiduciary”—a trustee of another’s interest. Section 8 enumerates the baseline duties, while Sections 9 and 10 augment them for children’s data and Significant Data Fiduciaries (SDFs) respectively.

2. Baseline Obligations Table

| Obligation | Statutory Source | Practical Implementation |
| --- | --- | --- |
| Valid Notice & Consent | Sec 6 + Rules | Multilingual banner → affirmative checkbox → withdrawal toggle. |
| Processing of Personal Data with Data Principal’s Consent | Sec 4(1)(a) | Data‑mapping matrix linking each dataset to a documented purpose. |
| Processing of Personal Data for Legitimate Uses | Sec 4(1)(b) | Collect only fields marked “strictly necessary”; periodic review to prune extras. |
| Security Safeguards to prevent personal data breach | Sec 8(5) | ISO/NIST controls – MFA, encryption, SIEM, DLP, vendor risk management. |
| Personal Data Breach Notification | Sec 8(6) | 24×7 incident‑response team; template notice to DPB + individuals within X hrs. |
| Rights of Data Principal | Sec 11–14 | Rights‑management module, SLA dashboards, reconciliation logs. |
| Grievance Redressal Mechanism | Sec 13 | Display Grievance Officer details, ticketing system; 30‑day resolution. |


3. Reasonable Security – Minimum Benchmark

  • Technical – encryption at rest & in transit, patch management, network segmentation, EDR.
  • Organisational – privacy‑by‑design policy, least‑privilege access, background checks, NDAs.
  • Testing – quarterly vulnerability scans, annual penetration tests, red‑team drills.
  • Third‑party Oversight – DPIAs for new vendors, contractual security clauses, right to audit.

Failure to implement reasonable safeguards is penalised by up to ₹250 crore if it leads to a breach.

4. Processing of Personal Children’s Data – Section 9

| Requirement | Details |
| --- | --- |
| Parental consent for processing Children’s personal data | Obtain via a verifiable method (OTP to the parent’s Aadhaar‑linked mobile, digital locker sign). |
| No behavioural tracking of Children’s data | Disable analytics & profiling cookies for accounts flagged < 18 yrs. |
| No targeted advertising to Children | Serve only contextual ads, or none, to minors. |
| Detriment test for assessing impact of data processing on Children | Processing must not be likely to cause “any detrimental effect” on child well‑being. |

Penalty for breach: up to ₹200 crore.


5. Significant Data Fiduciaries – Section 10

Designation criteria (illustrative; the Govt will notify specifics) –

  • ≥ 10 million Data Principals, or
  • Large‑scale processing of financial, health or biometric data, or
  • Platforms with systemic societal impact (social network, digital bank).

Extra Duties

  1. Data Protection Officer (DPO) – a senior employee based in India reporting to the board; contact details published in the privacy notice.
  2. Data Protection Impact Assessment (DPIA) – assess necessity, proportionality, and mitigation prior to high‑risk processing.
  3. Annual Independent Audit – by a DPB‑approved auditor; file a summary or “Data‑Trust Score”.
  4. Grievance SLA – likely tighter (e.g., resolve within 7 days).
  5. Record of Processing Activities (RoPA) – detailed inventory available for DPB inspection.

Non‑compliance attracts a penalty of up to ₹150 crore.

6. Cross‑border Transfers – Operational Safeguard

Until Govt issues the “negative list”, fiduciaries may transfer personal data abroad provided they –

  • Obtain consent (or rely on the Sec 7 ground);
  • Execute contractual clauses ensuring onward protection;
  • Map data flows in DPIA (if SDF).

Transfers to any country subsequently black‑listed must cease within the transition period.

7. Vendor & Processor Management

Although Processors are not directly regulated, Fiduciaries must –

  1. Contractually bind processors to DPDP‑equivalent controls.
  2. Monitor & audit – periodic security reviews.
  3. Flow‑down breach notification obligation—processor must alert Fiduciary within X hrs of incident.

Regulator will treat processor negligence as a Fiduciary’s breach.

8. Record‑keeping & Documentation

  • Retention schedule aligned with statutory obligations (Income tax 6 yrs, Companies Act 8 yrs, etc.).
  • Consent logs – versioning, language, timestamp.
  • Right‑request log – date, nature, outcome, TAT.
  • Training logs – annual privacy‑awareness certificates for staff.
  • Vendor register – risk tier, last audit date.
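As an added illustration (not part of the post or any Taxmann material), a small Python sketch of two of the records listed above: an append‑only consent log that keeps notice version, language and timestamps and answers the point‑in‑time question “was consent live when this processing happened?”, plus a turnaround‑time check for rights requests against the 30‑day grievance target. The SLA constant, field names and sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional
GRIEVANCE_SLA_DAYS = 30   # 30-day grievance resolution target from the Sec 13 row above

@dataclass
class ConsentRecord:
    """One consent event: which notice version, in which language, given when."""
    principal_id: str
    purpose: str
    notice_version: str
    language: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None   # stamped on withdrawal; the record is never deleted

class ConsentLog:
    def __init__(self) -> None:
        self.records: list[ConsentRecord] = []   # append-only: withdrawal adds a timestamp, never deletes

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> int:
        """Stamp withdrawn_at on every live consent for principal/purpose; return how many."""
        live = [r for r in self.records if r.principal_id == principal_id
                and r.purpose == purpose and r.withdrawn_at is None]
        for r in live:
            r.withdrawn_at = at
        return len(live)

    def may_process(self, principal_id: str, purpose: str, at: datetime) -> bool:
        """Point-in-time check: a consent given by `at` and not withdrawn at `at` must exist."""
        return any(r.principal_id == principal_id and r.purpose == purpose and r.given_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at) for r in self.records)

def turnaround_days(received: date, closed: Optional[date], today: date) -> int:
    """Rights-request TAT: days to closure, or days open so far if still pending."""
    return ((closed or today) - received).days

def sla_breached(received: date, closed: Optional[date], today: date) -> bool:
    return turnaround_days(received, closed, today) > GRIEVANCE_SLA_DAYS

def demo() -> dict:
    """Constructed sample data, not real records: one consent given, later withdrawn."""
    log = ConsentLog()
    t0, t1 = datetime(2025, 1, 10, tzinfo=timezone.utc), datetime(2025, 3, 1, tzinfo=timezone.utc)
    log.records.append(ConsentRecord("p-001", "marketing", "notice-v2", "hi", t0))
    before = log.may_process("p-001", "marketing", t1)
    log.withdraw("p-001", "marketing", t1)
    return {"before_withdrawal": before,
            "after_withdrawal": log.may_process("p-001", "marketing", t1),
            "open_request_breached": sla_breached(date(2025, 4, 1), None, date(2025, 5, 4)),
            "closed_request_tat": turnaround_days(date(2025, 4, 1), date(2025, 4, 20), date(2025, 5, 4))}
```

Because withdrawal stamps a time rather than deleting the row, the log can still show that processing before the withdrawal was lawful, which is the evidence a breach inquiry or rights dispute will ask for.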

9. Liability & Penalties Recap

| Failure | Max Penalty (₹) | Section |
| --- | --- | --- |
| No security safeguards to prevent a personal data breach | 250 cr | 8(5) + Sch. |
| Personal Data Breach | 200 cr | 8(6) + Sch. |
| Children’s data violation | 200 cr | 9 + Sch. |
| SDF extra‑duty breach | 150 cr | 10 + Sch. |
| Any other breach | 50 cr | Sch. |

DPB also has the power to –

  • Issue warning & remediation orders.
  • Accept voluntary undertaking (if rectified).
  • Recommend blocking access to non‑compliant platform (extreme cases).

10. Implementation Roadmap

| Phase | Action Items |
| --- | --- |
| 0–3 months | Appoint privacy lead, map data flows, gap‑analyse consent flows, and draft retention schedule. |
| 4–6 months | Build rights portal, implement breach‑response runbook, vendor contract updates, and staff training. |
| 6–12 months | Conduct security uplift, penetration testing, DPIA for new projects, and board‑level reporting. |
| Annual | Independent audit (SDF) or self‑assessment (others); review policies against updated Rules. |

11. Conclusion

The DPDP Act elevates privacy to a boardroom compliance priority. Early, good‑faith implementation of these obligations not only mitigates fines but also strengthens consumer trust and global competitiveness, especially for cross‑border, data‑intensive industries.


Disclaimer: The content/information published on the website is only for general information of the user and shall not be construed as legal advice. While the Taxmann has exercised reasonable efforts to ensure the veracity of information/content published, Taxmann shall be under no liability in any manner whatsoever for incorrect information, if any.

Taxmann Publications has a dedicated in-house Research & Editorial Team. This team consists of a team of Chartered Accountants, Company Secretaries, and Lawyers. This team works under the guidance and supervision of editor-in-chief Mr Rakesh Bhargava.

The Research and Editorial Team is responsible for developing reliable and accurate content for the readers. The team follows the six-sigma approach to achieve the benchmark of zero error in its publications and research platforms. The team ensures that the following publication guidelines are thoroughly followed while developing the content:

  • The statutory material is obtained only from the authorized and reliable sources
  • All the latest developments in the judicial and legislative fields are covered
  • Prepare the analytical write-ups on current, controversial, and important issues to help the readers to understand the concept and its implications
  • Every content published by Taxmann is complete, accurate and lucid
  • All evidence-based statements are supported with proper reference to Section, Circular No., Notification No. or citations
  • The golden rules of grammar, style and consistency are thoroughly followed
  • Font and size that’s easy to read and remain consistent across all imprint and digital publications are applied
