Obligations of Data Fiduciaries under DPDP Act 2023
Blog | Company Law | 4 Min Read | By Taxmann | Last Updated on 4 May, 2025
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), a Data Fiduciary is any person who, alone or together with others, determines the purpose and means of processing personal data. In simpler terms, it is the entity (individual, company, or organisation) that decides why and how an individual's personal data is collected, used, stored, or shared, as distinct from a Data Processor, which only processes data on the Fiduciary's behalf.
Table of Contents
- Concept of Fiduciary Duty
- Baseline Obligations Table
- Reasonable Security – Minimum Benchmark
- Processing of Children's Personal Data – Section 9
- Significant Data Fiduciaries – Section 10
- Cross‑border Transfers – Operational Safeguard
- Vendor & Processor Management
- Record‑keeping & Documentation
- Liability & Penalties Recap
- Implementation Roadmap
- Conclusion
1. Concept of Fiduciary Duty
The Act deliberately adopts the term "fiduciary", i.e. a trustee of another's interest. Section 8 enumerates the baseline duties and makes the Fiduciary responsible for compliance irrespective of whether it engages a Data Processor (Sec 8(1)); Sections 9 and 10 add further duties for children's data and for Significant Data Fiduciaries (SDFs).
2. Baseline Obligations Table
| Obligation | Statutory Source | Practical Implementation |
|---|---|---|
| Valid notice and consent | Sec 5–6 + Rules | Multilingual notice → affirmative checkbox (no pre-ticked boxes) → withdrawal toggle as easy to use as the grant. |
| Processing of personal data with the Data Principal's consent | Sec 4(1)(a) | Data-mapping matrix linking each dataset to a documented, specified purpose. |
| Processing of personal data for certain legitimate uses | Sec 4(1)(b), Sec 7 | Record which Sec 7 ground each non-consent use relies on; collect only fields marked "strictly necessary" and prune extras on periodic review. |
| Security safeguards to prevent a personal data breach | Sec 8(5) | ISO 27001/NIST-aligned controls: MFA, encryption, SIEM, DLP, vendor risk management. |
| Notification of a personal data breach | Sec 8(6) | 24×7 incident-response team; template notice to the DPB and affected individuals within X hrs of discovery. |
| Rights of the Data Principal | Sec 11–14 | Rights-management module, SLA dashboards, reconciliation logs. |
| Grievance redressal mechanism | Sec 13 | Display Grievance Officer details, ticketing system; 30-day resolution. |
3. Reasonable Security – Minimum Benchmark
- Technical – encryption at rest & transit, patch management, network segmentation, EDR.
- Organisational – privacy‑by‑design policy, least‑privilege access, background checks, NDAs.
- Testing – quarterly vulnerability scans, annual penetration tests, red‑team drills.
- Third‑party Oversight – DPIAs for new vendors, contractual security clauses, right to audit.
Failure to take reasonable security safeguards to prevent a personal data breach attracts a penalty of up to ₹250 crore under the Schedule; in practice the Board will examine the safeguards after a breach has occurred.
4. Processing of Children's Personal Data – Section 9
| Requirement | Details |
|---|---|
| Verifiable parental consent before processing a child's personal data | Obtain via a verifiable method, e.g. an OTP to the parent's mobile number or a DigiLocker-based verification (illustrative; the Rules will specify acceptable methods). |
| No tracking or behavioural monitoring of children | Disable analytics and profiling cookies for accounts flagged as under 18 years. |
| No targeted advertising directed at children | Serve only contextual ads, or none, to minors. |
| Detriment test | Do not undertake processing that is likely to cause any detrimental effect on the well-being of a child. |
Penalty for breach: up to ₹200 crore.
5. Significant Data Fiduciaries – Section 10
Designation criteria – the Act lists factors (volume and sensitivity of data, risk to Data Principals, impact on sovereignty, electoral democracy, security of the State and public order); the Government will notify specific SDFs. Illustrative thresholds that might be used:
- A very large number of Data Principals (e.g. 10 million or more), or
- Large-scale processing of financial, health or biometric data, or
- Platforms with systemic societal impact (social network, digital bank).
Extra Duties
- Data Protection Officer (DPO) – a senior employee based in India who is responsible to the board and is the point of contact for grievances; contact details published in the privacy notice.
- Data Protection Impact Assessment (DPIA) – assess necessity, proportionality and mitigation before high-risk processing.
- Periodic independent audit – by an independent data auditor; report findings to the DPB.
- Grievance SLA – likely tighter than the general 30 days (e.g. resolve within 7 days, subject to the Rules).
- Record of Processing Activities (RoPA) – detailed inventory available for DPB inspection.
Non-compliance with SDF obligations attracts a penalty of up to ₹150 crore.
6. Cross‑border Transfers – Operational Safeguard
Section 16 permits transfers to any country except those the Government notifies on a restricted ("negative") list. Until that list is issued, fiduciaries should, as an operational safeguard:
- Obtain consent (or rely on a Sec 7 legitimate-use ground);
- Execute contractual clauses ensuring onward protection;
- Map data flows in the DPIA (if an SDF).
Transfers to any country subsequently placed on the restricted list must cease within the transition period the notification allows.
7. Vendor & Processor Management
Although the Act imposes no direct obligations on Processors, a Fiduciary may engage one only under a valid contract (Sec 8(2)) and must:
- Contractually bind processors to DPDP-equivalent controls.
- Monitor and audit them through periodic security reviews.
- Flow down the breach-notification obligation: the processor must alert the Fiduciary within X hrs of an incident.
Because the Fiduciary remains responsible for compliance irrespective of any engagement of a Processor (Sec 8(1)), processor negligence is treated as the Fiduciary's own breach.
8. Record‑keeping & Documentation
- Retention schedule aligned with statutory obligations (Income-tax records 6 years, Companies Act books of account 8 years, etc.), with erasure once the purpose is served and no retention law applies.
- Consent logs – notice version, language, timestamp, and every withdrawal.
- Rights-request log – date received, nature, outcome, turnaround time (TAT).
- Training logs – annual privacy-awareness certificates for staff.
- Vendor register – risk tier, last audit date.
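The consent and rights-request logs above are evidence the DPB may ask to inspect, so they need to be append-only and tamper-evident, not just stored. The following is an added example, not code from the page or from Taxmann: a hash-chained consent ledger that records each grant and withdrawal with the notice version, language and timestamp, resolves a principal's current consent for a purpose, and computes turnaround time for a rights request. The field names, the `SLA_DAYS` value of 30 (taken from the grievance row in the table above) and the sample events are assumptions for illustration.

```python
"""Tamper-evident consent ledger and rights-request TAT check.

Added example (not from the page or Taxmann). Schema, field names,
SLA_DAYS and the sample events are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime
from typing import Optional

GENESIS = "0" * 64  # "previous hash" of the first entry


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str     # pseudonymous identifier for the Data Principal
    purpose: str          # specified purpose the consent relates to
    action: str           # "grant" or "withdraw"
    notice_version: str   # version of the notice shown (notice text changes over time)
    language: str         # language the notice was presented in
    ts: str               # ISO-8601 UTC timestamp of the event


def _digest(entry: dict) -> str:
    """Hash canonical JSON so the value is independent of key order."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only log in which each entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, ev: ConsentEvent) -> str:
        if ev.action not in ("grant", "withdraw"):
            raise ValueError("action must be 'grant' or 'withdraw'")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {**asdict(ev), "prev": prev}
        entry = {**body, "hash": _digest(body)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain; an edited, reordered or deleted entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def current_consent(self, principal_id: str, purpose: str) -> Optional[dict]:
        """Latest event for (principal, purpose) wins; a withdrawal clears consent."""
        state: Optional[dict] = None
        for e in self.entries:
            if e["principal_id"] == principal_id and e["purpose"] == purpose:
                state = e if e["action"] == "grant" else None
        return state

    def has_consent(self, principal_id: str, purpose: str) -> bool:
        return self.current_consent(principal_id, purpose) is not None


SLA_DAYS = 30  # assumed request turnaround, matching the 30-day figure above


def request_tat(received: str, resolved: Optional[str], now: str) -> dict:
    """Turnaround time (whole days) of a Data Principal request against SLA_DAYS."""
    t0 = datetime.fromisoformat(received)
    t1 = datetime.fromisoformat(resolved or now)
    days = (t1 - t0).days
    return {"tat_days": days, "resolved": resolved is not None, "overdue": days > SLA_DAYS}


def demo() -> ConsentLedger:
    """Constructed sample events (not real data)."""
    led = ConsentLedger()
    led.append(ConsentEvent("dp-001", "marketing", "grant", "v1.2", "hi", "2025-01-10T09:00:00+00:00"))
    led.append(ConsentEvent("dp-001", "order-fulfilment", "grant", "v1.2", "hi", "2025-01-10T09:00:01+00:00"))
    led.append(ConsentEvent("dp-001", "marketing", "withdraw", "v1.3", "en", "2025-03-02T18:30:00+00:00"))
    return led


if __name__ == "__main__":
    led = demo()
    print("chain intact:", led.verify())
    print("marketing consent:", led.has_consent("dp-001", "marketing"))
    print("fulfilment consent:", led.has_consent("dp-001", "order-fulfilment"))
    led.entries[0]["action"] = "withdraw"  # simulate someone editing the stored log
    print("chain intact after edit:", led.verify())
    print(request_tat("2025-04-01T00:00:00+00:00", None, "2025-05-04T00:00:00+00:00"))
```

The chain only proves that the log was not altered after the fact; to make that claim to a regulator, periodically anchor the latest hash somewhere the application team cannot rewrite (a WORM bucket, a signed daily digest, or a separate audit system), and keep the notice text for every `notice_version` so that a logged consent can be reproduced.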
9. Liability & Penalties Recap
| Failure | Max Penalty (₹) | Section |
|---|---|---|
| No reasonable security safeguards to prevent a personal data breach | 250 cr | 8(5) + Schedule |
| Failure to notify the DPB and affected Data Principals of a personal data breach | 200 cr | 8(6) + Schedule |
| Breach of obligations relating to children's data | 200 cr | 9 + Schedule |
| Breach of additional SDF obligations | 150 cr | 10 + Schedule |
| Any other breach of the Act or Rules | 50 cr | Schedule |
DPB also has the power to –
- Issue directions, including warnings and remediation orders.
- Accept a voluntary undertaking (which bars further proceedings on that matter if honoured).
- Advise the Central Government to block public access to a repeatedly non-compliant platform (Sec 37, extreme cases).
10. Implementation Roadmap
| Phase | Action Items |
|---|---|
| 0–3 months | Appoint a privacy lead, map data flows, gap-analyse consent flows, draft the retention schedule. |
| 4–6 months | Build the rights portal, implement the breach-response runbook, update vendor contracts, train staff. |
| 6–12 months | Security uplift, penetration testing, DPIA for new projects, board-level reporting. |
| Annual | Independent audit (SDF) or self-assessment (others); review policies against updated Rules. |
11. Conclusion
The DPDP Act elevates privacy to a boardroom compliance priority. Early, good-faith implementation of these obligations not only mitigates fines but also strengthens consumer trust and global competitiveness, especially for cross-border, data-intensive industries.