Obligations of Data Processors vis-à-vis Data Fiduciaries under the DPDP Act, 2023

Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act in India) distinguishes between Data Fiduciaries (entities determining the purpose and means of processing) and Data Processors (entities processing data on behalf of fiduciaries). While fiduciaries bear primary responsibility for compliance, processors also have important statutory and contractual obligations.
This essay examines the fiduciary–processor relationship under the DPDP Act, analyses statutory duties, explores contractual mechanisms, compares India’s model with GDPR, and outlines compliance strategies. Illustrative examples and sample contractual clauses provide practical guidance for IT/ITES companies, outsourcing vendors, BPOs, and cloud service providers.
Introduction: Why Processor Obligations Matter
India’s digital economy is heavily outsourcing-driven. Banks outsource KYC verification, insurers rely on TPAs, e-commerce companies use cloud vendors, and corporates engage payroll processors. This ecosystem requires clarity on:
- Who is accountable (fiduciary vs. processor)?
- What duties processors owe directly to law vs. through contract?
The DPDP Act adopts a fiduciary-centric model, keeping processors in a subordinate but important role.
Fiduciaries vs. Processors: Statutory Definitions
- Data Fiduciary: Any person who alone or with others determines the purpose and means of processing.
- Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
- Key distinction: Fiduciaries decide the “why” and “how”; processors execute.
Obligations of Data Fiduciaries
Fiduciaries retain overall accountability for:
- Consent and notices.
- Data Principal rights (access, erasure, correction).
- Breach notification.
- Grievance redressal.
- Cross-border transfers.
- Classification as Significant Data Fiduciaries (SDFs).
Obligations of Data Processors
While the DPDP Act places primary liability on fiduciaries, processors are bound by:
1. Acting Only on Fiduciary Instructions
- Processors cannot determine purpose or means.
- Processing beyond the fiduciary’s instructions is unlawful and exposes both parties to liability.
2. Security Safeguards
- Processors must implement reasonable security measures.
- Shared liability with fiduciaries in case of negligence leading to a breach.
3. Sub-Processing Restrictions
- Processors cannot appoint sub-processors without fiduciary authorisation.
- Ensures accountability chain remains intact.
4. Cooperation with Fiduciaries
- Processors must assist fiduciaries in fulfilling rights requests, breach notifications, and audits.
5. Record Maintenance
- Maintain records of processing activities as directed.
Comparison with GDPR
- GDPR: Direct obligations on processors (security, record-keeping, DPO appointment in some cases). Processors can be fined directly.
- DPDP: Processors primarily bound via fiduciary contracts; statutory liability is limited.
India’s approach is lighter on processors but places greater responsibility on fiduciaries to police their processors.
Practical Scenarios
Outsourced Payroll Processor
- Fiduciary (employer) decides purpose (salary disbursement).
- Processor (payroll vendor) executes.
- Processor must ensure data security and act only on employer’s instructions.
Cloud Hosting Provider
- E-commerce company uses a cloud provider.
- Breach at cloud provider affects millions of users.
- Fiduciary is primarily liable, but contract must impose indemnities on the processor.
KYC Verification Vendor
- Fintech outsources KYC checks to a third-party vendor.
- Vendor mishandles Aadhaar data.
- Fiduciary liable under DPDP, but vendor accountable under contract and IT Act.
Contractual Mechanisms: Data Processing Agreements (DPAs)
Given the DPDP Act’s fiduciary-centric liability, contracts are the key compliance tool.
Essential Clauses for DPAs
1. Purpose Limitation: “Processor shall process personal data solely for the purposes documented by the Fiduciary.”
2. Security Obligations: “Processor shall implement appropriate technical and organisational measures to ensure confidentiality, integrity, and availability of personal data.”
3. Sub-Processor Approval: “Processor shall not engage sub-processors without prior written consent of the Fiduciary.”
4. Audit Rights: “Fiduciary shall have the right to audit Processor’s facilities and systems to ensure compliance.”
5. Breach Notification: “Processor shall notify Fiduciary of any breach within [X hours] of becoming aware.”
6. Indemnity: “Processor shall indemnify Fiduciary against losses arising from Processor’s wilful misconduct or negligence.”
7. Return/Deletion of Data: “Upon termination, Processor shall return or delete all personal data, unless retention is required by law.”
Sectoral Implications
IT/ITES and BPOs
- India’s outsourcing industry will be heavily impacted.
- Contracts with global clients will require stricter data processing terms.
Banking and Fintech
- RBI-regulated entities outsourcing to processors must ensure compliance with both the DPDP Act and RBI outsourcing requirements.
Healthcare
- Hospitals using TPAs for claims processing must impose strict contractual controls.
E-Commerce
- Platforms must police logistics and marketing vendors to ensure compliance.
Cloud and SaaS Providers
- Likely to become “critical processors” requiring strong contractual safeguards.
Compliance Strategies
1. Contract Standardisation: Adopt industry-standard DPAs aligned with DPDP.
2. Vendor Due Diligence: Assess processor’s technical, legal, and financial capacity before engagement.
3. Ongoing Audits: Conduct regular audits and penetration tests of processors.
4. Breach Response Integration: Ensure processors are embedded in fiduciary’s incident response plan.
5. Sub-Processor Control: Maintain updated lists of approved sub-processors.
Risks of Non-Compliance
- For Fiduciaries: Vicarious liability for processor actions.
- For Processors: Contractual liability, reputational damage, termination risk.
- For Both: Regulatory penalties if negligence causes breach.
Conclusion & Key Takeaways
The DPDP Act creates a fiduciary-centric model, but processors cannot remain passive. They play a critical operational role and must comply with fiduciary instructions, implement safeguards, and support compliance.
Key takeaways:
- Fiduciaries bear primary liability, but processors face contractual accountability.
- Robust Data Processing Agreements are essential.
- Global clients will demand DPDP-aligned contractual protections.
- Processors must upgrade their security and compliance frameworks to remain competitive.
For Indian businesses, the fiduciary–processor relationship under DPDP is not just about legal contracts: it is about building trust, accountability, and resilience across the digital supply chain.
Co-authored by: Aurelia Menezes