A Data Fiduciary must process personal data only for the consented or lawful purpose, keep it accurate, apply reasonable security safeguards, notify breaches to the Board and affected individuals, erase data when no longer needed, publish a contact for queries, and run a grievance mechanism (Section 8). It stays accountable even when a Data Processor handles the data.
Under India’s Digital Personal Data Protection Act, 2023 (DPDPA), a Data Fiduciary is any person who — alone or with others — determines the purpose and means of processing personal data. If you decide why and how customer, employee or user data is processed, you are a Data Fiduciary, and Section 8 of the Act places a clear set of operational duties on you regardless of your size or sector.
These obligations are not optional policy aspirations. The Data Protection Board of India can impose penalties of up to ₹250 crore for failing to take reasonable security safeguards, so understanding and operationalising Section 8 — alongside the notice duty in Section 5 and the legitimate uses in Section 7 — is the core of DPDPA compliance.
What is a Data Fiduciary under the DPDPA?
Section 2(i) defines a Data Fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. This is the DPDPA equivalent of a “controller” under the GDPR. The role carries accountability: the Fiduciary is the legally responsible party, even when day-to-day processing is carried out by a Data Processor on its behalf under Section 8(2).
A Data Fiduciary may itself be a regular Fiduciary or, where notified by the Central Government under Section 10, a Significant Data Fiduciary (SDF) with additional duties. This guide covers the baseline Section 8 obligations that apply to every Data Fiduciary.
What are the Section 8 obligations of a Data Fiduciary?
Section 8 is the heart of the Data Fiduciary's duties. It runs from your responsibility for every act of processing done by you or on your behalf to how you must wind that processing down. These are the key obligations:
- Lawful purpose and responsibility (Section 4 read with Section 8(1)): process personal data only in accordance with the Act, and only for the purpose for which the Data Principal consented or for a legitimate use under Section 7. Section 8(1) makes you responsible for complying with the Act and the Rules irrespective of any agreement to the contrary or any failure by the Data Principal to carry out their own duties, and that responsibility covers processing done on your behalf by a Data Processor.
- Accountability for processors (Section 8(2)): you may engage a Data Processor to process personal data on your behalf only under a valid contract. Accountability for compliance stays with you; outsourcing the activity does not outsource the responsibility.
- Data accuracy (Section 8(3)): ensure the completeness, accuracy and consistency of personal data where it is likely to be used to make a decision that affects the Data Principal, or likely to be disclosed to another Data Fiduciary.
- Technical and organisational measures (Section 8(4)): implement appropriate technical and organisational measures to ensure effective observance of the Act and the Rules.
- Reasonable security safeguards (Section 8(5)): protect personal data in your possession or under your control, including data processed on your behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach.
- Breach notification (Section 8(6)): in the event of a personal data breach, intimate the Data Protection Board and each affected Data Principal in the form and manner prescribed by the DPDP Rules 2025.
- Data erasure (Sections 8(7)–8(8)): erase personal data, and cause your processors to erase it, once the Data Principal withdraws consent or it is reasonable to assume the specified purpose is no longer being served, unless retention is necessary for compliance with a law in force.
- Published contact (Section 8(9)): publish the business contact information of a Data Protection Officer (if applicable) or of another person able to answer, on your behalf, Data Principals' questions about the processing of their personal data.
- Grievance redressal (Section 8(10)): establish an effective mechanism to redress the grievances of Data Principals, and respond within the period the DPDP Rules prescribe.
What does “lawful purpose” mean for processing?
Section 4 sets the grounds for processing: you may process a Data Principal's personal data only for a lawful purpose, and only where the Data Principal has given consent or where a legitimate use under Section 7 applies. Section 8(1) then anchors everything else in Section 8: you are responsible for complying with the Act and the Rules in respect of all that processing, irrespective of any agreement to the contrary or of the Data Principal's failure to carry out their own duties, and including processing carried out by a Data Processor on your behalf. In practice this means purpose limitation is enforceable: data collected to fulfil an order cannot be quietly repurposed for unrelated marketing without a fresh basis.
Where consent is the basis, the notice duty comes first. Under Section 5, on or before requesting consent you must give a notice describing the personal data to be collected and the purpose of processing, how the Data Principal can exercise their rights (including withdrawal of consent under Section 6(4) and grievance redressal under Section 13), and how to complain to the Data Protection Board. The DPDP Rules 2025 require the notice to be in clear and plain language with an itemised description of the data and purpose, and Section 6(3) requires the consent request to be accessible in English or any language listed in the Eighth Schedule to the Constitution.
What are the legitimate uses under Section 7?
Consent is the primary basis, but Section 7 sets out a defined list of “legitimate uses” where personal data may be processed without separate consent. These are narrow and specific, not a general-purpose exemption. They include:
- Where the Data Principal has voluntarily provided their personal data for a specified purpose and has not indicated they do not consent to its use.
- For the State and its instrumentalities to provide a subsidy, benefit, service, certificate, licence or permit.
- For performing a function under any law, or in the interest of the sovereignty and integrity of India or security of the State.
- For fulfilling a legal obligation to disclose information to the State.
- For compliance with a judgment, decree or order under any law.
- For responding to a medical emergency, providing medical treatment during an epidemic or threat to public health, or ensuring safety during a disaster or breakdown of public order.
- For purposes of employment, or to safeguard the employer from loss or liability (for example, preventing corporate espionage or providing services/benefits to employees).
Even when you rely on a legitimate use rather than consent, the rest of Section 8 still applies — you must still keep data accurate, secure it, erase it when no longer needed, and run a grievance mechanism.
How must a Data Fiduciary keep data accurate?
Section 8(3) imposes a targeted accuracy duty. You must ensure the completeness, accuracy and consistency of personal data in two high-stakes situations: where the data is likely to be used to make a decision that affects the Data Principal, and where it is likely to be disclosed to another Data Fiduciary. The logic is to prevent harm flowing from stale or incorrect data (a wrong address, an outdated credit flag, an incorrect identity field) when that data drives a decision or moves to a third party. Section 8(4) backs this up with a general duty to implement appropriate technical and organisational measures to ensure effective observance of the Act and the Rules; for accuracy that means validating data at the point of collection, honouring the Data Principal's right to correction under Section 12, and reconciling records before they are shared with another Fiduciary.
What security safeguards are required?
Section 8(5) requires every Data Fiduciary to protect the personal data in its possession or under its control, including data processed on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. The DPDP Rules 2025 give shape to "reasonable" with a minimum set of measures: securing the data through encryption, obfuscation, masking or virtual tokens; access control over the systems that hold it; logging and monitoring that let you detect, investigate and remediate unauthorised access; backups so that processing can continue if data is lost or destroyed; retention of logs and related data for at least a year so that a breach can be traced; and contractual security obligations on processors. The standard is what is reasonable for the data you hold and the way you process it, so document why your controls meet it.
This is the obligation that carries the heaviest exposure: failure to take reasonable security safeguards to prevent a personal data breach can attract a penalty of up to ₹250 crore — the single largest figure in the Schedule to the Act.
You remain accountable for your processors
Engaging a Data Processor under a contract (Section 8(2)) does not transfer your liability. If your vendor suffers a breach involving your data, you — the Data Fiduciary — answer to the Board. Govern processors with binding data-processing agreements, security obligations and erasure duties.
How must breaches be notified?
Section 8(6) requires that, in the event of a personal data breach, the Data Fiduciary intimates both the Data Protection Board and each affected Data Principal in the form and manner prescribed. The DPDP Rules 2025 set out a two-part regime. To affected individuals, without delay: a concise, clear description of the breach, its nature, extent, timing and location, the likely consequences for the individual, the measures you have taken or propose to take to mitigate risk, the safety measures the individual can take, and a contact who can answer questions. To the Board: an initial intimation without delay, followed within 72 hours (or such longer period as the Board allows on written request) by the broad facts and circumstances, the reasons leading to the breach, mitigation measures, findings about the person who caused it, remedial steps taken, and a report of the intimations given to affected individuals. Speed, completeness and documentation all matter here, and the 72-hour clock is only workable if detection and escalation are already in place.
When must a Data Fiduciary erase personal data?
Sections 8(7) and 8(8) embed storage limitation. You must erase personal data, and cause your Data Processors to erase it, when the Data Principal withdraws consent or as soon as it is reasonable to assume the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with a law in force. Section 8(8) adds a deeming rule: the purpose is treated as no longer served once the Data Principal has neither approached you for the performance of that purpose nor exercised any rights in relation to the processing for the prescribed period. The DPDP Rules 2025 prescribe that period for certain classes of Data Fiduciary (e-commerce intermediaries and social media intermediaries with at least two crore registered users in India, and online gaming intermediaries with at least fifty lakh): three years of inactivity, after which the data must be erased, with the Data Principal notified at least 48 hours before deletion so they can act to keep it.
Who must a Data Fiduciary publish as a contact?
Section 8(9) requires you to publish, in the prescribed manner, the business contact information of a Data Protection Officer (where you are required to appoint one) or of another person who is able to answer, on your behalf, the questions of Data Principals about the processing of their personal data. In practice this is a clearly reachable contact point — typically on your privacy notice and website — so individuals know who to ask.
What grievance mechanism is required?
Section 8(10) requires every Data Fiduciary to establish an effective mechanism to redress the grievances of Data Principals. This works alongside the Data Principal’s right to grievance redressal under Section 13: an individual must be able to raise a complaint about your processing or about an unanswered rights request, and you must respond within the period the DPDP Rules prescribe. Only after exhausting your mechanism (or being unsatisfied with it) does the individual approach the Data Protection Board.
What is your Data Fiduciary obligations checklist?
Translate Section 8 into an operating checklist. Work through these obligations in order:
1. Establish a lawful basis: process only for a lawful purpose under Section 4, on the strength of consent (Section 6) or a legitimate use (Section 7), and serve a compliant itemised notice first (Section 5).
2. Apply purpose limitation: use personal data only for the purpose for which it was collected, and obtain a fresh basis before repurposing.
3. Keep data accurate: ensure completeness, accuracy and consistency wherever data drives a decision affecting the individual or is shared with another Fiduciary (Section 8(3)), supported by appropriate technical and organisational measures (Section 8(4)).
4. Implement reasonable security safeguards: encryption or tokenisation, access control, logging and monitoring with log retention, backups and processor security obligations to prevent a breach (Section 8(5)).
5. Stand up a breach-response plan: detect, contain and notify the Board and affected individuals in the prescribed form and timeline (Section 8(6)).
6. Govern erasure and retention: delete data when consent is withdrawn or the purpose is served (including the inactivity deeming rule) and retention is no longer required by law (Sections 8(7)–8(8)).
7. Publish a contact point: make the DPO or responsible person's business contact details readily available (Section 8(9)).
8. Run a grievance mechanism: provide an effective, responsive channel for Data Principal complaints (Section 8(10)).
9. Govern your processors: use binding contracts, flow down security and erasure duties, and remember accountability stays with you (Sections 8(1)–8(2)).
10. Maintain evidence: keep records, consent artefacts, logs and audit trails so you can demonstrate compliance to the Board on demand.
Turn the checklist into evidence
Run a free DPDPA readiness assessment to map your processing against every Section 8 duty and get a prioritised action plan before you invest in tooling.