Digital Personal Data Protection Act, 2023 – Research memo on statutory obligations of a “Data Fiduciary”

This memorandum summarizes the statutory obligations of a “Data Fiduciary” under India’s Digital Personal Data Protection Act, 2023 (DPDP Act). It focuses on Chapter II (Obligations of Data Fiduciary) and related provisions, and notes enforcement and penalties. A short commencement status is included to clarify timing of in‑force provisions. Statutory citations refer to the DPDP Act sections by number. Full source links appear at the end.

Executive summary

Under the DPDP Act, a Data Fiduciary bears primary responsibility for lawful, transparent, and secure processing of digital personal data. Core obligations include providing notice, obtaining and managing consent (or relying on limited “legitimate uses”), ensuring accuracy when data informs decisions or is disclosed, implementing reasonable security safeguards, notifying breaches to the Data Protection Board of India and affected Data Principals, ensuring timely erasure when purpose is served or consent is withdrawn, publishing a contact point and operating a grievance mechanism, and overseeing processors by contract while remaining accountable for their acts. Additional, stricter obligations apply to Significant Data Fiduciaries (SDFs), and special rules govern processing of children’s data. Non‑compliance can attract substantial monetary penalties as set out in the Schedule to the Act.

Scope and key definitions

  • The Act applies to processing of digital personal data in India and to certain extra‑territorial processing connected with offering goods or services to Data Principals in India (s.3).
  • “Data Fiduciary” is any person who determines the purpose and means of processing personal data; “Data Processor” processes on behalf of a Data Fiduciary (s.2).
  • “Personal data breach” covers unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access that compromises confidentiality, integrity or availability (s.2).

Lawful grounds and gatekeeping duties

  • A Data Fiduciary may process personal data only for a lawful purpose and either with the Data Principal’s consent or for specified “legitimate uses” (s.4, s.7).
  • Every consent request must be preceded or accompanied by a notice stating: (i) the personal data and purpose of processing; (ii) how to exercise rights under s.6(4) and s.13; and (iii) how to complain to the Board; the notice must be accessible in English or any Eighth Schedule language (s.5(1), (3), (2)).
  • Consent must be free, specific, informed, unconditional, unambiguous, obtained by clear affirmative action, limited to data necessary for the specified purpose, and easily withdrawable in a manner comparable to how it was given (s.6(1), (4)). Part of a consent that purports to waive statutory rights is invalid (s.6(2)).
  • Where consent is the basis, the Data Fiduciary bears the burden to prove compliant notice and consent if the question arises in proceedings (s.6(10)).
  • Data Principals may give, manage, review, or withdraw consent via registered “Consent Managers”; processing must cease within a reasonable time following withdrawal unless otherwise required/authorised by law (s.6(6)–(9)).

General obligations of the Data Fiduciary (s.8)

  • Responsibility and processor oversight: The Data Fiduciary is responsible for compliance “irrespective of any agreement to the contrary” and remains accountable for any processing undertaken on its behalf by a Data Processor (s.8(1)). Processors may be engaged only under a valid contract (s.8(2)).
  • Accuracy when consequential or disclosed: If personal data is likely to be used to make a decision affecting the Data Principal or to be disclosed to another Data Fiduciary, the Data Fiduciary “shall ensure its completeness, accuracy and consistency” (s.8(3)).
  • Organisational and technical measures: Appropriate measures must be implemented to ensure effective observance of the Act and rules (s.8(4)).
  • Security safeguards: Personal data in the Fiduciary’s possession or control—including processing by processors—must be protected by taking reasonable security safeguards to prevent personal data breaches (s.8(5)).
  • Breach notification: In the event of a personal data breach, the Fiduciary must give the Board and each affected Data Principal an intimation of the breach in the prescribed form and manner (s.8(6)).
  • Erasure and storage limitation: Unless retention is necessary for compliance with law, the Fiduciary must erase personal data upon (i) withdrawal of consent or (ii) as soon as it is reasonable to assume the specified purpose is no longer served, and must cause its processors to erase data made available to them (s.8(7)).
  • Presumed inactivity and deemed purpose‑completion: If the Data Principal neither approaches the Fiduciary for the specified purpose nor exercises her rights for a prescribed period, the purpose is deemed no longer served (s.8(8), (11)).
  • Transparency and redress: The Fiduciary must publish business contact details of a Data Protection Officer (if applicable) or another responsible person to answer Data Principal queries (s.8(9)), and must establish an effective grievance redress mechanism (s.8(10)).

Children’s data (s.9)

  • Prior verifiable consent of the parent or lawful guardian is required before processing personal data of a child or a person with disability who has a lawful guardian (s.9(1) and Explanation).
  • Prohibitions: Processing that is likely to cause any detrimental effect on a child’s well‑being is prohibited; tracking or behavioural monitoring of children and targeted advertising directed at children are prohibited (s.9(2)–(3)).
  • Limited carve‑outs and safe‑processing relief: Specified classes of Fiduciaries/purposes may be exempted by rules (s.9(4)); if the Central Government is satisfied that a Fiduciary’s processing of children’s data is “verifiably safe,” it may notify an age above which some or all obligations in s.9(1) and (3) are inapplicable for that Fiduciary (s.9(5)).

Additional obligations for Significant Data Fiduciaries (s.10)

  • Designation: The Central Government may notify any Data Fiduciary or class of Fiduciaries as a “Significant Data Fiduciary” based on factors such as volume/sensitivity of data processed, risks to Data Principal rights, and national interest/public order considerations (s.10(1)).
  • Mandatory measures for SDFs:
      ◦ Appointment of a Data Protection Officer (based in India; reporting to the Board of Directors or similar body; point of contact for grievance redress) (s.10(2)(a)).
      ◦ Appointment of an independent data auditor to evaluate compliance (s.10(2)(b)).
      ◦ Periodic Data Protection Impact Assessments (DPIAs), periodic audits, and any other prescribed measures consistent with the Act (s.10(2)(c)).

Rights‑enablement duties that fall on Data Fiduciaries

  • Access information duty: Upon request, the Fiduciary to which consent was previously given must provide a summary of personal data being processed and processing activities, identities of all Fiduciaries and Processors with whom the data has been shared (with a description of the data shared), and other prescribed information (s.11(1), subject to s.11(2) exceptions for specified lawful requests).
  • Correction and erasure handling: Upon request, the Fiduciary must correct inaccurate/misleading data, complete incomplete data, and update data; it must also erase personal data on request unless retention is necessary for the specified purpose or to comply with a legal requirement (s.12(1)–(3)).
  • Grievance redress time frames: The Fiduciary must provide readily available means of grievance redress and respond within prescribed periods; the Data Principal must exhaust this mechanism before approaching the Board (s.13).

Cross‑border transfers and consistency with other laws

  • Cross‑border: The Central Government may, by notification, restrict transfers of personal data by a Data Fiduciary to specified countries/territories; stricter transfer rules under other Indian laws continue to apply where relevant (s.16).
  • Consistency clause: The Act includes a general consistency provision with other laws (s.38).

Enforcement and penalties

  • The Data Protection Board of India may direct urgent mitigation measures upon breach intimation, inquire into breaches and impose penalties (s.27, s.28, s.33).
  • The Schedule prescribes maximum penalties for key contraventions, including:
      ◦ Up to INR 250 crore for breach of the obligation to take reasonable security safeguards to prevent a personal data breach (s.8(5)).
      ◦ Up to INR 200 crore for failure to give breach notice to the Board or affected Data Principals (s.8(6)).
      ◦ Up to INR 200 crore for breach of children’s‑data obligations (s.9).
      ◦ Up to INR 150 crore for breach of SDF additional obligations (s.10).
      ◦ Up to INR 50 crore for breach of any other provision or rules, and other specified heads (Schedule; read with s.33).

Commencement status (as of May 15, 2026)

  • The Act provides that different provisions may be brought into force on different dates (s.1(2)). India Code’s authenticated text reflects a Central Government notification dated November 13, 2025 (G.S.R. 843(E)) stating that specified core provisions—including ss.3–17 (covering Chapter II obligations), ss.27–34, 36–37, and s.44(2)—shall come into force 18 months from November 13, 2025. On that basis, many principal obligations of Data Fiduciaries would commence on or about May 13, 2027, unless otherwise notified. Organizations should monitor official notifications for any updates or earlier/altered commencements.

Practical takeaways for Data Fiduciaries

  • Map processing activities to lawful bases (consent versus legitimate uses) and update notices accordingly.
  • Implement consent lifecycle management (including Consent Manager integrations where appropriate) and withdrawal handling.
  • Strengthen data accuracy controls where data informs decisions or is disclosed to other Fiduciaries.
  • Implement, test, and document reasonable security safeguards proportional to risk; prepare breach‑assessment and notification playbooks.
  • Build erasure workflows tied to consent withdrawal, purpose completion, inactivity thresholds (once prescribed), and processor back‑to‑back obligations.
  • Publish required contact details and operate grievance mechanisms with prescribed response times.
  • If notified as an SDF, appoint a DPO in India, engage an independent data auditor, schedule DPIAs and periodic audits, and implement any additional prescribed measures.
  • Track cross‑border transfer restrictions and overlapping sectoral laws imposing stricter controls.