Part II: Duties of Data Fiduciaries

General Obligations

Apart from the consent-related obligations (i.e., ensuring that the consent on the basis of which data is processed is valid), data fiduciaries are expected to follow a set of principles when processing personal data. Heavy reliance has been placed on the seven principles (discussed in Legislative Context).
  1. Lawful and Fair Processing (Section 4, 5(1)): A data fiduciary must process personal data only in a lawful and fair manner, in line with the provisions of the DPDPA. For instance, a payment app cannot collect a user's Aadhaar number unless it is required for a legally valid purpose under the Act. Before processing, a clear and accessible notice must be provided to the data principal detailing the purpose of processing, rights available, and grievance redressal mechanisms. For instance, a ride-hailing app must show a privacy notice before account creation explaining why location data is collected.
    1. Reading GDPR Article 5(1)(a) on "lawfulness, fairness, and transparency" together with CJEU judgments, we observe that lawfulness requires a processing activity to be "strictly necessary" for its stated purpose. In Mousse v. SNCF (C-394/23), a French train company asked customers to input their preferred honorifics (Ms./Mr./Mrs. etc.) to purchase tickets. The court ruled that this practice violated the GDPR because collecting the title was not "objectively indispensable" for fulfilling the contract of selling a ticket.
  2. Purpose Limitation (Section 6(1)): Personal data must be collected and processed only for clear, specific, and lawful purposes communicated to the data principal at or before the time of collection. For example, an e-commerce website cannot collect phone numbers "for delivery updates" and then use them for marketing without fresh consent. This principle cannot be viewed in isolation from the principle of lawfulness discussed above. The draft Digital Personal Data Protection Rules, 2025 ("Draft Rules"), published by the Indian government on January 3, 2025, incorporate this: specifically, the notice accompanying the consent request should clearly specify the exact purposes for which the personal data will be processed and provide an itemised list of the goods and services that will be offered using the collected information.
  3. Storage Limitation (Section 8(7)): Personal data must not be retained for longer than necessary to fulfil the stated purpose, unless longer retention is required by law. For instance, a hospital cannot retain a patient's contact details indefinitely if they are no longer needed for follow-up or compliance. Research tip: Compare with GDPR Article 5(1)(e) and explore sectoral Indian laws (e.g., medical records retention) that impose specific storage periods.
    1. The Digi case (C-77/21) analyses the limits of purpose limitation and storage limitation. The specific question was whether the creation of a parallel database of (legitimately) collected data amounts to a violation of the principles of purpose limitation and/or storage limitation under the GDPR. The CJEU determined that:
      a) Under Article 5(1)(b) GDPR, storing personal data in a separate "test" database for purposes such as running tests and fixing errors counts as "further processing." This is allowed if the new purpose is compatible with the original purpose for which the data was collected. Compatibility must be assessed using the criteria in Article 6(4) GDPR, such as the link between the original and new purposes, the context of collection, the nature of the data, potential effects on individuals, and safeguards in place. In this case, testing and error correction were closely linked to fulfilling subscription contracts and aligned with customers' reasonable expectations, so the storage could be compatible.
      b) Under Article 5(1)(e) GDPR, personal data can only be kept for as long as necessary for the purposes for which it is processed. Even if processing is initially lawful, keeping the data beyond what is needed breaches the "storage limitation" principle. In this case, if test data were not deleted after tests and corrections were complete, the retention period exceeded what was necessary, violating the rule, regardless of whether the over-retention was due to oversight.
  4. Data Minimisation (Section 6(1)): Only the minimum amount of personal data necessary for the intended purpose should be collected. For example, a job application portal should not require a candidate's PAN number if it is not essential for the recruitment process. Generally, the principles of lawfulness and transparency can be used to better understand this concept.
  5. Accuracy of Data (Section 8(3)): Reasonable steps must be taken to ensure that the personal data processed is complete, accurate, and up-to-date. For instance, a university should have a mechanism for students to correct errors in their academic records. Inaccurate data can lead to a range of harms, from minor inconveniences to life-altering decisions. Common errors, such as a mistaken criminal record, could prevent someone from getting a job, or an incorrect medical diagnosis could lead to improper treatment. In a highly interconnected and data-driven world, where personal information is constantly shared and used for automated decision-making, the potential for harm from inaccurate data is amplified.
  6. Security Safeguards and Breach Reporting (Section 8(5), 8(6)): Reasonable technical and organisational measures must be taken to protect personal data from breaches, unauthorised access, disclosure, alteration, or destruction. For instance, a fintech company must encrypt sensitive customer data both in transit and at rest. Furthermore, in the event of a breach, the data fiduciary is obligated to report the breach to the affected data principals and to the Data Protection Board of India.
  7. Accountability (Section 8(1)): Data fiduciaries must be able to demonstrate compliance with all provisions of the DPDPA, including maintaining necessary records and cooperating with the Data Protection Board. For instance, a social media platform should maintain logs of when and how consent was obtained from users. The provision itself states that the data fiduciary "shall be responsible for complying with the provisions of this Act" and "shall be able to demonstrate such compliance" through reasonable efforts. The obligations for data fiduciaries listed in Sections 8(3), 8(5), and 8(6) are all duties that stem from this overarching principle of accountability.
  8. Processing by Data Processors: When engaging a processor, the fiduciary must ensure that processing is done under a valid contract and in compliance with the DPDPA, while retaining overall responsibility. For instance, a bank outsourcing its KYC process must ensure the vendor follows the bank's data protection standards.

Obligations Regarding Children's Data (Section 9)

The Digital Personal Data Protection Act, 2023 ("DPDPA") places heightened obligations on data fiduciaries when processing the personal data of children. A "child" is defined under Section 2(f) as any person who has not attained the age of eighteen years, aligning the threshold with the Majority Act, 1875. This means that no person under 18 can lawfully provide consent for the processing of their personal data – the law requires verifiable parental consent before any such processing begins.
Under Section 9(1), a data fiduciary must obtain such verifiable consent and must not process children's personal data in any way that is:
  • Detrimental to the well-being of the child, or
  • For purposes of tracking, behavioural monitoring, or targeted advertising.
For instance, a gaming app directed at teenagers cannot track in-game chat patterns to push microtransactions based on perceived spending habits. Similarly, an educational platform cannot repurpose student data for personalised product marketing.
The Draft Rules elaborate on this obligation in Rule 10, which requires "appropriate technical and organisational measures" to ensure that parental consent is genuine. These include verification through (a) reliable identity and age details already available with the fiduciary, or (b) a virtual token linked to the parent's identity and age proof. While these methods draw inspiration from the U.S. Children's Online Privacy Protection Act ("COPPA"), they are narrower than the flexible menu of options under COPPA, which includes video calls, signed forms, toll-free calls, or secure ID checks.
India's strict "under 18" standard creates what scholars call an "age autonomy paradox": while adolescents (16–17) may understand and wish to control their data, the law effectively replaces their consent with that of a parent. This can perpetuate data immaturity, where young people reach adulthood without having exercised meaningful control over their data. Moreover, the dynamic nature of children's data (e.g., health metrics, academic performance) means that inaccuracies can arise quickly, leading to long-term effects if outdated data is used for profiling or decision-making.
From a compliance standpoint, fiduciaries should adopt a risk-based approach. For services aimed primarily at children or processing their data at scale, the reintroduction of a "Guardian Data Fiduciary" classification (as first proposed in the Personal Data Protection Bill, 2019) could set higher accountability thresholds, including prohibitions on profiling, enhanced transparency obligations, and regular audits. Supplementing this with a Data Trust Score system would help parents and regulators assess an organisation's child data protection record in a simple, transparent manner.
For example, a children's ed-tech platform processing millions of student profiles would qualify as a high-risk fiduciary under such a model. Beyond obtaining parental consent, it would be required to:
  • Implement age-appropriate interfaces and notices,
  • Allow joint parent–child control for certain features (e.g., content sharing), and
  • Regularly refresh stored data to ensure accuracy.

Significant Data Fiduciaries (Section 10)

Under Section 10 of the DPDPA, the Central Government may notify certain data fiduciaries or classes of data fiduciaries as "Significant Data Fiduciaries" ("SDFs") based on factors such as:
  • Volume and sensitivity of personal data processed
  • Risk of harm to data principals
  • Potential impact on sovereignty, integrity, and security of India
  • Risk to electoral democracy
  • Use of new technologies such as AI and machine learning
  • Any other prescribed factor
Example: A large fintech platform processing millions of biometric KYC records using AI-based fraud detection could be designated as an SDF due to the high sensitivity, scale, and potential risks involved.

Obligations of SDFs

  1. Data Protection Impact Assessments ("DPIAs"): Before undertaking high-risk processing, an SDF must conduct a DPIA to evaluate the potential harm to data principals and outline measures to mitigate such risks. A DPIA involves outlining the rights available to the data principal (including cross-referencing with the type of data collected and the manner in which it is processed), then outlining risks and risk management methods.
  2. Periodic Data Audits: SDFs must undergo independent data audits to ensure compliance with the DPDPA and to identify gaps in data protection practices.
  3. Appointment of a Data Protection Officer ("DPO"): An SDF must appoint a DPO who is based in India and serves as the primary point of contact for grievance redressal and coordination with the Data Protection Board.
  4. Record-Keeping Obligations: SDFs are required to maintain detailed records of data processing activities, security measures implemented, and risk mitigation actions taken.
  5. Enhanced Compliance Measures: SDFs may be subject to additional measures as prescribed by the Central Government, including stricter breach reporting timelines or mandatory security certifications.