Q2 - Can a single organization act as a Data Fiduciary for one activity and a Data Processor for another?
Yes. A single organization can act as a Data Fiduciary for one activity and a Data Processor for another, depending on the purpose and context of processing.
If an organization decides why and how personal data is collected or used, it functions as a Data Fiduciary under Section 2(i) of the Digital Personal Data Protection Act, 2023. If it processes personal data on behalf of another entity and only follows that entity’s instructions, it acts as a Data Processor under Section 2(k).
Additionally, Section 8(1) states that a Data Fiduciary remains responsible for compliance even when processing is carried out by a Data Processor on its behalf. This confirms that a single entity may perform both roles in different situations, based on its control and responsibility over the data.
A cloud service provider stores customer databases for several businesses.
- For its own internal employee records, it determines the purpose and method of processing — acting as a Data Fiduciary.
- For the data it hosts on behalf of clients, it processes information strictly as per client instructions — acting as a Data Processor.
A marketing agency collects visitor information on its own website and also runs campaigns for clients.
- When it collects and analyses data from its own website visitors, it decides the purpose of processing — acting as a Data Fiduciary.
- When it sends promotional emails for a client using the client’s customer list, it follows the client’s directions — acting as a Data Processor.
An IT support provider maintains its own HR and payroll data while also managing servers for other organizations.
- For its internal employee data, it acts as a Data Fiduciary.
- For the client data it accesses to maintain systems, it processes that data on behalf of those clients — acting as a Data Processor.