Q7 - What is the relationship between a Data Fiduciary and a Consent Manager — is one more powerful than the other?
Under the Digital Personal Data Protection Act, 2023 (DPDPA), the Data Fiduciary and the Consent Manager have distinct but complementary roles. Neither is more powerful than the other — they perform different functions within the same data-protection ecosystem.
1. Role of the Data Fiduciary
A Data Fiduciary is the entity that determines why and how personal data is processed. It is legally responsible for ensuring that:
- Consent is obtained lawfully and transparently.
- Data is processed only for the stated purpose.
- Security safeguards, retention limits, and grievance mechanisms are in place.
- All obligations under the DPDPA are met.
The Fiduciary remains fully accountable for compliance, even when it uses a Consent Manager to collect or manage consent on its behalf.
2. Role of the Consent Manager
A Consent Manager, defined under Section 2(g) and further described in Section 6(7)–(9), is a Board-registered intermediary that provides a standardised, interoperable platform through which individuals (Data Principals) can:
- Give, manage, review, or withdraw consent.
- View the history of consents granted to different Data Fiduciaries.
- Exercise their data-protection rights conveniently.
The Consent Manager acts as a neutral interface between the individual and the Data Fiduciary.
It does not decide how data is processed — it only enables consent to be communicated, stored, and managed securely.
3. Nature of Their Relationship
- The Data Fiduciary is the decision-maker and accountable party.
- The Consent Manager is a facilitator that ensures consent is verifiable, standardised, and easy for individuals to control.
- The Consent Manager is accountable to the Data Principal, while the Data Fiduciary is accountable to both the Data Principal and the Data Protection Board.
- Their relationship is co-operative, not hierarchical — one does not have authority over the other.
For example, an online healthcare platform wants to collect patients’ consent to process medical records. The platform (Data Fiduciary) integrates a registered Consent Manager’s API to manage this process. The patient gives or withdraws consent through the Consent Manager’s interface, but the Fiduciary remains responsible for how the medical data is used, stored, and protected.
Referenced Provisions:
- Section 2(g) – Definition of Consent Manager.
- Section 6(7)–(9) – Duties, registration, and accountability of Consent Managers.
- Section 8(1) – Responsibility of Data Fiduciary for compliance.