Duties and Obligations of Data Fiduciaries
Under the Digital Personal Data Protection Act (DPDPA), 2023, every organization or government body that decides how and why personal data is processed is called a Data Fiduciary. The Act places clear responsibilities on Data Fiduciaries to ensure that they handle data lawfully, fairly, and with respect for individuals’ privacy. These duties are not optional; they are legal requirements that apply to all entities handling personal data.
Duty to Obtain Clear and Informed Consent
A Data Fiduciary must always inform individuals about why their data is being collected and how it will be used, before collecting it. Consent must be free, specific, informed, and unambiguous. Individuals should also be able to withdraw consent just as easily as they gave it.
Example: If a shopping website asks for your phone number to deliver an order, it cannot later use that number for advertising without first asking your permission.
Duty to Provide Transparent Notices
Every organization must give individuals a clear and standalone notice explaining the type of personal data being collected, the purpose of collection, and the person to contact for questions or complaints. The notice must be simple enough for anyone to understand, without hidden terms or complicated jargon.
Duty to Implement Security Safeguards
Data Fiduciaries are required to protect personal data using reasonable security measures such as encryption, secure storage, access controls, backups, and activity logs. These safeguards ensure that personal data is not accidentally lost or stolen by attackers.
Example: A hospital storing patient records must ensure that only authorized doctors can access them and that the records are encrypted to prevent leaks.
Duty to Report Data Breaches
If there is a data breach, the organization must report it to the Data Protection Board of India as well as inform the affected individuals. The law expects this to be done quickly (within seventy-two hours) so that people can take steps to protect themselves.
Example: If a bank’s database is hacked, it must notify the regulator and also inform its customers so they can change passwords or monitor suspicious transactions.
Duty to Set Up Grievance Redressal
Every Data Fiduciary must establish a proper grievance redressal mechanism to handle complaints about misuse of data. Individuals must know whom to contact, and the organization must respond within defined timelines.
Duty to Limit Data Use and Retention
Organizations can only use data for the purpose for which it was collected. Once that purpose is complete, the data must be deleted unless there is a lawful reason to retain it.
Example: A mobile app collecting your location to deliver food must delete the data once delivery is complete unless it needs to keep certain information for billing or legal records.
Duty of Enhanced Accountability for Significant Data Fiduciaries (SDFs)
Certain organizations that process large volumes of sensitive data or pose higher risks are classified as Significant Data Fiduciaries. These entities have stricter obligations: they must conduct Data Protection Impact Assessments (DPIAs), undergo regular audits, and appoint a Data Protection Officer to oversee compliance.
Duty to Work with Consent Managers and Data Processors
If a Data Fiduciary uses a Consent Manager to handle permissions or a Data Processor to carry out certain tasks, it must ensure that these third parties also comply with the Act. The responsibility for data misuse cannot be outsourced; it always remains with the Data Fiduciary.
Together, these obligations ensure that organizations cannot treat personal data casually. Instead, they are legally bound to handle it with care, protect it with strong safeguards, and respect the choices of individuals. Compliance with these duties not only reduces legal risks but also builds long-term trust with customers, patients, clients, and citizens.