Distinction between Data Fiduciary and Data Processor under DPDP Act, 2023

Key Points:

• The Digital Personal Data Protection Act, 2023 distinguishes between a Data Fiduciary, who determines data processing purposes and is liable for compliance, and a Data Processor, who processes data solely on the Fiduciary's instructions.
• Data Fiduciaries bear statutory responsibilities, including breach notifications and penalties for non-compliance, while Data Processors operate under contractual obligations without direct liability to individuals.
• This distinction emphasizes the primary role of Data Fiduciaries in data protection compliance, impacting how organizations manage data processing relationships.

Background: The Digital Personal Data Protection Act, 2023 establishes legal frameworks for data protection in India. It defines roles and responsibilities of Data Fiduciaries and Data Processors to enhance accountability in personal data handling.

What's Next: Organizations will need to review and possibly revise contracts with Data Processors to ensure compliance with the new statutory requirements under the DPDP Act.