Under the Digital Personal Data Protection Act, 2023, the distinction between a Data Fiduciary and a Data Processor turns on control, liability, and accountability. The Data Fiduciary determines the purpose and means of processing, directly collects personal data from individuals, and bears statutory responsibility for compliance, including breach notifications to authorities and affected individuals within prescribed timelines. It is also liable for significant penalties for breaches and must ensure timely data deletion upon consent withdrawal or purpose completion, besides appointing a Grievance Officer. In contrast, a Data Processor acts solely on the Fiduciary’s instructions, has no direct relationship with the Data Principal, and operates under a binding contract that defines scope, security, breach reporting to the Fiduciary, and deletion obligations. While processors are not directly liable under the Act, fiduciaries may recover penalties contractually through indemnities. Courts and regulators thus treat fiduciaries as the primary compliance anchor, with processors’ duties flowing from contract and instruction.
Data Fiduciary vs. Data Processors – Key Differences under the Digital Personal Data Protection Act, 2023 (Act)
| Sr. No. | DATA FIDUCIARY | DATA PROCESSOR |
|---|---|---|
| ROLE | | |
| 1 | Role – Determines the “Purpose” (Why) and “Means” (How) of processing. | Role – Processes or works on the personal data of individuals on behalf of the Data Fiduciary. |
| COLLECTION AND PROCESSING OF DATA | | |
| 2 | First point of interaction with employees or customers; collects personal data directly from employees or customers. | Acts only on the instructions of the Data Fiduciary and only processes the personal data. One way to process the personal data of an individual is by integrating its API-based software with the software of the Data Fiduciary. This also ensures that there is no direct data flow from the Data Fiduciary to the Data Processor. |
| DIRECT LIABILITY | | |
| 3 | Contract or agreement with employees or customers. Statutorily liable to the Data Protection Board of India for any data breach caused by itself or by the Data Processor. | No direct relationship with the individual who owns the subject personal data, also known as the ‘Data Principal’. A valid contract or agreement is needed to engage a Data Processor under the Act. Its role is purely contractual. Only the agreement or contract between the Data Fiduciary and the Data Processor is the binding document. This is most important. |
| BREACH NOTIFICATION | | |
| 4 | Breach Notification – Obligated to notify the Data Protection Board of India and the individual (employee, customer) not later than 72 hours after every data breach, as per Rule 7(2)(b) of the DPDP Rules, 2025. Ransomware breaches are to be reported within 6 hours to the Indian Computer Emergency Response Team (CERT-In). | Breach Notification – The contract or agreement is obligated to provide for notification of any data breach to the Data Fiduciary immediately, so that the Data Fiduciary can report it to the Data Protection Board. |
| STATUTORY LIABILITY | | |
| 5 | Directly liable for a data breach up to the extent of Rs.250.00 crore. Not reporting a data breach to the Data Protection Board of India – Rs.200.00 crore. | Not directly liable for a data breach. Since the Data Processor acts only under the instructions of the Data Fiduciary, the Data Fiduciary can recover the statutory fine or penalty under an indemnity. |
| RESPONSIBILITY OF DATA DELETION | | |
| 6 | Data Deletion – Obligated to delete data when consent is withdrawn or the purpose is met. | Data Deletion – Obligated to delete data upon instructions from the Data Fiduciary. The Data Fiduciary must include such Data Deletion provisions in its contract or agreement with the Data Processor. |
| GRIEVANCE OFFICER | | |
| 7 | Obligated to appoint a Grievance Officer under the Act. | Not required to appoint a Grievance Officer. Though not required under the Act, most Data Fiduciaries require Data Processors to appoint a “SPOC” to help resolve their queries. |