Understanding Data Fiduciaries and Data Principals in India
- Kiratraj Sadana
- May 26, 2025
- 3 min read
Introduction
The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces a structured, rights-based framework for data protection in India. At the heart of this framework are two foundational roles: the Data Fiduciary and the Data Principal.
Whether you're a business handling user data or an individual seeking control over your personal information, understanding these roles is essential to ensure compliance, accountability, and informed consent.
1. Who Is a Data Principal?
A Data Principal is the individual to whom the personal data relates.
Essentially, every user, customer, employee, or citizen whose data is collected or processed qualifies as a Data Principal.
Under the DPDP Act, Data Principals have legally enforceable rights to:
Access personal data
Correct or erase inaccurate data
Withdraw consent
Be informed about how their data is processed
Lodge complaints with the Data Protection Board
For minors and persons with disabilities, their lawful guardian acts as the Data Principal.
2. Who Is a Data Fiduciary?
A Data Fiduciary is any entity (company, government body, startup, NGO, etc.) that:
“Determines the purpose and means of processing digital personal data.”
If your business collects, stores, analyses, or shares user data, you are a Data Fiduciary under the DPDP Act—even if you outsource technical tasks to third parties.
3. Obligations of Data Fiduciaries
The DPDP Act imposes several key duties on Data Fiduciaries, including:
Obligation | Description |
Consent Management | Obtain valid, informed, and specific consent from the Data Principal |
Notice Requirement | Provide clear, accessible notices before processing begins |
Data Minimisation | Only collect data that is necessary for the stated purpose |
Purpose Limitation | Use data only for the specific purpose for which consent was given |
Security Safeguards | Implement reasonable security measures to prevent data breaches |
Grievance Redressal Mechanism | Designate a Grievance Officer to resolve complaints within a set timeframe |
Erasure and Correction Mechanisms | Allow users to modify or delete their data when requested |
Breach Notification | Inform both the Data Protection Board and the Data Principal promptly |
4. Who Is a Significant Data Fiduciary?
The Central Government may classify certain entities as Significant Data Fiduciaries based on:
Volume and sensitivity of data processed
Risk to electoral democracy, national security, or public order
Potential impact on Data Principals
Additional obligations for Significant Data Fiduciaries include:
Appointing a Data Protection Officer (DPO)
Conducting periodic Data Protection Impact Assessments (DPIA)
Performing regular audits and risk assessments
Startups working at scale, in fintech, healthtech, or edtech sectors, could be designated as Significant Data Fiduciaries in the future.
5. Examples: Who Falls Under What Category?
Entity Type | Role Under DPDP Act |
Social Media App | Data Fiduciary |
E-commerce Platform | Data Fiduciary |
Individual Customer | Data Principal |
Cloud Hosting Provider | Data Processor (not Fiduciary) |
Fintech Startup Handling KYC Data | Significant Data Fiduciary (potentially) |
6. Can You Be Both?
While Data Fiduciaries and Data Principals are conceptually distinct, one party can be a Data Principal in one context (e.g., an employee of a company), and a Data Fiduciary in another (e.g., when running a business that collects customer data).
Understanding this role-based approach is essential for implementing appropriate compliance structures, consent mechanisms, and rights management interfaces.
Conclusion
The Data Principal–Data Fiduciary relationship lies at the core of India’s new digital privacy framework. For businesses, understanding their fiduciary responsibilities is key to building trust, avoiding penalties, and ensuring long-term operational sustainability in the digital economy.
Comments