Data Fiduciary

Individuals, companies, firms, governments, or other entities which determine the purpose and mode of processing an individual’s personal data are referred to as data fiduciaries.

The Digital Personal Data Protection Bill, 2023 (“DPDPB”) has certain obligations that a data fiduciary needs to fulfil.

They are as follows:

  1. A data fiduciary shall make reasonable efforts to ensure that personal data processed by or on behalf of the Data Fiduciary is accurate and complete.
  2. Every data fiduciary and data processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach.
  3. In the event of a personal data breach, the data fiduciary or data processor, as the case may be, shall notify the Board and each affected data principal.
  4. The personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data.
  5. Every data fiduciary shall have in place a procedure and effective mechanism to redress the grievances of data principals.
  6. The data fiduciary may share, transfer or transmit the personal data to any data fiduciary, or engage, appoint, use or involve a data processor to process personal data on its behalf, only under a valid contract.
  7. In the event that personal data from individuals under the age of 18 is proposed to be processed, prior verifiable parental consent (including consent from a guardian) is required. Data fiduciaries are prohibited from tracking and behaviorally monitoring children, from sending targeted advertisements to them, and from any processing that may harm children.
  8. A significant data fiduciary must appoint a data protection officer who will represent the significant data fiduciary in India and who shall be responsible for resolving grievances. It must also appoint an independent data auditor who shall evaluate the compliance of the significant data fiduciary. Accordingly, data protection impact assessments and data audits must be conducted by the significant data fiduciary.
  9. A data fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or of a person who is able to answer, on behalf of the data fiduciary, any questions raised by the data principal about the processing of their personal data.