Written by

Sumeshwar Pandey


Data Processors vs Data Fiduciaries: Operational Responsibilities Explained

A procurement-focused guide to turning India’s DPDP Act role definitions into concrete governance, contract terms, RFQ questions, and vendor scorecards.

Key takeaways
  • Under the DPDP Act, the data fiduciary decides why and how personal data is processed and holds primary regulatory accountability; the data processor acts on that instruction but still has meaningful operational and contractual duties.
  • Accurate role classification for each vendor relationship is now a commercial decision: it drives how you allocate risk, design contracts, evaluate security evidence, and plan ongoing oversight.
  • Leadership teams should map DPDP obligations such as consent, data principal rights, security, breach response, and cross-border transfers into a clear RACI split between internal owners and external processors.
  • Procurement can embed DPDP into sourcing by using targeted RFQ questions, a structured vendor scorecard, and a hidden-cost checklist that surface implementation effort and residual risk before contract signature.
  • Significant Data Fiduciary status raises the bar on documentation, audits, and processor oversight, so high-risk vendor categories need deeper due diligence and tighter contract controls.

Why DPDP roles matter for procurement and leadership

Imagine your organisation is replacing its customer support BPO and onboarding a new cloud CRM. Pricing looks attractive, service levels seem adequate, and the shortlist is ready for management approval. Then legal asks a basic question: in each of these relationships, who is the data fiduciary and who is the data processor under the Digital Personal Data Protection Act, 2023? Suddenly, topics like breach liability, cross-border storage, and consent records move from the annexures of the contract to the front page of the board pack.
The DPDP Act makes the entity that determines the purpose and means of processing personal data – the data fiduciary – directly accountable for compliance. That accountability does not stop when processing is outsourced. Processors must follow the fiduciary’s instructions and have their own duties, but regulators will look first to the fiduciary when something goes wrong. For leadership teams and boards, that turns vendor selection, contract structure, and ongoing monitoring into core risk controls rather than back-office administration.
For procurement and vendor management teams, this means DPDP roles are no longer just legal labels. They affect how you structure scopes of work, what evidence you require from vendors, how you negotiate indemnities and liability caps, and even which suppliers you treat as strategic partners versus interchangeable utilities. A clear understanding of data fiduciary and processor responsibilities lets you turn abstract policy requirements into a concrete operating plan that leadership, legal, security, and procurement can execute together.

How the DPDP Act defines data fiduciaries and data processors

Under the DPDP Act, a data fiduciary is the person, company, or public body that determines the purpose and means of processing digital personal data. In practical terms, this is the organisation that decides why personal data is collected, which individuals it relates to, how long it is kept, and with whom it is shared. A data processor is any person or entity that processes personal data on behalf of a data fiduciary and under its instructions. This is broadly similar to the controller–processor distinction under the GDPR, but the terminology and some liability mechanics are specific to Indian law.[1]
The easiest way to distinguish the two roles is to ask who is making the key decisions. If your organisation designs the customer journey, drafts the privacy notice, chooses what personal data fields are mandatory, and decides retention periods, then you are almost certainly the data fiduciary. If a vendor simply hosts, analyses, or transmits that data according to your documented instructions, without deciding new purposes, it is acting as a data processor. Where a vendor sets its own independent purposes – such as building its own analytics products or marketing services directly to your customers – it is likely to be a separate data fiduciary for that processing, not just your processor.
Common B2B patterns in India reflect this split. An employer is usually the data fiduciary for employee data, while its payroll provider, HRMS platform, or background verification agency processes that data as a processor. A bank or fintech lending platform is usually the data fiduciary for borrower data, and its KYC vendor, call centre BPO, or cloud hosting provider is a processor. An ecommerce platform is typically the data fiduciary for customer orders, with its logistics aggregator, payment gateway, and marketing automation provider acting as processors.
Grey areas arise where vendors combine client data, decide their own analytical models, or monetise insights. A marketing platform that profiles customers across multiple clients to sell cross-client audience segments may be a data fiduciary for that profiling, even if it is a processor for campaign execution. A cloud analytics provider that decides what behavioural data to log and how long to retain raw event data may also assume fiduciary responsibilities for that dataset. For procurement, the lesson is that role classification should be done case by case, documented explicitly, and validated with legal counsel rather than assumed from a vendor’s generic marketing label.
High-level comparison of data fiduciary and data processor roles under the DPDP Act.
| Decision area | Data fiduciary | Data processor | Procurement focus |
|---|---|---|---|
| Who decides why and how personal data is processed | Determines purposes (the “why”) and essential means (the “how”), including what data to collect, which individuals it relates to, retention, and sharing. | Implements processing strictly according to the fiduciary’s documented instructions and does not set independent purposes. | Clarify in RFQs and contracts who owns purpose decisions for each use case and document that role in the data processing agreement. |
| Regulatory accountability under DPDP | Primary point of accountability to the Data Protection Board for compliance with the Act, including when using processors. | Accountable for duties imposed directly by law and contract, but usually secondary in regulatory focus compared with the fiduciary. | Reflect this split in risk assessments, liability structures, and oversight expectations. |
| Typical examples in B2B outsourcing | Employers for employee data; banks and fintechs for borrower data; ecommerce platforms for customer orders. | Payroll providers, HRMS or CRM platforms, cloud hosting providers, KYC vendors, and call centre BPOs. | Use examples to sanity-check claimed roles and identify outliers that may need deeper legal review. |
| Data use beyond the engagement | May reuse data for its own compatible purposes consistent with notices and lawful grounds. | Should not reuse or combine client data for its own independent purposes without becoming a fiduciary for that activity. | Ask vendors about any data reuse, aggregation, or analytics across clients and ensure roles and consents align with those uses. |
| Implications for contracts and governance | Specifies instructions, security baselines, rights-handling model, and audit approach; maintains the vendor register and governance framework. | Documents how it will implement instructions, security controls, sub-processor management, and cooperation on rights and breaches. | Make roles explicit in data processing agreements and align them with internal RACI, approval workflows, and monitoring plans. |

Operational responsibilities of data fiduciaries under DPDP

The DPDP Act loads most statutory obligations onto data fiduciaries. First, they are responsible for the legal basis of processing, including notices and consent. A data fiduciary must provide clear, itemised notice to data principals describing what data is collected, for which purposes, and how rights can be exercised. Where consent is required, the fiduciary must ensure it is free, specific, informed, unconditional, and unambiguous, and must honour withdrawal of consent. Even if consent is collected through a processor – for example, via a call centre script or mobile app interface – the fiduciary remains accountable for the content of the notice, the design of consent flows, and the integrity of consent records.[1]
Second, data fiduciaries must provide and honour data principal rights. Individuals have rights to access summaries of their personal data, correct and update inaccuracies, request erasure when the purpose is fulfilled and retention is no longer required by law, and register grievances through a designated mechanism. They may also nominate another person to exercise rights on their behalf in specified circumstances. Operationally, this means fiduciaries need processes and systems to receive rights requests, verify identity, orchestrate changes across internal systems and external processors, and respond within timelines prescribed by the Act and rules. Processors typically supply the underlying capabilities – such as search, export, correction, and deletion functions – but the fiduciary owns the end-to-end obligation and the communication with the data principal.[1]
Third, fiduciaries are responsible for security safeguards, breach management, and retention. They must implement reasonable technical and organisational measures to prevent unauthorised access or breach of personal data and are required to notify the Data Protection Board of India and affected individuals of reportable personal data breaches. They must also cease processing and delete personal data when it is no longer needed for the purpose, unless retention is mandated by law. In practice, this requires fiduciaries to set baseline security and logging requirements for processors, review security evidence such as policies and independent audits, define incident response playbooks that involve vendors, and ensure processors can delete and return data at the end of the contract or when consent is withdrawn.[2]
Finally, fiduciaries bear specific duties for children’s data, cross-border transfers, and Significant Data Fiduciary status. They may need to obtain verifiable consent from parents or lawful guardians for processing children’s personal data, avoid certain forms of profiling, tracking, or targeted advertising to children where restricted, and comply with any government notifications limiting transfers to particular countries. Organisations designated as Significant Data Fiduciaries, based on factors such as volume and sensitivity of data and risks to rights, must appoint a Data Protection Officer based in India, engage an independent data auditor, and undertake more formal assessments of processing risks. For procurement, these obligations translate into stronger scrutiny of vendors that handle children’s data, store or access data outside India, or support large-scale or high-risk processing that could contribute to Significant Data Fiduciary designation.[1][4]

Operational responsibilities of data processors and their limits

Although data processors have fewer statutory obligations than data fiduciaries, their operational responsibilities are real and commercially significant. A processor must only process personal data on the basis of a valid contract and documented instructions from a data fiduciary. It should not decide new purposes or materially change the means of processing without explicit agreement. Processors are expected to implement appropriate technical and organisational security safeguards, ensure that staff and sub-contractors follow confidentiality obligations, and align their data handling with the fiduciary’s retention and deletion instructions.[1][3]
Processors also play a central role in executing the fiduciary’s DPDP obligations. They typically maintain the systems that store and process data, so they must be able to search, export, correct, and delete personal data on demand to support data principal rights. They are usually the first to detect or be affected by security incidents, so they need clear obligations to promptly notify the fiduciary of personal data breaches and to cooperate with investigations and remediation. Where processors appoint sub-processors, they should obtain the fiduciary’s authorisation where required, flow down DPDP-aligned obligations, and maintain transparency over the chain of processing, including locations where data is stored or accessed. Failure to implement adequate safeguards or comply with directions from the Data Protection Board can expose processors themselves to penalties.[1][3]
At the same time, processors must respect the boundaries of their role. A processor that unilaterally decides to build profiles across multiple clients’ data, reuse data for independent marketing, or extend retention periods for its own analytics is moving into data fiduciary territory for those activities. In such cases, it should provide its own notices, obtain any required consents, and accept fiduciary-level accountability. For procurement, this boundary is an important due-diligence topic: you should ask vendors where they reuse your data, whether they aggregate it across customers, and how they distinguish between processing as your processor and processing as an independent fiduciary. Contract terms should reflect those distinctions so that roles, responsibilities, and liabilities are clear.

Allocating accountability between fiduciary and processor in contracts and governance

Turning statutory roles into workable operations usually starts with a RACI mindset. For each DPDP obligation – from issuing notices and managing consent to handling access requests and responding to breaches – the data fiduciary is almost always accountable. Processors are frequently responsible for executing specific technical or operational activities, such as deleting data in their systems or running identity verification checks. Internal teams like legal, information security, product, and business owners are consulted in designing the controls and informed about incidents and regulatory changes. Making this split explicit, and aligning it with vendor responsibilities, reduces confusion during incidents and audits.
Contracts are where the fiduciary–processor allocation becomes enforceable. A robust data processing agreement or privacy schedule should clearly record the parties’ DPDP roles, describe the categories of personal data and data principals involved, specify purposes and lawful bases as determined by the fiduciary, and set out the processing instructions, including retention and deletion expectations. It should require the processor to implement agreed security safeguards, restrict processing to authorised personnel and sub-processors, notify the fiduciary of personal data breaches and assist with notifications to regulators and data principals, support the execution of data principal rights, and delete or return personal data at the end of the engagement. Audit and information rights, along with clear change management procedures for new features or data uses, help the fiduciary detect and manage drift from the agreed scope.
Consider a typical HR SaaS implementation. The employer generally acts as the data fiduciary for employee data and instructs the SaaS provider on which employee attributes to store, how long to retain records, and which countries data may be transferred to. The SaaS provider is a processor for core HR functions, but it may wish to use anonymised or aggregated usage data to improve its product. Contracts should separate these roles: one clause set for processing employee data purely on the employer’s behalf, and another set where the provider becomes an independent data fiduciary for limited analytics purposes, subject to its own notices and consents where needed. Allocation of liability, indemnities, and insurance should follow this split rather than assume all activities fall under a single role.
Beyond individual contracts, organisations benefit from an internal governance framework that embeds DPDP roles into supplier management. This often includes a maintained register of vendors that process personal data, with an explicit fiduciary–processor classification per use case; standardised contract templates with DPDP-aligned clauses; a review step where legal and information security sign off on high-risk vendors before procurement completes negotiations; and periodic vendor reviews that include privacy and security performance, not just commercial metrics. When the Data Protection Board investigates or issues directions, having this governance structure in place provides evidence that the fiduciary is taking its oversight responsibilities seriously.

Procurement toolkit: RFQ questions, vendor scorecard, and hidden-cost checklist

To make DPDP roles actionable in sourcing, procurement can embed targeted questions into RFQs and RFPs instead of treating privacy as a generic compliance tick-box.
  • On role clarity, ask vendors to state, for each major processing activity, whether they act as a data processor, a data fiduciary, or both, and to explain the basis for that classification.
  • On security, request a description of their security governance, including how they manage access control, encryption, logging, backup and recovery, and vulnerability management, along with any independent assessments or certifications they hold.
  • On data principal rights, ask how they would support your organisation in fulfilling access, correction, and erasure requests, what standard response timelines they can support operationally, and what tooling exists for bulk or automated requests.
  • On sub-processing and cross-border transfers, require a current list of sub-processors and data locations, along with their approach to onboarding new sub-processors and reacting to changes in applicable transfer restrictions.
A structured vendor scorecard helps turn qualitative answers into comparable scores. One practical approach is to group criteria into a small number of weighted bands and assess each vendor against those bands using consistent evidence.
Example DPDP-aligned vendor scorecard bands for assessing processors.
| Band | What to evaluate | Evidence to request | Weighting considerations |
|---|---|---|---|
| Compliance and DPDP alignment | Clarity of fiduciary/processor role definitions, quality of contractual commitments, and evidence that the vendor understands DPDP obligations. | Sample data protection addendum or privacy schedule, mappings of services to DPDP roles, relevant internal policies, and training materials. | Give extra weight where the vendor will handle large volumes of personal data or sensitive categories that increase regulatory exposure. |
| Security and resilience | Technical safeguards, incident response maturity, business continuity arrangements, and any history of material security incidents. | Security policies, architecture diagrams, incident response playbooks, summaries of recent independent assessments or tests, and high-level breach history disclosures. | Prioritise for internet-facing platforms and services that would materially disrupt operations or reputation if compromised. |
| Operational capability for data principal rights | How easily access, correction, erasure, consent withdrawal, and data export orders can be implemented, and what level of support is offered to your teams. | Product demonstrations, workflow or API documentation, sample reports, and descriptions of standard support processes for rights requests. | Increase weight where you expect high request volumes, strict response timelines, or complex multi-system data flows. |
| Data architecture and localisation | Data residency options, segregation between clients, logging depth, and ease of data portability at exit. | Data flow diagrams, list of data centres and sub-processors, export formats, log retention descriptions, and standard exit support scope. | Weight heavily if your organisation is subject to localisation rules or has strict cross-border and concentration risk appetites. |
| Commercial risk and total cost | Liability caps, indemnity structure, insurance coverage, and the cost and effort of onboarding, integration, and potential exit. | Draft contract terms, certificates of insurance, implementation plans, and rate cards for professional services or change requests. | Align to your organisation’s risk appetite and the business criticality of the processing, not just to standard procurement thresholds. |
Using RFQ questions, a scorecard, and a hidden-cost checklist together allows procurement to compare vendors not only on headline pricing and functional fit but also on the depth of their DPDP readiness and the likely effort your organisation will bear. Vendors that appear cheaper on licence fees but require significant internal work to support consent, rights fulfilment, or audits may, in practice, be more expensive and riskier. Making these trade-offs explicit in evaluation documents helps leadership take informed decisions and allocate budgets for privacy-by-design rather than treating it as an afterthought.

Common questions for procurement teams about DPDP roles

Once the basic fiduciary–processor split is understood, many procurement questions focus on complex or hybrid scenarios. Multi-tenant SaaS platforms may act as processors for core functions but as independent fiduciaries for cross-client analytics. Joint offerings, such as co-branded credit cards or marketplace platforms, can involve two or more data fiduciaries sharing data and jointly shaping the customer journey. Global vendors may process personal data of Indian residents across multiple jurisdictions, raising questions about DPDP’s extraterritorial application, sectoral localisation rules, and contractual commitments to Indian standards. Frequently asked questions tend to centre on these edge cases, and clear answers help evaluation teams engage more confidently with vendors and internal stakeholders.

Putting a DPDP operating model in place for vendors

Embedding DPDP roles into vendor management is easier if you treat it as a structured rollout rather than a one-off compliance project.
  1. Map personal data, systems, and vendors
    A practical first action is to build or update a register of systems and vendors that process personal data. For each relationship, record what categories of individuals are involved, what data is processed, for what purposes, and where it is stored or accessed. Identify whether your organisation is acting as a data fiduciary, a data processor, or both, and whether the external party is a processor, a co-fiduciary, or an independent fiduciary for some purposes. Align this register with existing supplier segmentation so that high-risk and high-impact vendors receive more attention than low-risk utilities.
  2. Align governance, templates, and procurement workflows
    Standardise DPDP-aligned data processing clauses in your master service agreements and purchase order terms, and define clear thresholds where legal, information security, and privacy teams must review or approve vendor engagements before contracts are signed. Integrate DPDP-focused questions into your standard due diligence questionnaires and RFP templates so that every new processing relationship is assessed on roles, security, rights support, and cross-border factors from the outset. For organisations that are, or may become, Significant Data Fiduciaries, build more structured oversight into the operating model, such as periodic third-party assessments of key processors or deeper review of vendors handling children’s data or large-scale profiling.
  3. Refresh existing contracts in risk-based waves
    For existing suppliers, DPDP can be an opportunity to rationalise and strengthen contracts rather than an obligation to renegotiate everything at once. Prioritise vendors that handle the largest volumes of personal data, the most sensitive categories of data, or the most critical business processes, and then work through medium-risk categories. As contracts come up for renewal, refresh them with clear role definitions, updated security and breach terms, rights support obligations, and better transparency on sub-processors and data locations. Use vendor performance reviews to discuss privacy and security metrics alongside cost and service levels, and agree improvement plans where gaps appear.
  4. Build ongoing visibility and board-ready reporting
    Over time, a DPDP-aware operating model should give leadership a consistent line of sight across the personal data ecosystem: which vendors are critical from a fiduciary perspective, what controls are in place at each, how quickly incidents can be detected and contained, and where concentration or geographic risks are building up. That visibility, supported by clear contracts and procurement tools, makes regulatory compliance more defensible and helps your organisation treat privacy as part of business resilience rather than a purely legal concern.

FAQs

Yes. Roles under the DPDP Act are determined per processing activity, not permanently attached to an organisation. A cloud HR platform, for example, may act as a data processor when it stores and manages your employee records strictly according to your instructions. For that activity, your organisation is the data fiduciary and the platform is your processor. The same vendor might also analyse aggregated usage patterns across all clients to improve its product or generate benchmarks. For that analytics activity, it is likely acting as an independent data fiduciary, deciding its own purposes and means. Contracts should separate these roles, with one part governed by your instructions as a fiduciary–processor relationship and another part where the vendor accepts its own fiduciary obligations, including appropriate notices and, where needed, consents to support its independent uses of data.

When using global vendors, procurement should work with legal and security teams to assess DPDP compliance alongside any sectoral localisation rules that apply to your organisation. Ask vendors to map where personal data of Indian data principals is stored and accessed, list all sub-processors and data centres, and explain how they will comply with any government notifications restricting transfers to particular countries. Contracts should require the vendor to comply with DPDP obligations applicable to processors, assist your organisation in meeting its fiduciary duties, and notify you before material changes in data location or sub-processors. For regulated sectors that already have data localisation or outsourcing guidelines, ensure the global vendor’s architecture and contractual commitments can accommodate those sector-specific requirements as well as DPDP standards.

You are moving towards a co-fiduciary arrangement when both parties jointly determine the purposes and essential means of processing personal data. Joint marketing initiatives, co-branded financial products, or marketplace platforms where both parties shape the customer journey and decide how data is used for profiling or cross-selling are common examples. In these cases, it may be artificial to describe one party purely as a processor of the other. Instead, both may be data fiduciaries with overlapping but distinct obligations. Contracts should then address how responsibilities are shared or divided, how rights requests are handled, who leads on breach notifications, and how each party’s notices and consents describe the joint processing. Co-fiduciary models can be more complex to govern, so they usually merit closer involvement from legal and privacy specialists during deal structuring.

In regulatory terms, the data fiduciary remains primarily answerable for ensuring that reasonable security safeguards are in place and that breaches are appropriately notified and managed. If a processor’s systems are compromised, the Data Protection Board is likely to look first to the fiduciary, which engaged the processor and is responsible for ensuring that its processing arrangements are compliant. However, processors are not insulated from exposure. Where the Act or subsequent rules impose duties directly on processors – such as implementing safeguards, adhering to instructions, or complying with directions from the Board – processors can face penalties in their own right if they fail to meet those obligations. From a commercial standpoint, contracts typically include indemnities, liability caps, and insurance requirements to share financial risk between fiduciary and processor, but those private arrangements do not remove either party’s regulatory responsibilities.[1][3]

The DPDP Act, as currently framed, does not mandate that processors obtain any specific commercial certifications or follow a single audit standard. Significant Data Fiduciaries must appoint an independent data auditor, and many organisations expect key processors to participate in audits or assessments as part of that oversight. In practice, processors often rely on recognised security frameworks or certifications as evidence of their safeguards, and fiduciaries commonly request summaries of independent assessments, penetration tests, or compliance attestations during due diligence. These instruments are best viewed as ways to demonstrate and verify that reasonable security and governance measures are in place, rather than as automatic proof of legal compliance. Procurement can treat certifications and audit reports as inputs into a broader evaluation that also considers how the vendor supports data principal rights, breach handling, and contractual commitments aligned to DPDP requirements.[1][4]

Sources
  1. The Digital Personal Data Protection Act, 2023 (No. 22 of 2023) - Ministry of Law and Justice, Government of India
  2. Top 10 operational impacts of India’s DPDPA – Obligations of data processing entities - International Association of Privacy Professionals (IAPP)
  3. The Digital Personal Data Protection Act, 2023: Comprehensive Framework, Latest Developments, and Compliance Roadmap - The Legal 500 / Maheshwari & Co.
  5. 2025 Update: Deep Dive – Digital Personal Data Protection Act (DPDPA), 2023 - Spice Route Legal
  5. India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison - Latham & Watkins LLP
  6. Data Fiduciary and Data Processor Obligations Under DPDPA, 2023 - AMLEGALS