
Data Fiduciary Obligations

Complete guide to all obligations imposed on Data Fiduciaries under the DPDP Act 2023. Understanding these requirements is essential for organizational compliance.

Sections 4–10 cover lawful processing, notice, consent, security safeguards, children’s data, and Significant Data Fiduciary duties.

7 sections of duties (Sections 4–10)
₹250 Cr maximum penalty per instance
500+ audits delivered

DPDP Act 2023 · Sections 4–10 · Last reviewed June 2026

Direct Answer

What must a data fiduciary do?

A data fiduciary is the organization that decides why and how personal data is processed — the DPDP Act 2023 equivalent of a GDPR controller — and Sections 4 to 10 set out its duties. In short, a data fiduciary must process personal data only for a lawful purpose, give clear notice, obtain valid consent, keep data accurate and secure, erase it once the purpose is served, protect children’s data, and, if designated a Significant Data Fiduciary, appoint a DPO and an independent auditor and run impact assessments.

Sections 4–10

Obligations Section by Section

Section 4

Grounds for Processing Personal Data

Personal data can only be processed for lawful purposes with the consent of the Data Principal or for certain legitimate uses.

Processing only for a lawful purpose
Consent must be free, specific, informed, unconditional, and unambiguous
Consent requires a clear affirmative action by the Data Principal
Consent can be withdrawn at any time

Section 5

Notice Requirements

Data Fiduciaries must provide clear notice to Data Principals before or at the time of collecting personal data.

Itemised description of the personal data collected
Purpose of processing must be specified
Information about rights and grievance redressal
Notice in clear and plain language

Section 6

Consent Requirements

Consent must be obtained before processing and can be managed through registered Consent Managers.

Consent must be specific to each purpose
Consent can be obtained through a registered Consent Manager
Withdrawing consent must be easy
Records of consent must be maintained

Section 7

Legitimate Uses

Personal data may be processed without consent for specified legitimate uses including state functions and legal obligations.

Voluntary data provided by the Data Principal
State functions including subsidies and benefits
Legal obligations and court orders
Medical emergencies and public health

Section 8

General Obligations

All Data Fiduciaries must implement security safeguards, ensure data accuracy, and delete data when purpose is fulfilled.

Implement reasonable security safeguards
Ensure completeness and accuracy of data
Delete personal data after the purpose is served
Appoint a contact person for queries

Section 9

Processing Children's Personal Data

Special protections for processing personal data of children (under 18 years) including verifiable parental consent.

Verifiable consent from parent/guardian required
No tracking or behavioural monitoring of children
No targeted advertising to children
Exemptions for certain classes of Data Fiduciaries

Section 10

Significant Data Fiduciary Obligations

Additional obligations for organizations designated as Significant Data Fiduciaries based on data volume and sensitivity.

Appoint Data Protection Officer in India
Appoint independent data auditor
Conduct Data Protection Impact Assessment
Periodic audits and compliance reports

At a Glance

Data Fiduciary Obligations at a Glance

Every core obligation under the DPDP Act 2023, mapped to its section.

Section | Obligation
Section 4 | Process personal data only for a lawful purpose with consent or a permitted legitimate use
Section 5 | Give a clear, itemised notice before or at the time of collecting personal data
Section 6 | Obtain free, specific, informed, unconditional, and unambiguous consent; enable easy withdrawal
Section 7 | Rely on legitimate uses (e.g. state functions, legal obligation, medical emergency) only where applicable
Section 8 | Maintain data accuracy, apply reasonable security safeguards, erase data after the purpose is served, appoint a contact person
Section 9 | Obtain verifiable parental consent for children; no tracking, behavioural monitoring, or targeted ads
Section 10 | If a Significant Data Fiduciary: appoint a DPO in India and an independent auditor, run DPIAs and periodic audits

Frequently Asked Questions

Common questions on data fiduciary duties, SDFs, DPOs, and penalties.

What is a data fiduciary under the DPDP Act?

A data fiduciary is any person or organization that, alone or with others, determines the purpose and means of processing personal data — broadly equivalent to a controller under the GDPR. If your organization decides why and how digital personal data of people in India is processed, you are a data fiduciary and the obligations in Sections 4–10 of the DPDP Act 2023 apply to you.

What are the core obligations of a data fiduciary?

A data fiduciary must process personal data only for a lawful purpose, give clear notice, obtain valid consent (or rely on a permitted legitimate use), keep data accurate, apply reasonable security safeguards, erase data once the purpose is served, handle children’s data with verifiable parental consent, and respond to data-principal rights and grievances. Significant Data Fiduciaries carry additional duties under Section 10.

What is a Significant Data Fiduciary (SDF)?

A Significant Data Fiduciary is a data fiduciary the Central Government designates based on factors such as the volume and sensitivity of personal data processed and the risk to data principals or to the sovereignty and security of India. SDFs must appoint a Data Protection Officer based in India, appoint an independent data auditor, and conduct Data Protection Impact Assessments and periodic audits.

Do data fiduciaries have to appoint a Data Protection Officer?

Only Significant Data Fiduciaries must appoint a Data Protection Officer, and that DPO must be based in India and report to the board or equivalent. Every data fiduciary, however, must appoint a contact person (or DPO) whose details are published so data principals can raise questions and grievances.

What are the penalties for breaching data fiduciary obligations?

The Data Protection Board can impose penalties of up to ₹250 crore per instance for failing to maintain reasonable security safeguards, up to ₹200 crore for breach-notification and children’s-data failures, and lower slabs for other defaults. Penalties apply per instance, so one incident touching several obligations can compound.

Written by Expert Auditors

Saundhi Chauhan, Lead Auditor (ISO 27001 Lead Auditor, ISO 27701 Lead Auditor)

Surendra Pal Singh, Chief Information Security Officer & Data Protection Officer (CISO, DPO, CISA, MCSE, ITIL, ISO 27001 Lead Auditor, ISO 27701 Lead Auditor, ISO 42001 Lead Auditor)

Last reviewed: June 2026. Content verified by certified lead auditors.
