Sections 4-10

Data Fiduciary Obligations

Complete guide to all obligations imposed on Data Fiduciaries under the DPDP Act 2023. Understanding these requirements is essential for organizational compliance.

Section 4

Grounds for Processing Personal Data

Personal data can only be processed for lawful purposes with the consent of the Data Principal or for certain legitimate uses.

Processing only for lawful purpose
Consent must be free, specific, informed, unconditional, and unambiguous
Data Principal must give consent through a clear affirmative action
Consent can be withdrawn at any time

Section 5

Notice Requirements

Data Fiduciaries must provide clear notice to Data Principals before or at the time of collecting personal data.

Itemised description of personal data collected
Purpose of processing must be specified
Information about rights and grievance redressal
Notice in clear and plain language

Section 6

Consent Requirements

Consent must be obtained before processing and can be managed through registered Consent Managers.

Consent must be specific to each purpose
Can be obtained through Consent Manager
Must be easy to withdraw consent
Records of consent must be maintained

Section 7

Legitimate Uses

Personal data may be processed without consent for specified legitimate uses including state functions and legal obligations.

Voluntary data provided by Data Principal
State functions including subsidies and benefits
Legal obligations and court orders
Medical emergencies and public health

Section 8

General Obligations

All Data Fiduciaries must implement security safeguards, ensure data accuracy, and delete data when the purpose is fulfilled.

Implement reasonable security safeguards
Ensure completeness and accuracy of data
Delete personal data after purpose is served
Appoint contact person for queries

Section 9

Processing Children's Personal Data

Special protections for processing personal data of children (under 18 years) including verifiable parental consent.

Verifiable consent from parent/guardian required
No tracking or behavioral monitoring of children
No targeted advertising to children
Exemptions for certain classes of Data Fiduciaries

Section 10

Significant Data Fiduciary Obligations

Additional obligations for organizations designated as Significant Data Fiduciaries based on data volume and sensitivity.

Appoint Data Protection Officer in India
Appoint independent data auditor
Conduct Data Protection Impact Assessment
Periodic audits and compliance reports

Need Help Meeting Data Fiduciary Obligations?

TCSA provides end-to-end DPDP compliance services for Data Fiduciaries.