
Learn · DPDP Act 2023

What Is a Data Fiduciary?

A Data Fiduciary is any person who — alone or with others — determines the purpose and means of processing personal data. It is the DPDP Act’s equivalent of a “data controller” under the GDPR.

Distinct from the Data Processor (who processes on the fiduciary’s behalf) and the Data Principal (the individual the data is about). If your organisation decides why and how personal data is processed, you are a Data Fiduciary.

DPDP Act, 2023 · India
Sec. 4–10 · fiduciary obligations
500+ audits and engagements by TCSA

Plain-English explainer · DPDP Act 2023 · GDPR-controller analogy · Last reviewed July 2026

Under India’s Digital Personal Data Protection Act, 2023 (the DPDP Act), a Data Fiduciary is any person — an individual, a company, or the state — who, alone or with others, determines the purpose and means of processing personal data. It is the DPDP Act’s equivalent of a “data controller” under the GDPR. The two other roles the Act defines sit around it: a Data Principal is the individual the personal data is about (the GDPR’s “data subject”), and a Data Processor is anyone who processes personal data on the fiduciary’s behalf, only under its instructions. In short: the fiduciary decides, the processor acts for it, and the principal is the person whose data it is. If your organisation decides why and how the digital personal data of people in India is processed, you are a Data Fiduciary — and Sections 4–10 of the DPDP Act apply to you.

The Three Roles

Fiduciary vs Processor vs Principal

The DPDP Act 2023 defines three roles. Getting them right is the first step in any compliance programme — the obligations attach to the fiduciary, not the processor.

Role            | What it is                                               | GDPR equivalent
Data Fiduciary  | Decides why and how personal data is processed.          | Data Controller
Data Processor  | Processes personal data on the fiduciary’s behalf.       | Data Processor
Data Principal  | The individual the personal data is about.               | Data Subject

Data Fiduciary

≈ GDPR Data Controller

A company that collects customer data to run its service. It sets the purpose and means, and carries the DPDP Act’s obligations.

Data Processor

≈ GDPR Data Processor

A vendor — a payroll provider, cloud host, or analytics service — that handles data only under the fiduciary’s instructions and contract.

Data Principal

≈ GDPR Data Subject

The customer, employee, or user whose data is being processed. Where the individual is a child, it includes the parent or lawful guardian.

The Definition

Why “fiduciary,” and how it maps to the GDPR controller

The DPDP Act deliberately uses the word fiduciary — a term that implies a duty of trust and care owed to the person whose data is held. The substance, however, tracks the GDPR: the Data Fiduciary is the party that determines the purpose and means of processing personal data, exactly the test that defines a “controller” in Europe. If you decide why data is collected and how it will be used, you are the fiduciary, and the obligations follow you — even where you outsource the actual processing to a vendor.

The distinction from a Data Processor matters in practice. A processor acts only on your documented instructions and cannot decide the purpose of processing for itself. Where two or more organisations jointly determine the purpose and means, each is a Data Fiduciary in its own right. Classifying every party correctly — and papering the relationship with the right contracts — is where DPDP readiness usually starts.

Core Obligations

What a Data Fiduciary Must Do

Every Data Fiduciary carries the duties in Sections 4–10 of the DPDP Act 2023. The essentials are below — the full section-by-section guide covers each in depth.

Notice

Give a clear, itemised notice — in plain language — before or at the time of collecting personal data, stating what is collected, why, and how to exercise rights (Section 5).

Consent

Obtain free, specific, informed, unconditional, and unambiguous consent for each purpose — or rely on a permitted legitimate use — and make consent easy to withdraw (Sections 6–7).

Security safeguards

Apply reasonable security safeguards to protect personal data, keep it accurate, and erase it once the purpose is served (Section 8).

Breach notification

Notify the Data Protection Board and affected data principals of a personal data breach, in the manner set out in the DPDP Rules 2025 (Section 8).

Grievance redressal

Publish the contact details of a person (or DPO) who can answer questions, and provide a readily available grievance-redressal mechanism (Sections 8 & 13).

Children’s data

For anyone under 18, obtain verifiable parental consent and carry out no tracking, behavioural monitoring, or targeted advertising (Section 9).

A Higher Tier

The Significant Data Fiduciary

A Significant Data Fiduciary (SDF) is a Data Fiduciary that the Central Government designates under Section 10, based on factors such as the volume and sensitivity of personal data processed and the risk to data principals or to the sovereignty and security of India. An organisation does not self-classify — it becomes an SDF only when notified.

Once designated, an SDF takes on three duties beyond those of an ordinary fiduciary: appoint a Data Protection Officer based in India who reports to the board; engage an independent data auditor to evaluate DPDP compliance; and run periodic Data Protection Impact Assessments (DPIAs) and audits.

The Other Side

What the fiduciary owes the Data Principal

The obligations exist to protect the Data Principal, who has enforceable rights under the DPDP Act: the right to access information about their personal data (Section 11), to correction and erasure (Section 12), to grievance redressal (Section 13), and of nomination (Section 14). A Data Fiduciary must build the workflows to honour those requests within the period prescribed by the DPDP Rules 2025.

Data Fiduciary — Common Questions

The questions people ask most about who a data fiduciary is under the DPDP Act.

Is a data fiduciary the same as a data controller?

In substance, yes. India’s DPDP Act 2023 uses the term “Data Fiduciary,” but the test is the same as the GDPR’s “data controller”: the party that, alone or with others, determines the purpose and means of processing personal data. The word “fiduciary” signals a duty of trust and care owed to the individual, but the classifying question is identical.

What’s the difference between a data fiduciary and a data processor?

A Data Fiduciary decides why and how personal data is processed and carries the DPDP Act’s obligations. A Data Processor only processes personal data on the fiduciary’s behalf, under its instructions and contract — for example a cloud host, payroll provider, or analytics vendor. A processor cannot decide the purpose of processing for itself; if it did, it would become a fiduciary in its own right.

Who is a Data Principal?

A Data Principal is the individual the personal data is about — the equivalent of a “data subject” under the GDPR. Where the individual is a child, the Data Principal includes the parent or lawful guardian; where the individual is a person with a disability, it includes their lawful guardian.

Who is a Significant Data Fiduciary?

A Significant Data Fiduciary (SDF) is a Data Fiduciary the Central Government designates under Section 10 of the DPDP Act, based on factors such as the volume and sensitivity of personal data processed and the risk to data principals or to the sovereignty and security of India. An SDF cannot self-classify — it becomes one only when notified — and it carries extra duties: an India-based DPO, an independent data audit, and periodic DPIAs.

Do I need a Data Protection Officer (DPO)?

A dedicated Data Protection Officer is mandatory only for Significant Data Fiduciaries, and that DPO must be based in India and report to the board. Every Data Fiduciary, however, must appoint a contact person (or DPO) whose details are published, so data principals can raise questions and grievances.

Is there a government “DPDP certificate” for data fiduciaries?

No. The DPDP Act 2023 is a law that imposes obligations on data fiduciaries; there is no official government “DPDP certificate” or certification a data fiduciary can obtain to prove compliance. Organisations demonstrate compliance through their own governance, records, and — for SDFs — independent data audits and DPIAs.

Continue your DPDP research

Related reading: the Learn hub, data governance frameworks, and what GRC is. More terms in the compliance glossary.

Written By Expert Auditors

Surendra Pal Singh
Chief Information Security Officer & Data Protection Officer
CISO · DPO · CISA · MCSE · ITIL · ISO 27001 Lead Auditor · ISO 27701 Lead Auditor · ISO 42001 Lead Auditor

Saundhi Chauhan
Lead Auditor
ISO 27001 Lead Auditor · ISO 27701 Lead Auditor

Last reviewed: July 2026
Content verified by certified lead auditors
