Data Principal vs Data Fiduciary vs Data Processor — DPDP Act Roles

Q: Can an organisation be both a Data Fiduciary and a Data Processor at the same time?

Yes. An HR SaaS platform is a Data Processor toward its enterprise clients but a Data Fiduciary toward its own employees. Each role carries its own set of obligations that must be managed separately.

Q: Does the DPDP Act apply to foreign companies processing data of Indian users?

Yes. The DPDP Act applies to processing of digital personal data within India and to processing outside India if it involves offering goods or services to individuals in India. Foreign companies with Indian users are in scope regardless of where their servers are located.

Q: How does the DPDP Act define a child Data Principal?

A child is defined as an individual under 18 years of age. Processing of a child's personal data requires verifiable parental consent, and behavioural monitoring or targeted advertising directed at children is prohibited.

📚 DPDP Act SeriesPart 1: Roles Defined·Part 2: 8 Rights →

India's DPDP Act introduces a clear cast of characters — each with distinct rights, obligations, and accountability. Before your organisation can think about compliance, you need to know who you are in the data ecosystem. Confusing these roles is not a semantic error — it creates real compliance blind spots in your consent architecture and vendor contracts.

Data Principal

The Individual

The person data is about. Has 8 enforceable rights.

Section 2(j) · DPDP Act 2023

Data Fiduciary

The Decision Maker

Determines purpose and means. Primary accountability.

Section 2(i) · DPDP Act 2023

Data Processor

The Executor

Processes on behalf of a Fiduciary. Contractual accountability.

Section 2(k) · DPDP Act 2023

Data Principal — The Person Behind the Data

Definition (Section 2(j)): A Data Principal is the individual to whom the personal data relates. If the data is about you, you are the Data Principal.

Who qualifies?

A customer filling out a KYC form on a fintech app
An employee whose HR records are maintained by their employer
A patient whose medical history is stored in a hospital system
A child — in which case, rights are exercised by the parent or lawful guardian

⚠️

Children as Data Principals

The DPDP Act gives special protection to minors under 18. Any processing of a child personal data requires verifiable parental consent. Organisations are prohibited from behavioural monitoring or targeted advertising directed at children — even on general-purpose platforms.

The Act grants Data Principals 8 enforceable rights — from accessing their data to grievance redressal. These are covered in full in Part 2 of this series on the 8 rights of Data Principals.

Data Fiduciary — The Decision Maker

Definition (Section 2(i)): A Data Fiduciary is any person (including a company, firm, or government body) who alone or in conjunction with others determines the purpose and means of processing personal data. The term "fiduciary" is deliberate — the law treats this entity as holding data in trust, with a duty of care toward the Data Principal.

Who is a Data Fiduciary?

An e-commerce platform that collects customer addresses and decides why (order delivery) and how (stored in their database, shared with logistics partners) that data is used
A hospital that stores patient records and defines retention policies
An HR SaaS tool that processes employee data for payroll and compliance

Core obligations

Obligation	What it means
Consent Management	Obtain free, informed, specific, unconditional consent before processing
Purpose Limitation	Use data only for the stated purpose
Data Minimisation	Collect only what is necessary
Accuracy	Keep personal data accurate and updated
Storage Limitation	Erase data once the purpose is fulfilled
Grievance Mechanism	Maintain a functional grievance officer
Breach Notification	Notify the Data Protection Board and affected Data Principals of breaches
Children Data	Apply heightened safeguards for minors

🔑

The Key Test

Who determines the purpose of processing? If you decide why data is collected and how it is used — you are the Data Fiduciary, regardless of what your contracts say. Purpose-determination is the defining criterion, not company size or industry.

Data Processor — The Executor

Definition (Section 2(k)): A Data Processor is any person who processes personal data on behalf of a Data Fiduciary.

Who is a Data Processor?

A cloud hosting provider (AWS, Azure) storing data for a SaaS company
A payroll vendor processing salary data for an enterprise client
An analytics firm processing clickstream data on behalf of an e-commerce brand
A security firm performing VAPT on a client environment

A Data Processor does not decide why data is collected or how it is ultimately used. They act strictly within the scope defined by the Fiduciary. However, this does not mean Processors are off the hook:

The Fiduciary must ensure their Processors comply via contractual obligations
Processors must implement adequate security safeguards independently
The Fiduciary remains ultimately accountable for what their Processor does with the data

Can One Entity Hold Multiple Roles?

Yes — and this is where most compliance confusion originates. Consider an HR SaaS platform:

Toward your customers (employers): You are a Data Processor — processing employee data on your client behalf, following their configuration.
Toward your own employees: You are a Data Fiduciary — determining how your team payroll, attendance, and performance data is collected and used.
Toward your vendors (background verification firms): You are a Data Fiduciary who has engaged a Data Processor.

💡

Why This Matters

Getting this mapping wrong creates real compliance blind spots. You may be over-engineering consent workflows for data you process as a Processor — or skipping them where you actually are the Fiduciary. A documented role classification matrix is what survives an audit.

What This Means for Your Product

At SecComply, role confusion surfaces repeatedly during DPDP gap analyses. Here is a four-step process to get it right before your next audit:

Data Flow MappingMap every personal data element your product touches. For each flow, ask: are we deciding the purpose, or executing someone else decision?

Role Classification MatrixCreate a matrix: data category x processing activity x role. This feeds directly into your consent architecture and vendor contracts.

Contractual AlignmentIf you engage Data Processors, your agreements must define scope, security obligations, breach notification timelines, and sub-processing restrictions.

Role-Aware Compliance ControlsTrack obligations separately by role. Mixing Fiduciary and Processor obligations in a single control set creates gaps that auditors will find.

Summary — All Three Roles

	Data Principal	Data Fiduciary	Data Processor
Who	Individual the data is about	Entity determining purpose and means	Entity processing on Fiduciary behalf
Key right / duty	Rights to access, correct, erase	Duty of care, consent, breach notification	Duty to implement safeguards per contract
Accountability	N/A	Primary accountability	Secondary, via contract
DPDP Section	2(j)	2(i)	2(k)

Understanding your role is the starting line for DPDP compliance. Before building consent workflows, drafting privacy notices, or appointing a DPO, be clear on exactly which hat you are wearing. For the full picture on what consent obligations follow from being a Data Fiduciary, read Part 3 of this series on consent under the DPDP Act.

Frequently Asked Questions

What is the difference between a Data Fiduciary and a Data Processor under the DPDP Act?▾

A Data Fiduciary determines the purpose and means of processing personal data — they decide why data is collected and how it is used. A Data Processor processes data on behalf of a Fiduciary, following the Fiduciary instructions. The Fiduciary holds primary accountability; the Processor obligations are defined by contract.

Can an organisation be both a Data Fiduciary and a Data Processor at the same time?▾

Yes. This is common for SaaS companies. An HR SaaS platform is a Data Processor toward its enterprise clients but a Data Fiduciary toward its own employees. Each role carries its own set of obligations that must be managed separately — a single compliance programme that does not distinguish between these roles will have gaps.

Does the DPDP Act apply to foreign companies processing data of Indian users?▾

Yes. The DPDP Act applies to the processing of digital personal data within India and to processing outside India if it involves offering goods or services to individuals in India. Foreign companies with Indian users are in scope regardless of where their servers are located.

What happens if a Data Processor violates obligations — who is accountable?▾

The Data Fiduciary remains primarily accountable for the actions of their Data Processors. The Fiduciary must ensure Processors comply via contractual obligations. The DPDP Act places ultimate responsibility on the Fiduciary who engaged the Processor, though Processors must also independently implement adequate security safeguards.

How does the DPDP Act define a child Data Principal?▾

Under the DPDP Act, a child is defined as an individual under 18 years of age. When a Data Principal is a child, their rights are exercised by a parent or lawful guardian. Processing of a child personal data requires verifiable parental consent, and behavioural monitoring or targeted advertising directed at children is prohibited even on general-purpose platforms.

Data Principal vs Data Fiduciary vs Data Processor — Roles Explained Under the DPDP Act