A Data Fiduciary is any person (individual, company, firm, association, or the State) who, alone or in conjunction with others, determines the purpose and means of processing personal data. Under Indian law, the term is defined in Section 2(i) of the Digital Personal Data Protection Act, 2023, and carries a comprehensive set of statutory obligations regarding consent, purpose limitation, data accuracy, storage limitation, and security of personal data.
Legal definition
The Digital Personal Data Protection Act, 2023 provides the statutory definition:
Section 2(i): "'Data Fiduciary' means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data."
The use of the term "fiduciary" — rather than the GDPR's "controller" — is deliberate. The term signals a relationship of trust: the data fiduciary holds personal data in a position of trust vis-à-vis the data principal, analogous to a trustee's obligations toward a beneficiary.
The Act also recognises two sub-categories:
Section 2(j): "'Data Processor' means any person who processes personal data on behalf of a Data Fiduciary."
Section 10(1): "The Central Government may... notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including — (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order."
The distinction between data fiduciary and data processor is critical: while data processors (such as cloud service providers or outsourced payroll companies) process data on behalf of fiduciaries, the legal obligations under the Act fall primarily on the data fiduciary. The data fiduciary remains responsible even when processing is outsourced to a data processor.
How courts have interpreted this term
Justice K.S. Puttaswamy (Retd.) v. Union of India [(2017) 10 SCC 1]
While the nine-judge bench ruling preceded the DPDP Act and did not use the specific term "data fiduciary," the Supreme Court's privacy judgment laid the conceptual foundation for the fiduciary obligation. Justice D.Y. Chandrachud observed that entities collecting personal data assume a "fiduciary duty" toward the individuals whose data they hold, and this duty arises from the inherent power asymmetry between the data collector and the data subject. The judgment's articulation of informational autonomy — that individuals must retain control over their personal data — directly shaped the DPDP Act's fiduciary model.
Justice K.S. Puttaswamy (Retd.) v. Union of India (Aadhaar) [(2019) 1 SCC 1]
The Constitution Bench, while upholding the Aadhaar framework, held that the Unique Identification Authority of India (UIDAI) acts in a fiduciary capacity when collecting and storing biometric data. Justice A.K. Sikri emphasised that the State, when acting as a data collector, must adhere to the same principles of purpose limitation, data minimisation, and proportionality that apply to private entities. The striking down of Section 57 of the Aadhaar Act — which had permitted private companies to demand Aadhaar authentication — reinforced the principle that a data fiduciary cannot repurpose data beyond the stated purpose of collection.
Types of data fiduciary
The DPDP Act recognises two tiers of data fiduciaries with different obligation levels:
- Data Fiduciary (general): Any entity that determines the purpose and means of processing personal data. Must comply with basic obligations under Sections 5-9 — providing notice, obtaining consent, ensuring purpose limitation, data accuracy, storage limitation, and reasonable security safeguards.
- Significant Data Fiduciary (SDF): A data fiduciary notified by the Central Government under Section 10 based on the volume and sensitivity of data processed, risk to data principals, and impact on sovereignty and public order. SDFs face enhanced obligations: appointing a Data Protection Officer (DPO) based in India, appointing an independent data auditor, conducting periodic Data Protection Impact Assessments, and undertaking periodic audits.
Why this matters
The concept of data fiduciary is the central compliance anchor of the DPDP Act. Every business that collects user data — whether an e-commerce platform collecting delivery addresses, a hospital maintaining patient records, a fintech app processing financial information, or a social media platform profiling user behaviour — is a data fiduciary under the Act and must comply with its obligations.
For businesses, understanding data fiduciary status is the first step in compliance. The key obligations include: providing clear notice about data processing before obtaining consent (Section 5), processing data only for the purpose for which consent was obtained (Section 8(1)), ensuring completeness and accuracy of data (Section 8(3)), deleting personal data when the purpose is fulfilled and retention is no longer necessary (Section 8(7)), and implementing reasonable security safeguards to prevent data breaches (Section 8(5)). Failure to meet these obligations can result in penalties up to Rs 250 crore per instance.
A practical challenge for many businesses is the distinction between acting as a data fiduciary and a data processor. A company may be a data fiduciary for data it collects from its own customers but simultaneously a data processor for data it handles on behalf of another business. The obligations differ significantly — only the data fiduciary bears primary liability under the Act, while the data processor's obligations flow from its contractual relationship with the fiduciary.
For practitioners advising clients, the Significant Data Fiduciary designation creates a two-tier compliance framework. Entities likely to be designated as SDFs include large banks, telecom companies, major e-commerce platforms, social media companies with substantial Indian user bases, and government bodies processing data at scale. These entities should proactively prepare for enhanced compliance requirements.
Frequently asked questions
Who qualifies as a data fiduciary under the DPDP Act?
Any person — individual, company, firm, association of persons, or the State — that determines the purpose and means of processing digital personal data is a data fiduciary under Section 2(i) of the DPDP Act. This includes businesses of all sizes, government departments, hospitals, educational institutions, and non-profit organisations that collect and process personal data. There is no turnover or size threshold — even a small business collecting customer phone numbers for delivery is a data fiduciary.
What is the difference between a data fiduciary and a data processor?
A data fiduciary determines the "purpose and means" of processing — it decides why and how personal data is processed. A data processor processes personal data on behalf of a data fiduciary — it acts on instructions from the fiduciary. For example, a bank (data fiduciary) that engages a cloud service provider (data processor) to store customer data retains primary responsibility for compliance. The DPDP Act imposes obligations primarily on fiduciaries, while processors are bound through contractual arrangements.
What are the obligations of a Significant Data Fiduciary?
A Significant Data Fiduciary (SDF), as notified by the Central Government under Section 10, must comply with enhanced obligations beyond those applicable to general data fiduciaries. These include appointing a Data Protection Officer based in India who reports to the board of directors, appointing an independent data auditor, conducting periodic Data Protection Impact Assessments, and undertaking periodic audits. SDFs are also required to ensure that the algorithmic processing of personal data does not pose a risk of significant harm to data principals.
Can the government be a data fiduciary?
Yes. The DPDP Act applies to the State and its instrumentalities when they process personal data. Government departments, public sector undertakings, and statutory bodies that determine the purpose and means of processing personal data are data fiduciaries. However, Section 7 provides certain exemptions for state processing — the State may process personal data without consent where it is necessary for the provision of subsidies, benefits, services, licences, or permits, and for the performance of any function authorised by law.
This entry is part of the Veritect Indian Legal Glossary, a comprehensive reference of Indian legal terminology grounded in statutory text and judicial interpretation.
Last updated: 2026-03-27. Veritect provides this content for informational purposes only; it does not constitute legal advice.