Under the Digital Personal Data Protection Act, 2023 (“DPDPA”), data fiduciaries are persons that determine the purposes and means of processing personal data. Data fiduciaries have the primary responsibility for compliance with the law’s requirements, and remain liable for acts and omissions of the data processors they appoint. Implementing processes and protocols to ensure compliance with the DPDPA’s requirements becomes a crucial aspect of any data fiduciary’s compliance journey. These organisations should also ensure that, where appropriate or necessary, relevant obligations are contractually passed on to and practically implemented by data processors. For more information on determining whether a personal data processing activity would render a business a data fiduciary or a data processor, refer to the Data and Privacy Hub’s templates on data inventories and actor analysis.

As a general note, data fiduciaries are subject to the following obligations:

1. Determining an Appropriate Legal Basis for Processing: Personal data may only be processed in compliance with the law and for lawful purposes. This processing can occur either with the explicit consent of the data principal or for certain legitimate purposes, which do not require prior consent. Legitimate interests include the voluntary provision of data by data principals, processing of personal data to respond to medical emergencies, processing of personal data in connection with a breakdown of public order, and processing for employment-related purposes. Data fiduciaries must therefore carefully identify a legal basis for each type of processing that they undertake. A single ground of processing may not be appropriate for different processing activities in respect of the same category of personal data. As an example, an individual may request a pharmacy to issue the receipt for supplies purchased to her phone number. The pharmacy may rely on the ground of voluntary provision of data by the data principal to send her the receipt. However, the pharmacy cannot rely on this ground to send marketing or promotional messages to the individual’s phone number; it will have to identify a different ground of processing to do so. A data inventory is a useful mechanism for a data fiduciary to map each processing activity it undertakes and identify a corresponding appropriate basis for such processing. Refer to the Data and Privacy Hub’s data inventory template for more information.