The Digital Personal Data Protection Act, 2023 (“DPDPA”) imposes obligations on organisations that determine the purpose and means of processing personal data, that is, “data fiduciaries”. The DPDPA does not directly regulate “data processors”, that is, organisations that process personal data on behalf of data fiduciaries. Data fiduciaries may only engage data processors upon entering into appropriate contractual arrangements with them. Given that the law does not directly apply to data processors, and imposes an overarching obligation on data fiduciaries to ensure compliance – data fiduciaries must ensure that contracts with data processors pass down all necessary obligations under the DPDPA.
This checklist is intended to serve as a guide for data fiduciaries on the legal and operational aspects of engaging data processors and ensuring compliance with the DPDPA.
| Category | S. No. | Question to Data Processor | Response |
| Contract with Processors | 1. | Is the data processor contractually bound to process data solely on the data fiduciary’s written instructions? | |
| 2. | Does the contract contain adequate provisions on allocation of liability (such as indemnities or warranties) to protect the data fiduciary’s interests? | ||
| 3. | Does the data processor agree to undertake an appropriate cyber liability insurance policy? |
