DPDP Act 2023

Section 10

Additional Obligations of Significant Data Fiduciary

THE STATUTE

Original Text

(1) The Central Government may, having regard to the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, potential impact on sovereignty and integrity of India, risk to electoral democracy, security of the State, public order, or any other factor it may consider necessary, notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary.

(2) Every Significant Data Fiduciary shall —

(a) appoint a Data Protection Officer who shall —

(i) be based in India;

(ii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary;

(iii) act as the point of contact for the grievance redressal mechanism in section 13 and represent the Significant Data Fiduciary before the Board;

(b) appoint an independent data auditor to evaluate the compliance of the Significant Data Fiduciary;

(c) undertake such other measures, including —

(i) periodic Data Protection Impact Assessment;

(ii) periodic audit;

(iii) measures relating to algorithmic accountability;

as may be prescribed.

Simplified

[DPDP Rules 2025 — Rule 13 operationalises this section; in force 13 May 2027]

Section 10 creates a two-tier Data Fiduciary system. All Data Fiduciaries must comply with the general obligations under Sections 5–9 and 11–16. Significant Data Fiduciaries (SDFs) — entities notified by the Central Government based on the factors in Section 10(1) — must comply with all of that plus the additional obligations in Section 10(2).

The designation criteria are broad and discretionary: volume of data processed, sensitivity of data, risk to Data Principal rights, potential impact on India's sovereignty and integrity, risk to electoral democracy, security of the State, and public order. Large social media platforms, major e-commerce marketplaces, search engines, payment aggregators, and other entities with hundreds of millions of Indian users are the obvious candidates for SDF notification.

The enhanced obligations have four main pillars.

DPO in India: the Data Protection Officer must be physically based in India — not a remote DPO outside the jurisdiction. The DPO reports to the Board of Directors (not just a compliance team), must represent the SDF before the Data Protection Board, and is the contact point for the Section 13 grievance mechanism. This board-level accountability gives the DPO structural independence and elevates data protection to a governance-level function.

Independent data audit: an independent (not internal) auditor must evaluate the SDF's compliance — an external check on self-reported compliance. The audit framework will be specified in the DPDP Rules.

Data Protection Impact Assessment (DPIA): periodic assessment of the risks that data processing poses to Data Principals — similar to GDPR's Article 35 DPIAs, which are mandatory for high-risk processing. The DPIA identifies risks before they materialise and documents mitigation.

Algorithmic accountability: SDFs processing data in recommendation algorithms, content curation, credit scoring, or other algorithmic decision-making systems must demonstrate accountability for those algorithms — expected to include explainability requirements and bias audits.

The potential impact on electoral democracy as a designation criterion is particularly significant: social media platforms used in election contexts — where algorithmic amplification can influence voter sentiment — may face SDF designation specifically for their role in democratic processes, requiring algorithmic accountability measures.

Common Queries

The Central Government, by notification. No entity automatically becomes an SDF — the government must specifically notify it. The criteria include data volume, sensitivity, national security implications, and electoral risks. Large social media platforms, major search engines, and payment aggregators are the most likely candidates.
The Act does not specify legal qualifications. The DPO must be an individual (not a company) based in India who is accountable to the Board of Directors. In practice, the role requires expertise in data protection law, technology, and risk management — a combination of legal, technical, and governance skills.
A DPIA is a structured assessment of the risks that a specific processing activity poses to the rights and well-being of Data Principals. It identifies risks in advance, evaluates their severity, and documents mitigation measures. It is particularly important before launching new products, features, or processing activities that involve large-scale or sensitive data.
The DPDP Rules will specify the content, but it is expected to require: documentation of how recommendation and decision-making algorithms work, impact assessments for algorithmic bias, explainability mechanisms for automated decisions affecting Data Principals, and audit trails showing the algorithm's outcomes over time.
Yes. The SDF designation applies to Data Fiduciaries under the DPDP Act — which includes foreign entities processing Indian data under Section 3(2). A foreign social media platform with hundreds of millions of Indian users could be notified as an SDF and required to appoint a DPO based in India.

Legal Context

The two-tier Data Fiduciary concept — general obligations for all, enhanced obligations for large-scale or sensitive processors — mirrors the GDPR's distinction between data controllers generally and those whose processing requires DPIAs. The DPO requirement follows GDPR Articles 37–39. The algorithmic accountability requirement is more explicit than GDPR's general provisions and reflects global regulatory attention to AI and automated decision-making. The electoral democracy criterion is unique to India and responds to documented concerns about social media platforms' role in Indian elections.

Key Rules & Provisions

SDF notification is Central Government discretion — based on volume, sensitivity, national security, and electoral risks.

DPO must be in India and report to Board of Directors — not a junior compliance function.

Algorithmic accountability obligations — first statutory basis for algorithm audit in India.

Independent external audit — not just internal self-certification.

Rule 13 (DPDP Rules 2025): annual DPIA and compliance audit mandatory — Board receives report of significant findings.

Rule 13(3): algorithmic due diligence — all algorithmic software must be verified as not posing risk to Data Principal rights.

Rule 13(4): localisation obligation for government-notified personal data categories — both data and traffic data must remain in India.

Related Case Laws

Tehseen Poonawalla v. Union of India (2018)

(2018) 9 SCC 501
RELEVANCE

The Supreme Court's order directing social media platforms to prevent misuse of their platforms for mob violence — and the Court's concern about algorithmic amplification of harmful content — directly anticipates Section 10's algorithmic accountability obligation for Significant Data Fiduciaries, particularly social media platforms designated as SDFs.