BACK TO DPDP ACT
DPDP Act 2023

Section 8

General Obligations of Data Fiduciary

THE STATUTE

Original Text

(1) A Data Fiduciary shall be responsible for compliance with the provisions of this Act in respect of any processing undertaken by it or on its behalf by a Data Processor. (2) A Data Fiduciary shall, where applicable, make reasonable efforts to ensure the accuracy and completeness of personal data. (3) A Data Fiduciary shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of this Act. (4) A Data Fiduciary shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breach. (5) In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, notice of such breach in such form and manner as may be prescribed. (6) A Data Fiduciary shall, unless retention is necessary for compliance with any law for the time being in force, — (a) cease to retain personal data, or (b) cause its Data Processor to cease to retain personal data, upon the purpose for which such personal data was collected being met, or upon the consent of the Data Principal being withdrawn.

Simplified

[DPDP Rules 2025 — Rules 6, 7, 8 operationalise this section; in force 13 May 2027] Section 8 contains the core compliance obligations that every Data Fiduciary must meet. Six key duties: (1) Accountability — the Data Fiduciary remains responsible even when it outsources processing to a Data Processor; it cannot contract away its DPDP obligations. (2) Accuracy — reasonable efforts to keep data accurate and complete; particularly important for financial, health, and identity data. (3) Technical and organisational measures — data protection must be built into systems and business processes. (4) Security safeguards — a reasonable security standard to prevent breaches, benchmarked against the nature and volume of data. (5) Breach notification — the most operationally demanding obligation: the Data Fiduciary must notify the Data Protection Board AND each affected individual of any breach. The DPDP Rules will specify the timeline (expected to be along GDPR's 72-hour standard for Board notification). (6) Storage limitation — data must be deleted when the purpose is fulfilled or consent is withdrawn, unless a law requires retention. This is the 'right to be forgotten' built into the Data Fiduciary's obligations. Unlike GDPR which requires a data retention policy to be documented and communicated, the DPDP Act focuses on the outcome: delete when no longer needed.

Common Queries

Under Rule 7 of the DPDP Rules 2025, notification to affected Data Principals must happen 'without delay' (immediate in practice) and to the Data Protection Board within 72 hours of becoming aware of the breach. The Board notification must include root cause, remediation steps, and a summary of Data Principal intimations.
Rule 6 of the DPDP Rules 2025 specifies minimum safeguards: encryption, obfuscation, masking, or virtual tokenisation of personal data; access controls on computer resources; logs and monitoring for detecting unauthorised access; data backups for business continuity; and security contractual obligations in every Data Processor agreement. Logs must be retained for at least one year.
Yes. Section 8(1) makes the Data Fiduciary responsible for compliance in respect of any processing undertaken by a Data Processor on its behalf. The Data Fiduciary cannot contract away its DPDP Act obligations — if a Data Processor causes a breach through inadequate security, the Data Fiduciary is liable. Rule 6(f) requires security safeguard obligations to be included in every processor contract.
Under Section 8(6), personal data must be deleted when the purpose for which it was collected is fulfilled or consent is withdrawn — unless a law requires retention. Rule 8 of the DPDP Rules 2025 adds specific erasure timelines: large e-commerce (≥2 crore users), gaming (≥50 lakh users), and social media platforms (≥2 crore users) must erase data 3 years from the Data Principal's last interaction, with 48-hour prior notice. All Data Fiduciaries must retain processing logs for at least 1 year.
Up to ₹250 crore — the highest penalty in the Act — for failure to maintain reasonable security safeguards under Section 8(4) that results in a personal data breach. A further penalty of up to ₹200 crore applies for failure to notify the Board and affected Data Principals of the breach under Section 8(5).

Legal Context

IT Act Section 43A required 'reasonable security practices' but did not specify breach notification obligations. Major breaches — the Aadhaar data exposure controversies, the CoWIN data leak, banking data breaches — all occurred without any mandatory notification to affected individuals. Section 8's breach notification requirement fills this critical gap. India joins the EU, US, UK, and Australia in mandatory breach notification.

Key Rules & Provisions

First statutory breach notification requirement for personal data breaches in India.

Accountability principle — Data Fiduciaries remain responsible for Data Processor compliance.

Storage limitation codified as a mandatory deletion obligation — not just best practice.

DPDP Rules will specify breach notification timelines and format.

Rule 6 (DPDP Rules 2025): minimum security safeguards specified — encryption/masking/tokenisation, access controls, 1-year minimum log retention.

Rule 7: two-stage breach notification — immediate Data Principal intimation; detailed 72-hour report to Board with root cause, remediation, and intimation summary.

Rule 8 + Third Schedule: 3-year erasure window for e-commerce (≥2 cr users), gaming (≥50 lakh users), and social media (≥2 cr users) platforms; 48-hour prior notice to Data Principal.

Rule 8(3): all Data Fiduciaries must retain personal data and logs for minimum 1 year from date of processing.

Related Case Laws

Virendra Khanna v. State of Karnataka (2021)

WP No. 11759/2020 (Karnataka HC)
RELEVANCE

The Karnataka High Court upheld the use of WhatsApp data as evidence in a criminal case, noting the absence of any statutory breach notification obligation in Indian law at the time. Section 8(5) of the DPDP Act and Rule 7 of the DPDP Rules 2025 directly address this gap — creating the first statutory breach notification framework.