Data Fiduciary
The entity that determines the purpose and means of processing personal data — equivalent to a 'Controller' under the GDPR, but with the stronger 'fiduciary' duty of care.
Full Definition
Section 2(j) of the DPDP Act 2023 defines 'Data Fiduciary' as any person who alone or in conjunction with other persons determines the purpose and means of processing personal data. The term 'Fiduciary' is a deliberate constitutional choice — unlike GDPR's neutral term 'Controller', the fiduciary framing draws on the concept of a fiduciary relationship (as in lawyer-client, doctor-patient) where the fiduciary owes a higher duty of trust and care to the person whose data they hold. Core obligations of a Data Fiduciary include: obtaining valid consent, providing a notice before collecting data, ensuring data accuracy, implementing security safeguards, erasing data when purpose is served, and establishing a grievance redressal mechanism.
In Indian Law
DPDP Act 2023, Section 2(j). Core obligations in Sections 5–13. The Central Government can designate certain Data Fiduciaries as 'Significant Data Fiduciaries' (SDFs) under Section 10, attracting additional obligations: mandatory Data Protection Officer (DPO), consent manager integration, Data Protection Impact Assessment (DPIA), and periodic audits by an independent Data Auditor. Breach notification to the Data Protection Board and affected Data Principals is also mandatory under Section 8(6).
Landmark Cases
K.S. Puttaswamy v. Union of India (2017) — Fiduciary framing reflects the Puttaswamy court's emphasis on the asymmetric power relationship between data collectors and individuals
Frequently Asked Questions
Is every company that collects customer data a Data Fiduciary?
Yes — if they determine the purpose and means of processing personal data. A hospital collecting patient records, an e-commerce platform processing purchase history, and a bank holding account data are all Data Fiduciaries.
What is a Significant Data Fiduciary?
An SDF is a Data Fiduciary designated by the Central Government based on the volume and sensitivity of data processed, risk to Data Principals, national security considerations, and impact on sovereignty. SDFs face additional obligations including mandatory DPO appointment and periodic Data Protection Impact Assessments.