
Section 8 of Digital Personal Data Protection Act, 2023

General obligations of Data Fiduciaries under the DPDP Act

Updated Dec 2024

Introduction

The Digital Personal Data Protection Act, 2023 (DPDP Act) sets out the general obligations of Data Fiduciaries, delineating their roles and responsibilities in meeting the compliance requirements stipulated within the DPDP Act. Data Fiduciaries play a central role in building a secure data protection environment, ensuring privacy and safeguarding the rights of Data Principals.

The aim of this article is to highlight the general obligations of the Data Fiduciaries provided under Section 8 of the DPDP Act.

What are the obligations of a Data Fiduciary?

Compliance with the DPDP Act is mandatory for Data Fiduciaries when processing personal data of Data Principals, whether directly or through a Data Processor. This obligation applies irrespective of any agreement to the contrary and irrespective of any failure by the Data Principal to carry out the duties set out in the DPDP Act.

1. Appointment of a Data Processor
  • According to Section 8(2) of the DPDP Act, the Data Fiduciary is permitted to appoint, utilize, or engage a Data Processor for the processing of personal data on its behalf.
  • Such processing must be pertinent to the business activities of the Data Fiduciary concerning goods and services offered to the Data Principal.
  • The Data Fiduciary is mandated to execute a legally binding contract with the Data Processor to undertake any processing activity on its behalf.
2. Ensuring Completeness, Accuracy and Consistency of Personal Data

Section 8(3) of the DPDP Act mandates that Data Fiduciaries maintain the accuracy, completeness, and consistency of personal data when it is used for decisions impacting Data Principals' rights or when disclosed to another Data Fiduciary.

  • Personal data should accurately reflect the Data Principal's information.
  • Personal data collected should be comprehensive enough to fulfill its intended purpose.
  • Personal data should be standardized and uniform across all forms of identification.
3. Implementation of reasonable technical and organizational measures

Under Section 8(4) of the DPDP Act, the Data Fiduciary is required to implement appropriate technical and organizational measures to ensure effective observance of the provisions of the DPDP Act.

4. Security Safeguards

Under Section 8(5) of the DPDP Act, read with Rule 6 of the Draft Digital Personal Data Protection Rules, 2025 (DPDP Rules), a Data Fiduciary is obligated to safeguard personal data in its possession or under its control, including any processing conducted by itself or by a Data Processor acting on its behalf. These safeguards shall, at a minimum, comprise the following:

  • Implementation of suitable data security measures, such as the securing of personal data via encryption, obfuscation, masking techniques, or the utilization of virtual tokens mapped to said personal data.
  • Establishment of appropriate controls over access to the computer resources utilized by the Data Fiduciary or the aforementioned Data Processor.
  • Adoption of measures to ensure the continuity of processing operations in the event of compromise to the confidentiality, integrity, or availability of personal data.
  • Incorporation of explicit and suitable provisions within the contractual agreement entered into between the Data Fiduciary and the Data Processor, concerning the undertaking of reasonable security safeguards.
  • Deployment of appropriate technical and organizational mechanisms to ensure the consistent and effective observance of security safeguards.
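As an added example, not taken from the article, the Act or the Rules, the Python below shows two of the measures Rule 6 names, virtual tokens mapped to personal data and masking, applied to a constructed customer record. The class, function names, index key and sample values are assumptions; a production vault would also encrypt its store and sit behind the access controls described above.

```python
import hmac
import hashlib
import secrets

class TokenVault:
    """Holds the real value under a random virtual token. Only the vault keeps
    the mapping; application databases store just the token."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # secret for the blind lookup index
        self._token_to_value = {}            # token -> value (the vault store itself)
        self._index = {}                     # HMAC(value) -> token, so lookups need no plaintext key

    def _blind_index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        idx = self._blind_index(value)
        if idx in self._index:               # same value always maps to the same token
            return self._index[idx]
        token = "tok_" + secrets.token_hex(8)  # random: the token reveals nothing about the value
        self._token_to_value[token] = value
        self._index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers allowed to reach the vault can recover the value."""
        return self._token_to_value[token]

    def erase(self, value: str) -> bool:
        """Drop the mapping; tokens left in downstream copies become meaningless."""
        token = self._index.pop(self._blind_index(value), None)
        if token is None:
            return False
        del self._token_to_value[token]
        return True

def mask_phone(phone: str) -> str:
    """Masking for display: keep only the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "X" * (len(digits) - 4) + digits[-4:]

def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return the record as the application database should store it:
    a token for lookups and a masked value for display, never the raw number."""
    return {
        "customer_id": record["customer_id"],
        "phone_token": vault.tokenize(record["phone"]),
        "phone_masked": mask_phone(record["phone"]),
    }
```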
5. Breach Notification

Under Section 8(6) of the DPDP Act, read with Rule 7 of the Draft DPDP Rules, the Data Fiduciary is under an obligation to inform the Data Principal and the Data Protection Board of India of a personal data breach.

a) Intimation to the Data Principal

Rule 7(1) of the draft DPDP Rules mandates that the Data Fiduciary, to the best of its knowledge, shall promptly notify each affected Data Principal in a succinct, unambiguous, and readily comprehensible manner, through either the Data Principal's user account or any communication method registered with the Data Fiduciary.

The intimation to the Data Principal must contain:

  • A description of the breach, encompassing its nature, extent, and the timing and location of its occurrence.
  • The consequences relevant to the Data Principal that are likely to arise from the breach.
  • The measures implemented and being implemented by the Data Fiduciary to mitigate risk.
  • The safety measures that the Data Principal may take to protect their interests.
  • Business contact information of a designated person who is able to respond on behalf of the Data Fiduciary to any queries from the Data Principal.

b) Intimation to the Data Protection Board of India

As soon as the Data Fiduciary becomes aware of a data breach, it shall intimate to the Board, without delay, a description of the breach, including its nature, extent, timing and location of occurrence and its likely impact. Within seventy-two hours of becoming aware of the breach, or within such longer period as the Board may allow upon a written request, it shall further provide:

  • Updated and detailed information in respect of the initial description.
  • The broad facts related to the events, circumstances, and reasons leading to the breach.
  • Measures implemented or proposed, if any, to mitigate risk.
  • Any findings regarding the person who caused the breach.
  • Remedial measures taken to prevent recurrence of such breach.
  • A report regarding the intimations given to affected Data Principals.
6. Erasure of Personal Data
  • Under Section 8(7) of the DPDP Act, a Data Fiduciary shall, except where retention is mandated for compliance with extant legal statutes, undertake the erasure of personal data.
  • The Data Fiduciary is obligated to erase personal data when the Data Principal withdraws consent, or when it is reasonable to assume that the specified purpose for which the data was collected is no longer being served, whichever is earlier.
  • Furthermore, the Data Fiduciary is required to ensure that its designated Data Processor erases any personal data provided by the Data Fiduciary for processing purposes.

Illustration:

(I) Z signs up for a streaming service provided by W and agrees to allow W to process their personal data to receive personalized content recommendations. If Z cancels their subscription and withdraws consent, W is obligated to erase Z's personal data because the data is no longer required for its intended purpose.

(II) Z, a business, has entered into a contract with W, a telecommunications provider. Under its legal obligations, W is required to retain records of all business transactions for a period of seven years for audit purposes. Therefore, even if Z terminates the contract, W remains legally obligated to retain the transaction data for the mandated seven-year period.
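As an added example that is not part of the article, the Python below encodes the Section 8(7) decision described above (erase on consent withdrawal or purpose served, whichever is earlier, unless a statute requires retention) and runs it over constructed records modelled on the two illustrations. The record fields, dates and processor names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class PersonalDataRecord:
    principal: str
    purpose: str
    consent_withdrawn_on: Optional[date] = None
    purpose_served_on: Optional[date] = None
    legal_retention_until: Optional[date] = None   # set only where a statute mandates retention
    processors: List[str] = field(default_factory=list)  # Data Processors holding copies

def erasure_decision(rec: PersonalDataRecord, today: date) -> Tuple[str, str]:
    """Section 8(7) logic: erase on consent withdrawal or purpose served, whichever
    is earlier, unless retention is required by law. Returns (action, reason)."""
    triggers = [d for d in (rec.consent_withdrawn_on, rec.purpose_served_on) if d is not None]
    if not triggers:
        return "keep", "consent in force and purpose still being served"
    trigger = min(triggers)                       # whichever event came first
    if rec.legal_retention_until is not None and today < rec.legal_retention_until:
        return "retain", f"statutory retention runs until {rec.legal_retention_until}"
    return "erase", f"erasure triggered on {trigger}"

def erasure_instructions(records: List[PersonalDataRecord], today: date) -> List[dict]:
    """Records due for erasure, each with the processors that must erase their copies."""
    todo = []
    for rec in records:
        action, reason = erasure_decision(rec, today)
        if action == "erase":
            todo.append({"principal": rec.principal, "reason": reason,
                         "notify_processors": list(rec.processors)})
    return todo

# Constructed records mirroring the article's two illustrations (dates are assumed)
ILLUSTRATIONS = [
    PersonalDataRecord("Z", "personalised recommendations",
                       consent_withdrawn_on=date(2025, 3, 1),
                       processors=["recommendation-vendor"]),
    PersonalDataRecord("Z (business)", "telecom transaction records",
                       purpose_served_on=date(2025, 3, 1),            # contract terminated
                       legal_retention_until=date(2032, 3, 1)),       # seven-year audit retention
]

if __name__ == "__main__":
    for rec in ILLUSTRATIONS:
        print(rec.principal, erasure_decision(rec, date(2025, 4, 1)))
```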

7. Publication of Business Contact Information of Data Protection Officer

Section 8(9) of the DPDP Act specifies that the Data Fiduciary shall publish the business contact information of the Data Protection Officer (DPO) or of a person who is able to answer, on behalf of the Data Fiduciary, the questions raised by Data Principals.

Rule 9 of the Draft DPDP Rules specifies:

  • Mandatory Display of Contact Information: Data Fiduciaries must prominently display the professional contact details of the DPO, if appointed, or an authorized person on their official website or application.
  • Inclusion in Communications: The contact information must also be included in every response to Data Principal communications regarding their rights under the Act.
  • Purpose: This ensures Data Principals have a clear point of contact for inquiries about their personal data handling.
8. Establishment of a Grievance Redressal Mechanism

Section 8(10) of the DPDP Act places a mandatory obligation on the Data Fiduciary to establish a grievance redressal mechanism for Data Principals. The mechanism must be efficient in resolving their grievances.

Conclusion

Section 8 of the DPDP Act imposes specific obligations on Data Fiduciaries. These obligations include adhering to regulatory standards when processing personal data, formally appointing Data Processors through legally binding agreements, and ensuring data accuracy and consistency. Additionally, they must implement robust technical and organizational security measures.

Furthermore, Data Fiduciaries are obligated to formally notify Data Principals and the Data Protection Board of India in the event of a data breach. They must also erase personal data when consent is withdrawn or processing objectives are met, except where legal retention requirements apply. Lastly, they are required to provide contact information for a designated Data Protection Officer or an authorized representative to address inquiries from Data Principals.

Get Started with Data>Nuance

Reach out to Data>Nuance to ensure compliance with the provisions of the DPDP Act and ensure you are well equipped with best practices that meet legal standards while safeguarding your business from regulatory penalties. Let's make compliance effortless—before regulators make it expensive!
