Data Principal, Data Fiduciary, and Data Processor under DPDP Act 2023

The Digital Personal Data Protection Act (DPDP Act) 2023 defines three key roles in the processing of personal data:

1. Data Principal: This is the individual whose personal data is being processed. In simpler terms, it’s you! The Act grants you several rights regarding your data, including:

  • Right to access: You can request information about your data, how it’s used, and who has access to it.
  • Right to correction: You can ask for your data to be corrected if it’s inaccurate or incomplete.
  • Right to erasure: You can request deletion of your data if it’s no longer needed or you withdraw consent.
  • Right to restrict processing: You can limit how your data is used.
  • Right to data portability: You can request your data in a format that allows you to transfer it to another service provider.

Example: You are the Data Principal when a social media platform collects your name, profile picture, and location data.

2. Data Fiduciary: This is the organization responsible for determining the purpose and means of processing your personal data. They must comply with the Act and fulfill your rights as the Data Principal. Some key responsibilities include:

  • Providing clear and transparent information: You should be informed about how your data is collected, used, and shared.
  • Obtaining your consent: Processing generally requires your consent, unless certain exceptions apply.
  • Taking security measures: The Fiduciary must protect your data from unauthorized access, use, or disclosure.
  • Responding to your requests: They must respond to your requests regarding your data within a reasonable timeframe.

Example: The social media platform mentioned earlier is the Data Fiduciary responsible for your data on their platform.

3. Data Processor: This is an entity that processes personal data on behalf of the Data Fiduciary, according to their instructions. They have specific obligations to:

  • Process data only as instructed by the Fiduciary.
  • Implement appropriate security measures.
  • Not share data with unauthorized third parties.
  • Assist the Fiduciary in fulfilling your rights as the Data Principal.

Example: A cloud storage provider used by the social media platform to store your data would be a Data Processor.

Important points to note:

  • The DPDP Act classifies Data Fiduciaries into two categories: “Significant Data Fiduciaries” and “Non-Significant Data Fiduciaries.” The former face stricter obligations due to the volume and sensitivity of data processed.
  • The Act specifies various exemptions and exceptions where certain provisions may not apply.

The above are simple explanations of the roles of Data Principal, Data Fiduciary, and Data Processor under the DPDP Act 2023. Please note that this is not legal advice, and you should consult a professional for specific guidance. For better clarity, read the Digital Personal Data Protection Act 2023 on the MeitY website.