RESOURCE ARTICLE

Top 10 operational impacts of India’s DPDPA – Obligations of data processing entities

This article provides insight into the obligations of data processing entities under India's DPDPA.


Published: 5 Oct. 2023

Last updated: 20 Jan. 2026

This article is part of a series that explores the most important components of the DPDPA, as clarified by the DPDP Rules, 2025. The full series can be accessed here.

Editor’s note: On 13 Nov. 2025, India's government notified the Digital Personal Data Protection Rules, laying out a phased framework for implementing the provisions of the Digital Personal Data Protection Act. The aim is to avoid repetition across the articles as each author addressed it slightly differently.


India's data privacy law, the Digital Personal Data Protection Act, is unique in that it eschews the EU General Data Protection Regulation's model of data privacy legislation in favor of a simpler, less prescriptive law. In November 2025, the Ministry of Electronics and Information Technology announced the law will largely come into force 13 May 2027. The government finalized the rules under the law, providing additional details.

In the DPDPA, the regulation of data processors is minimal with only a handful of provisions on the topic. The act defines a data processor as anyone who processes personal information on behalf of a data fiduciary, the term used for a data controller under the law. Correspondingly, a data fiduciary is defined as any person who "alone or in conjunction with other persons determines the purpose and means of processing of personal data."

In fact, the law is focused almost entirely on data fiduciaries, including fulfilling the data principals' rights to access, correct and delete personal information. Only data fiduciaries are subject to provisions relating to special protections for children's personal data, procedures for addressing data principals' grievances and several other requirements.

The law requires a valid contract for transferring personal information to a data processor. The rules require the contract to contain provisions on reasonable security measures to be adopted by the data processor, even though the statute does not specify what must be included in the contract. These measures should, at a minimum, include encryption, obfuscation or masking of personal information, use of virtual tokens, restriction on access, maintenance of access logs, retention of logs for a period of one year, etc.

The rules also require the data fiduciary to retain personal data, associated traffic data and other processing logs for one year and ensure its data processor does the same. The data fiduciary's responsibility to verify the data processor's compliance is significant. As such, it may be interpreted that the law largely does not directly impose obligations on data processors; instead, it places responsibility on the data fiduciary to ensure the data processors comply with the law.

If a data processor violates the act, it is possible only the data fiduciary will be held liable. However, this is not entirely clear. In the schedule for penalties, only two provisions refer specifically to the obligation of the data fiduciary, including the requirement to maintain reasonable security safeguards. The penalty provision refers to a "person," rather than a data fiduciary. Nevertheless, it is true that individual data principals can also be held liable for failure to observe their obligations under the law. Overall, these provisions create some doubt about liability only being imposed on the data fiduciary.

The data fiduciary should be extra cautious in negotiating contracts with data processors, as the data fiduciary must assume it will be held liable for any violation. As such, the data fiduciary will want to carefully review indemnity and limitation of liability clauses to ensure it can transfer responsibility onto the data processor if held liable for the data processor's violations of the law. In this regard, it should be noted that penalties can go up to about USD28 million.

Significantly, this means the data fiduciary will initially be liable for violations by data processors. Moreover, the Data Protection Board of India or the appellate authority may conclude a violation has occurred, but may not allocate the degree of blame between the two relevant parties — the data fiduciary and the data processor — requiring litigation before courts or through arbitration. This could potentially involve substantial evidentiary proceedings to determine who was responsible and to what extent.

It should also be highlighted that the law does not specifically deal with situations of multiple data fiduciaries or joint data fiduciaries as the GDPR does. Going by the definition of a data fiduciary, multiple data fiduciaries may exist if multiple entities determine the means and purpose of data processing. In this case, a party that processes personal data on behalf of a data fiduciary may actually be a data fiduciary, not a data processor, and would be directly liable.

In India where data privacy compliance is still relatively nascent, data fiduciaries may have a heightened sense of fear about the likely consequences of privacy law violations by the data processor. Liability aside, it is important for data fiduciaries to ensure that data processors simply do not violate the act. Hence, data fiduciaries may need to impose strict standards on data processors, including periodic audits. This could also increase the costs of outsourcing.

A global impact

India plays a key role in the digital economy with its extensive outsourcing and offshore services industry. The country processes a significant portion of the world’s data. So how does the DPDPA apply to data processors in India?

One of the law’s provisions exempts most personal data belonging to people outside India when processed in India under a cross-border contract, meaning the law generally does not apply to such data.

This may initially raise eyebrows — after all, one of the reasons for having a data privacy law is to ensure personal data is protected in India. However, when personal data is collected in the country of the data subject, it is done so under that country's laws. Applying the law of the processor would lead to confusion, especially where the laws of the data processor are substantially different.


Contributors:

Stephen Mathias

Partner, Kochhar & Co


Tags:

Compliance tech, Law and regulation, Privacy engineering, Program management, Risk management, Strategy and governance, Government, Technology, Privacy