Understanding the Draft Digital Personal Data Protection Rules, 2025

On January 3, 2025, the Union Government released the draft Digital Personal Data Protection Rules, 2025 [1] (“Draft Rules”). Framed under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Draft Rules have been published for public consultation, with objections and suggestions to be submitted to the Ministry of Electronics and Information Technology by February 18, 2025. The Draft Rules seek to operationalise the DPDP Act and further safeguard citizens’ rights over their personal data, as part of India’s effort to build a robust framework for the protection of digital personal data.

In this blog, we break down the key provisions of the Draft Rules against their background in the DPDP Act, and highlight certain challenges in the draft legislation.

Background: the DPDP Act, 2023

The DPDP Act was a landmark step towards India’s adoption of a robust data protection regime. It is India’s first comprehensive law dedicated to the protection of personal data and received presidential assent on August 11, 2023. However, the Act is yet to be notified for enforcement, and implementation is expected in a phased manner. To understand the impact of the Draft Rules [2], it is crucial to first understand the key terms and legal framework introduced by the DPDP Act.

A. Key Terms:

  • Board: the Data Protection Board of India established by the Central Government. 
  • Consent Manager: a person registered with the Board who acts as a single point of contact to enable a Data Principal to give, manage, review, and withdraw consent through an accessible, transparent and interoperable platform.
  • Data Fiduciary: any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.
  • Data Principal: the individual to whom the personal data relates. The ambit of this definition is expanded where the Data Principal is: (i) a child, to include their parents and/or lawful guardian; and (ii) a person with disability, to include their lawful guardian.
  • Data Processor: person processing personal data on behalf of a Data Fiduciary.
  • Personal Data: any data about an individual who can be identified by or in relation to such data.
  • Processing: in relation to personal data, a wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

B. Legal Framework:

  • Scope and Applicability: Applies to the processing of personal data within India and to entities outside India offering goods/services to individuals in India. Covers personal data collected in digital form or data that is digitized after collection and excludes personal data processed for a personal or domestic purpose and data made publicly available by the Data Principal.
  • Data Processing: Statutory requirement for clear, informed and unambiguous consent from Data Principals, accompanied by a notice of their rights. Certain scenarios (such as compliance with legal obligations or medical emergencies) permit processing without explicit consent, i.e., for certain legitimate uses [3].
  • Data Principals: Given rights that include access to information, correction and erasure of data, grievance redressal, and the ability to nominate representatives for exercising rights in case of incapacity or death. 
  • Data Fiduciaries: Obligated to implement data protection measures, establish grievance redressal mechanisms, and ensure data security. Significant Data Fiduciaries [4] are additionally required to conduct Data Protection Impact Assessments (DPIAs), appoint a Data Protection Officer, and appoint an independent data auditor to evaluate compliance with the DPDP Act.
  • Cross-Border Data Transfer: In a departure from the earlier regime requiring data localisation, the DPDP Act permits cross-border transfer of data unless explicitly restricted by the Indian government.
  • Organisational Impact: Organisations must assess and enhance their data protection frameworks to comply with the DPDP Act. Key steps include appointing a Data Protection Officer (for Significant Data Fiduciaries), implementing robust security measures, establishing clear data processing agreements, and ensuring mechanisms for Data Principals to exercise their rights.
  • Penalties: Monetary penalty can be imposed by the Board based on the circumstances of the breach and the resultant impact (including whether any gain/loss has been realised/avoided by a person). 

Enabling Mechanisms: the DPDP Rules, 2025

Under Section 40 of the DPDP Act, the Central Government is empowered to make rules to implement the Act. Pursuant to this, the Draft Rules seek to provide guidance on compliance, operational aspects, administration and enforcement of the DPDP Act. The Draft Rules are to come into force upon publication; however, certain critical provisions will only become effective at a later date [5].

Key Provisions:

  • Notice Requirements for Data Fiduciaries: The notice seeking consent from the Data Principal should be clear, standalone, simple and understandable. Most crucially, the Draft Rules specify that the notice should include an itemised list of the personal data being collected and a clear description of the goods, services or uses enabled by such processing. The Data Principal should also be informed of the manner in which they can withdraw consent, exercise their rights and file complaints; Data Fiduciaries should provide a communication link and describe the methods by which the Data Principal can withdraw consent or file a complaint with the Board.
  • Consent Managers: Strict eligibility criteria have been prescribed for Consent Managers: the applicant must be an India-incorporated company with sound financial and operational capacity, a minimum net worth of INR 2,00,00,000, a reputation for fairness and integrity, and a certified interoperable platform enabling Data Principals to manage their consent. Consent Managers must uphold high standards of transparency, security and fiduciary responsibility, are required to be registered with the Board, and act as a single point of contact for Data Principals. Any transfer of control of such an entity will require the prior approval of the Board.
  • Data Processing by the State: The government can process personal data to provide subsidies, benefits, certificates, services, licences or permits. However, such processing must comply with the standards prescribed in the Draft Rules [6], which require that the handling of personal data be lawful, transparent and secure.
  • Reasonable Security Safeguards: The Draft Rules require Data Fiduciaries to implement ‘reasonable security safeguards’ to protect personal data. These include encryption of data, access control, monitoring of access (particularly to detect unauthorised access), and backups of data. The safeguards should also include measures to detect and respond to personal data breaches, retention of logs, and appropriate security obligations built into contracts with Data Processors.
  • Data Breach Notification: Data Fiduciaries are required to promptly notify all affected Data Principals in the event of a personal data breach. This notification should include a clear explanation of the breach: its nature, extent, timing, potential consequences, the mitigation measures taken and safety recommendations for the Data Principal. The Board is also required to be informed of the breach (including a description of its nature, extent, timing, location and likely impact) within 72 hours of the Data Fiduciary becoming aware of it; a longer timeline may be permitted upon request.
  • Accountability and Compliance: Data Fiduciaries must publish their grievance redressal mechanisms on their platforms and bear the obligation to ensure lawful processing of personal data. Processing is to be limited to ‘necessary purposes’, and data may only be retained for ‘as long as needed’.
  • Data Retention by E-Commerce Entities and Online Gaming and Social Media Intermediaries: The Draft Rules require the deletion of user data after 3 years [7] by: (i) e-commerce entities having a minimum of 2,00,00,000 registered users in India; (ii) online gaming intermediaries having a minimum of 50,00,000 registered users in India; and (iii) social media intermediaries having a minimum of 2,00,00,000 registered users in India.
  • Consent for Children and Persons with Disabilities: The DPDP Act and Draft Rules envisage greater protection for the personal data of children and persons with disabilities. Verifiable consent must be obtained from parents or lawful guardians in accordance with the requirements set out in the Draft Rules. Critically, a Data Fiduciary must implement measures to ensure that the person giving consent on behalf of a child or person with disability is in fact that child’s or person’s identifiable parent or lawful guardian. The Data Fiduciary is further required to verify that the parent is an adult using reliable identity details or virtual tokens mapped to such details.
  • Impact Assessment: The Draft Rules require Significant Data Fiduciaries to conduct yearly DPIAs to evaluate the risks associated with their data processing activities, and to exercise due diligence in verifying their algorithmic software [8] to ensure that it poses no risk to the rights of Data Principals.
  • Data Transfer Outside India: Discretion is left to the Central Government to set any requirements in respect of making personal data available to a foreign state or its entities. Data Fiduciaries processing data within India or in connection with goods or services offered to Data Principals from outside India must comply with these requirements as may be prescribed from time to time. 
  • Exemptions: The Draft Rules prescribe exemptions for the processing of personal data carried out: (i) for research, archival or statistical purposes, which is exempted from the DPDP Act subject to compliance with the standards set out in Schedule II of the Draft Rules [9]; and (ii) by healthcare professionals, educational institutions, creche or day care facilities and their transporters, which are exempted from certain obligations relating to children’s personal data, subject to the conditions set out in Schedule IV of the Draft Rules.
  • Enforcement: Including establishment of the regulatory authority (i.e., the Board), appointment of its chairperson, members, etc. and the appellate framework for decisions of the Board, the Draft Rules prescribe the mechanism for enforcement of the DPDP Act, including redressal of grievances and any consequent penalties imposed for contraventions of the law.

Implications of the Draft Rules

While the Draft Rules have been long awaited, there is still no clarity on the implementation timeline. Further, while the Ministry of Electronics & Information Technology has requested public comments on the Draft Rules, the submissions received are unlikely to be made public. At the outset, it is apparent that the Draft Rules will require organisations to make significant investments in compliance measures to meet the requirements outlined, including robust consent management systems, enhanced security controls and transparent communication mechanisms with users. This will increase the overall compliance costs borne by businesses, particularly smaller entities. Some of the key issues with this framework are set out below:

  • Operational Costs: Businesses may be required to restructure their platforms at a design and architecture level of application, leading to increased costs. With the added compliance burdens, this will also result in increased costs related to conducting regular audits and verifying algorithmic software (particularly by Significant Data Fiduciaries) and can lead to stifled innovation and limit market entry for upcoming businesses.
  • Vagueness: Terms such as “reasonable safeguards”, “appropriate measures” or “necessary purposes” are used liberally in the Draft Rules however the same have not been adequately defined in the law, leaving a lack of clarity on what constitutes “reasonable”, “appropriate” or “necessary” standards. Further, use of phrasing such as “likely to pose a risk to the rights of data principals” does not provide clarity in satisfaction of due diligence obligations, which can lead to subjective enforcement.
  • Significant reliance on discretionary authority: The Union Government has been given significant authority in determining exemptions, processing standards, data transfer requirements and government functions involving data processing. Consequently, the Government has wide power to determine the limits of the law, with no clear criteria provided for objective assessment, raising questions of fairness and transparency. The Draft Rules also do not appear to adhere to the directions of the Supreme Court in the landmark judgment of K.S. Puttaswamy v Union of India [10], which explicitly states that: “the matter shall be dealt with appropriately by the Union Government, with due regard to what has been set out in this judgment” (emphasis supplied). Further, large parts of the implementation and enforcement will be administered at the discretion of the competent government ministry, leaving the foundational framework unclear.
  • Potential for mandatory universal registration: The verifiable parental consent requirements for children’s data could in practice require every online user to verify their age through government credentials, even though the Draft Rules appear to rely on self-declaration. Parents and lawful guardians would in turn be required to furnish government-issued identity to verify their credentials. This mechanism not only sits uneasily with the principles of data minimisation and retention limitation but also risks over-collection, prolonged storage and potential mass surveillance [11].
  • Lack of clarity in the law: In addition to the absence of a guiding framework for the mode of delivery of notices [12], the Draft Rules create further ambiguity in relation to legislation such as the Rights of Persons with Disabilities Act, 2016, the Guardians and Wards Act, 1890, the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999, and the Mental Healthcare Act, 2017, with respect to consent notices issued to persons with disabilities and children. The DPDP Act also does not regulate non-personal data (such as traffic data), and procedures such as the appointment of nominees or the timeline for appeals against orders of the Board are not clearly set out in the Draft Rules. The Draft Rules also need to be harmonised with existing legislation such as the Information Technology Act, 2000 and the CERT-In directions issued thereunder, which require cyber incidents to be reported within 6 hours.

Concluding Thoughts

The Draft Digital Personal Data Protection Rules, 2025, represent a significant step toward operationalizing India’s ambitious DPDP Act, 2023, and businesses can use the Draft Rules as guidelines to determine the extent of revision of their existing data protection framework that may be required. While the Draft Rules aim to create a robust framework for safeguarding personal data, their implementation will require businesses to overhaul their data protection systems, leading to increased compliance costs and operational challenges. However, despite progressive provisions like Consent Managers and enhanced security measures, the Draft Rules leave room for ambiguity, particularly with undefined terms and broad discretionary powers. As stakeholders await further clarity and finalization, it is evident that achieving a balance between privacy rights, operational feasibility, and fostering innovation will be crucial for the success of this legislation. 

India’s journey toward a comprehensive data protection regime has begun, but a clear roadmap for implementation, harmonization with existing laws, and addressing key gaps will be pivotal in building trust and driving compliance across sectors. For businesses, the time to prepare is now—building compliant frameworks will not just ensure legal adherence but also enhance user confidence in the digital ecosystem.

Stay tuned for more #TreelifeInsights as the Draft Rules evolve into actionable mandates.

References

  [1] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271
  [2] https://pib.gov.in/PressReleasePage.aspx?PRID=2090271
  [3] This marks a change from the earlier regime, which included a concept of “deemed consent”. The DPDP Act creates a category of permitted use that does not require explicit consent. See Section 7 of the DPDP Act.
  [4] Data Fiduciaries notified by the Central Government under Section 10 of the DPDP Act, on the basis of factors such as: (i) volume and sensitivity of personal data processed; (ii) risk to the rights of the Data Principal; (iii) potential impact on the sovereignty and integrity of India; (iv) risk to electoral democracy; (v) security of the state; and (vi) public order. Significant Data Fiduciaries have additional obligations under the DPDP Act.
  [5] Rules 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 21 and 22. See: Explanatory Note to Digital Personal Data Protection Rules, 2025, published by the Ministry of Electronics & Information Technology on January 3, 2025: https://www.meity.gov.in/writereaddata/files/Explanatory-Note-DPDP-Rules-2025.pdf
  [6] See Schedule II of the Draft Rules.
  [7] Subject to users actively maintaining their accounts.
  [8] The verification exercise focuses on software deployed for hosting, display, uploading, modification, publishing, transmission, storage, updation or sharing of personal data processed by the Data Fiduciary.
  [9] This exemption is granted to ensure that necessary data processing for academic and policy research can occur while maintaining safeguards and standards to protect such data.
  [10] (2018) 8 S.C.R. 1, where the principles of “proportionality” and “necessity” were held to be essential safeguards of any data protection regime.
  [11] https://internetfreedom.in/statement-on-the-draft-dpdp-rules-2025/
  [12] https://www.fortuneindia.com/macro/draft-dpdp-rules-2025-a-closer-look-at-the-hits-and-misses/119825

Contractual Requirements under the DPDP Act, 2023

BACKGROUND

Under India’s new Digital Personal Data Protection Act, 2023 (the “DPDP Act”), entities which process any personal data in digital form will be required to implement appropriate technical and organizational measures to ensure compliance. In addition, entities will remain responsible for protecting such data as long as it remains in their possession or under their control, including in respect of separate processing tasks undertaken by data processors on their behalf. These overarching responsibilities will extend to taking reasonable security safeguards and procedures to prevent data breaches, as well as complying with prescribed steps if and when a breach does occur.

Importantly, unlike its predecessor draft and unlike the General Data Protection Regulation (“GDPR”) of the European Union, which places direct regulatory obligations on data processors, the DPDP Act places responsibility towards the individuals concerned solely on the data fiduciary, rather than creating ‘joint and several’ or shared liability with contracted data processors, even where the actual processing is undertaken by the latter pursuant to a contract or other processing arrangement.

This position appears to be based on the principle that an entity which decides the purpose and means of processing should be held primarily accountable in the event of a personal data breach. Such liability may also be invoked when an event of non-compliance arises on account of the negligence of a data processor. While processing tasks can be delegated to a third party, such delegation and/or outsourcing needs to be made under a valid contract in specified cases.

Further, organizations need to ensure that their own compliance requirements and other statutory obligations remain mirrored in their supply chain in terms of (i) implementing appropriate technical and organizational measures, as well as (ii) taking reasonable security safeguards to prevent a personal data breach. This parallel compliance regime will extend to the actions and practices of data processors, including in terms of rectifying or erasing data. For example, when an individual withdraws a previously issued consent with respect to the processing of personal data for a specified purpose, all entities processing their data – including contracted data processors – must stop, and/or must be made to stop, the processing of such information – failing which the primary entity may be held liable.


CONTRACTUAL ARRANGEMENTS

Although the term ‘processing,’ as defined in the DPDP Act, involves automated operations, such operations may be either fully or partially automated. Moreover, the definition covers a wide range of operations that businesses routinely perform on data, including the collection, storage, use and sharing of information. Thus, even business operations that involve some amount of human intervention or stem from human prompts will fall within the definition of ‘processing,’ and the DPDP Act will apply in all such cases.

A “data fiduciary” (i.e., those entities which determine the purpose and means of processing personal data, including in conjunction with other entities) can engage, appoint, use or otherwise involve a data processor to process personal information on its behalf for any activity related to the offering of goods or services to “data principals” (i.e., specifically identifiable individuals to whom the personal data relates) as long as it is done through a valid contract. However, irrespective of any agreement to the contrary, a data fiduciary will remain responsible for complying with the provisions of the law, including in respect of any processing undertaken on its behalf by a data processor.


DUE DILIGENCE AND RISK ASSESSMENT

Given that data fiduciaries may be ultimately responsible for the omissions of data processors, contracts between such entities need to be negotiated carefully. In this regard, the risks associated with such outsourced data processing activities need to be taken into account by data fiduciaries, including in respect of risks related to the following categories:

  1. Compliance: where obligations under the DPDP Act with respect to implementing appropriate technical and organizational measures, preventing personal data breach and protecting data are not adequately complied with by a data processor;
  2. Contractual: where a data fiduciary may not have the ability to enforce the contract;
  3. Cybersecurity: where a breach in a data processor’s information technology (“IT”) systems may lead to potential loss, leak or breach of personal data;
  4. Legal: where the data fiduciary is subjected to financial penalties due to the negligence or omission of the data processor; and
  5. Operational: arising due to technology failure, fraud, error, inadequate capacity to fulfill obligations and/or to provide remedies.

Thus, data fiduciaries need to (1) exercise due diligence, (2) put in place sound and responsive risk management practices for effective supervision, and (3) manage the risks arising from outsourced data processing activities. Accordingly, data fiduciaries need to select data processors based on a comprehensive risk assessment strategy.

A data fiduciary may need to retain ultimate control over the delegated data processing activity. Since such processing arrangements will not affect the rights of an individual data principal against the data fiduciary – including in respect of the former’s statutory right to avail of an effective grievance redressal mechanism under the DPDP Act – the responsibility of addressing such grievances will rest with the data fiduciary itself, including in respect of the services provided by the data processor.

If, on the other hand, a data fiduciary outsources its grievance redressal function to a third party, it needs to provide data principals with the option of accessing its own nodal officials directly (i.e., a data protection officer, where applicable, or any other person authorized by such data fiduciary to respond to communications from a data principal for the purpose of exercising their rights).

In light of the above, before entering into data processing arrangements, a data fiduciary may want to have a board-approved processing policy which incorporates specific selection criteria for: (i) all data processing activities and data processors; (ii) parameters for grading the criticality of outsourced data processing; (iii) delegation of authority depending on risks and criticality; and (iv) systems to monitor and review the operation of data processing activities.


DATA PROCESSING AGREEMENT

The terms and conditions governing the contract between the data fiduciary and the data processor should be carefully defined in written data processing agreements (“DPAs”) and vetted by the data fiduciary’s legal counsel for legal effect and enforceability. Each DPA should address the risks and the strategies for mitigation. The agreement should also be sufficiently flexible to allow the data fiduciary to retain adequate control over the delegated activity and the right to intervene with appropriate measures to meet legal and regulatory obligations. In situations where the primary or initial interface with data principals lies with data processors (e.g., where data processors are made responsible for collecting personal data on behalf of data fiduciaries), the nature of the legal relationship between the parties, including in respect of agency or otherwise, should also be made explicit in the contract. Some of the key provisions could incorporate the following:

  • Defining the data processing activity, including appropriate service and performance standards;
  • The data fiduciary’s access to all records and information relevant to the processing activity, as available with the data processor;
  • Providing for continuous monitoring and assessment by the data fiduciary of the data processing activity, so that any corrective measures can be taken immediately;
  • Ensuring that controls are in place for maintaining the confidentiality of customer data, and incorporating the data processor’s liability in case of a security breach and/or a data leak;
  • Incorporating contingency plans to ensure business continuity;
  • Requiring the data fiduciary’s prior approval for the use of sub-contractors for all or part of a delegated processing activity;
  • Retaining the data fiduciary’s right to conduct an audit of the data processor’s operations, as well as the right to obtain copies of audit reports and findings made about the data processor in conjunction with the contracted processing services;
  • Adding clauses which make clear that government, regulatory or other authorized person(s) may want to access the data fiduciary’s records, including those that relate to delegated processing tasks;
  • In light of the above, adding further clauses related to a clear obligation on the data processor to comply with directions given by the government or other authorities with respect to processing activities related to the data fiduciary;
  • Incorporating clauses to recognize the right of the data fiduciary to inspect the data processor’s IT and cybersecurity systems;
  • Maintaining the confidentiality of personal information even after the agreement expires or gets terminated; and
  • The data processor’s obligations related to preserving records and data in accordance with the legal and/or regulatory obligations of the data fiduciary, such that the data fiduciary’s interests in this regard are protected even after the termination of the contract.


LEARNINGS FROM THE GDPR

Many companies that primarily act as data processors have standard DPAs which they ask data fiduciaries to agree to, or negotiate from. The GDPR provides a set of requirements for such DPAs, including certain compulsory information. In India, such standards could evolve through practice, such as by including clauses in DPAs related to the following:

  • Information about the processing, including its: (i) subject matter; (ii) duration; (iii) nature; and (iv) purpose
  • The types of personal data involved
  • The categories of data principals (e.g., customers of the data fiduciary)
  • The obligations of the data fiduciary

A DPA in India could also set out the obligations of a data processor, including those that require it to:

  • Act only on the written instructions of the data fiduciary
  • Ensure confidentiality
  • Maintain security
  • Only hire sub-processors under a written contract, and with the data fiduciary’s permission
  • Ensure all personal data is deleted or returned at the end of the contract
  • Allow the data fiduciary to conduct audits and provide all necessary information on request
  • Inform the data fiduciary without delay of any personal data breach or other failure to comply with the DPA
  • Assist the data fiduciary, where required, with respect to: (i) facilitating requests from data principals in exercise of their statutory rights; (ii) maintaining security; (iii) data breach notifications; and (iv) data protection impact assessments and audits, if required.


CAN A DPA BE USED TO TRANSFER LIABILITY?

Even if a personal data breach or an incident of non-compliance arises on account of a data processor’s act or omission, a DPA alone may not be sufficient to relieve the corresponding data fiduciary of its obligations (including in terms of a financial penalty, as may be imposed by the Data Protection Board of India (the “DPBI”)). However, a DPA may be negotiated such as to allow the data fiduciary to recover money from the data processor in some circumstances.

To be sure, if a data processor fails to comply with its contractual obligations under a DPA and thereby causes a data breach or leads to some other ground of complaint under the DPDP Act, the data fiduciary may still be required to pay the penalty, if and when imposed by the DPBI. However, if such breach and/or non-compliance occurs because the data processor did (or did not do) something, thus amounting to a breach of its DPA with the data fiduciary, then the data fiduciary may be able to seek compensation from the data processor for a breach of the DPA and/or invoke the indemnity provisions under such contract.

For example, a DPA can include a “hold harmless” clause. Such clauses may serve to govern how liability falls between the parties. On the other hand, a limitation (or exclusion) of liability clause may aim to limit the amount that one party will pay to the other in the event that it breaches the contract.


WHAT IF A DATA PROCESSOR PROCESSES PERSONAL DATA OUTSIDE THE CONFINES OF A DPA?

If a data processor processes personal data beyond what is permitted under a DPA, or does so contrary to the data fiduciary’s directions, such processor may become a data fiduciary by itself (other than possibly being in breach of the DPA). As long as a data processor operates pursuant to the instructions of a data fiduciary, it is only the latter that will remain directly responsible to data principals under the DPDP Act (for the specified purpose with respect to the processing of such personal data). However, as soon as a data processor determines the means and purpose of processing in its own right, it may become directly responsible to corresponding data principals.

In this regard, a data fiduciary may wish to include a clause in the DPA that obliges the data processor to process personal data only in accordance with the DPA, and only to the extent necessary for the purpose of providing the services contemplated under such DPA. Alternatively, a data processor could be permitted to process personal data pursuant to the written instructions of the corresponding data principals. Further, any processing outside the scope of the DPA could be made subject to a prior, separate contract between the data principal(s) concerned and the data processor.

Nevertheless, the personal information that a data processor receives from a data fiduciary for the purpose of processing, or that it collects on the latter’s behalf, can only be processed pursuant to the restrictions of a DPA. If the data processor starts processing such personal data outside the confines of a DPA, e.g., by gathering additional personal data that it has not been instructed to collect, or starts processing data in a way that is inconsistent with, or contrary to, the data fiduciary’s directions, such data processor is likely to be considered a data fiduciary for the purposes of the DPDP Act.


INDEMNIFICATION

As mentioned above, data fiduciaries may need to include indemnity clauses in their DPAs with data processors, where data processors agree to indemnify the data fiduciary against all third-party complaints, charges, claims, damages, losses, costs, liabilities, and expenses due to, arising out of, or relating in any way to a data processor’s breach of contractual obligations. A mutual “hold harmless” clause is one in which the protections offered and/or excluded are reciprocal between the parties.


CONFIDENTIALITY AND SECURITY

Data fiduciaries need to ensure the security and confidentiality of customer information which remains in the custody or possession of a data processor. Accordingly, the access to customer information by the staff of the data processor should be strictly on a ‘need-to-know’ basis, i.e., limited to such areas and issues where the personal information concerned is necessary to perform a specifically delegated processing function.

Further, the data processor should be able to isolate and clearly identify the data fiduciary’s customer information in order to protect the confidentiality of the individuals concerned. Where the data processor acts as a processing agent for multiple data fiduciaries, there should be strong safeguards (including encryption of customer data) to avoid the co-mingling of information relating to different entities.

In addition, a data fiduciary should regularly monitor the security practices of its data processors, and require the latter to disclose security breaches and/or cybersecurity-related incidents, including, in particular, any personal data breach. After all, a data fiduciary is required to notify the DPBI as well as each affected individual if a personal data breach occurs. Cybersecurity incidents also need to be reported to the Indian Computer Emergency Response Team (“CERT-In”) within six hours from the identification or notification of such incident. At any rate, the data processor must be obliged through the DPA to notify the data fiduciary about any breach of security or leak of confidential information relating to customers or other individuals as soon as possible.


BUSINESS CONTINUITY AND DISASTER RECOVERY

Data processors could be required to establish a framework for documenting, maintaining and testing business continuity and recovery procedures covering their data processing activities. The data fiduciary could then ensure that the data processor periodically tests such continuity and recovery plans. Further, a data fiduciary could consider conducting occasional joint exercises with its data processors for the purpose of testing such procedures.

To mitigate the risk of an unexpected DPA termination or the liquidation of a data processor, the data fiduciary should retain adequate control over the data processing activities and retain its contractual right to intervene with appropriate measures to continue business operations and customer services. As part of its contingency plans, the data fiduciary may also want to consider the availability of alternative data processors, as well as the possibility of bringing back the outsourced processing activity in-house, especially in the event of an emergency. In this regard, the data fiduciary may need to assess upfront the cost, time and resources that would be involved in such an exercise.

In the event of a DPA termination, where the data processor deals with the data fiduciary’s customers directly, the fact of such termination should be adequately publicized among the data fiduciary’s customers to ensure that they stop dealing with the data processor concerned.


CONCLUSION

As discussed in our previous note, organizations need to check whether and to what extent the DPDP Act applies to them and their operations. Although the provisions of the DPDP Act are not yet in effect, organizations may need to improve their IT and cybersecurity systems to meet the new compliance requirements. Relatedly, organizations should monitor entities in their supply chains, such as suppliers and vendors, with regard to their data processing obligations. Further, existing contractual arrangements may need to be reviewed, and future contracts with data processors must be negotiated in light of the DPDP Act’s compliance requirements.
