Foundation
Data Fiduciary, Data Principal, Data Processor: DPDP Act Definitions
A Data Fiduciary is any person or organisation that determines why and how personal data is processed under India's DPDP Act 2023. The Data Principal is the individual the data is about, and a Data Processor handles data on a Data Fiduciary's instructions. This chapter explains all 28 definitions in the Act.
Key Definitions in Plain English
Section 2 of the DPDP Act 2023
The Act defines 28 key terms in Section 2. Understanding these definitions is essential because every obligation and right in the Act depends on them. Here they are, grouped by theme and explained in plain English.
THE PEOPLE. Six definitions describe the key roles.
- "Data Principal": the individual whose personal data is being processed, in everyday terms the person the data is about. Where that individual is a child, the term includes the parents or lawful guardian; where the individual is a person with disability, it includes the lawful guardian acting on their behalf.
- "Data Fiduciary": any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. If your company decides to collect customer email addresses for marketing, your company is the Data Fiduciary. Under Section 8(1) the Data Fiduciary stays responsible for compliance regardless of any contract to the contrary, including for processing done on its behalf by a Data Processor.
- "Data Processor": any person who processes personal data on behalf of a Data Fiduciary, for example a cloud hosting provider or a payroll outsourcing firm acting on your instructions.
- "Significant Data Fiduciary": a Data Fiduciary, or a class of them, that the Central Government notifies under Section 10 on the basis of factors such as the volume and sensitivity of personal data processed and the risk to Data Principals' rights. Think of it as a "high-impact" designation that triggers additional obligations under Section 10(2), including a Data Protection Officer, an independent data auditor and periodic Data Protection Impact Assessments.
- "Data Protection Officer" (DPO): an individual appointed by a Significant Data Fiduciary under Section 10(2)(a). The DPO represents the Significant Data Fiduciary under the Act, must be based in India and is the point of contact for the grievance redressal mechanism.
- "Consent Manager": a person registered with the Board who acts as a single point of contact enabling a Data Principal to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform. In practice this is a consent intermediary that lets people control their data permissions across multiple services.
THE DATA. Five definitions describe what counts as data and what can go wrong with it.
- "Data": any representation of information, facts, concepts, opinions or instructions in a form suitable for communication, interpretation or processing by humans or by automated means.
- "Personal data": any data about an individual who is identifiable by or in relation to that data. A name linked to a purchase history is personal data; a fully anonymised statistic is not. Because the test is identifiability "in relation to" the data, pseudonymised records that can still be linked back to a person (for example through a separately held lookup table) remain personal data.
- "Digital personal data": personal data in digital form. This is the category the Act regulates; paper records are outside its scope unless they are digitised.
- "Processing": any wholly or partly automated operation, or set of operations, performed on digital personal data. The Act lists a comprehensive range: collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction. If you do anything with digital personal data, it is almost certainly processing.
- "Personal data breach": any unauthorised processing of personal data, or any accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of that data. The definition does not require a malicious actor: a misconfigured storage bucket, an accidental deletion and a ransomware incident that locks data (loss of access) all qualify. Under Section 8(6) the Data Fiduciary must notify the Board and each affected Data Principal of a breach in the form and manner prescribed in the Rules.
THE INSTITUTIONS. Four definitions cover the regulatory and governmental bodies.
- "Board": the Data Protection Board of India, established under Section 18 of the Act. This is the regulator that hears complaints, conducts inquiries and imposes penalties.
- "Appellate Tribunal": the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) established under Section 14 of the Telecom Regulatory Authority of India Act, 1997, which hears appeals against Board decisions.
- "State": carries the same meaning as in Article 12 of the Constitution of India. It includes the Government and Parliament of India, the Government and Legislature of each State, and all local or other authorities within the territory of India or under the control of the Government of India.
- "Digital office": an office that adopts an online mechanism under which proceedings, from receipt of a complaint, reference, direction or appeal through to its disposal, are conducted in online or digital mode. The Board is required to function as a digital office, conducting its work electronically rather than through physical paperwork.
THE CONCEPTS. Thirteen definitions cover the operational and procedural terms that run through the Act. Note that "consent" itself is not defined in Section 2; its requirements (free, specific, informed, unconditional and unambiguous, given by a clear affirmative action) are set out in Section 6.
- "Certain legitimate uses": the uses referred to in Section 7, the situations in which an organisation may process personal data without obtaining consent (for example, a State function, compliance with a law or court order, or a medical emergency).
- "Specified purpose": the purpose mentioned in the notice the Data Fiduciary gives the Data Principal under Section 5 in accordance with the Act and the Rules. An organisation may process data only for the purpose it declared, not for anything else.
- "Child": an individual who has not completed eighteen years of age. Processing a child's data triggers the additional requirements in Section 9, including verifiable parental consent.
- "Automated": any digital process capable of operating automatically in response to instructions given, or otherwise, for the purpose of processing data.
- "Prescribed": as specified in the rules made under the Act. Whenever the Act says something will be "as prescribed," the detailed requirements appear in the DPDP Rules.
- "Notification": a notification published in the Official Gazette. This is how the government formally announces rules, commencement dates and designations.
- "Proceeding": any action taken by the Board under the Act.
- "Gain" and "loss": mirror-image definitions. "Gain" covers a gain in property or in the supply of services, whether temporary or permanent, or an opportunity to earn remuneration or another financial advantage; "loss" covers a loss of property, an interruption in the supply of services, or loss of such an opportunity. These terms feed into the factors the Board weighs when determining a penalty under Section 33, in particular whether the person realised a gain or avoided a loss as a result of the breach.
- "Person": defined broadly to include an individual, a Hindu Undivided Family (HUF), a company, a firm, an association of persons or body of individuals (incorporated or not), the State, and every artificial juristic person not already covered. The Act's obligations therefore apply to virtually any type of entity.
- "Chairperson": the Chairperson of the Board.
- "Member": a Member of the Board, including the Chairperson.
- "She": in relation to an individual, includes a reference to that individual irrespective of gender. The Act uses "she" as its gender-neutral pronoun for the Data Principal throughout.
Key Points
- 28 definitions in total — every right and obligation in the Act depends on these terms
- Data Principal = the person whose data it is; Data Fiduciary = the organisation that decides why and how to process it; Data Processor = the entity doing the processing on instructions
- "Processing" is defined very broadly — it covers everything from collecting to deleting data
- A "personal data breach" includes not just hacking, but any unauthorised processing or accidental loss of access
- "Person" includes companies, firms, HUFs, government bodies, and any artificial juristic person — not just individuals
- "Consent Manager" is a concept particular to this Act: a Board-registered intermediary that helps individuals give, manage, review and withdraw consent across platforms
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. It is a plain-English interpretation of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. The official gazette text is the only authoritative source. Consult qualified legal counsel before making compliance decisions.