Core Concepts

Data Fiduciary

Defined in §2(i), DPDPA 2023

Any person or organisation that, alone or in conjunction with other persons, determines the purpose and means of processing personal data.

What does “Data Fiduciary” mean?

A Data Fiduciary is any person, company, or entity that alone or in conjunction with others determines the purpose and means of processing digital personal data. Under DPDPA 2023, the Data Fiduciary bears primary responsibility for lawful processing, notice, reasonable security safeguards, and breach notification. This is analogous to a "data controller" under GDPR but uses distinct Indian legal terminology. The role does not depend on where the organisation is incorporated: the Act applies to digital personal data processed within India, and to processing outside India where it is connected with offering goods or services to Data Principals in India (§3).

Why does this matter for your business?

If your startup collects any digital personal data, even just email addresses for login, you are a Data Fiduciary under DPDPA. This triggers the full set of obligations: notice and consent (or a valid legitimate use under §7), reasonable security safeguards, breach notification to the Data Protection Board and affected Data Principals, and penalty exposure of up to Rs 250 crore per instance under the Schedule to the Act.

Real example

A Bengaluru-based SaaS company collecting employee names and Aadhaar numbers for payroll is a Data Fiduciary. Processing for employment purposes can fall under the "certain legitimate uses" in §7, so a consent notice is not always required for that data, but the remaining duties still apply: the company must implement reasonable security safeguards, honour Data Principal rights (access, correction, erasure, grievance redressal) within the timelines prescribed under the DPDP Rules, and on a breach notify both the Data Protection Board and the affected employees in the form and time prescribed (the draft DPDP Rules propose a 72-hour window for the detailed report to the Board).

Common misconception

Many startups believe only large enterprises are Data Fiduciaries. In reality, there is no size threshold: any entity, even a solo founder collecting customer emails, qualifies. Scale matters only in two places: the Central Government may designate high-volume or high-risk processors as Significant Data Fiduciaries with additional duties (§10), and may exempt notified classes such as startups from certain provisions (§17(3)). Neither changes whether you are a Data Fiduciary in the first place.
