Data Processors inherit responsibilities from the Data Fiduciary


It is legally correct to say that DPDPA does not directly impose any liability under the Act on Data Processors. The law only mandates that the Data Fiduciaries shall be responsible even for the processing done by the Data Processor.

It is however not ethical for Data Processors to think that they have no responsibility towards the data fiduciary being in compliance with the law. If necessary they have to take the lead and alert the data fiduciary if there is any risk of non-compliance. This also makes prudent commercial sense since if there is a penalty on the data fiduciary and his business is shaken, the downstream data processor may also lose an opportunity to grow with the data fiduciary.

Currently the Data Fiduciary enters into a contract to protect his responsibilities under DPDPA and directs the Data Processor on how to process the data in compliance with the DPDPA. The Data Processor Contract therefore is not limited to the commercial benefits or functional requirements but should have a clear description of the Data Processing responsibilities. A DPDPA compliant Data Processing Contract will therefore have the necessary data protection related clauses.

Though DPDPA might not have specified liabilities to the data processor directly, it should be recognized that Section 72A of ITA 2000 creates a liability for the data processor if a Data Processing Contract involving “Personal Data” is violated.

Recognizing the need therefore for Data Processors to be responsible for DPDPA Compliance, FDPPI promotes that a Data Processor should take measures to be compliant with DPDPA as if he is a “Deemed Data Fiduciary”.

In this context DGPSI (Data Governance and Protection Standard of India) has introduced a variant framework DGPSI-Data Processors exclusively to address the need for Data Processors to be voluntarily compliant with DPDPA.

The DGPSI-DP, as it is being referred to, adopts the unique principle that “A Data Processor inherits the responsibilities of the data fiduciary through the contract”. Under this principle, the Data Processor should look through the contract as if it is a transparent glass and view the DPDPA on the other side.

Since many data processors are bigger than the data fiduciaries themselves, the voluntary adoption of DGPSI-DP by them will provide confidence to the Data Fiduciaries to use their services. This is ideal for such businesses who run a “Platform” for a specialized data processing service and invite data fiduciaries to use them.

According to the inheritance principle, a Data Processor of a Significant Data Fiduciary is a “Significant Data Processor” and needs to show the same level of responsibility that the Significant Data Fiduciary is expected to show.

As a part of this, the Data Processor, depending on the volume and sensitivity of data processed by him cumulatively as an organization, needs to conduct a DPIA, designate an internal DPO and also conduct external Data Audits from time to time.

The DGPSI-DP is therefore built to reflect the contractual obligations without losing sight of DPDPA liabilities.

We therefore urge all Data Processors to start understanding the essence of DPDPA and take steps to be in compliance. They should also realize that every Data Processor will himself be a Data Fiduciary to the extent of the Data of employees. Hence there is no clean escape from DPDPA for any Data Processor. They can however explore the DGPSI-HR as a framework for their manpower related obligations while looking at DGPSI-DP for compliance related to their data processing Contracts.

Hence, emancipated Data Processors should look for a combination of DGPSI-DP and DGPSI-HR, and this will be a hallmark of the Ethical responsibility that an organization may exhibit in terms of certifications.

In the coming days we should not be surprised if ISO certification marks are replaced with DGPSI certification marks on the websites of responsible companies as a symbol of assurance.

Naavi


The day After DGPSI-HR discussion

Yesterday the cream of professionals in the Data Protection domain congregated to discuss a framework of compliance titled “DGPSI-HR”.

Since it was the first exposure of this framework, it was a time for most to absorb the information and contemplate the implications of what was discussed.

I have started receiving some queries in this regard and would be happy to discuss the same and continue the debate.

Question 1:

While there are already the frameworks DGPSI-Full and DGPSI-Lite, which can be extended to DGPSI-AI, one of the first thoughts is: what additional business needs will this new framework address?

It is a pertinent question. DPDPA is a law and is conceptually a framework of its own. This has been captured in the DGPSI-Lite version which is a simple conversion of compliance clauses in DPDPA into a framework.

DGPSI-Full is a broader framework that adds certain governance issues and also enables DTS calculation. It is more comprehensive than DGPSI-Lite and includes some higher level concepts such as Data Valuation and Distributed Responsibility.

However, the Data Driven industry has some sectors for which a sharper framework addressing their specific needs is required.

There were a few such sectors which were under consideration for us to think of DGPSI-HR.

One was the large section of ancillary manufacturing industries, typically the units in an industrial estate where one engineering entrepreneur engages 10 workers and a few lathes or similar equipment and manufactures goods for specific customers.

DPDPA is applicable to such units and there is no specific dilution of the Act. I agree that the Government is empowered to provide some exemptions under Section 17 for such units and in fact may do so in the next 5 years. However, till such time as the law provides concessions, we need to assist such organizations to be compliant with the law without too much pain. Such organizations mainly handle “Business Contact Data” and do not process personal data of the public. They do process the personal data of the employees, some of whom may be covered by an employment contract and some under contract.

Such companies need to have a simpler version of DGPSI. DGPSI-HR may be more than sufficient for them to be compliant with the DPDPA.

Secondly, there are many HR service organizations who are into background verification, payroll management, manpower hunting and placement etc. Such activities are project based activities which have joint data fiduciary responsibilities for the project. They “employ and deploy” human resources under a B2B contract with customers where these employees will process personal data of the customers. They may also “Contract and deploy” in some cases.

Thirdly, in the health care sector there could be hospitals which engage medical practitioners on a contract basis to render services as part of the hospital service, but with the expert being in full control of the activity and often using the data for presentation for research and other purposes as a joint data fiduciary.

Fourthly, there are many large IT organizations who work on an “Employ and Deploy” model where they send their employees to work at the client’s place. Such organisations can consider segregating this activity into a subsidiary activity and function like a Hybrid entity. In such a case DGPSI-HR may become useful as a focussed implementation framework for such a subsidiary.

It was necessary to innovate the new framework to address such instances.

We invite more use-cases to be referred so that we can continue to debate how the framework will be useful for both the industry and the data auditors.

Naavi


Karnataka Gig Worker’s Act and DPDPA..2

In debating the DPDPA implications arising out of employment contracts, one issue that comes forth is how the “GIG Workers” get represented in the DPDPA. In this connection we can refer to the Karnataka Platform Based Gig Workers (Social Security and Welfare) Act, 2025, Act No. 72 of 2025, which has been effective from 30th May 2025.

Also refer here

As per the Karnataka act, “Gig worker” means a person who performs work or participates in a work arrangement that results in a given rate of payment, based on terms and conditions laid down in such contract and includes all piece-rate work, and whose work is sourced through a platform, in the services specified in the Schedule;

(The Act is applicable only to platform based Gig workers and not others. Applicability for others who might apply for registration with the Board is not clear.)

Currently, Indian labour and employment laws recognize three main categories of employees: government employees, employees in government-controlled corporate bodies known as Public Sector Undertakings (PSUs) and private sector employees who may be managerial staff or workmen. All these employees are ensured certain working conditions, such as minimum wages under The Minimum Wages Act, 1948, a set number of hours of work, compensation for termination, etc. Currently, gig workers lack the ‘employee’ status under Indian law, thereby resulting in several consequences, such as an inability to form unions to represent their interests, exploitative contracts, etc.

The Contract Labour (Regulation and Abolition) Act, 1970 regulates engagement of contract labour in India, including work done through third-party contractors. There is scope for gig workers who work for platforms to be “contractors” under this law. This imposes obligations on employers to comply with the requirements under this law, including welfare and health obligations to be provided to employees such as the provision of canteens, first aid, etc.

Under DGPSI we have been frequently mentioning that an “Individual” who works under a contract with another organization in a capacity other than “Employment” should be considered as a “Joint Data Fiduciary” or a “Data Processor” depending on the terms of the contract and whether it deals with personal data processing.

[Recently, there was a debate with an AI model on whether an individual can be a “Data Processor” under the DPDPA 2023, and I held the view that if an individual can be a data fiduciary under DPDPA, then he can also be a data processor. This was like the Arnab-Blue Machine debate and finally I decided to keep my view for the time being as the Jurisprudential view consistent with our approach to DGPSI.

The “Jurisprudential” view, whether right or wrong, is the prerogative of the human. An AI can only respond from the training data and is not capable of expressing the “Jurisprudential View”. The “Jurisprudential View” falls within the “Creative interpretation” which also introduces the “Unknown Risk” and hence is not expected of an AI tool. This is another indication that AI as a tool can substitute lower level employee decisions which are routine in nature, and not decisions which are not supported by past data.]

Leaving this digression aside, let us dive deeper into the Karnataka Act, which was aimed at Rapido- and Amazon-type aggregators and a “Platform” defined as

… any arrangement providing a service through electronic means, at the request of a recipient of the service, involving the organization of work performed by individuals at a certain location in return for payment, and involving the use of automated monitoring and decision making systems or human decision making that relies on data.

To the extent this law tries to regulate “Cyber Space Activities”, we still consider that such laws made by State Governments are ultra vires section 90 of the Information Technology Act 2000, though even the central Government is not interested in pressing this nuance.

The main purpose of the Act is to provide “Social Security” for GIG workers with the constitution of a Welfare Board.

One of the obligations of the platform is to enter into “Fair Contract” with the Gig workers.

More importantly, the law states:

“Section 13 (1) The aggregator or platform must inform the platform based gig worker, in simple language and in Kannada, English or any other language listed in the Eighth Schedule of the Constitution of India known to the Gig worker, regarding the procedure to seek information in respect of the automated monitoring and decision making parameters employed by the aggregator or platform, which have an impact on their working conditions, including but not limited to fares, earnings, customer feedback and allied information, as may be prescribed.

(2) The aggregator or platform shall take measures to prevent discrimination on the basis of religion, race, caste, gender, or place of birth or on the grounds of disability by the automated monitoring and decision making systems deployed by them”.

While the platform is obliged to follow the law as mentioned in sec 13(2), it fails to recognize the right of choice of the consumer to designate the qualifications of a worker who provides the service. This needs to be debated.

This Act is applicable to the following services:

1. Ride sharing services.
2. Food and grocery delivery services.
3. Logistics services.
4. e-Market place (both marketplace and inventory model) for wholesale/retail sale of goods and/or services, Business to Business / Business to Consumer (B2B/B2C).
5. Professional activity provider.
6. Healthcare.
7. Travel and hospitality.
8. Content and media services.

When we discuss “Health Care” for GIG workers, we normally associate it with platforms such as “Practo” or “Nursing services” etc.

A point to discuss is whether a “Specialized Surgeon providing services in a hospital not as an employee but as a consultant” would also fall into the definition of a “Gig Worker”?

If so, then the “Right of Choice” of the consumer to restrict the choice of the service provider should also be recognized, since it is a life critical decision.

If the principle of “Right of Choice to choose a service provider” is recognized for the medical profession, the next question is why it should not be applied to a food delivery like situation or a ride sharing service. Can the consumer restrict that the service should be provided only by a certain gender or religion etc. without it being considered as “Discriminatory”?

We recall the debate in UP where the Government mandated that food stalls should display the owner details to enable consumers to choose which stall to patronize. Though this was opposed at that time for political reasons, in a neutral situation this should be a “Consumer Choice”. If so, the platforms need to ask for such choice from the consumer and follow his “Permission” to use any specific category of service provider.

I am sure that this will be flagged as undesirable, but it needs an impassioned debate. However, the presence of this law corroborates the need to recognize three kinds of “Contractual Employees” in the DGPSI-HR framework, namely:

    1. An employee of organization A being placed to work in organization B under an organization to organization contract with a possible Personal Data Processing assignment.
    2. An employer B who accepts contractual employees from another organization A and assigns personal data processing work to them.
    3. A Contractual employee (GIG worker) of organization A being assigned to organization B for personal data processing assignments.

The DGPSI-HR framework suggests appropriate policies and back to back contracts to ensure that the responsibilities of a Data Fiduciary are properly managed in such situations.

Let us debate this today in the open house discussion on DGPSI-HR. Be there if you are interested.

Naavi


Karnataka Gig Worker’s Act and DGPSI-HR

While I was debating DGPSI-HR and a specific provision related to “Contract Employees”, the issue of GIG workers came to the table. In this context I am trying to look into the Karnataka Platform Based Gig Workers (Social Security and Welfare) Act 2025, which is interesting to discuss. This is a topic for deeper discussion amongst HR law experts, but I am presenting it here to draw their attention and to invite comment on the specific provision of DGPSI-HR.

The DGPSI-HR is a special framework under the DGPSI (Data Governance and Protection Standard of India) meant for providing a guideline for DPDPA compliance by HR divisions of organizations as well as HRMS companies.

There are two model implementation specifications in the framework which state as follows.

MIS 4 (DGPSI-HR):

All contract employees, consultants, and outsourced personnel engaged by the Organization who have access to or process Personal Data shall act under the authority of the Organization and shall be bound by written confidentiality, security and data-protection obligations aligned to the Digital Personal Data Protection Act, 2023 (DPDPA).

Where a consultant or service provider independently or jointly determines the purposes and means of processing Personal Data, such party shall be treated respectively as a Data Fiduciary or Joint Data Fiduciary for that processing.

MIS 5 (DGPSI-HR):

Where the Organization supplies its employees to another organization and such personnel process Personal Data under the instructions of the recipient organization, the recipient organization is the primary Data Fiduciary.

The supplying Organization, to which the individual worker has “Employment” obligations, shall be considered as jointly determining the means of processing and hence both organizations shall be considered as data fiduciaries. (This is consistent with the employment status of such workers.)

The Organization supplying personnel shall ensure project specific back-to-back contractual obligations with such personnel, including confidentiality, security and lawful-processing duties, aligned with its obligations under any Data Processing or Joint Data Fiduciary agreements.

We shall discuss these provisions in today’s open house discussion on DGPSI-HR in a Zoom session (link available in the image above). Interested persons may attend and contribute their thoughts on this 27-specification framework.

…To Be continued

Naavi


South African Court debates Employee Data Vs Personal Data under Privacy Act

A case, Zulu Nyala Game Ranch (Pty) Ltd vs Christian Bukes and Custom Trails (Pty) Limited, which discusses some interesting thoughts on employee information and the privacy act, has been reported.

The order protects the right of an employer to restrain an outgoing employee from disclosing its confidential, trade sensitive customer information, which is bound by confidentiality under privacy laws.

The issue is that the applicant is a business entity which provides services to individuals and therefore holds the personal data of its customers as part of its business activity. Such information has economic value to the company besides providing certain privacy rights to the individuals.

The first respondent was an employee and the second respondent was a company promoted by the wife of the employee.

The first respondent’s employment contract contained confidentiality clauses that expressly prohibited him from disclosing, inter alia, trade secrets, marketing material, customer lists or supply lists, business affairs, technical methods, electronic mail and processes of the applicant’s operations. The employment contract also mandated return of such material on termination.

The employee, even during employment, was sharing the company’s customer information with his wife’s entity and was dismissed from service. He then continued to use the information and converted it into a business opportunity which was similar to that of the applicant.

The applicant proceeded against the wife’s business entity for infringement of its trade secrets etc.

The action of the employee was considered a “Breach of Trust” whether or not a “Breach of Contract” (ed: Which depends on the clauses in the employment contract).

The essence of the judgement was that the personal information recognized as such under the Privacy Act was also business information and hence qualified to be considered for breach of trade secrets.

This establishes the dual nature of the data and the concept of “Joint ownership of transaction data between the business entity and the individual”.

In the Indian context, the ITA 2000 would have recognized this as “Unauthorized diminishing of value” [Section 66(i)] and also as breach of trust under BNS. It also establishes the DGPSI concept of recognizing such data as transaction data which can be retained after the immediate purpose. However, such retention should be for legitimate use and the data must be adequately secured.

An employee’s breach of data acquired during their employment would amount to a criminal activity and is punishable under ITA 2000 and BNS.

Judgement copy

(Comments are welcome)

Naavi


DPDPA liability for HR operations

It is well known that every organization that has employees is exposed to DPDPA non-compliance risk. Though “For Employment” is considered a reason for bringing a personal data processing situation under the “Legitimate Use” basis, it only covers the exemption from notice and consent and leaves the rest of the obligations intact.

Some organizations use HRMS services from third parties and also use manpower on a contract basis.

Application of DPDPA in these special circumstances needs to be analysed to determine how to navigate the compliance requirements.

FDPPI recommends use of a specific framework, DGPSI-HR, to manage DPDPA compliance in HR operations.

As a part of the development process, an open house presentation will be made on 15th January 2026 at 7.00 pm. Interested parties are welcome to attend and contribute to the thoughts.

Naavi
