In February 2025, we had introduced the concept of “Super Data Fiduciary” as part of our discussions on DPDPA Compliance for Hotels who work under a Brand Franchise basis. Examples of this category were the Oyo, Treebo, Airbnb or even the Hotel brands like Hilton, Taj, Hyatt, Radisson or Hospital Brands like Apollo or Manipal, Fortis or Kims, or Wockhart etc.
The law clearly recognizes only two types of entities under DPDPA namely the Data Fiduciaries and Data Processors.
(Under ITA 2000, there are two types of entities namely “Intermediaries” and “Data Consumers”. A “Data Consumer” under ITA 2000 such as say is always a Data Fiduciary. An “Intermediary” under ITA 2000 can be a Data Processor or a Data Fiduciary depending on the functions.)
We can however derive a category of Data Fiduciaries as “Joint Data Fiduciaries” if the purpose and means of use of personal data is shared between two different entities. The data fiduciary which collects the data for a specified purpose is the main data fiduciary and another entity which may determine the means of finance will be the Joint Data Fiduciary. The question of sharing of “Purpose” does not arise since collection is purpose based and who ever declares the purpose and collects the data becomes the Data Fiduciary and the second person who processes the data is always the Data Processor or a Joint Data Fiduciary.
Now all instances of Business relationships related to DPDPA cannot be classified as an activity between a Data Fiduciary, Joint Data Fiduciary and a Data processor. The umbrella Brand owner may have only licensed the use of the brand name but is not directly involved in the collection of personal data. But a data principal who approaches say Atria may be seeing Atria Hotel as part of the Radisson Blue brand. His relationship is dependent on the brand image of Radisson rather than Atria. Most Franchisee may in order to protect their own reputation may also impose policies and procedures on their affiliates and even have a “Data Sharing” mandate.
In such cases the conflict is whether the data principal wants to share his data with Radisson brand or Atria Brand? Who is the Data Fiduciary in the minds of the data principal? If the data principal tomorrow raises a legal claim on Radisson for any negligence of Atria, what is the legal liability?. These are difficult questions to answer.
It is in this context that we introduced the concept of a “Super Data Fiduciary” who stands at the top of the Fiduciary pyramid on perception basis, under which an operational data fiduciary collects personal data of the data principal, processes it himself or through other Joint data fiduciaries, Data Processors etc.
Now a similar concept appears to be essential for developing the DGPSI system for the Educational Sector where the University remains at the top . Below the university are the Colleges. Colleges have their own autonomous departments both for teaching, examination, Research, Library maintenance, Sports Maintenance etc.
Personal Data is actually originated at the College level where admissions happen. (The CET system may be an exception where the admissions are allocated by the CET authority to a specific college.)
Colleges provide the education, conduct examinations and the examination authority declares the results under the banner of the University. Colleges consume the information as given and record it as part of the student records.
Thus there may be different “Data Generators” within the Education system who are the first data fiduciaries for the given purpose. Others become joint data fiduciaries or Data Processors. The University however remains the Super Data Fiduciary where every thing is done under their name but executed by other autonomous delegated departments.
Conceptually each of the delegated departments should be considered as “Data Fiduciaries” and the university should be a “Super Data Fiduciary”.
For the purpose of DGPSI, we may need to adopt a precise definition of the Super Data Fiduciary as a jurisprudential thought and we adopt the following definition.
“A Super Data Fiduciary is an entity which, though not necessarily the primary collector or operational processor of personal data, exercises overarching reputational, governance, policy, economic or ecosystem control over subordinate Data Fiduciaries operating under a common brand, institutional framework or delegated authority.”
Points to ponder:
1.The liabilities of the Super Data Fiduciary under DPDPA is not defined and hence DGPSI need to deefine the responsibilities.
2. a)The University often comes under the direct governance of a State Government and could be a claimant for the status of “Instrumentality of State” and the associated exemptions. But should this privileged status is to be given to the Colleges? is a moot question.
b) Does the current interpretations of the “Instrumentalities of State” given out in various Supreme Court decisions in the context of the status of employment of different persons can also be applied to the Data Processing environment? is another moot point to be clarified.
Let us discuss these in another article in our bid to to explore the DGPSI-Education framework.
Naavi
