Data Processor is a “Deemed Data Fiduciary”

Posted on December 16, 2025 by Vijayashankar Na

In 2022, Naavi/Ujvala Consultants Pvt Ltd had suggested “Data Importer Assurance Certification”  for Data Processors who were processing EU data in India on behalf of Data Controllers. The focus was to meet the Standard Contract Clause requirements under Cross border data transfer to the extent legally feasible in India.

With  the advent of DPDPA 2023 which imposes the burden of compliance solely on the Data Fiduciary, there is a debate on what are the responsibilities of a Data Processor in this new era of DPDPA Compliance.

At the same time, FDPPI considers that DPDPA Compliance is indirectly the duty of a Data Processor also and while the Data Fiduciary tries to add Data Protection Clauses to protect himself, unless the Data Processor considers himself as a “Deemed Data Fiduciary” the Data Fiduciary will not be able to fulfil his obligations under the Act.

DGPSI, the Crown Jewel of Compliance Frameworks already recognizes that the responsibility of Compliance in the Data Fiduciary is considered “Distributed” with all persons who process the personal data whether they are designated as DPO or not. It also recognizes that the “Whistle Blower” status is recognized even for external vendors.

Under the same principle of distributed responsibility extended to Data Processors, DGPSI considers that “Data Processors are Deemed Data Fiduciaries”.  What this means is that a Data Processor should consider himself to be a Data Fiduciary and voluntarily undertake all the responsibilities as if he is a “Joint  Data Fiduciary” whether the contract mentions so or not.

To further cement this  concept, Ujvala Consultants Pvt Ltd which is the patron member of FDPPI introduces “Data Processor Assurance Certificate” under DPDPA. Under this Certification, any Data Processor may get themselves as “DPDPA Compliant Data Processor” to increase his competitive position in the service market.

The process of certification would follow the general DGPSI principles duly simplified for the role of the processor. It would be a bit wider than the recommended 18 PIMS implementation Controls for processors under ISO 27701:2025  (Table A.2) and 29 Security controls recommended under Table A.3.

Perhaps we may call such certified Data Processors as “Emancipated  Data Processor”.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Privacy. Bookmark the permalink.