The hidden accountability: Why data processors must take DPDPA seriously
An article titled “The hidden accountability: Why data processors must take DPDPA seriously” authored by our Partner, Akshayy S Nanda, has been published by The Times Of India.
Because the Digital Personal Data Protection Act, 2023 (DPDPA) places primary liability on Data Fiduciaries rather than Data Processors, a casual observer might conclude that processors operate in a low-risk environment with minimal compliance obligations. This interpretation would be profoundly mistaken. While processors may not face direct regulatory penalties under the DPDPA, they operate within an ecosystem of contractual liability, reputational risk, and business consequences that makes compliance equally—if not more—critical to their commercial survival.
Defining the Data Processor: The Service Provider in the Shadows
Under the DPDPA, a ‘Data Processor’ is fundamentally distinguished from a Data Fiduciary by one critical characteristic: ‘decision-making authority over personal data’. A processor processes personal data ‘on behalf of’ the fiduciary, following the fiduciary’s instructions, without independently determining the purpose or means of processing.
A logistics company delivering packages for an e-commerce platform is a processor—it receives customer names, addresses, and phone numbers from the platform (the fiduciary) and processes that data solely to enable delivery. The logistics company does not decide what data to collect, how long to retain it, or for what purposes beyond fulfilling the delivery service. It acts on instructions.
This distinction matters because liability and accountability flow from decision-making authority. The entity that determines ‘why’ and ‘how’ personal data is processed bears primary responsibility for ensuring that processing complies with legal requirements. Fiduciaries under the DPDPA make those decisions; processors implement them. It is also pertinent for processors to understand that for some activities they may be a processor and for other activities they may be a fiduciary. As such, all data processors must undertake an activity-by-activity assessment of each processing operation to understand their status under the DPDPA.
The DPDPA Framework: Primary Liability Rests with Data Fiduciaries
The DPDPA explicitly places compliance responsibility on fiduciaries. A fiduciary is responsible for complying with the DPDPA in respect of any processing undertaken by it or on its behalf by a processor. This provision is unambiguous—the fiduciary cannot contract out of its legal obligations. Even if a processor causes a breach, the fiduciary remains accountable to the Data Protection Board of India (DPB) and to affected Data Principals.
The Illusion of Immunity: Why Processors Still Face Significant Liability
The absence of direct regulatory liability under DPDPA does not mean processors operate without consequence. In fact, processors face three powerful sources of accountability that can be more commercially devastating than regulatory fines: contractual indemnification obligations, transformation into fiduciaries through unauthorized processing, and market exclusion through failed vendor due diligence.
Contractual Indemnification: The Financial Guillotine
The DPDPA requires fiduciaries to engage processors ‘under a valid contract’. In practice, this means Data Processing Agreements that allocate responsibility and liability between the parties. A well-drafted Data Processing Agreement will include ‘indemnification clauses’ requiring the processor to compensate the fiduciary for losses arising from the processor’s breach of its obligations. If a processor suffers a data breach due to inadequate security measures, the fiduciary may be fined by the DPB with penalties of up to ₹250 crore for significant breaches. The fiduciary will then pursue the processor for indemnification, seeking to recover the full amount of the regulatory penalty, remediation expenses, and reputational damages.
Fiduciaries will impose comprehensive security obligations on processors and will enforce obligations under the DPDPA through contractual remedies. A processor that fails to encrypt data, fails to implement access controls, or fails to detect unauthorized access in violation of its contractual commitments faces not just reputational harm but potentially existential financial liability through indemnification claims.
Consider a cloud services provider processing customer data for multiple fiduciaries. If the provider suffers a breach affecting data of customers across ten different fiduciary clients, each fiduciary may pursue separate indemnification claims. The cumulative liability could far exceed any regulatory penalty a single fiduciary might face, because the processor bears the aggregated consequences of a single security failure across its entire client base. This multiplier effect makes contractual liability potentially more severe than direct regulatory penalties.
Status Transformation: When Processors Become Fiduciaries
The second accountability mechanism is even more consequential: a processor that exceeds its mandate and processes personal data for purposes beyond those authorized by the fiduciary transforms itself into a fiduciary for that unauthorized processing. The distinction between processor and fiduciary is functional, not formal, and is determined by actual conduct rather than contractual labels.
If a logistics company engaged to deliver packages begins using customer address data to build its own marketing database and sends promotional offers to customers without the e-commerce platform’s authorization, the logistics company has ceased acting as a processor and has begun acting as a fiduciary. It is now making independent decisions about the purpose of processing (marketing) that were not authorized by the original fiduciary. As a fiduciary, the logistics company must independently comply with all DPDPA obligations: providing notice to Data Principals, obtaining consent, establishing grievance redressal mechanisms, implementing security safeguards, and complying with data retention and deletion requirements. The practical consequence is that unauthorized processing exposes the processor to direct regulatory liability as a fiduciary for that processing, as well as civil liability for breaching the agreement with the fiduciary.
Vendor Due Diligence: Market Exclusion Through Compliance Failure
The third accountability mechanism is market-driven rather than legal: fiduciaries facing regulatory scrutiny and potential penalties will implement rigorous vendor due diligence processes to assess processor compliance before engagement. A processor with weak security practices, inadequate incident response capabilities, or a poor compliance track record will simply be excluded from consideration by sophisticated fiduciaries. This creates a competitive dynamic where compliance becomes a market differentiator and non-compliance becomes a disqualification.
A fiduciary cannot escape liability by blaming a processor—the fiduciary must ensure its processors are competent and compliant. Rational fiduciaries will therefore conduct detailed assessments of prospective processors: security audits, certification reviews (ISO 27001, SOC 2), penetration testing results, incident response protocols, data encryption practices, access control architectures, employee training programs, and sub-processor management frameworks. Processors that cannot demonstrate robust compliance will lose business to competitors who can.
The Business Case for Processor Compliance
Beyond avoiding liability, robust compliance creates commercial advantages. Processors that can demonstrate superior data protection capabilities command premium pricing because they reduce risk for fiduciaries. Compliance certifications and audit reports become marketing collateral that differentiates processors in competitive bidding. Processors with strong compliance track records gain access to enterprise clients and regulated industries (financial services, healthcare, education) that smaller, non-compliant processors cannot serve.
Conversely, processors that suffer breaches or fail compliance assessments face reputational damage that extends far beyond individual client relationships. In an interconnected market where vendor due diligence is standard practice, a single significant breach can trigger contract terminations across a processor’s entire client base as nervous fiduciaries seek to distance themselves from risky vendors. The cost of non-compliance is not merely the indemnification liability from one breach—it is the potential collapse of the entire business.
The absence of direct regulatory liability under DPDPA is an illusion—processors face indemnification claims that can exceed regulatory fines, transformation into fiduciaries through unauthorized processing that exposes them to direct liability, and market exclusion through failed vendor due diligence that eliminates business opportunities. Processors that invest in robust security measures, comprehensive compliance programs, and third-party certifications will thrive in this environment.