DPDPA Contracts: Ensuring Compliance in Fiduciary-Processor Engagements
The Digital Personal Data Protection Act, 2023 (DPDPA), together with the Digital Personal Data Protection Rules, 2025 notified under it, marks a significant shift in India’s data governance landscape. For businesses operating in India, a critical area demanding immediate attention is the relationship between a Data Fiduciary and a Data Processor. The DPDPA does not use the term “Data Processing Agreement” as the GDPR does, but Section 8(2) permits a Data Fiduciary to engage a Data Processor only under a valid contract, and Section 8(1) keeps the Fiduciary responsible for that processing irrespective of any agreement to the contrary. Read together, these provisions make a robust contractual framework a statutory necessity rather than a best practice.
The Mandate of Section 8(2) and Processor Accountability
At its core, the DPDPA defines a ‘Data Fiduciary’ as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data (Section 2(i)), and a ‘Data Processor’ as any person who processes personal data on behalf of a Data Fiduciary (Section 2(k)). Section 8 then allocates accountability squarely to the Fiduciary. Under Section 8(1), the Fiduciary remains responsible for compliance with the Act and the Rules in respect of any processing undertaken on its behalf by a Data Processor, irrespective of any agreement to the contrary. Section 8(2) permits the Fiduciary to engage a Processor only under a valid contract. Section 8(4) requires the Fiduciary to implement appropriate technical and organisational measures to ensure effective observance of the Act, and Section 8(5) requires it to protect personal data, including data processed on its behalf by a Processor, through reasonable security safeguards to prevent a personal data breach. This combination of a mandatory contract, non-delegable responsibility and security safeguards forms the bedrock of processor accountability under Indian law. The Fiduciary cannot discharge its obligations by delegation: the contract must confine the Processor to the Fiduciary’s purposes and instructions, and the Fiduciary must actively oversee how the Processor handles personal data.
Formalising the Relationship: The Role of DPDP Rules
While Section 8 sets the principle, the Digital Personal Data Protection Rules, 2025 (the “Rules”) supply the operational detail on how Fiduciaries are to give effect to these obligations, including the reasonable security safeguards expected of them and the mechanics of breach intimation. Whatever the Rules set as the minimum, a well-drafted agreement between a Data Fiduciary and a Data Processor should, in line with global best practice, define the scope, purpose, and duration of processing, the types of personal data involved, and the categories of Data Principals. It should also delineate the Processor’s obligations regarding confidentiality, security measures, assistance to the Fiduciary in fulfilling Data Principal rights, and handling of personal data breaches, and it should address sub-processing by requiring the Fiduciary’s prior authorisation and binding any sub-processor to equivalent obligations.
Beyond the DPDPA: Sectoral and Ancillary Regulations
The DPDPA does not operate in a vacuum. Indian businesses must consider how sectoral regulations and other IT laws intersect with DPDPA processor requirements. For instance, entities regulated by the Reserve Bank of India (RBI), such as banks and NBFCs, already adhere to stringent outsourcing guidelines that cover data security, audit rights, and business continuity, and payment-system participants are subject to the RBI’s requirement that payment data be stored in India. Similarly, SEBI-regulated entities in the capital markets and IRDAI-regulated insurers have their own specific norms for third-party engagements involving sensitive data. The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, through the due-diligence obligations in Rule 3, also require intermediaries to exercise due diligence, which can extend to their data processing arrangements. These existing frameworks often impose additional layers of security, auditability, and data localisation requirements that must be integrated into DPDPA-compliant contracts, ensuring a comprehensive approach to data governance.
Key Elements of a DPDPA-Compliant Processor Contract
For Indian businesses, drafting or reviewing processor contracts requires careful consideration of several key clauses. Beyond the valid-contract requirement of Section 8(2) and the security safeguards demanded by Section 8(5), robust agreements should include:
- Clear Instructions: Detailed instructions from the Data Fiduciary on the scope and manner of processing.
- Confidentiality: Strict confidentiality obligations on the Processor and its personnel.
- Security Measures: Specification of technical and organisational security measures to protect personal data, including regular audits and assessments.
- Assistance to Fiduciary: Obligations for the Processor to assist the Fiduciary in responding to Data Principal requests (e.g., the rights of access under Section 11 and of correction and erasure under Section 12) and in intimating personal data breaches to the Data Protection Board of India (DPBI) and affected Data Principals as required by Section 8(6), including prompt notice from the Processor to the Fiduciary so that the Fiduciary can meet the timelines set by the Rules.
- Sub-processing: Requirements for prior written authorisation for any sub-processors and ensuring flow-down of DPDPA obligations.
- Audit Rights: The Data Fiduciary’s right to audit the Processor’s compliance with the DPDPA and the contract.
- Data Return/Deletion: Procedures for the return or secure deletion of personal data upon termination of the agreement.
- Liability and Indemnification: Clear allocation of liability for breaches and non-compliance.
- Compliance with Indian Laws: An overarching requirement for the Processor to comply with the DPDPA, its Rules, and all other applicable Indian laws.
Practical Takeaway
Indian businesses, particularly Data Fiduciaries, must proactively review and update their existing vendor contracts to align with DPDPA Section 8(2) and the DPDP Rules. This is not merely a legal formality but a critical exercise in risk management. General Counsels and Data Protection Officers should collaborate to develop standardised DPDPA-compliant contractual clauses, conduct thorough due diligence on their processors, and establish clear oversight mechanisms. Failure to ensure that Data Processors comply with the DPDPA can expose Data Fiduciaries to significant penalties under Section 33, making robust contractual arrangements an indispensable element of their overall compliance strategy.