Navigating DPDPA Processor Relationships: The Section 8(2) Imperative
As India’s Digital Personal Data Protection Act, 2023 (DPDPA) and its accompanying rules have come into full force, data fiduciaries across sectors are intensely reviewing their operational frameworks. A critical area demanding immediate attention is the relationship with entities that process personal data on their behalf. While the DPDPA does not explicitly use the term “data processor” in the same vein as the GDPR, Section 8(2) unequivocally establishes the data fiduciary’s enduring responsibility for all processing activities, regardless of who undertakes them. This provision fundamentally reshapes vendor management, outsourcing, and third-party agreements for Indian businesses.
The Fiduciary’s Undeniable Accountability
The DPDPA defines a ‘data fiduciary’ as any person who alone or in conjunction with other persons determines the purpose and means of processing personal data [Section 2(i)]. In contrast, the Act gives no separate defined role to the entities that carry out processing on the fiduciary’s behalf; it simply refers to any person processing personal data on behalf of the data fiduciary. Section 8(2) is the linchpin here: it mandates that a data fiduciary shall be responsible for complying with the provisions of the Act in respect of any personal data processed by any person on its behalf. This means that even if an external vendor handles data, the primary legal accountability for DPDPA compliance rests with the data fiduciary. This principle is akin to the controller-processor relationship under GDPR, where the controller remains accountable, but the DPDPA places this responsibility directly and unambiguously on the fiduciary.
Contractual Mandates Under Section 8(2)
The explicit responsibility under Section 8(2) necessitates robust contractual arrangements between data fiduciaries and their service providers. These contracts are no longer merely commercial agreements; they are compliance instruments. While the DPDPA Rules, 2025, elaborate on specific aspects, the spirit of Section 8(2) implies that such agreements must ensure the “person processing on its behalf” adheres to several key DPDPA obligations:
- Purpose Limitation and Data Minimisation: The processor must only process data for the specific purposes communicated by the fiduciary and to the extent necessary [Section 6].
- Security Safeguards: The contract must stipulate that the processor implements reasonable security safeguards to prevent personal data breaches [Section 8(5)]. This includes technical and organisational measures appropriate to the risks.
- Data Retention: The processor must ensure data is retained only for as long as necessary for the stated purpose and delete it thereafter [Section 8(7)].
- Data Principal Rights: The processor must assist the fiduciary in fulfilling its obligations to data principals, such as responding to requests for access, correction, or erasure of data [Section 13].
- Breach Notification: In the event of a personal data breach, the processor must promptly notify the data fiduciary, enabling the fiduciary to report to the Board and affected data principals as required by Section 19.
- Audit Rights: Fiduciaries should reserve the right to audit their processors’ compliance with DPDPA obligations.
- Sub-processing: Any further engagement of sub-processors must be with the prior authorisation of the data fiduciary, with similar contractual obligations flowing down the chain.
These contractual clauses are not optional; they are essential for the data fiduciary to demonstrate due diligence and compliance under Section 8(2).
Sectoral Overlays and Existing Regulatory Frameworks
Indian businesses operate under a complex web of regulations. The DPDPA does not supersede these but rather adds a crucial layer of privacy-specific obligations. Sectoral regulators like the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), and Insurance Regulatory and Development Authority of India (IRDAI) have long-standing guidelines on outsourcing and data handling.
For instance, RBI’s master directions on outsourcing of financial services by banks or payment system operators already mandate stringent due diligence, confidentiality, and security requirements. Similarly, SEBI’s circulars on outsourcing by market intermediaries and IRDAI’s guidelines for insurers engaging third-party administrators (TPAs) contain provisions for data protection. The DPDPA now requires that all existing and future outsourcing agreements under these sectoral regimes explicitly incorporate the privacy safeguards mandated by Section 8(2) and the DPDPA Rules. This often means re-evaluating existing contracts to ensure they meet the DPDPA’s higher bar for personal data protection, including specific clauses for data principal rights, breach management, and audit. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which previously governed data protection, are now largely subsumed by the DPDPA for personal data, but their principles of reasonable security remain relevant and are reinforced by Section 8(5).
Challenges and Future Outlook
The implementation of Section 8(2) presents several challenges. Indian businesses must undertake a comprehensive vendor assessment to identify all entities processing personal data on their behalf. This includes cloud service providers, HR and payroll vendors, marketing agencies, analytics firms, and even simple IT support. Amending existing contracts with potentially hundreds of vendors will be a significant undertaking. Furthermore, ensuring that smaller vendors, who may lack sophisticated privacy frameworks, can meet the DPDPA’s requirements will require guidance and support from data fiduciaries. The explicit accountability under Section 8(2) means that a fiduciary cannot simply pass the buck; it must actively ensure its processors are compliant.
Practical Takeaway
For Indian businesses, General Counsels, and Data Protection Officers, the message from Section 8(2) is clear: accountability for personal data processing cannot be outsourced. Begin by mapping all third-party vendors and service providers that process personal data on your behalf. Review all existing contracts to identify gaps against DPDPA requirements, particularly those related to purpose limitation, security safeguards, data retention, data principal rights, and breach notification. Develop a robust vendor assessment and management program that includes privacy-specific due diligence and regular audits. New contracts must incorporate comprehensive DPDPA-compliant clauses from the outset. Proactive engagement with vendors to uplift their privacy practices, especially for smaller entities, will be crucial to mitigate risks and ensure collective compliance with India’s new privacy regime.