
Section 10 DPDPA

Additional obligations of Significant Data Fiduciary.


10.(1) The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including—
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of Data Principal;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
(2) The Significant Data Fiduciary shall—
(a) appoint a Data Protection Officer who shall—
(i) represent the Significant Data Fiduciary under the provisions of this Act;
(ii) be based in India;
(iii) be an individual responsible to the Board of Directors or similar governing body of the Significant Data Fiduciary; and
(iv) be the point of contact for the grievance redressal mechanism under the provisions of this Act;
(b) appoint an independent data auditor to carry out data audit, who shall evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of this Act; and
(c) undertake the following other measures, namely:—
(i) periodic Data Protection Impact Assessment, which shall be a process comprising a description of the rights of Data Principals and the purpose of processing of their personal data, assessment and management of the risk to the rights of the Data Principals, and such other matters regarding such process as may be prescribed;
(ii) periodic audit; and
(iii) such other measures, consistent with the provisions of this Act, as may be prescribed.

Applicable DPDP Rule 2025

Rule 12: Additional obligations of Significant Data Fiduciary


Legal Interpretation of Section 10 of the Digital Personal Data Protection Act, 2023 (DPDPA)

1. Purpose and Scope of Section 10

Purpose: To impose higher accountability standards for Significant Data Fiduciaries (SDFs) handling large volumes of personal or sensitive data.

Scope: Applies to large organizations like FANG (Facebook, Amazon, Netflix, Google), e-commerce platforms, and financial services handling high-risk processing activities.

2. Alignment with Constitutional Principles and Indian Laws

Right to Privacy: Under Article 21, fiduciaries must ensure responsible data handling to uphold individuals' privacy rights, as per Justice K.S. Puttaswamy v. Union of India.

IT Act, 2000: Mandates reasonable security practices for sensitive personal data.

Consumer Protection Act, 2019: Protects users from unfair trade practices, including data misuse by e-commerce companies.

Aadhaar Case (Puttaswamy-II): Reinforces the necessity of robust data protection mechanisms for entities with substantial datasets.

3. Practical Examples and Illustrations

  • Social Media Platforms (Facebook/Instagram): Conduct DPIAs to assess risks of profiling and implement protective measures for sensitive data.
  • E-Commerce Platforms (Amazon/Flipkart): Maintain data minimization practices, retaining only necessary purchase data for personalization.
  • Streaming Services (Netflix): Appoint DPOs to ensure compliance with privacy regulations and anonymize user data.
  • Search Engines (Google): Conduct regular audits to verify lawful and secure processing of user behavior data.
  • Financial Services: Digital wallets assess risks associated with potential data breaches through DPIAs.

4. Implications for Data Fiduciaries and Data Principals

For Data Fiduciaries:

  • Increased Compliance Costs: Requires investments in audits, DPOs, and DPIAs.
  • Operational Challenges: Enhancing grievance redressal mechanisms and implementing risk assessments.
  • Legal Liability: Non-compliance risks penalties and reputational harm.

For Data Principals:

  • Enhanced Privacy Protections: Greater transparency and accountability ensure better data handling practices.
  • Grievance Mechanisms: Simplified processes for addressing complaints and exercising rights.
  • Empowered Users: SDFs must provide tools for accessing, correcting, or deleting personal data.

5. Summary of Safeguards to Prevent Misuse

  • Appointment of DPO: Ensures compliance with data protection laws and serves as a grievance redressal officer.
  • DPIA Requirements: Identifies risks in high-risk data processing activities.
  • Regular Audits: Verifies compliance through independent reviews.
  • Transparency Obligations: Publish comprehensive privacy policies and annual audit reports to foster user trust.
  • Data Minimization: Collect and retain only necessary data.
  • User Rights Mechanisms: Provide tools for accessing, correcting, and deleting personal data.
  • Accountability Standards: Maintain documentation of data handling activities for regulatory compliance.

Conclusion

Section 10 of the DPDPA holds Significant Data Fiduciaries accountable through stringent obligations. Platforms like FANG, e-commerce companies, and financial services must implement advanced safeguards to protect user privacy. These measures align with constitutional principles and global best practices, fostering trust in data processing ecosystems.

© 2024 Advocate (Dr.) Prashant Mali


Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest
