Every good story has clearly defined characters, and the DPDPA is no different. The entire law is built around three roles, and understanding them is the only prerequisite to understanding everything else. The Data Principal is you — the person the data belongs to. The Data Fiduciary is the entity you hand that data to, say Zomato when you place an order or your bank when you open an account. And the Data Processor is a third party the fiduciary may engage to handle the data on its behalf, like a cloud infrastructure provider or an analytics firm. Three roles, one data transaction, very different levels of accountability.
The most important relationship here is between the Principal and the Fiduciary, and the word “fiduciary” is doing a lot of heavy lifting. In Indian law, a fiduciary relationship already exists in contexts like a doctor and patient, or a lawyer and client — someone entrusted with something valuable, bound to act in the interest of the person who entrusted them. The DPDPA extends that same logic to data. When you share your health records with a hospital app or your location with a cab aggregator, they become your data fiduciary. They cannot use that data for purposes you haven’t consented to, cannot hold it indefinitely, and cannot pass it along casually to others.

The Data Processor sits at the end of this chain, but that doesn’t mean it escapes accountability. The fiduciary remains responsible for ensuring the processor also handles data appropriately — which has significant implications for how businesses structure their vendor relationships. A company cannot outsource its compliance obligations along with its data processing. Understanding these three roles is not legal trivia. It is the operating vocabulary every business leader and every aware citizen in India now needs.