In the ever-evolving digital landscape, safeguarding our personal data has become paramount. The Indian government’s Digital Personal Data Protection Act, 2023 (DPDP Act) aims to strike a balance between individual privacy and the legitimate use of data. But navigating the Act’s intricacies requires a firm grasp of its key terminology. This article serves as your guide, demystifying the essential terms that define your rights and responsibilities in the digital age.

From “data principal” to “significant data fiduciary,” we’ll unpack each term, explaining its meaning and significance within the Act’s framework.

Data Principal

Data Principal means the individual to whom the personal data relates and
where such individual is—

(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her
Behalf;

Essentially, the Data Principal is the one to whom the personal data belongs. He/she is the one who gives consent to the Data Fiduciary to process their personal data for legitimate use.

Data Fiduciary

Data Fiduciary means any person who alone or in conjunction with other
persons determines the purpose and means of processing of personal data;

He is the second principal party under the DPDP Act besides the Data Principal. The act is built upon the relationship between the Principal and the Fiduciary.

Personal Data
As per the DPDP Act, Personal Data means any data about an individual who is identifiable by or in relation to such data;

The term “personal data” has a common definition across various jurisdictions. It typically refers to information that can be used to identify an individual directly or indirectly. This includes details like names, identification numbers, location data, online activity, and even factors related to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity. Per GDPR, even data that doesn’t directly identify someone, but can be linked to them, is considered personal data. Examples include telephone numbers, credit card numbers, identification numbers, and addresses.

Consent

Consent is the most important relationship between a Data Principal and the Data Fiduciary. No personal data can be processed by the Data Fiduciary without the prior consent of Data Principal.

As per the act, A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose,—
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses

Data Processor

A Data Processor is defined in the Digital Personal Data Protection Act as any person who processes personal data on behalf of a Data Fiduciary . In simpler terms, a Data Processor is a third party or entity that processes personal data on behalf of he Data Fiduciary.

Example: Imagine a scenario where Company A, an e-commerce platform, collects personal data from its customers for order processing. To handle the payment transactions securely, Company A engages Company B, a payment processing service provider, to process the financial data of customers. In this case:

● Company A is the Data Fiduciary as it determines the purpose and means of processing the personal data of its customers.
● Company B, the payment processing service provider, is the Data Processor as it processes the personal financial data on behalf of Company A.

In this example, Company B must adhere to the data processing instructions provided by Company A, maintain data security standards, and ensure compliance with the regulations outlined in the Digital Personal Data Protection Act.

Tags: