Privacy Law & Order: Inbox Series – The evolving responsibilities of Data Processors

  • Writer: Shreya Gupta
  • 4 days ago
  • 10 min read

“In today’s series – the evolving responsibilities of Data Processors”


As India’s data protection regime takes shape under the Digital Personal Data Protection Act, 2023 (“Act”), and with the release of the Digital Personal Data Protection Rules on the horizon, it is not just Data Fiduciaries (“DF”) who must be prepared. Data Processors (“DP”) (such as cloud service providers, CRM platforms, analytics and tracking service providers, etc.) who process personal data on behalf of DFs play a pivotal role in ensuring compliance within the data protection ecosystem. While the Act does not impose direct obligations on DPs, it places important responsibilities on them through the DFs. Under the Act, a DF is responsible for complying with the provisions of the Act, including any processing conducted on its behalf by a DP.

This simplified FAQ sheds light on some crucial questions that you as a DP may have:

  1. How can an organization determine whether it is acting as a DP or a DF for a specific data processing activity?

An entity is a DF if it determines the purpose and means of processing digital personal data. A DP, on the other hand, is an entity that only carries out the processing of such digital personal data on behalf of a DF and as per its instructions, and does not determine the purpose or means of such processing.

 

  2. How do the key compliance obligations of a DP differ from those of a DF under the Act?

A DP does not have any direct compliance obligations under the Act. A DF is responsible for complying with all obligations under the Act, including providing notice to the Data Principals, recording consent, establishing a lawful basis for processing, facilitating the exercise of rights by the Data Principal, and ensuring security safeguards. Accordingly, a DF should impose adequate safeguards and obligations on a DP through contractual terms to ensure the protection of personal data.


  3. Are DPs required to ensure fulfilment of the consent requirements or legitimate basis requirements before processing any digital personal data?

No. The responsibility to establish a lawful basis for processing, to seek valid and informed consent, or to process for a legitimate use rests with the DF. A DP is required to process personal data as instructed by a DF.


  4. Are DPs allowed to reuse the digital personal data they receive for their own purpose (for example, improvement and training of software, analytics, etc.)?

It is important to note here that DPs can only process personal data on the instructions and on behalf of DFs, and hence must restrict the processing of personal data to the specific purpose and instructions given by a DF. Put simply, a DP can process personal data only for the specific purpose directed by a DF and not for any other purpose such as training or analytics.

 

If a DP wants to process personal data for its own purpose, it must assume the role of a DF in that regard and obtain new, informed, and specific consent for processing the personal data for its own purpose. In this case, the DP accepts the role and responsibilities of a DF and will have to comply with all of a DF’s obligations under the Act.

 

Note: In some instances, upon written agreement with a DF, a DP may be allowed to anonymise personal data before using it for its own purposes, such as training and analytics. It is advisable to ensure that such data, once anonymised, is rendered incapable of being used to re-identify any Data Principal, and so does not qualify as personal data under the Act.

 

  5. When DPs want to further sub-contract and appoint a sub-processor, what are their obligations in this regard?

A DP may appoint a sub-processor only with the prior authorisation of the DF as per the contract with the DF.

 

  6. How can a DP ensure that the appointed sub-processors have obligations equivalent to those imposed by the DF on such DP?

It is suggested that the DP enter into a written contract with the sub-processor binding the sub-processor to obligations equivalent to those set out in the DP’s contract with the DF. These may include obligations such as maintaining records of and restricting the purpose of processing, confidentiality, implementation of security safeguards, return or deletion of data upon termination, and breach notification. The DP should also regularly check the sub-processor’s compliance through periodic reviews.

 

  7. Is a contract mandatory between the DP and the DF?

Yes. The Act mandates that a DF may only engage DPs under a valid contract.

 

Note: A suggested form of contract is a Data Processing Agreement (DPA) that clearly sets out the scope and duration of processing and the other rights and obligations of both the DP and the DF.

 

  8. What legal obligations must be included in a contract or DPA between a DF and a DP?

The Act requires DFs to engage a DP only under a valid contract. Further, as highlighted above, a DF is responsible for complying with the provisions of the Act and the rules made thereunder. Accordingly, to ensure that the DP undertakes processing on behalf of the DF in a compliant manner, the DF must include data protection obligations in its agreement or DPA with the DP. Some of the clauses that should be incorporated are obligations to maintain records of processing activities, access management controls, information security safeguards, breach notification, rights of audit, Data Principal rights, restrictions on sub-processing, and data return or deletion upon contract termination.


  9. How often should a DPA be reviewed and updated?

While the Act does not prescribe a specific timeline, a DPA should be reviewed periodically, particularly when there are changes in the nature or purpose of processing, changes in law or regulation, security incidents, or a change in the business or operational model.


  10. Who will manage Data Principal requests such as access, rectification, nomination, or deletion? Will it be the DP or the DF?

Under the Act, the responsibility to respond to requests from Data Principals lies with the DF. A DP may be contractually required to first notify the DF on receipt of such requests and then assist the DF in fulfilling them.

 

  11. What happens when a Data Principal contacts a DP directly?

The DP is not obligated under the Act to respond directly to such requests and therefore should not do so. It should act as per the terms of the contract or DPA entered into between the DP and the DF. Where the contract is silent on this aspect, the DP may choose to inform the Data Principal that the request should be directed to the relevant DF and share the DF’s contact details. The DP may also notify the DF on receipt of such a communication and maintain a record of it.


  12. Do DPs also have to provide a direct interface or a direct grievance redressal mechanism to Data Principals?

No. The obligation to establish a grievance redressal mechanism for Data Principals lies entirely with the DF under the Act. DPs have no direct statutory obligation to provide grievance mechanisms. However, a DP may be contractually required to assist the DF in addressing grievances by providing relevant information, assisting in investigations, or implementing required measures.


  13. What are the security measures that a DP must comply with? Are these limited to encryption, anonymisation and access controls, or is there a checklist of security measures to implement?

The Act does not directly impose security obligations on DPs. The Act makes the DF responsible for protecting personal data "including in respect of any processing undertaken by it or on its behalf by a DP". However, DPs will typically be contractually required to implement reasonable security safeguards as agreed in their DPAs. These may include technical measures such as encryption, access controls and secure data storage, and organisational measures such as staff training, incident response protocols and secure infrastructure. The extent of the safeguards should be proportionate to the nature and volume of personal data processed and the risk associated with such processing.


  14. Do all DPs need to conduct third-party security assessments or audits, or is this voluntary?

The Act does not impose a statutory obligation on DPs to undergo security audits. However, DFs may include audit rights in their contracts and require DPs to submit to periodic assessments to demonstrate compliance with the contractual requirements.

 

  15. How is a DP required to prove its security posture to the DFs? Will a checklist suffice, or is a third-party report or certification advisable?

A DP can demonstrate its compliance through maintained policies and procedures, internal audit logs, records of staff training, incident response documentation, and independent third-party certifications or audit reports, where available. DFs may also require specific evidence of compliance as part of ensuring their own compliance with the Act.

 

  16. Who will notify the Data Protection Board (DPB) and Data Principals regarding a data breach?

The DF is solely responsible for notifying the DPB and the affected Data Principals under the Act. DPs have no statutory obligation to notify the DPB or Data Principals directly.

However, DPs will typically be contractually required to notify the DF promptly, at the earliest upon becoming aware of a personal data breach, and must provide all relevant information to enable the DF to fulfil its statutory obligations.

 

  17. What is the timeline in which DPs need to notify a DF regarding a data breach? Does a DP also need to have a data breach management process in place?

The Act does not specify any timeline for DPs to notify DFs in case of a breach. The Act only requires DFs to notify the DPB and the Data Principals, the manner and timeline of which will be prescribed in the upcoming rules under the Act. Prompt notification by a DP is nonetheless critical to allow the DF to meet its statutory obligations under the Act, which is why a DP should have a breach management process in place.

 

  18. If DPs transfer digital personal data outside India, do DPs need to comply with cross-border data transfer obligations, or is it an obligation of the DF?

A DP cannot take an independent decision on the cross-border transfer of data. The responsibility for ensuring lawful cross-border transfers lies entirely with the DF under the Act. DPs have no independent statutory obligations regarding cross-border transfers. However, a DP must not initiate any transfer of personal data outside India unless expressly authorised by the DF and in accordance with the terms set out in the contract or DPA.

 

Note: As the Act currently stands, a DF may transfer personal data outside India unless the Central Government, by way of a notification, adds a country to the negative list. Where stricter data localisation requirements exist under sectoral regulations, those regulations will also apply. Thus, a DP should not transfer any digital personal data outside India without written confirmation from the DF.

 

  19. What if one of our sub-processors is situated in a country outside India? What will be the DP’s compliance requirements?

The DP should obtain prior authorisation from the DF before engaging a foreign sub-processor, unless such engagement is specifically stipulated in the DPA between the DP and the DF. The DP should also ensure that the sub-processor is subject to equivalent contractual obligations and that adequate safeguards are in place. All cross-border transfer compliance remains the DF’s responsibility under the Act. The engagement of the sub-processor must be consistent with the terms set by the DF in the DPA and with the applicable data transfer restrictions under the Act.

 

  20. How long can a DP retain the digital personal data after its agreement with the DF expires or is terminated?

It is pertinent to note here that a DP does not have any independent right to retain personal data. The Act mandates a DF to delete all personal data once (a) the purpose for which it was collected is fulfilled and (b) retention of such personal data is not required under a contractual or regulatory obligation, and it mandates a DP to delete all personal data when directed by a DF to do so.

In this regard, a DP must delete all personal data when directed by a DF and may retain such personal data only if mandatorily required under law. Even in such circumstances, the DP must ensure that the retained personal data is segregated, kept secure and not used for any other purpose.

 

  21. Is it mandatory for DPs to provide a certificate of deletion to DFs?

The Act does not mandate a certificate of deletion. However, since the Act requires a DF to erase personal data once the purpose is fulfilled, consent is withdrawn, a data deletion request is made, or retention is no longer required under law or contract, the DF may require the DP to certify deletion to ensure its own compliance.

Separately, sectoral regulators have increasingly required proof of data deletion to verify adherence to applicable retention norms. Accordingly, issuing a certificate of deletion is a prudent contractual and compliance practice for DPs to avoid breach and mitigate liability under indemnity provisions.

 

  22. Is a DP also obligated to delete all data backups?

In scenarios where a DF, contractually or otherwise, obligates a DP to delete digital personal data, the phrase “erase personal data” under the Act should be interpreted broadly so as to include all copies and backups, unless there is a regulatory obligation to retain such personal data.

 

Note: Unless there is a specific regulatory or legal obligation to retain the personal data (such as tax or audit records), or the personal data is necessary for legal proceedings or the fulfilment of a contractual obligation, the DP must delete the personal data (including all copies and backups) and not use it for any other purpose.

 

  23. Is it mandatory to allow DFs to audit an organisation acting as a DP? What documents should a DP maintain for such audits?

The Act does not mandate audits of DPs by a DF. However, given that the DF is responsible for compliance with the Act in respect of processing activities conducted by the DP, DFs are expected to include contractual provisions requiring periodic audits of DPs to ensure adherence to the applicable obligations.

 

As good practice, we recommend that DPs regularly have their service offerings audited by trusted third-party auditors and keep such audit certificates and reports up to date. It is also recommended to have proper internal security mechanisms in place, including inter alia documented ROPAs (records of processing activities), documented access control management and auditable access logs, firewalls and breach detection, deletion and retention policies, an encryption policy, and breach notification management.

 

  24. What happens if a DP is responsible for a personal data breach? Are DPs directly liable to the DPB, only to the DFs, or both?

A DP’s liability depends on its contractual obligations with the DF. In case of a personal data breach, the DF remains accountable to the Data Principals and the DPB. However, the DF may recover any losses or penalties arising from such liability through contractual indemnities with the DP.



For any queries regarding implementation of the Act, any further questions, feedback or to set up a call, please write to us at shreya.gupta@chandhiok.com and tmt@chandhiok.com.
