
Last Updated: 2025-01-14 ~ Vrinda Khemariya ~ DPDP Consultants

Data Processing Agreement Under The DPDP

A Data Processing Agreement (DPA) supports DPDP compliance by defining the roles, responsibilities, and security measures that protect data fiduciaries and mitigate risk.

With over 751 million internet users, India is the world’s second-largest internet market. This makes it a goldmine of data for businesses. But to handle personal data in India, you must comply with the Digital Personal Data Protection Act 2023 (DPDPA).

The DPDPA lets you use an external data processor, but in the event of a breach, it holds you, the data fiduciary, solely responsible. So, what can you do to protect yourself? Or how can you ensure data processors follow the rules to avoid breaches in the first place?

This is where a Data Processing Agreement (DPA) comes in.

Let's understand the details of data processing contracts under the DPDPA.

What is a DPA?

If your organisation relies on external parties to process personal data for you, you need a data processing agreement. This agreement, also known as a data protection agreement (DPA), data sharing agreement (DSA) or data processing contract (DPC), protects both you and your customers by clearly outlining how data should be handled. It's a legally binding contract that defines the roles and responsibilities of both the data fiduciary (you) and the data processors, and it sets the terms for how data will be processed.

DPAs usually cover:

  • The specific purposes for processing personal data
  • The types of personal data that will be processed
  • The duration of the processing
  • The geographic scope of the processing
  • The security measures to protect personal data
  • The rights of individuals regarding their personal data
  • The obligation of the parties to follow applicable laws

Data Processing Contracts under the DPDPA

To share data in line with the DPDPA, your business must have a contract in place. Specifically, section 8, paragraph 2 of the Act states: “A Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data on its behalf for any activity related to the offering of goods or services to Data Principals only under a valid contract.”

Also, unlike the European Union’s General Data Protection Regulation (GDPR), which places direct responsibilities on data processors, the DPDPA makes the data fiduciary solely responsible, regardless of any agreement.

So, how can you, as a data fiduciary, protect yourself?

Creating Stringent Agreements

Organisations must ensure their compliance requirements and legal obligations are reflected in their supply chain by:

  • implementing proper technical and organisational measures
  • taking reasonable security precautions to prevent data breaches.

This compliance must extend to the activities of data processors, including actions like rectifying or erasing data. For instance, if an individual withdraws consent for data processing, all entities, including data processors, must stop processing the data, or the primary entity may be held liable.

Also, each data processing agreement (DPA) should address risks and mitigation strategies, while allowing the data fiduciary to retain control and intervene as needed to meet legal obligations.

Key provisions of the agreement could include:

  • Defining data processing activities with service and performance standards.
  • Granting the data fiduciary access to all relevant records and information.
  • Allowing continuous monitoring and assessment by the data fiduciary for immediate corrective actions.
  • Ensuring confidentiality controls and specifying the data processor's liability for breaches or leaks.
  • Including contingency plans for business continuity.
  • Requiring prior approval of the data fiduciary for the involvement of subcontractors in processing activities.
  • Retaining the data fiduciary's right to audit the data processor's operations and obtain audit reports.
  • Clarifying that government or regulatory authorities may access the data fiduciary’s records, including those related to delegated processing.
  • Specifying the obligation of the data processor to comply with government or authority directives regarding processing activities.
  • Allowing the data fiduciary to inspect the data processor’s IT and cybersecurity systems.
  • Maintaining confidentiality of personal information after the agreement ends.
  • Ensuring the data processor preserves records and data to meet the data fiduciary’s legal and regulatory obligations even after contract termination.

What Happens if a Data Processor Exceeds the Scope of a DPA?

If a data processor handles personal data beyond what the DPA allows or against the data fiduciary’s instructions, the processor may become a data fiduciary itself. Under the DPDP Act, as long as the data processor follows your instructions, you remain responsible to the data principals. However, if the processor starts deciding the means and purposes of processing, they may become directly responsible to the data principals.

To prevent this, you should include a clause in the DPA requiring the processor to handle personal data only as specified in the DPA and only as needed for the mentioned services. Alternatively, the processor could process personal data according to written instructions from the data principals. Any processing outside the DPA’s scope should require a prior agreement between the data principals and the processor.


Beyond DPAs — A Complete Compliance Solution

By entering into a well-drafted DPA, businesses can ensure data processing complies with the DPDPA, mitigating legal risks, building trust, and protecting privacy.

Data processing agreements are essential, but they're only part of the solution. For seamless compliance and strong data security, you need a comprehensive platform focused on both your business and your customers' privacy. That's where DPDP Consultants come in.

Our team, specialising in data protection and privacy compliance, provides customised solutions tailored to your needs, giving you the skills, tools, and knowledge to effectively navigate these regulations.

  • The DPDPA Readiness Review helps organisations assess the extent of the DPDPA's impact on their operations.
  • The Data Protection Consent Management (DPCM) tool ensures valid consent, automating personal data consent requests and establishing a robust system for tracking and handling such requests within companies.
  • For existing contracts with data processors, the Contract Review service checks alignment with DPDP requirements and recommends revisions where necessary.
  • Our dedicated team provides comprehensive DPDPA Compliance Assistance, establishing internal audit frameworks for regulatory alignment and monitoring entities in your supply chain.
  • We assist in conducting DPIAs to assess and mitigate risks in data processing. Our Data Protection Impact Assessment (DPIA) tool automates the process, allowing concerned individuals/DPOs to conduct DPIAs through a user-friendly platform. It tracks identified risks and ensures all concerned are informed about mitigation progress.
  • The Data Principal Grievance Redressal (DPGR) tool enables data principals to raise their rights through a user-friendly platform, accessed manually or automatically by Data Protection Officers/concerned persons. This reduces response time and ensures compliance.
  • Our Data Protection Awareness Program (DPAP) enables regular and mandatory awareness sessions, followed by assessments, ensuring every employee understands the DPDP Act and the repercussions of non-compliance.
