The DPDP Act creates a structured framework with different roles.Each role has a specific identity within the data protection ecosystem.

1. Data Principal (DP)

Definition

A Data Principal is the individual to whom the personal data relates.

In simple terms:It is the person whose data is being collected, stored, or processed.

Complete Scope of the Term

Under the Act, this includes:

• Any natural person (individual)

• Children (below 18 years of age)

• Persons with disabilities

In the case of:

• Children

• Individuals with disabilities

Their legal rights under the Act are exercised by:

• Parents, or

• Lawful guardians

Important Clarification

The Data Principal is always:

• A natural person

• Not a company

• Not an organization

Only individuals qualify.

2. Data Fiduciary (DF)

Definition

A Data Fiduciary is any person, company, firm, state body, or other entity that:

• Determines the purpose of processing personal data

• Determines the means (methods) of processing personal data

This means it decides:

• Why data is collected

• How data is processed

Nature of the Role

The term “fiduciary” indicates a position of trust. It reflects a relationship where one party handles data responsibly on behalf of individuals.

Who Can Be a Data Fiduciary?

It can include:

• Private companies

• Startups

• Banks

• Hospitals

• Educational institutions

• Government bodies

• Digital platforms

Any entity that decides the purpose and method of data processing qualifies.

3. Data Processor (DP)

Definition

A Data Processor is any person or entity that processes personal data:

• On behalf of a Data Fiduciary

• According to the instructions of the Data Fiduciary

Structural Role

The Data Processor:

• Does not decide the purpose of processing

• Does not control the primary decision-making

• Acts under contractual instructions

It is essentially a service provider in the data ecosystem.

Examples of Processing Activities

Processing includes operations such as:

• Collection

• Storage

• Organisation

• Retrieval

• Use

• Disclosure

• Deletion

• Restriction

4. Significant Data Fiduciary (SDF)

Definition

A Significant Data Fiduciary is a Data Fiduciary that the Central Government designates based on specified criteria.

The Act allows classification depending on:

• Volume of data processed

• Sensitivity of data

• Risk to rights of individuals

• Risk to sovereignty, integrity, or public order

Structural Purpose

This category exists to identify entities that:

• Handle large-scale data

• Operate critical digital infrastructure

• Process sensitive information

• Pose higher systemic risks

They are subject to enhanced regulatory classification.

5. Consent Manager

Definition

A Consent Manager is a registered entity under the Act that provides a platform enabling Data Principals to:

• Give consent

• Manage consent

• Review consent

• Withdraw consent

Structural Role

The Consent Manager acts as:

• An intermediary system

• A technological facilitator

• A consent management infrastructure

It must be registered and operate in accordance with regulatory requirements.

6. Data Protection Board of India (DPB)

Definition

The Data Protection Board of India is the regulatory authority established under the DPDP Act.

Structural Function

It serves as:

• The enforcement body

• The adjudicatory authority

• The complaint-handling mechanism

It is empowered to:

• Investigate violations

• Examine breaches

• Impose penalties

• Issue directions

It represents the regulatory backbone of the Act.

Overall Structure of the DPDP Ecosystem

The Act creates a clear hierarchy:

• Individuals → Data Principals

• Decision-makers → Data Fiduciaries

• Service providers → Data Processors

• High-risk entities → Significant Data Fiduciaries

• Consent infrastructure → Consent Managers

• Enforcement authority → Data Protection Board

Together, these roles form the complete institutional framework of the DPDP Act, 2023.