The label your organisation carries, Data Fiduciary or Data Processor, is not administrative paperwork. It is the single most consequential classification in data privacy law. It determines who bears the primary obligations under India's Digital Personal Data Protection Act, 2023 (DPDP Act), who must respond when a data breach occurs, who faces the regulator, and who pays the penalty.
India's DPDP Act borrows conceptually from the EU's General Data Protection Regulation (GDPR), using slightly different terminology but the same foundational logic: the party that decides why and how personal data is processed carries the primary burden of compliance. This article will help you identify which role your organisation occupies, understand what each role demands in practice, and avoid the costly mistake of misclassifying yourself.
The question is never what you do with data. It is always who decided you would do it.
Core Definitions
Both the DPDP Act and GDPR draw the same fundamental line: one entity decides, and the other executes. The decider carries the burden; the executor carries it only when they step outside their instructions.
| DATA FIDUCIARY (DPDP Act, 2023, S.2(i)) | DATA PROCESSOR (DPDP Act, 2023, S.2(k)) |
|---|---|
| Any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. Carries primary accountability: consent obligations, grievance redressal, Data Principal rights, and breach notifications. ≈ "Controller" under GDPR Art. 4(7) | Any person who processes personal data on behalf of and under the instruction of a Data Fiduciary. Liability is derivative; it arises only from a breach of contractual obligations or processing outside the given instructions. ≈ "Processor" under GDPR Art. 4(8) |
The critical insight is this: the classification is not a matter of agreement or contract. You cannot contractually demote yourself from Fiduciary to Processor simply by labelling the arrangement differently. Regulators, both under GDPR and as expected under DPDP, look at the economic and operational reality of who exercises decision-making power over the data.
The Data Responsibility Chain
Understanding liability requires understanding where each party sits in the data flow. The chain below illustrates how responsibility travels from the individual whose data is collected, through the Fiduciary, down to processors and sub-processors.
01 Data Principal (the individual) → 02 Data Fiduciary (decides purpose and means) → 03 Data Processor (acts on instruction) → 04 Sub-Processor (further delegation)
Primary liability travels with the Fiduciary throughout this chain. A Processor's liability is triggered only when it deviates from the Fiduciary's instructions, breaches contractual terms, or independently begins determining the purpose of processing, at which point it becomes a Fiduciary in its own right.
GDPR vs. DPDP Act: A Side-by-Side Analysis
The DPDP Act draws heavily from GDPR's architecture. For compliance teams operating in India, however, the differences matter as much as the similarities. The table below maps critical parameters across both frameworks.
| PARAMETER | GDPR (EU) | DPDP ACT 2023 (INDIA) | RISK LEVEL |
|---|---|---|---|
| Terminology | Data Controller / Data Processor | Data Fiduciary / Data Processor | SEMANTIC |
| Determining Factor | Who decides purpose & means of processing | Same; who determines purpose & means | ALIGNED |
| Primary Obligations | Controller: consent, DSAR, DPIAs, breach notice | Fiduciary: consent, Data Principal rights, grievance | HIGH |
| Processor Duties | Must sign DPA (Art. 28); direct GDPR obligations | Contract with Fiduciary; no independent statutory duties yet | MEDIUM |
| Max Penalty | €20M or 4% global annual turnover | ₹250 crore (Significant Fiduciary: ₹200 crore extra) | CRITICAL |
| Significant Category | No direct equivalent (sector-specific rules) | Significant Data Fiduciary; DPIA & DPO mandatory | HIGH |
| Joint Controllers | Explicitly recognised, Art. 26 | Not expressly addressed | WATCH |
| Cross-Border Transfer | Standard Contractual Clauses, adequacy decisions | Whitelist of permitted countries (Rules pending) | HIGH |
| Data Localisation | Not required under GDPR per se | Possible; Government may mandate for certain data | MEDIUM |
Key takeaway: While the terminology differs (Controller vs. Fiduciary), the underlying test is identical in both frameworks: decision-making power over purpose and means. However, India's DPDP Act introduces the concept of the "Significant Data Fiduciary" (SDF), which triggers a higher tier of obligations, including mandatory appointment of a Data Protection Officer and the conduct of Data Protection Impact Assessments.
Real-Life Scenarios: Who Bears the Liability?
Classification disputes rarely happen in the abstract. They surface when regulators investigate incidents, breaches occur, or vendor relationships break down. The following scenarios are drawn from actual GDPR enforcement actions and mapped to their Indian equivalents, illustrating how these principles play out in practice.
Scenario 1: The Payroll & HRMS SaaS Provider
🇪🇺 GDPR PRECEDENT: Insufficient Processor Controls (Austrian DPA, 2019)
A marketing analytics firm processed subscriber data strictly on the instruction of a media company. When the analytics firm began sharing data with unrelated third parties, beyond the scope of their agreement, the Data Protection Authority investigated. Crucially, the media company (the Controller) was held partially liable, not for authorising the sharing, but for failing to put in place adequate contractual controls to prevent unauthorised use. The lesson: Controllers cannot disclaim responsibility simply because the misuse was done by a vendor. The obligation to supervise processors rests entirely with the Controller.
VERDICT: The Controller was penalised for inadequate processor oversight. The contract was silent on data-sharing restrictions, which the regulator treated as negligence.
🇮🇳 INDIA DPDP CONTEXT: Your HR & Payroll Software Vendor
Your organisation (Data Fiduciary) engages an HRMS vendor to manage employee payroll, leave records, and performance data. The vendor's data science team uses the salary and performance data, without your knowledge or instruction, to train an internal AI compensation benchmarking model. Under the DPDP Act, your organisation faces regulatory scrutiny not because you authorised the misuse, but because your Data Processing Agreement (DPA) failed to explicitly prohibit the vendor from using the data for any purpose beyond payroll administration. The obligation to contractually bind your processor rests on you as the Fiduciary. This is particularly relevant for HR departments that procure SaaS tools rapidly and treat the vendor's standard terms as sufficient. They rarely are.
Scenario 2: The B2B Platform Claiming Processor Status
🇪🇺 GDPR PRECEDENT: Clearview AI, Multiple EU DPAs (2021 to 2022)
Clearview AI positioned itself as a data processor, supplying facial recognition services to law enforcement agencies, which it argued were the Controllers. EU Data Protection Authorities across France, Italy, Greece, and the UK rejected this characterisation comprehensively. The regulators found that Clearview independently decided to scrape billions of facial images from the internet and build a biometric database. The purpose of collection (building and monetising the database) was determined by Clearview, not by its law enforcement clients. Clearview was therefore a Controller (Fiduciary) in its own right, with all attendant GDPR obligations. Clearview was ordered to delete data and faced fines across multiple jurisdictions totalling over €50 million. Claiming processor status did not reduce liability; it actually worsened the regulatory response, as it was treated as a misrepresentation of the company's role.
VERDICT: Regulatory authorities pierce contractual labels and look at operational reality. If you determine what data is collected and why, you are a Controller/Fiduciary. There is no contractual workaround.
🇮🇳 INDIA DPDP CONTEXT: Legal-Tech, InsurTech & Data Aggregator Platforms
An Indian legal-tech startup aggregates publicly available court judgments, land records, and company filings; structures them into a searchable database; and licenses access to law firms and corporate legal teams. The startup positions itself as a "data infrastructure provider", essentially a Processor for its law firm clients. However, if the startup independently decides what court records to scrape, how to classify and tag them, and what fields to index, it is determining the purpose and means of processing. Under the DPDP Act, it would be classified as a Data Fiduciary. Its consent obligations, grievance mechanism requirements, and Data Principal rights obligations arise from that classification, not from what it calls itself. The same analysis applies to InsurTech platforms that aggregate medical data, credit aggregators, and HR analytics companies. The regulatory test is functional, not formal.
Scenario 3: Cloud Infrastructure & Cross-Border Data Flows
🇪🇺 GDPR PRECEDENT: Schrems II, CJEU, 2020 (Data Transfers to the US)
The Court of Justice of the EU invalidated the EU-US Privacy Shield framework, ruling that US surveillance laws did not provide equivalent protection to EU residents. This forced every EU Controller transferring personal data to US-based processors (including AWS, Microsoft Azure, Google Cloud) to implement Standard Contractual Clauses (SCCs) and conduct Transfer Impact Assessments (TIAs). The critical point: AWS and Azure remained Processors. But Schrems II did not relieve EU Controllers of their transfer-compliance burden. On the contrary, it substantially increased the compliance obligations on Controllers, because the responsibility for ensuring adequate protection in the destination country rests with the Controller, not the processor.
VERDICT: Even when a cloud provider is unambiguously a Processor, the Controller bears full responsibility for cross-border transfer compliance. "We use a reputable cloud provider" is not a legal defence.
🇮🇳 INDIA DPDP CONTEXT: Indian Enterprises Using Cloud Infrastructure Outside India
An Indian e-commerce company (Data Fiduciary) uses AWS with servers in Mumbai for its primary database but routes analytics workloads through AWS Frankfurt for cost efficiency. AWS remains a Data Processor throughout. Once the Indian government notifies the blacklist of countries to which personal data may not be transferred under the DPDP Act, this Frankfurt routing may constitute a cross-border transfer requiring a legal basis. The obligation to assess this, obtain necessary approvals, or restructure the data architecture falls entirely on the e-commerce company, the Fiduciary, not on AWS. For multinational companies with Indian subsidiaries: the DPDP Act is likely to treat data transfers from Indian entities to foreign parent companies as cross-border transfers. This is a significant compliance gap that most transfer pricing and structuring exercises currently ignore.
Compliance Checklist for Legal & Compliance Heads
Use the following checklist to assess your organisation's readiness. Each item addresses a specific point of failure identified in GDPR enforcement and anticipated under India's DPDP regime.
1. Role Assessment First. For every data processing activity, formally document who determined the purpose. If your organisation made that decision, you are the Fiduciary. This classification should be captured in a Data Processing Register and reviewed by legal counsel before any new data initiative launches.
2. Data Processing Agreements (DPAs). Bind all vendors, cloud providers, analytics platforms, and any other third party touching personal data by written contract. The DPA must specify: permitted purposes (with explicit prohibitions on other uses), sub-processing restrictions, breach notification timelines (recommend 24 hours), data return or deletion on termination, and audit rights for your organisation.
3. Cross-Border Transfer Mapping. Identify every country where personal data under your control currently resides or transits, including cloud regions, backup locations, and vendor processing centres. When the DPDP Act's country whitelist is notified, validate that all transfers fall within permitted geographies. Build a remediation plan for non-compliant flows.
4. Significant Data Fiduciary (SDF) Assessment. Monitor the government's criteria for SDF designation. If your organisation processes large volumes of data, sensitive personal data (health, financial, biometric), or data of children, you are likely to be designated. SDFs face mandatory DPO appointment, Data Protection Impact Assessments, and periodic audits. Prepare now rather than scramble at designation.
5. Processor Breach Notification Protocols. Even if your vendor causes a data breach, your obligation as Fiduciary is to notify the Data Protection Board of India. Your DPAs must contractually compel processors to notify you within a defined window (recommend 6 to 12 hours of discovery) so you can meet your statutory timeline. Silence in the DPA on notification is a critical gap.
6. Avoid Role Ambiguity in Contracts. Joint data processing arrangements, where two or more organisations together determine purpose and means, create shared Fiduciary liability under GDPR (Art. 26, 'Joint Controllers'). India's DPDP Act does not yet explicitly address this, but regulators are expected to follow GDPR precedent. Any arrangement where your organisation and a partner jointly decide on data use should be documented with a clear allocation of responsibilities.
7. Vendor Due Diligence Before Onboarding. GDPR enforcement has consistently penalised Controllers for inadequate vendor due diligence: selecting processors without verifying their security practices, sub-processing arrangements, or data localisation policies. Implement a structured vendor privacy assessment before onboarding any new processor, and build a periodic review cycle into existing contracts.
THE BOTTOM LINE: Under both GDPR and India's DPDP Act, liability follows decision-making power, not data flow. If your organisation determines why personal data is processed, you are a Fiduciary, and no contractual re-labelling will change that. Build your privacy programme around this reality. Get the classification right. Everything else follows from it.
About the Author
Jayshree Murarka is Associate Director at Zou Global Services, where she leads data privacy and compliance advisory engagements. A qualified lawyer and data privacy professional, she advises Indian and multinational organisations on navigating the Digital Personal Data Protection Act, 2023, GDPR, and cross-border privacy frameworks. She writes regularly on the practical compliance questions that legal and compliance heads face as India's privacy regime takes shape.
Disclaimer: This article has been prepared for general information. It does not constitute legal advice. For jurisdiction-specific guidance, consult your data privacy counsel.