Consent Manager under DPDP Act

There is a lack of clarity on the role qualification of Consent Managers when they are engaged by a third party, that is, whether they function as a data fiduciary or a data processor when collecting and managing consent for that third party.

As the Digital Personal Data Protection Act, 2023 (DPDPA) comes into force in a phased manner, the provisions pertaining to Consent Managers will come into force one year from the date of publication of the rules in the Official Gazette, 15 November 2025. Though one year appears to be a long time, businesses focused on their preset goals tend to lose track of it, and the new compliance requirement gets sidelined until the last moment, leaving it as an open risk.

A Consent Manager[1] has the duty of collecting and managing consent under the DPDPA.[2] However, there is a lack of clarity on their role qualification when they are engaged by a third party, that is, whether they function as a data fiduciary or a data processor when collecting and managing consent for that third party. This article aims to clarify this point by interpreting the legal framework around the nature of the Consent Manager's role in the context of the duty performed. In the process, it walks through the fundamental process of assessing any data processing activity, with an illustration for easier understanding.

Context of the data processing activity

The foremost step in assessing any data processing activity is to understand the context of that specific activity. The context includes certain essential elements: the purpose for which the personal data is being processed, the kinds of processing operations the data will undergo, the categories of personal data being processed, and the stakeholders (parties) involved in the activity, along with a few more elements not pertinent to the scope of this article.

Each of these elements acts as a building block, and together they reveal the whole context of processing. Institutions process data in numerous contexts: providing goods or services, marketing, meeting regulatory requirements, and so on. Only one specific data processing activity should be considered when analysing the context; considering many activities at once intertwines them and leads to failure in identifying the correct data flow. Consent Managers are usually one of the customer-facing stakeholders in a data processing activity.

The importance of isolating the context can be explained with the following scenario:

Say Company AB has 2000 employees and its business is selling books online. The company also engages Company XY to disburse the salaries of its employees and Company DE to manage the consent of its online customers. A diagram below will aid in visualising the activities of Company AB.

For the activity of selling books to customers online, let us assume the data processed is name, address, phone number, email ID and the customer's consent, where given. In this data flow there is also a Consent Manager, Company DE, which manages the consent given by the online customers.

For the other activity, disbursing salaries, the company processes employees' data; let us assume that name, address, work identification number, time worked per month, vacations taken and pension details are processed. Company XY processes these details to disburse salaries to the employees of Company AB.

It should be appreciated that Company AB carries out two separate personal data processing activities, distinguished by the target data principals, the type of data processed, and so on:

(1) selling books to online customers (depicted on the left side), with Company DE acting as a Consent Manager; and

(2) disbursing salaries to its employees (depicted on the right side) by engaging the services of Company XY for the disbursement.

In this illustration the personal data is processed in two different contexts. For the purpose of understanding the role of the Consent Manager, the focus will be solely on the left side of the diagram, which has the Consent Manager in the loop. In real life, the data flow is usually far more complicated than the illustration and involves many stakeholders and activities. But no matter how complex, if one picks a specific activity and maps its data flow, the context for that activity becomes apparent. Fixing the context helps in qualifying the roles of the stakeholders, which is the next step.

Legal principles such as purpose specification[3] and data limitation apply even at the context isolation step, but they fall outside the scope of this article.

Role qualification of Consent Manager

Now that the context has been isolated, role qualification is the next important step in assessing any personal data processing activity. Simply stated, it pins down the role each stakeholder takes on in the data processing activity, depending on the activity it performs. The three roles with varying obligations and liabilities under the DPDPA are data fiduciary, data processor and data principal.

Essentially, role qualification pinpoints the data fiduciary, data processors and data principals in the data flow. As data processing activities can get very complicated, sometimes involving multiple data fiduciaries and processors, independent or joint, this step clearly sets the legal perimeter of each party's operation along with its rights and obligations.

Identifying data principal

For discussing the roles of the stakeholders, the left-side activity in the illustration may be considered, as the ultimate goal is to understand the role of a Consent Manager. Section 2(j) DPDPA defines a data principal as “…the individual to whom the personal data relates and where such individual…”.[4]

It is self-explanatory that the persons to whom the personal data belongs are data principals; in our illustration, the online customers are the data principals. There is no hard-and-fast rule as to which role must be identified first, but identifying the data principals is the easiest of all and indicates whether the extra-territorial application of Indian law, and other laws, needs to be considered.

Identifying data fiduciary/controller

After identifying the data principals, the next step is to identify the data fiduciary, or data fiduciaries if there are more than one. The DPDPA defines this term in Section 2(i)[5] as any person who determines the “purpose and means of processing”. It may be a legal or natural person.

This language has been borrowed from the General Data Protection Regulation (GDPR).[6] Article 4(7) defines “controller” as—

…means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

The European Data Protection Board (EDPB)[7] has published “Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR”, which helps in interpreting the terms “purpose” and “means”.[8] The guideline explains that the party that determines the “why” and the “how” of the data processing activity, that is, why the activity takes place or what it is for, and how the objective is achieved, falls under the category of controller.[9] There should exist a supervisory or constructive control, or a “level of influence”,[10] over the data processing activity.

This matters because the authorities anticipate that processors engaged by controllers (data fiduciaries) sometimes have room to make technical decisions, which may give the impression that the processor determines the “means” of processing and so takes on the role of controller. The guideline draws the line between essential means (which data is processed, for how long, and who has access), which remain for the controller to decide, and non-essential means (the choice of hardware or software, the detailed security measures), which the controller may leave to the processor. The controller often lacks the know-how to implement the technical requirements for achieving its goals, which is why this room for decision is given to the processor. A controller that engages a processor for its technical specialisation may therefore appear to cede control of the “means”, but it does not; in such cases the party that determines the “purpose” remains the controller.

In a fairly recent case, C-683/21,[11] the Court of Justice of the European Union (CJEU) discussed the role of a controller in the context of a data processing activity and its liabilities. The facts in brief: during the COVID-19 pandemic, the National Public Health Centre under the Ministry of Health of the Republic of Lithuania (Nacionalinis visuomenės sveikatos centras, NVSC) wanted to commission a mobile application for tracking infected persons in Lithuania. UAB “IT sprendimai sėkmei” (ITSS), a technology company, was shortlisted and selected to develop the app. NVSC gave ITSS instructions for developing the application, and a confidentiality policy that styled both parties as controllers was agreed between them. Once developed, the app was made available to the Lithuanian public via the Google Play Store. The application processed the ID number, geographical coordinates (latitude and longitude), country, city, municipality, postcode, street name, building number, surname, first name, personal identification number, telephone number and address of its users.

NVSC intended to procure the app from ITSS, but the transaction did not go through for financial reasons. The Lithuanian data protection authority imposed a fine on NVSC on the ground that it was the controller and that the personal data collected through the app was not handled properly once the project was abandoned. Among other grounds, NVSC argued that it did not qualify as a controller because it never even received the data processed by the mobile application and had no contract with ITSS. The CJEU held that the existence or non-existence of a contract is not decisive in determining the controller's role. Anyone who exerts influence over the processing of personal data and participates in determining its purpose and means becomes a controller.[12] Here, the app was commissioned by NVSC to keep track of COVID-19 infected persons, and NVSC also issued instructions to ITSS on how the app should be developed.[13] Hence NVSC qualifies as a controller even though it did not receive the personal data.[14]

Applying the same test to the illustration under consideration, the personal data of the data principals (online customers) is processed by Company AB for selling books online. The purpose of processing is therefore determined by Company AB, for its own benefit, and Company AB is the data fiduciary/controller. The role of Company DE still remains to be assessed and assigned. This company is a Consent Manager and manages the consent of the online customers who purchase books from Company AB.

Identifying data processor

The DPDPA defines data processor in Section 2(k) as “‘data processor’ means any person who processes personal data on behalf of a data fiduciary”. This is similar to the GDPR definition of processor in Article 4(8), which states “‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. The EDPB guideline discussed above, Guidelines 07/2020, lays down two conditions[15] for a processor—

(1) it should be a separate entity in relation to the controller; and

(2) it should process personal data on behalf of the controller.

The first condition is that the processor should be a body independent of the controller (data fiduciary). For the second condition, the guideline describes “on behalf of” as serving someone else's interest under instructions.[16] The processor should act under the instructions of, and for the benefit of, the controller, and it processes the personal data under the controller's influence or control. It follows that the processing does not take place for the processor's own purposes.[17]

In the case discussed above for understanding the role of the controller, the CJEU also implicitly held that ITSS would qualify only as a processor, even though it developed the mobile app and managed the data processing activity, since it acted only under the instructions and influence of NVSC.[18]

Inference on Consent Manager’s role

A Consent Manager can be understood as an agent possessing technical skills. Often, Consent Managers are engaged for technical skills that the data fiduciary lacks. A Consent Manager acts as an agent of the data fiduciary when collecting data or consent, but uses independent discretion and technical skill to determine the “means” of collection. The data fiduciary, being the “principal”, is liable to the customers for the acts of the Consent Manager.[19]

Applying these tests to the role performed by Company DE, this company collects and manages consent for the benefit of Company AB, for the purpose of selling books online. More insight into the Consent Manager's role can be gleaned from Section 6(7) DPDPA, which states, “The data principal may give, manage, review or withdraw her consent to the data fiduciary through a Consent Manager.” On a plain reading, the consent is given to the data fiduciary through an intermediate third party, the Consent Manager. In our illustration, Company DE does not determine the “purpose”; the purpose is determined by Company AB. Consent collection must never be understood as disjunct from the underlying purpose of processing, which is Company AB's online book sale. Hence Company DE, as a Consent Manager, acts under the instructions of Company AB, though it has freedom or room of operation in deploying the consent mechanism.

Therefore, in the authors' view, a Consent Manager collecting and managing consent for a defined purpose of a third-party data fiduciary acts only as a data processor and not as a data fiduciary.

Consent Manager as a data fiduciary

It is possible that in some data processing contexts the Consent Manager takes on the role of a data fiduciary/controller. If the purpose and means of processing are determined by the Consent Manager, it steps into the shoes of a data fiduciary/controller. For instance, a Consent Manager company is a data fiduciary/controller when processing the personal data of its own employees, since that processing meets its own objectives. In the illustration above, Company DE has employees working for it. When processing their data for the disbursement of salaries, Company DE becomes the data fiduciary/controller, and if it engages another company (Company GH) for that purpose, Company GH becomes the processor.

Conclusion

Before processing personal data for any activity, it is crucial to assess the activity to determine and qualify the roles of all stakeholders in the flow. As the law imposes most obligations on data fiduciaries, a data processor's non-compliance with the DPDPA may legally be saddled on the data fiduciary. Activity scoping and identifying the context is therefore the first important step in assessing any process, and it paves the way for role qualification of the stakeholders involved. When a data fiduciary engages a third-party Consent Manager to manage the consent of its customers, it must be remembered that the Consent Manager acts on behalf of the data fiduciary/controller and qualifies only as a data processor. A Consent Manager can also be a data fiduciary, depending on the context of the data processing activity.


*Privacy Legal Counsel at Philips, Amsterdam, The Netherlands. Author can be reached at: hemanthsudha@gmail.com.

**Advocate, practising at High Courts of Madras and Andhra Pradesh; Partner, M/s Nomos Solutions. Author can be reached at: pattabhi.pramodh@gmail.com.

1. DPDPA. “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

2. DPDPA, S. 6(7). The data principal may give, manage, review or withdraw her consent to the data fiduciary through a Consent Manager.

3. DPDPA, S. 6(1). The consent given by the data principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.

4. DPDPA, S. 2(j). “Data principal” means the individual to whom the personal data relates and where such individual is—

(i) a child, includes the parents or lawful guardian of such a child;

(ii) a person with disability, includes her lawful guardian, acting on her behalf;

5. DPDPA, S. 2(i). “Data fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

6. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27-4-2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), available at <https://gdpr-info.eu/art-4-gdpr/>.

7. European statutory body established by GDPR for consistent application of GDPR, cooperation between Member States and enforcement, available at <https://www.edpb.europa.eu/about-edpb/who-we-are/european-data-protection-board_en>.

8. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (7-7-2021), p. 14, available at <https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf>.

9. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (7-7-2021), para 34, available at <https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf>.

10. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (7-7-2021), para 37 available at <https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf>.

11. Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v. Valstybinė duomenų apsaugos inspekcija, Case C-683/21, judgment dated 5-12-2023 available at <https://curia.europa.eu/juris/document/document.jsf?text=&docid=280324&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=7438261>.

12. Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v. Valstybinė duomenų apsaugos inspekcija, Case C-683/21, judgment dated 5-12-2023, para 30, available at <https://curia.europa.eu/juris/document/document.jsf?text=&docid=280324&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=7438261>.

13. Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v. Valstybinė duomenų apsaugos inspekcija, Case C-683/21, judgment dated 5-12-2023, para 32, available at <https://curia.europa.eu/juris/document/document.jsf?text=&docid=280324&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=7438261>.

14. Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v. Valstybinė duomenų apsaugos inspekcija, Case C-683/21, judgment dated 5-12-2023, paras 35, 36 and 38, available at <https://curia.europa.eu/juris/document/document.jsf?text=&docid=280324&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=7438261>.

15. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (7-7-2021), p. 25, para 76, available at <https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf>.

16. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (7-7-2021), p. 26, para 80, available at <https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf>.

17. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR (7-7-2021), p. 26, para 81, available at <https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf>.

18. Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos v. Valstybinė duomenų apsaugos inspekcija, Case C-683/21, judgment dated 5-12-2023, para 38, available at <https://curia.europa.eu/juris/document/document.jsf?text=&docid=280324&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=7438261>.

19. Versha Engg. (P) Ltd. v. Vijay Traders, 1982 SCC OnLine Guj 68.
