{"id":312352,"date":"2024-01-28T14:00:42","date_gmt":"2024-01-28T08:30:42","guid":{"rendered":"https:\/\/www.scconline.com\/blog\/?p=312352"},"modified":"2024-04-18T17:35:21","modified_gmt":"2024-04-18T12:05:21","slug":"who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios","status":"publish","type":"post","link":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/","title":{"rendered":"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios"},"content":{"rendered":"<div style=\"text-align: justify; line-height: 150%;\">\n<p style=\"margin-bottom: 3%;\"><span style=\"color: #903; float: left; font-family: Georgia; font-size: 75px; line-height: 60px; padding-top: 4px; padding-right: 8px; padding-left: 3px;\">U<\/span>nder the Digital Personal Data Protection Act, 2023 (<span style=\"font-weight: bold;\">DPDP Act<\/span>), data fiduciaries, i.e., entities determining the purposes and means of processing personal data (<span style=\"font-style: italic;\">either alone or in conjunction with other persons<\/span>), are largely responsible and liable for compliances. Except nomenclature differences, data fiduciaries are functionally equivalent to \u2018data controllers\u2019 under the European Union\u2019s General Data Protection Regulation (<span style=\"font-weight: bold;\">GDPR<\/span>).<\/p>\n<p style=\"margin-bottom: 3%;\">While the GDPR (under article 26) recognizes \u2018joint controllers\u2019, requiring them to execute responsibility-sharing arrangements, the DPDP Act does not distinctly call out \u2018joint data fiduciaries\u2019 as such or impose specific requirements for such \u2018joint\u2019 arrangements. However, as a principles-based legislation, the definition of \u2018data fiduciaries\u2019 envisions the possibility of more than one entity controlling personal data processing. The GDPR holds data controllers <span style=\"font-style: italic;\">jointly<\/span> and <span style=\"font-style: italic;\">severally<\/span> liable, i.e., a data subject can institute a suit against any joint controller instead of instituting multiple lawsuits. While under the DPDP Act, there is no express provision for joint and several liability where multiple data fiduciaries are involved, each data fiduciary will be independently responsible for compliance with its provisions, to the extent applicable. The data fiduciary suffering a loss owing to another party may however seek contractual indemnities\/insulations from responsible parties.<\/p>\n<p style=\"margin-bottom: 3%;\">Whether a contracting entity is a joint data fiduciary, independent fiduciary or merely a data processor will be a question of fact in each case. The regulator will possibly pierce through the contract in a given situation, to scrutinise the actual roles undertaken by each party in attributing fault. The illustrations below highlight where such determination may be a tricky endeavour.<\/p>\n<h4 style=\"background-image: linear-gradient(to left, #FFFFFF, #79a4d2);\">Arrangement to Determine Customer Creditworthiness<\/h4>\n<p style=\"margin-bottom: 3%;\">An e-commerce platform engages an affiliate to generate creditworthiness data to cross-sell financial services to a customer through its financial arm. Such affiliate may determine a customer\u2019s creditworthiness through analytics of their borrowing history and cherry-pick which categories of data to rely on to arrive at such an outcome. The <span style=\"font-style: italic;\">purpose<\/span> of this exercise is determined by the e-commerce company, i.e., to facilitate the lending process. The <span style=\"font-style: italic;\">means<\/span> of this exercise would be determined by the affiliate. Depending on the level of control exercised by the e-commerce entity on the means (e.g., categories of personal data to base the decision on, the decision-making process, etc), the affiliate may be classified as a joint data fiduciary. If the affiliate only acts on behalf of the e-commerce platform, operating strictly within parameters laid down by the e-commerce platform, such affiliate may only be a data processor, shielded from any direct liability under the DPDP Act (except what is passed through contract).<\/p>\n<h4 style=\"background-image: linear-gradient(to left, #FFFFFF, #79a4d2);\">Clinical Trial Arrangements<\/h4>\n<p style=\"margin-bottom: 3%;\">Drug manufacturers (<span style=\"font-weight: bold;\">Sponsors<\/span>) typically outsource research functions to Contract Research Organisations (<span style=\"font-weight: bold;\">CROs<\/span>) with requisite expertise in clinical trial processes. While the manufacturer defines broad parameters of the study, the CRO controls the research process on behalf of the Sponsor. To complicate this further, the trial is conducted by a doctor appointed by an institution (i.e., a hospital), responsible for interfacing with the patient, obtaining their informed consent, etc. In such cases, each party may distinctively act as one of the joint data fiduciaries or even a mere data processor, depending on the extent to which they complement each other in determining the means and purposes of processing.<\/p>\n<h4 style=\"background-image: linear-gradient(to left, #FFFFFF, #79a4d2);\">Joint Data Fiduciary or Merely a Data Processor?<\/h4>\n<p style=\"margin-bottom: 3%;\">In complex data processing arrangements, where there is at least some control over the means of processing personal data, an entity\u2019s classification as a joint data fiduciary or a processor may be difficult. However, this question lies at the heart of liability attribution since a joint data fiduciary may be independently proceeded against for non-compliance with the law. To draw inspiration from the EU, the European Data Protection Board, EU\u2019s independent advisory body on the GDPR, distinguishes between <span style=\"font-style: italic; text-decoration: underline;\">essential<\/span> and <span style=\"font-style: italic; text-decoration: underline;\">non-essential<\/span> means. Essential means are linked closely to the purposes and scope of processing (e.g., which categories of personal data may be processed, for how long may personal data be retained, etc.). Non-essential means relate to practical aspects of implementation (e.g., choice of software or hardware used to process personal data, security measures undertaken, etc). However, in situations highlighted above, control exercised by each party over the essential means may overlap.<\/p>\n<p style=\"margin-bottom: 3%;\">As would be clear from the above, parties should carefully assume the roles and responsibilities for processing personal data. They should review data processing contracts \/ contractual provisions closely to ring-fence, and appropriately attribute liability to the relevant responsible party.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>by Supratim Chakraborty (Partner), Sumantra Bose (Principal Associate) and Siddharth Sonkar (Associate), Khaitan &amp; Co<br \/>\nCite as: 2024 SCC OnLine Blog Exp 11<\/p>\n","protected":false},"author":8808,"featured_media":312362,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[20271,47404],"tags":[64754,64758,64759,64756,64751,64752,64760,64762,41288,31140,64753,64757,64755,64761],"class_list":["post-312352","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-experts_corner","category-khaitan-co","tag-complex-processing-scenarios","tag-contract-research-organisations","tag-cros","tag-data-fiduciary","tag-digital-personal-data-protection-act","tag-dpdp-act","tag-drug-manufacturers","tag-european-data-protection-board","tag-gdpr","tag-general-data-protection-regulation","tag-identifying-data-fiduciar","tag-independent-fiduciary","tag-joint-controllers","tag-joint-data-fiduciary"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.4 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios | SCC Times<\/title>\n<meta name=\"description\" content=\"Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios\" \/>\n<meta property=\"og:description\" content=\"Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/\" \/>\n<meta property=\"og:site_name\" content=\"SCC Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/scc.online\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-28T08:30:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-18T12:05:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/01\/data-privacy.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"886\" \/>\n\t<meta property=\"og:image:height\" content=\"590\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Bhumika Indulia\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Bhumika Indulia\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/\"},\"author\":{\"name\":\"Bhumika Indulia\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/#\\\/schema\\\/person\\\/919ec47cc1b871b362af05740398033a\"},\"headline\":\"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios\",\"datePublished\":\"2024-01-28T08:30:42+00:00\",\"dateModified\":\"2024-04-18T12:05:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/\"},\"wordCount\":752,\"commentCount\":1,\"image\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/data-privacy-1.webp\",\"keywords\":[\"Complex Processing Scenarios\",\"Contract Research Organisations\",\"CROs\",\"data fiduciary\",\"Digital Personal Data Protection Act\",\"DPDP Act\",\"Drug manufacturers\",\"European Data Protection Board\",\"GDPR\",\"General Data Protection Regulation\",\"Identifying Data Fiduciar\",\"independent fiduciary\",\"joint controllers\",\"Joint Data Fiduciary\"],\"articleSection\":[\"Experts Corner\",\"Khaitan &amp; Co\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/\",\"url\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/\",\"name\":\"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios | SCC Times\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/data-privacy-1.webp\",\"datePublished\":\"2024-01-28T08:30:42+00:00\",\"dateModified\":\"2024-04-18T12:05:21+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/#\\\/schema\\\/person\\\/919ec47cc1b871b362af05740398033a\"},\"description\":\"Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/data-privacy-1.webp\",\"contentUrl\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/wp-content\\\/uploads\\\/2024\\\/01\\\/data-privacy-1.webp\",\"width\":886,\"height\":590,\"caption\":\"Complex Processing Scenarios\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/2024\\\/01\\\/28\\\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/\",\"name\":\"SCC Times\",\"description\":\"Bringing you the Best Analytical Legal News\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/#\\\/schema\\\/person\\\/919ec47cc1b871b362af05740398033a\",\"name\":\"Bhumika Indulia\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/Me-150x150.jpg\",\"url\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/Me-150x150.jpg\",\"contentUrl\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/04\\\/Me-150x150.jpg\",\"caption\":\"Bhumika Indulia\"},\"url\":\"https:\\\/\\\/www.scconline.com\\\/blog\\\/post\\\/author\\\/editor_1\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios | SCC Times","description":"Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/","og_locale":"en_US","og_type":"article","og_title":"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios","og_description":"Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data","og_url":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/","og_site_name":"SCC Times","article_publisher":"https:\/\/www.facebook.com\/scc.online\/","article_published_time":"2024-01-28T08:30:42+00:00","article_modified_time":"2024-04-18T12:05:21+00:00","og_image":[{"width":886,"height":590,"url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/01\/data-privacy.jpg","type":"image\/jpeg"}],"author":"Bhumika Indulia","twitter_card":"summary_large_image","twitter_title":"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios","twitter_misc":{"Written by":"Bhumika Indulia","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#article","isPartOf":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/"},"author":{"name":"Bhumika Indulia","@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/919ec47cc1b871b362af05740398033a"},"headline":"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios","datePublished":"2024-01-28T08:30:42+00:00","dateModified":"2024-04-18T12:05:21+00:00","mainEntityOfPage":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/"},"wordCount":752,"commentCount":1,"image":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#primaryimage"},"thumbnailUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/01\/data-privacy-1.webp","keywords":["Complex Processing Scenarios","Contract Research Organisations","CROs","data fiduciary","Digital Personal Data Protection Act","DPDP Act","Drug manufacturers","European Data Protection Board","GDPR","General Data Protection Regulation","Identifying Data Fiduciar","independent fiduciary","joint controllers","Joint Data Fiduciary"],"articleSection":["Experts Corner","Khaitan &amp; Co"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/","url":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/","name":"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios | SCC Times","isPartOf":{"@id":"https:\/\/www.scconline.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#primaryimage"},"image":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#primaryimage"},"thumbnailUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/01\/data-privacy-1.webp","datePublished":"2024-01-28T08:30:42+00:00","dateModified":"2024-04-18T12:05:21+00:00","author":{"@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/919ec47cc1b871b362af05740398033a"},"description":"Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data","breadcrumb":{"@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#primaryimage","url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/01\/data-privacy-1.webp","contentUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/01\/data-privacy-1.webp","width":886,"height":590,"caption":"Complex Processing Scenarios"},{"@type":"BreadcrumbList","@id":"https:\/\/www.scconline.com\/blog\/post\/2024\/01\/28\/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.scconline.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Who is in Control: Identifying Data Fiduciar(ies) in Complex Processing Scenarios"}]},{"@type":"WebSite","@id":"https:\/\/www.scconline.com\/blog\/#website","url":"https:\/\/www.scconline.com\/blog\/","name":"SCC Times","description":"Bringing you the Best Analytical Legal News","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.scconline.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.scconline.com\/blog\/#\/schema\/person\/919ec47cc1b871b362af05740398033a","name":"Bhumika Indulia","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2021\/04\/Me-150x150.jpg","url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2021\/04\/Me-150x150.jpg","contentUrl":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2021\/04\/Me-150x150.jpg","caption":"Bhumika Indulia"},"url":"https:\/\/www.scconline.com\/blog\/post\/author\/editor_1\/"}]}},"jetpack_featured_media_url":"https:\/\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/01\/data-privacy-1.webp","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":299820,"url":"https:\/\/www.scconline.com\/blog\/post\/2023\/08\/22\/indias-digital-personal-data-protection-act-2023-impact-on-hospitality-sector\/","url_meta":{"origin":312352,"position":0},"title":"India&#8217;s Digital Personal Data Protection Act, 2023 \u2014 Impact on Hospitality Sector","author":"Bhumika Indulia","date":"August 22, 2023","format":false,"excerpt":"by Supratim Chakraborty\u2020 and Himeli Chatterjee\u2020\u2020 Cite as: 2023 SCC OnLine Blog Exp 68","rel":"","context":"In &quot;Experts Corner&quot;","block_context":{"text":"Experts Corner","link":"https:\/\/www.scconline.com\/blog\/post\/category\/experts_corner\/"},"img":{"alt_text":"india digital personal data protection act 2023","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/india-digital-personal-data-protection-act-2023.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":361360,"url":"https:\/\/www.scconline.com\/blog\/post\/2025\/09\/24\/joint-fiduciaries-under-the-dpdpa-the-invisible-risk-in-indias-financial-data-ecosystems\/","url_meta":{"origin":312352,"position":1},"title":"Joint Fiduciaries under the DPDPA: The Invisible Risk in India&#8217;s Financial Data Ecosystems","author":"Editor","date":"September 24, 2025","format":false,"excerpt":"by Shobit Goel*","rel":"","context":"In &quot;Op Eds&quot;","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"Joint Fiduciaries","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/09\/Joint-Fiduciaries.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/09\/Joint-Fiduciaries.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/09\/Joint-Fiduciaries.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/09\/Joint-Fiduciaries.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":282107,"url":"https:\/\/www.scconline.com\/blog\/post\/2023\/01\/21\/the-digital-personal-data-protection-bill-2022\/","url_meta":{"origin":312352,"position":2},"title":"The Digital Personal Data Protection Bill, 2022","author":"Bhumika Indulia","date":"January 21, 2023","format":false,"excerpt":"by Shiv Mehrotra\u2020","rel":"","context":"In &quot;Op Eds&quot;","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/01\/MicrosoftTeams-image-149.jpg?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":299221,"url":"https:\/\/www.scconline.com\/blog\/post\/2023\/08\/12\/digital-personal-data-protection-bill-2023-receives-presidents-assent\/","url_meta":{"origin":312352,"position":3},"title":"Digital Personal Data Protection Bill, 2023 receives President&#8217;s assent","author":"Bhumika Indulia","date":"August 12, 2023","format":false,"excerpt":"The object of the Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.","rel":"","context":"In &quot;Legislation Updates&quot;","block_context":{"text":"Legislation Updates","link":"https:\/\/www.scconline.com\/blog\/post\/category\/legislationupdates\/"},"img":{"alt_text":"digital personal data protection act 2023","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/digital-personal-data-protection-act-2023.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/digital-personal-data-protection-act-2023.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/digital-personal-data-protection-act-2023.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2023\/08\/digital-personal-data-protection-act-2023.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":334827,"url":"https:\/\/www.scconline.com\/blog\/post\/2024\/11\/11\/digital-personal-data-protection-act-2023-employers-guide\/","url_meta":{"origin":312352,"position":4},"title":"Digital Personal Data Protection Act, 2023: A Ready Reckoner for Employers","author":"Bhumika Indulia","date":"November 11, 2024","format":false,"excerpt":"by Avik Biswas*, Supratim Chakraborty**, Sumantra Bose*** and Ivana Chatterjee****","rel":"","context":"In &quot;Experts Corner&quot;","block_context":{"text":"Experts Corner","link":"https:\/\/www.scconline.com\/blog\/post\/category\/experts_corner\/"},"img":{"alt_text":"DPDP Act employers guide","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2024\/11\/DPDP-Act-employers-guide.webp?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":371058,"url":"https:\/\/www.scconline.com\/blog\/post\/2025\/12\/26\/digital-personal-data-protection-rules-2025-key-highlights\/","url_meta":{"origin":312352,"position":5},"title":"Digital Personal Data Protection (DPDP) Rules, 2025: Key Highlights of the Newly Notified Framework","author":"Editor","date":"December 26, 2025","format":false,"excerpt":"Ashish Deep Verma*","rel":"","context":"In &quot;Op Eds&quot;","block_context":{"text":"Op Eds","link":"https:\/\/www.scconline.com\/blog\/post\/category\/op-ed\/legal-analysis\/"},"img":{"alt_text":"Digital Personal Data Protection Rules 2025","src":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.scconline.com\/blog\/wp-content\/uploads\/2025\/12\/Digital-Personal-Data-Protection-Rules-2025.webp?resize=700%2C400&ssl=1 2x"},"classes":[]}],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/312352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/users\/8808"}],"replies":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/comments?post=312352"}],"version-history":[{"count":0,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/posts\/312352\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media\/312362"}],"wp:attachment":[{"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/media?parent=312352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/categories?post=312352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.scconline.com\/blog\/wp-json\/wp\/v2\/tags?post=312352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}