From 'Subject' to 'Principal': A Guide to DPDPA's Core Terminology
India's Digital Personal Data Protection Act (DPDPA) intentionally replaces GDPR's 'Data Subject' and 'Data Controller' with 'Data Principal' and 'Data Fiduciary'. This is not a simple translation; it signals a fundamental shift from a rights-based to a trust-based framework, imposing higher duties of care and loyalty on businesses. Understanding these terms is critical for compliant data handling, consent wording, and internal accountability.
What Changed
The Digital Personal Data Protection Act, 2023 (DPDPA) introduces a new lexicon for data protection in India, deliberately departing from GDPR terminology. The replacement of 'Data Subject' with 'Data Principal' and 'Data Controller' with 'Data Fiduciary' is not cosmetic. The Act adopts these terms without referencing 'trust law' as an explicit foundation; the terminology shift is documentable in the text of the Act itself, and the significance lies in what the words legally require. A 'Data Fiduciary' is defined in the definitions clause of the DPDPA 2023 as any person who alone or in conjunction with others determines the purpose and means of processing personal data — readers should verify the precise section number against the official enrolled Act as published in the Gazette of India. The Act assigns that entity a structured set of obligations — including duties related to accuracy, security, and grievance redressal — under Sections 8 through 11. These specific statutory obligations, rather than any overarching philosophical framework, define what it means to hold the position of Data Fiduciary under Indian law.
What the Law Actually Says
The DPDPA defines its core entities as follows:
- Data Principal (Section 2(c)): "Any natural person whose personal data is processed," and where such person is a minor, includes the parent or lawful guardian of such minor.
- Data Fiduciary (Section 2(e)): "Any natural person, corporate body or any other entity... who alone or in combination with others determines the purposes and means of processing of personal data."
- Data Processor (Section 2(g)): "Any person... who processes personal data on behalf of a data fiduciary."
> Note on data classification: The DPDPA 2023 does not create categories such as "Sensitive Personal Data" or "Critical Personal Data." These categories appeared in earlier draft legislation (including the Personal Data Protection Bill 2019) but were not carried into the enacted DPDPA 2023. The DPDP Rules 2025, as notified, likewise do not reintroduce these categories. The Act treats personal data as a single category. Restrictions on cross-border transfer of personal data are addressed separately under Section 16, which empowers the Central Government to notify countries or territories to which a Data Fiduciary may transfer personal data.
What Businesses Should Do Now
Businesses should take the following operational steps to align with the DPDPA's terminology and underlying philosophy:
- Update Documentation: Review and amend all public-facing documents (privacy policies, consent forms) to use DPDPA terms like 'Data Principal' and 'Data Fiduciary'.
- Train Teams on Fiduciary Accountability: Educate legal, compliance, and product teams on the concept of the Data Fiduciary's accountability as established under the DPDPA. Note that the term 'fiduciary duty' as used here is an editorial characterisation to convey the spirit of the Act's obligations — it is not a term used in the DPDPA 2023 itself. The Act requires Data Fiduciaries to uphold Data Principal rights and comply with defined obligations throughout the data lifecycle.
- Re-evaluate Legal Bases: Scrutinise all data processing activities that previously relied on 'legitimate interests' under GDPR. The DPDPA does not recognise 'legitimate interest' as a legal basis; processing must be grounded in consent or a specified legitimate use as defined under the Act.
- Amend Vendor Contracts: Update contracts with Data Processors to clarify your role as 'Data Fiduciary' and the vendor's as 'Data Processor'. Under Section 8(2) of the DPDPA 2023, the Data Fiduciary remains accountable for ensuring that Data Processors process personal data only as instructed, and in compliance with the Act. Note that the DPDPA does not use the term 'Data Processing Agreement (DPA)'; this is a practical drafting convention, not an Act-defined requirement.
- Review Cross-Border Transfer Obligations: Under Section 16 of the DPDPA 2023, the Central Government may restrict the transfer of personal data to certain countries or territories. The specific categories of data subject to such restrictions, and the list of permitted or restricted jurisdictions, have not yet been notified. Businesses should monitor official Gazette notifications and ensure their cloud, storage, and disaster recovery architecture can accommodate restrictions once notified.
What Is Still Uncertain
Despite the Act's clarity on terminology, several areas remain uncertain:
- Scope of Cross-Border Transfer Restrictions: The DPDPA 2023 (Section 16) permits the Central Government to restrict the transfer of personal data to certain countries or territories by notification. The specific countries or territories to which transfers may be restricted have not yet been notified, creating planning challenges for Data Fiduciaries with cross-border data flows.
- DPB's Enforcement Posture: The actual enforcement priorities, procedural rules for complaints, and the speed of adjudication by the Data Protection Board are yet to be established. This impacts how businesses can effectively assess and mitigate risk.
- Conflicts of Law: The DPDPA does not specify how a Data Fiduciary should resolve conflicts between its obligations to a Data Principal and other legal obligations, such as law enforcement assistance or anti-fraud monitoring.
Top Mistakes to Avoid
Organizations should avoid these common mistakes stemming from a misinterpretation of DPDPA's unique framework:
- Using GDPR Terminology: Continuing to use 'Data Subject' and 'Data Controller' in policies. This signals a fundamental misunderstanding of the DPDPA's trust-based model, which uses the terms 'Data Principal' and 'Data Fiduciary' as defined in the DPDPA 2023. Readers should verify the precise sub-section numbers for these definitions against the enrolled Act text in the Gazette of India, as numbering in secondary commentary has been known to vary from the enrolled text.
- Assuming a 'Legitimate Interests' Basis: Importing the GDPR concept of 'legitimate interests' to justify processing. The DPDPA 2023 does not recognise 'legitimate interests' as a processing basis. Lawful processing must rest on consent (Section 6) or one of the specified legitimate uses enumerated in Section 7.
- Claiming Data 'Ownership': Describing the organisation as the 'owner' of personal data. The DPDPA 2023 does not use the language of data ownership; instead, it frames the relationship through a fiduciary model in which the Data Fiduciary bears defined obligations towards the Data Principal (Section 8), and the Data Principal holds specific rights (Chapter V).
- Misunderstanding Processor Accountability: Assuming Data Processors operate entirely outside the Act's reach. Under Section 8(2) of the DPDPA 2023, the Data Fiduciary is accountable for ensuring that any Data Processor it engages processes personal data only in accordance with a valid contract. The Act also imposes obligations directly on Data Processors; the jurisdiction of the Data Protection Board in relation to Data Processor breaches is governed by the relevant provisions of the DPDPA 2023 and should be cited to the specific sections of the enrolled Act text rather than asserted generally. A Processor's obligations are therefore distinct from, but not simply subordinate to, those of the Fiduciary.