Processor Obligations Overview

Under the DPDP Act, Data Fiduciaries remain accountable for personal data even when processed by third parties. Proper vendor due diligence and ongoing monitoring are essential to demonstrate this accountability.

Fiduciary Responsibility

You cannot outsource accountability. When a processor suffers a breach of personal data or fails to meet DPDP requirements, it is the Data Fiduciary that faces the regulatory consequences. Documented due diligence is your evidence that you discharged that accountability.

DPDP Processor Requirements

  • Process personal data only on behalf of and as instructed by the Data Fiduciary
  • Implement reasonable security safeguards
  • Assist the Data Fiduciary in fulfilling its obligations (rights requests, breach notification)
  • Delete or return data upon termination

Due Diligence Process

Pre-Engagement Assessment

Before engaging a processor, assess:

Area                  What to Assess
Security Posture      Certifications (ISO 27001, SOC 2), security policies, technical controls, incident history
Privacy Capability    Privacy policies, DPDP awareness, data handling practices, privacy officer
Subprocessors         Use of subprocessors, subprocessor locations, subprocessor management
Data Location         Where data will be processed/stored, cross-border transfers
Breach Response       Incident response capability, notification commitment, historical breaches
Financial Stability   Business viability, insurance coverage

Risk-Based Approach

Calibrate due diligence to risk level:

  • High Risk: Large volumes of sensitive data, critical processing. Full assessment, on-site review, detailed questionnaire.
  • Medium Risk: Moderate data volumes, standard processing. Standard questionnaire, certification review, contract negotiation.
  • Low Risk: Limited data, minimal processing. Basic questionnaire, standard contract terms.

Assessment Questionnaire Topics

  • Data processing scope and purpose
  • Security certifications and attestations
  • Access control and authentication
  • Encryption practices
  • Employee security awareness
  • Subprocessor usage and management
  • Data location and transfers
  • Breach notification capability
  • Data retention and deletion
  • Audit rights and cooperation

Essential Contract Clauses

Every processor agreement should include:

Processing Instructions

  • Clear description of processing permitted
  • Prohibition on processing beyond instructions
  • Process for updating instructions

Sample clause: "Processor shall process Personal Data only in accordance with Fiduciary's documented instructions as set forth in Schedule A, and shall not process Personal Data for any purpose other than the purposes specified therein."

Security Requirements

  • Specific security measures required
  • Minimum standards (encryption, access control)
  • Compliance with security certifications

Sample clause: "Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, including the measures specified in Schedule B."

Subprocessor Controls

  • Prior written authorisation required
  • List of approved subprocessors
  • Notification of subprocessor changes
  • Flow-down of obligations to subprocessors

Sample clause: "Processor shall not engage any Subprocessor without Fiduciary's prior written authorisation. Where authorisation is granted, Processor shall ensure that each Subprocessor is bound by obligations no less protective than those in this Agreement."

Breach Notification

  • Immediate notification to Fiduciary
  • Specific timeline (e.g., within 24 hours)
  • Information to be provided
  • Cooperation in response

Sample clause: "Processor shall notify Fiduciary without undue delay and in any event within 24 hours after becoming aware of any Personal Data Breach, providing sufficient information to enable Fiduciary to meet its notification obligations under applicable law."

Assistance Obligations

  • Assistance with data subject rights requests
  • Assistance with DPIA
  • Cooperation with regulatory inquiries

Sample clause: "Processor shall provide reasonable assistance to Fiduciary to enable Fiduciary to respond to requests from Data Principals exercising their rights under the DPDP Act, including by implementing appropriate technical and organisational measures."

Audit Rights

  • Right to audit processor compliance
  • Access to relevant records
  • Reasonable notice period
  • Confidentiality of audit

Sample clause: "Processor shall make available to Fiduciary all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, conducted by Fiduciary or an auditor appointed by Fiduciary, upon reasonable notice."

Data Return/Deletion

  • Return or deletion upon termination
  • Certification of deletion
  • Retention only as required by law

Sample clause: "Upon termination of this Agreement, Processor shall, at Fiduciary's election, return or delete all Personal Data and certify in writing that it has done so, unless applicable law requires retention of such data."

Ongoing Monitoring

Due diligence is not a one-time exercise:

Periodic Review

  • Annual: Full reassessment of high-risk processors
  • Biennial: Review of medium-risk processors
  • Triennial: Review of low-risk processors
  • Triggered: Reassessment after incidents, material changes, or contract renewal

Monitoring Activities

  • Review updated certifications and attestations
  • Request updated security questionnaires
  • Review subprocessor changes
  • Track incidents and near-misses
  • Monitor performance against SLAs
  • Conduct periodic audits (sample-based)

Documentation

  • Maintain processor register with all processors
  • Document due diligence performed and outcomes
  • Track review dates and next review due
  • Log issues and remediation

Subprocessor Management

Authorisation Process

  • Require prior written approval for new subprocessors
  • Assess subprocessor against same criteria as processor
  • Document approval decision and rationale

Subprocessor List Management

  • Maintain list of approved subprocessors
  • Receive notification of proposed changes
  • Right to object to new subprocessors
  • Regular review of subprocessor list

Flow-Down Requirements

  • Processor must impose equivalent obligations on subprocessors
  • Processor remains responsible for subprocessor compliance
  • Right to audit subprocessors (through processor or directly)

Evidence for Audits

Maintain evidence of processor management:

Documentation Evidence

  • Processor register (complete list)
  • Signed processor agreements
  • Due diligence questionnaires (completed)
  • Risk assessments
  • Approval records

Monitoring Evidence

  • Periodic review records
  • Certification/attestation copies
  • Audit reports
  • Issue/remediation tracking
  • Subprocessor change notifications

Operational Evidence

  • Breach notification records (if any)
  • Rights request handling with processors
  • Contract amendment records
  • Termination/offboarding records