Deepens understanding of who is protected, who is responsible and what types of data are covered under the DPDP Act, with a specific focus on how these concepts apply inside an employer–employee relationship and a typical corporate environment.
After completing this subject, learners will be able to accurately distinguish different categories of personal data encountered at work, including basic identifiers, contact details and more sensitive information. They will be able to recognise when someone is acting as a Data Principal, Data Fiduciary or Data Processor and appreciate the accountability that flows from each role. Learners will also understand the idea of Significant Data Fiduciaries and special treatment of children’s data and data of persons with disabilities, so they can flag higher-risk situations to supervisors or the privacy team.
This topic focuses on the concept of the Data Principal, defined as the individual to whom the personal data relates. It explains that in a corporate setting, Data Principals include not only external customers and website users but also employees, job applicants, interns, contractors, vendor staff and visitors whose personal data the organisation collects. Through examples, the topic shows how the same individual can be a Data Principal in some contexts and part of the organisation in others, such as an employee interacting with HR systems or a manager accessing team performance data. It emphasises that employees are Data Principals in relation to their own data and therefore have enforceable rights under the Act. The topic encourages learners to see data from the perspective of the individual concerned, which supports both legal compliance and ethical decision-making.
This topic clarifies the two central organisational roles under the DPDP Act. It explains that a Data Fiduciary is the organisation that decides the purposes and means of processing personal data, for example an employer deciding how to run its HR systems, or a company designing how it will collect and use customer data. A Data Processor is described as a third party that processes personal data on behalf of the Data Fiduciary under a contract, such as payroll providers, cloud hosting partners, background verification agencies or marketing automation vendors. Using scenarios, the topic shows that an organisation can be a Data Fiduciary in some contexts and a Processor in others. It highlights that under the Act, almost all key obligations and penalties attach to the Data Fiduciary, which must ensure that its Processors also comply through contracts and oversight. Learners come away understanding that even when work is outsourced, accountability to the law cannot be outsourced.
This topic introduces the idea of Significant Data Fiduciaries (SDFs), organisations that the government may notify based on factors such as the volume and sensitivity of personal data processed, risk to the rights of Data Principals, impact on national interests or public order and similar criteria. It explains that SDFs must meet additional obligations, such as appointing a Data Protection Officer, conducting Data Protection Impact Assessments, undergoing periodic audits and maintaining more detailed records. Even if learners’ own employer is not an SDF, the topic stresses that many of the same good practices will still be adopted as part of a strong privacy programme. Through examples, learners see how large consumer platforms, major financial institutions or large employers could be classified as SDFs. Employees are encouraged to take extra care when dealing with high-volume or sensitive datasets, as mistakes in such environments can have broader consequences.
This topic categorises the kinds of personal data that employees routinely see and use. It explains basic identifiers such as name, employee ID, address, phone number and email, and then explores more sensitive categories commonly encountered in HR records, payroll, benefits and background checks, such as financial details, health information, family details, government IDs and biometric data. The topic also covers data collected from digital interactions, such as IP addresses, device identifiers, login logs and usage analytics from workplace tools and customer platforms. It clarifies that while the DPDP Act does not formally distinguish ‘sensitive’ personal data in the same way as some foreign laws, certain types of information still require extra caution because of higher potential harm to individuals. Practical examples demonstrate how combining seemingly harmless data points can still reveal sensitive insights about a person. Learners are encouraged to treat all personal data with care and to escalate questions when unsure about handling particular categories.
This topic focuses on special categories of Data Principals who are given additional protection under the DPDP Act. It explains that children’s data generally requires verifiable consent from a parent or lawful guardian and is subject to restrictions on tracking, targeted advertising or activities that may be harmful to the child’s well-being. The topic also touches on situations where personal data of persons with disabilities is processed, including the need for guardians or authorised representatives to act on their behalf in certain circumstances. Practical examples are used, such as internship programmes for minors, employee children’s benefit schemes, or customer interactions involving minors. Learners are encouraged to be extra cautious when they suspect that the data relates to a child or a vulnerable individual and to follow internal procedures or seek guidance from HR, Legal or the privacy team before proceeding.