IndiaHow is 'significant data fiduciary' determined?
A 'significant data fiduciary' in India is determined by the Data Protection Authority based on factors like volume and sensitivity of personal data processed, turnover, risk of harm, and use of emerging technologies.
What the Law Says
The Digital Personal Data Protection Act, 2023 (DPDP Act) empowers the Data Protection Board of India to notify certain data fiduciaries as 'significant' based on objective, risk-based criteria.
Under Section 16 of the DPDP Act, the Central Government — on the advice of the Data Protection Board — may notify any data fiduciary or class of data fiduciaries as a 'significant data fiduciary' if they process personal data that meets one or more specified thresholds.
These thresholds include processing personal data of a large number of individuals (e.g., exceeding 10 million users), having high annual turnover (e.g., ₹500 crore or more), handling sensitive personal data at scale, or deploying emerging technologies (like AI or facial recognition) that pose elevated risks to individuals’ rights.
Once notified, significant data fiduciaries must comply with additional obligations — such as appointing a Data Protection Officer, conducting Data Protection Impact Assessments (DPIAs), and maintaining detailed records of processing activities.
Statutory TextThe Central Government may, on the recommendation of the Board, notify any data fiduciary or class of data fiduciaries as a significant data fiduciary having regard to the volume and sensitivity of personal data processed, the turnover of the data fiduciary, the risk of harm, and the use of emerging technologies.
— Digital Personal Data Protection Act, 2023, s. 16 — Significant data fiduciary
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.