The concept of “Super Data Fiduciary”

Posted on February 19, 2025 by Vijayashankar Na

While discussing DPDPA 2023, we have often discussed the role of a “Data Processor” who is actually determining the means of processing under a proprietary software and tagged him as a “Joint Data Fiduciary”.

Yesterday I had an interesting discussion with the ETCISO leadership forum for Hospitality Sector in which the issue of some of the industry players like OYO and others who are not single property owners but have multiple own properties and several more franchisee outlets who are independent property owners themselves. In view of the umbrella branding the brand owner becomes the main customer contact. This also exists in the Make My Trip or Agoda kind of E Commerce services where also the customer relationship is on the brand owner and the property owner becomes a secondary contract for the data principal.

In such instances the Brand owner becomes the first contact for the data principal and the sharing of personal data is with the brand owner under his reputation, his privacy policy or Privacy Notice. However the service is delivered by the associate and data is again shared with the vendor who is also a Data Fiduciary.

In such cases the relationship can be structured as a “Data Fiduciary” and “Joint Data Fiduciary” or ” Data Fiduciary” and “Data Processor”.

The new thought which now comes forth is that if the Brand owner declares himself as an “Aggregator” and declares his “Purpose” as establishing the relationship with the property owner who is the service provider, he can limit his role in Data Protection law as only a marketing agent. If this is not properly structured, the Brand owner becomes a “Super Data Fiduciary” of many other “Data Fiduciaries”. The Data Fiduciaries process data for their own purposes under their own policies while the Brand owner has the vicarious liability on all the activities of the property owners.

Similar issues arise in the case of a hospital using the services of doctors on a consultancy contract where the doctor individually is a data fiduciary and the hospital is an aggregator of their services.

Interesting possibilities arise in this context and DGPSI is making the necessary adjustments to factor such cases.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.