DPDP Compliance for Aggregators

August 9, 2024

Anahad Narain

Founder's Office

Summary

  • In an Aggregator model one business onboards another business to offer products or services to end consumers. The aggregator is usually a B2B2C company.
  • The DPDP Act distinguishes between Data Fiduciaries (entities determining the means and purpose of data processing) and Data Processors (entities processing data on behalf of a fiduciary). 
  • An aggregator business can act as either a Data Fiduciary or Processor, depending on its control over data processing activities. Compliance obligations primarily rest on Data Fiduciaries.
  • Aggregators must navigate complex roles, shared responsibilities, and data control issues. 
  • Aggregators must ensure clear agreements with partners, manage data breaches, and maintain transparency with end users.
  • Best practices include conducting regular data audits, engaging with partners, maintaining detailed documentation, monitoring regulatory changes, leveraging technological solutions, and preparing for data breaches. 

What is an Aggregator?

Aggregators act as intermediaries between businesses and customers and help with discovery, payments or other middle solutions. An Aggregator is usually a B2B2C company. In a Business-to-Business-to-Consumer (B2B2C) model: one business onboards another business to offer products or services to end consumers. B2B2C has two businesses: a primary business (such as a manufacturer or service provider) that collaborates with an intermediary business (like a retailer or service facilitator) to reach a broader audience and enhance consumer experience.

B1 is the primary business, B2 is the intermediary business and C is the Customer

Examples -

  • Razorpay: provides payment gateway services to businesses, enabling them to accept online payments from customers. Businesses integrate Razorpay into their websites or apps, facilitating smooth and secure transactions for their end consumers.
  • Google Play Store: offers a platform for app developers to reach millions of users. Developers create apps, and Google handles the distribution, sales, and customer service, providing a vast marketplace for app developers and a convenient shopping experience for consumers.
  • Leegality: partners with banks and other businesses to provide digital document signing services. While the businesses manage their customer interactions, Leegality handles the backend digital signing process, ensuring secure and efficient document management for end consumers.
  • Zomato: partners with resturaunts to offer food delivery services. Zomato (intermediary business) provides the logistics and delivery infrastructure, while the eateries (primary business) supply the products. Consumers place orders through Zomato’s platform and receive their food delivered quickly through Zomato's delivery professionals.
  • MakeMyTrip: MakeMyTrip collaborates with various travel service providers, including airlines, hotels, and car rental companies. MakeMyTrip (intermediary business) provides a platform for these travel service providers (primary businesses) to list their offerings. Consumers use MakeMyTrip to book flights, hotels, and rental cars, enjoying a comprehensive travel planning experience.

In each of these examples, an intermediary business (Razorpay, Leegality, Zomato) provides a service to a primary business (Bank, App developer), which uses this service to offer its product or service to an end consumer. Typically, the customer interfaces with both the intermediary and primary business in the same journey.

What is the DPDP Act?

The Digital Personal Data Protection Act (DPDP Act) is India’s first law governing the processing of personal data to ensure the protection of individuals' privacy. It establishes the rights of Data Principals (individuals to whom the data pertains) and the obligations of Data Fiduciaries (entities that determine the purpose and means of processing personal data).

The DPDP Act emphasizes obtaining informed consent, ensuring data minimization, maintaining transparency, implementing robust data security measures, and holding entities accountable for their data practices. The DPDP Act prescribes significant penalties for violations, which can range from ₹50 Crore to ₹250 Crore per instance of non-compliance. 

How is the DPDP Act relevant for Aggregators?

The two businesses in an Aggregator flow will have widely varying data protection obligations under the DPDP Act. This is because the DPDP Act differentiates between Data Fiduciaries and Data Processors:

  • Data Fiduciaries are the entities that determine the means and purpose of processing your personal data. 
  • Data Processors are entities that process personal data on behalf of a fiduciary without deciding the means and purpose of processing. 
Personal data flows from the users (principals) to businesses (fiduciaries and processors)

So a bank, insurer, telemarketer, ecommerce website and even a retailer is a data fiduciary if it is collecting your personal data for onboarding, promotional communication or account management, etc. But an intermediary business that is acting on behalf of the fiduciary such as a payment gateway or a delivery service is only a data processor as it does not make the choice of how and why to process the personal data.

This distinction is crucial because unlike the General Data Protection Regulation (GDPR), the DPDP Act imposes almost all data protection obligations on the data fiduciary and very little to no obligations on the data processors. In fact, the data fiduciary is responsible for ensuring its vendors or data processors acting on its behalf remain compliant with the law. 

For any business part of an Aggregator flow it is crucial to accurately demarcate your role as fiduciary/processor for each personal data you process. If you are the fiduciary, the compliance burden rests on you to manage consents, provide data rights and grievance redressal, ensure data minimization, transparency, security and so on. The fiduciary is also solely liable to pay the hefty fines under the DPDP Act in case of violations. If you are a processor your liability is greatly reduced.

Roles and responsibilities of Aggregators

When an aggregator is engaged by a primary business, the compliance responsibility is shared between the two businesses depending on who decides the means and purpose of processing personal data. In some cases, one business (primary business) is the Data Fiduciary and the other (intermediary business) is the processor. In other cases, both businesses could be Data Fiduciaries in the same flow. The determination of whether a business is a fiduciary or processor is based on the factual control over data processing activities, not merely by contractual terms.

Data fiduciaries have the highest liability under the DPDP Act compared to data processors who act on the instructions of the fiduciary

Let us consider the example of Airbnb. It is a B2B2C flow that involves homeowners (primary businesses) listing their properties on Airbnb's platform (intermediary business), which then facilitates bookings and interactions with end consumers (guests). 

Airbnb as a Data Processor

When homeowners use Airbnb’s platform to manage their rental listings and communicate with guests, Airbnb processes data on their behalf without deciding the means and purpose of processing:

  • Booking Management: Homeowners collect personal data from guests for booking and stay arrangements. Airbnb processes this data to facilitate bookings and manage transactions, acting under the instructions of the homeowners.
  • Guest Communication: Homeowners decide the information to be shared with guests (e.g., check-in instructions, house rules). 

Airbnb simply facilitates this communication through its platform, acting as a Data Processor attracting no data protection obligations under the DPDP Act.

Airbnb as a Data Fiduciary

However, when Airbnb collects personal data from users (guests) for the purpose of account creation, marketing, and improving the user experience, it decides the means and purpose of processing this data:

  • Marketing Communications: Airbnb collects user emails and preferences to send promotional offers and updates. Here, Airbnb decides how and why the data is used for marketing purposes.
  • Booking Personalization: Airbnb collects and analyzes user data to offer personalized recommendations and tailored search results. This data processing is done at Airbnb's discretion, making it the data fiduciary.

In these flows Airbnb will have to fulfill all data protection obligations under the DPDP Act applicable to Data Fiduciaries.

(Left) Airbnb mails for booking management are to facilitate communication between the homeowner and (Right) Airbnb mail marketing mail promoting properties for future bookings

The compliance challenge for Aggregators

As highlighted, a single business can be both a data fiduciary and a data processor in different aggregator contexts, posing significant challenges in managing compliance obligations:

  1. Multiple Roles and Dynamic Data use:

A single business can simultaneously act as a data fiduciary and a data processor in different scenarios, creating confusion in managing compliance. Evolving business models and data strategies can shift roles from data fiduciaries to processors and vice versa, necessitating continuous assessment and adjustment. For example, Dunzo may start as a processor handling delivery logistics but can transition to a fiduciary role if it begins using customer data for personalized marketing. Similarly, PayU acts as a fiduciary when using transaction data to develop fraud detection algorithms but acts as a processor when handling payments for an e-commerce site.

The same business may be a processor or fiduciary in different contexts and personal data flows
  1. Shared Responsibilities:

Collaboration between primary and intermediary businesses requires clear agreements and a mutual understanding of data responsibilities. For instance, Airbnb and homeowners must coordinate to ensure data collected during bookings is processed in compliance with data protection laws, necessitating clear delineation of responsibilities.

  1. Data Control and Decision-Making:

Determining who controls and makes decisions about data processing can be difficult, especially in complex data flows. Leegality, for instance, must differentiate when it is merely processing data for banks and when it is making decisions about data use for its own analytics services.

  1. Data Breach Management:

Preparing for and managing data breaches requires robust plans and coordination between all involved parties. Google Play Store must have a comprehensive breach response plan that includes notifying affected app developers and users while complying with regulatory requirements.

  1. Transparency and Consent Management:

Ensuring transparent communication and obtaining explicit consent from data principals can be challenging, particularly in multi-tiered data processing structures. Data processing must be based on clear, informed, and specific consent from users. Users must have the option to withdraw consent, exercise data rights and the fiduciary needs to maintain verifiable records of each consent to legally process any personal data.

Best practices for Aggregators

Defining your exact data protection responsibilities in any given aggregator flow involves analysing the specifics of data control and decision-making with every piece of personal data that you process. Here are practical steps your business can take to achieve maximum clarity in assessing your DPDP obligations accurately:

Defining your exact data protection responsibilities involves analysing the specifics of data control and decision-making with every piece of personal data that you process. Here are practical steps your business can take to achieve maximum clarity in assessing your DPDP obligations accurately:

  1. Map Data Collection and Processing Purposes:
  • Thoroughly map all personal data you collect, aligning it with the specific purposes for which it is used. Identify instances where your business is determining the purpose of data processing and where you are acting solely on the instructions of another organization.
  • When your business decides the purpose of processing, you assume the legal obligations of a Data Fiduciary under the DPDP Act. Use our compliance checklist to ensure you meet all necessary requirements.
  • In scenarios where you process data on behalf of another entity, your obligations are primarily contractual: arising from agreements you have in place with the fiduciary organization.
  1. Manage Consent Collection Based on Your Role:
  • As a Data Fiduciary, ensure you collect your own valid consents from individuals for all data processing activities. When acting as a Data Processor, rely on your fiduciary partner to secure the necessary consents for your processing activities.
  • In certain cases, such as in marketplaces or agencies, you may need to collect consents on behalf of your fiduciary partner. In these situations, collect interoperable consents to ensure that consents are valid and usable across different organizations you collaborate with.
  • Leverage the Leegality Consent Manager to streamline the collection of interoperable and compliant consents, ensuring seamless data processing in your B2B2C operations.
A consent management solution can solve for all your consent compliances under the DPDP Act
  1. Maintain Clear Contractual Terms:
  • As a Data Processor, your obligations stem directly from the contracts you have with Data Fiduciaries. These obligations can vary depending on the policies of the businesses you’re partnering with.
  • To ensure clarity and consistency, adopt standard contractual clauses across all your agreements with Data Fiduciaries. This approach will help streamline your compliance efforts, providing a clear and unified framework to follow.
  • Avoid incorporating special or differing requirements in different contracts, as this can lead to operational confusion and complicate the definition of standard operating procedures (SOPs).
  • Similarly, identify your obligations as a fiduciary and make sure you pass the requisite instructions down to your processors so that you can ensure compliance with your contractual obligations. 
  1. Establish a Data Deletion Mechanism:
  • Implement clear procedures to ensure the prompt deletion of personal data when consent is withdrawn or once the specified purpose has been fulfilled.
  • This data deletion protocol should extend to all third-party vendors and data processors involved in your B2B2C operations.
  • Regularly audit and verify that all shared personal data is deleted from third-party systems in a timely manner, ensuring comprehensive compliance with the DPDP Act.
Personal data must be deleted upon withdrawal of consent or fulfilment of purpose

For a comprehensive, step-by-step guide on ensuring your business complies with the Digital Personal Data Protection Act, be sure to check out our compliance checklist.

By taking these practical steps, B2B2C businesses can effectively manage their dual roles as data fiduciaries and processors, ensuring compliance with the DPDP Act throughout the aggregator flow. 

Next steps

Take the first step towards seamless DPDP compliance by evaluating your data protection strategies today. Start by reading our essential DPDP Compliance Checklist to ensure you miss nothing. Conduct a thorough audit of your data processing activities and establish clear agreements with your partners. Stay informed about regulatory updates and invest in technological solutions to streamline your compliance efforts. For expert guidance and tailored solutions to meet your aggregator data protection goals, leave your details in the form below.

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.