DPDP Eight Core Obligations for Data Fiduciaries
Every DPDP fiduciary obligation with its section reference and a BFSI-specific note.
| § | Obligation | What It Requires | BFSI-Specific Note |
|---|---|---|---|
| §5 | Lawful Processing | Personal data processed only for a specific, lawful purpose with consent or on a legitimate ground listed in the Act | RBI/SEBI/IRDAI mandated processing (KYC, record retention) constitutes a lawful ground — no separate DPDP consent needed |
| §6 | Consent | Consent must be free, specific, informed, unconditional, and unambiguous; separate consent for each purpose; withdrawing consent must be as easy as giving it | Banks cannot bundle DPDP consent with account opening T&Cs; must separate marketing consent from contractual processing |
| §7 | Legitimate Uses (Deemed Consent) | Processing for employment, safety, legal obligation, state functions, research, or other specified grounds does not require explicit consent | Fraud detection, AML screening, credit risk assessment may qualify — legal assessment needed per use case |