
Section 8 DPDPA 2023: General Obligations of a Data Fiduciary in India

Section 8 of the Digital Personal Data Protection Act, 2023 sets out the general obligations that every Data Fiduciary in India must discharge when processing personal data — including responsibility for processors, data accuracy, security safeguards, breach notification, erasure, grievance redressal and demonstrable accountability. It applies uniformly to wedding photographers, schools, event companies, hotels, hospitals, retailers, HR teams, ad agencies and media houses — anyone who determines the purpose and means of processing digital personal data.

Key facts

Statute: Digital Personal Data Protection Act, 2023
Section: Section 8 (read with Sections 6, 9 and 10)
Effective: Phased rollout 2025–2026 via DPDP Rules
Penalty ceiling: Up to ₹250 crore (Schedule 1)
Applies to: All Data Fiduciaries handling digital personal data in India
Regulator: Data Protection Board of India (DPBI)

What Section 8 says

Section 8 turns Section 6 consent into continuing duties binding every Data Fiduciary. Sub-sections (1)-(3) make the Fiduciary responsible even when processing is outsourced, and require accuracy where data drives a decision or is shared onward. Sub-sections (4)-(5) mandate reasonable technical and organisational safeguards. Sub-section (6) requires breach notification to the Data Protection Board and to every affected Data Principal. Sub-section (7) compels erasure once purpose is served or consent is withdrawn, unless law requires retention. Sub-sections (8)-(10) require a published contact point, an accessible grievance mechanism, and demonstrable accountability. Schedule 1 penalties reach ₹250 crore.

"A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor… shall protect personal data in its possession or under its control… by taking reasonable security safeguards to prevent personal data breach… in the event of a personal data breach, give the Board and each affected Data Principal intimation of such breach… erase personal data… as soon as it is reasonable to assume that the specified purpose is no longer being served." — DPDPA 2023, Section 8(1)–(7).

What it means in practice

Who Section 8 applies to

Common violations

Wedding photographer reusing guest photos for portfolio without consent

A wedding studio uploads identifiable guest images to its Instagram showreel or website portfolio without fresh, specific consent for that secondary use, breaching purpose-limitation under Section 8(3).

School failing to secure a student database breach

A school stores parent contacts, fees and student photos on an unencrypted shared drive; ransomware exposes the data and the school notifies neither the Board nor parents, violating Section 8(5) and 8(6).

Hotel chain retaining guest ID scans indefinitely

A hospitality group keeps Aadhaar and passport scans of past guests for years after checkout with no defined retention schedule, breaching Section 8(7).

Marathon organiser publishing bib photos without opt-out

An event company uploads thousands of finish-line photos tagged with bib numbers and names with no takedown mechanism, violating Section 8(4) and 8(10).

Ad agency using inaccurate audience data for targeting

A creative agency relies on outdated profiles from a third party to run a campaign that misrepresents individuals, breaching the accuracy duty under Section 8(3).

Healthcare chain with no published grievance officer

A diagnostics chain handles lakhs of patient reports but lists no DPO or grievance contact on its website, breaching Section 8(9) read with 8(10).

Penalty for breach

Breach of Section 8(5) — failure to take reasonable security safeguards — attracts up to ₹250 crore under Schedule 1. Failure to notify a personal data breach under Section 8(6) attracts up to ₹200 crore. Other Section 8 obligations attract up to ₹50 crore per instance, imposed by the Data Protection Board of India after inquiry.


Frequently asked questions

Does Section 8 apply to a small wedding photography studio?

Yes. The DPDPA does not exempt small businesses. Any photographer or studio that collects identifiable images, guest lists, contact numbers or payment details of Indian individuals is a Data Fiduciary and must comply with all of Section 8.

What must a school do under Section 8 if a parent withdraws consent?

Under Section 8(7) the school must stop processing and erase the child's and parent's data unless retention is legally required. Schools are also covered by Section 9 for children, so the bar is higher.

How fast must a hotel report a data breach?

Section 8(6) requires intimation to the Board and every affected Data Principal without undue delay. Draft Rules indicate notification as soon as the Fiduciary becomes aware, with a detailed report typically within 72 hours.

Is a corporate HR team a Data Fiduciary under Section 8?

Yes. HR determines the purpose and means of processing employee data and is therefore a Data Fiduciary. It must keep records accurate, secure HRMS systems, and publish a grievance contact.

What is the maximum penalty for breaching Section 8?

Schedule 1 prescribes up to ₹250 crore for failure to take reasonable security safeguards under Section 8(5), and up to ₹200 crore for failure to notify a breach under Section 8(6).

Does an ad agency have to publish a Data Protection Officer?

Every Data Fiduciary must publish business contact information of a person able to answer questions about processing under Section 8(9). Only Significant Data Fiduciaries under Section 10 must appoint a formal DPO based in India.

What does accountability under Section 8(10) mean for a hospital chain?

The hospital must demonstrate, on demand, that it has implemented technical and organisational measures, runs a working grievance mechanism, retains data only as long as necessary, and can produce records of consent and processing.

VERIFIED DPDPAReady Editorial Desk 20 JUN 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.