Authored By: Arti Sharma
Sri Sathya Sai Law College For Women Bhopal
ISSUE & RISK
| Clause | Issue / Defect Identified | Risk Category | DPDPA Provision Violated / Missing | Suggested Improvement |
|---|---|---|---|---|
| Clause 1.2 | The definition of “Processing” is overly vague and open-ended (“whatever the processor does”) | Legal | Lack of clarity in processing activities under DPDPA | Provide a precise and exhaustive definition covering collection, storage, use, sharing, and deletion |
| Clause 2.1 | The scope of processing is undefined and dependent on “business needs” | Operational | Violates the purpose limitation principle | Clearly define specific purposes for which data may be processed |
| Clause 2.3 | Allows the processor to use personal data for its own purposes without consent | Legal | Breach of consent requirement under DPDPA | Restrict processing strictly to authorised purposes; require prior consent |
| Clause 3.3 | “Reasonable time” for breach notification is ambiguous | Legal | Breach notification obligation not clearly defined | Introduce a fixed timeline (e.g., 72 hours) |
| Clause 4.1–4.2 | Sub-processors can be appointed without approval | Legal | Accountability obligations missing | Require prior written consent and ensure contractual safeguards |
| Clause 5.1–5.2 | Unrestricted cross-border data transfer | Legal | Non-compliance with transfer restrictions | Limit transfers subject to applicable government notifications |
| Clause 6.1 | Liability capped at ₹50,000 irrespective of harm | Financial | Unreasonable limitation of liability | Introduce a proportionate and fair liability structure |
| Clause 7.3 | No clear obligation to delete or return data | Legal | Storage limitation principle violated | Mandate deletion/return upon termination |
REVISED CLAUSES (Professional Drafting Style)
Clause 1.2 – Definition of Processing
The existing definition is vague and capable of wide interpretation.
Revised Clause: “Processing” shall mean any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure, transmission, or erasure, whether by automated means or otherwise.
This revision ensures clarity and aligns with recognised data protection standards.
Clause 2.3 – Use of Data
The current clause permits unauthorised use of personal data by the processor, which is legally untenable.
Revised Clause: The Data Processor shall process personal data strictly in accordance with the documented instructions of the Data Fiduciary and shall not use such data for any independent purpose, including research or product development, without prior written authorisation and a valid legal basis.
This removes ambiguity and safeguards consent requirements.
Clause 3.3 – Data Breach Notification
The phrase “reasonable time” introduces uncertainty and weakens accountability.
Revised Clause: The Data Processor shall notify the Data Fiduciary of any personal data breach without undue delay and, in any event, within seventy-two (72) hours of becoming aware of such breach, along with all relevant details.
This ensures timely compliance and accountability.
Clause 4 – Sub-processing
The absence of oversight over sub-processors creates significant compliance risk.
Revised Clause: The Data Processor shall not engage any sub-processor without the prior written consent of the Data Fiduciary. The Data Processor shall ensure that any approved sub-processor is bound by data protection obligations no less stringent than those set out in this Agreement.
This introduces necessary control and accountability.
Clause 7.3 – Post-Termination Data Handling
The current provision is overly broad and exposes data to misuse.
Revised Clause: Upon termination or expiry of this Agreement, the Data Processor shall, at the option of the Data Fiduciary, return or securely delete all personal data and certify such deletion in writing, unless retention is required under applicable law.
This aligns with storage limitation principles.
SUMMARY NOTE
The Data Processing Agreement, in its present form, reflects significant drafting deficiencies and fails to meet the requirements of the Digital Personal Data Protection Act, 2023. Several clauses are either vague or overly broad, particularly those relating to processing activities, scope of engagement, and breach notification. The absence of clearly defined purposes for data processing and the allowance for independent use of personal data by the Data Processor undermine the fundamental principle of consent.
Further, critical safeguards such as defined timelines for breach reporting, restrictions on sub-processing, and obligations relating to data deletion upon termination are either inadequately addressed or entirely absent. These gaps expose both the Data Fiduciary and the Data Principals to potential legal and operational risks. The liability clause, which imposes a nominal cap irrespective of the nature of harm, is commercially unreasonable and may not withstand scrutiny.
The revised clauses seek to address these concerns by introducing clarity, specificity, and alignment with established data protection principles. Key improvements include restricting processing to documented instructions, incorporating defined breach notification timelines, ensuring oversight over sub-processors, and mandating secure handling of data upon termination.
Overall, the revised agreement establishes a more balanced allocation of responsibilities and enhances compliance with applicable law, while also strengthening the protection afforded to Data Principals.