PRACTITIONER FAQ

Mobile OEM + NBFC: Who Is the Data Fiduciary in Embedded Finance — and Can PII Flow Through an API?

12 min read · For: Compliance Officer, DPO, NBFC Legal, Product Manager · April 2026
Episode 01 of 10 · Consumer Durables · NBFC · Embedded Finance

A smartphone brand acquires a customer, offers EMI via partnered NBFC, and passes PII through an API for faster onboarding. Four questions every implementation team needs answered before writing a line of code.

THE SCENARIO

An Indian mobile OEM operates a consumer registration app where customers create accounts post-purchase. At registration, the OEM offers Buy Now Pay Later / EMI financing via a partnered NBFC. The OEM collects name, mobile, email, address, PAN, and device diagnostics during registration. The NBFC needs KYC data (name, PAN, address, income proxy) for credit underwriting. A shared API is proposed to pre-fill the NBFC's onboarding form with OEM-collected data to reduce customer re-entry friction.

Tags: Data Fiduciary · Data Processor · Consent §6 · Purpose Limitation §7 · KYC Mandate · API PII Transfer
FIGURE 1 — Data Fiduciary Structure and API Transfer Conditions

Data Fiduciary chain — OEM + NBFC embedded finance:
- Customer: Data Principal, §2(t) DPDP Act
- OEM (smartphone brand): Data Fiduciary #1; collects name, mobile, email, PAN, address; §2(i) — determines purpose
- NBFC (lender): Data Fiduciary #2; collects KYC, PAN, income proxy, address; §2(i) — independent purpose
- OEM → NBFC link: Data Sharing Agreement (DSA) required by DPDP; API transfer of PII needs consent

Three conditions for lawful PII transfer via API:
1. Explicit, itemised consent at OEM onboarding naming the NBFC and data fields
2. Separate consent dialog shown at the "Apply for EMI" step — affirmative checkbox
3. Data Sharing Agreement (DSA) executed between OEM and NBFC

🚫 Pre-filling the NBFC form without consent = §7 violation
✓ RBI KYC mandate = §7(b) legal obligation for the NBFC only
Q 1.1

Who is the Data Fiduciary — the OEM, the NBFC, or both?

Both are independent Data Fiduciaries under §2(i) of the DPDP Act 2023. A Data Fiduciary is any person who "alone or in conjunction with others, determines the purpose and means of processing personal data." The OEM determines that it will collect device registration data and optionally financial data to offer EMI — that is a unilateral purpose-and-means decision, making it a Fiduciary. The NBFC independently determines that it needs KYC and credit data to underwrite a loan — it is also a Fiduciary for that purpose.

The key test is not "who collected first" but "who decided why and how." Since both entities independently decide the purpose of their respective processing, they are sequential Fiduciaries — not a Fiduciary-Processor relationship.

⚠️ Common Mistake: The NBFC cannot treat itself as a Data Processor merely because the OEM passed it the data. A Processor acts only on the Fiduciary's instructions and does not determine purpose. The NBFC absolutely determines purpose (credit underwriting, RBI-mandated KYC) — making it a Fiduciary in its own right.

References: DPDP Act §2(i) — Data Fiduciary · DPDP Act §2(k) — Data Processor · DPDP Rules 2025 §3 — Consent notice
Q 1.2

Can the OEM pass PII to the NBFC via API for faster onboarding — and under what conditions?

● CONDITIONALLY PERMITTED

The OEM may pass PII to the NBFC only if all three of the following are satisfied:

1. Explicit, itemised consent at OEM onboarding. Under §6, the consent request must name the NBFC (or category of financial partners), list the specific data fields to be shared, and state the purpose (credit underwriting). A generic "we may share data with partners" clause is legally insufficient.

2. A separate, distinct consent at the EMI application step. If the customer consented to "device registration and warranty," that consent does not extend to financial data sharing. A distinct consent dialog must appear at or before the moment the customer clicks "Apply for EMI."

3. A Data Sharing Agreement (DSA) between OEM and NBFC documenting: categories of data shared, purpose, retention limits, the OEM's warranties of lawful collection, and the NBFC's obligations as a receiving Fiduciary.

🔧 Implementation Pattern: At the EMI offer screen, show a distinct consent dialog: "To process your loan application, [OEM] will share your name, PAN, mobile number, and address with [NBFC] for credit assessment. [NBFC] will process this data as an independent Data Fiduciary under their Privacy Policy [link]." Require an affirmative checkbox — not pre-ticked.

🚫 Prohibited Pattern: Pre-filling the NBFC's loan application form using OEM-collected data without a distinct consent screen — even if technically seamless. This is processing beyond the original purpose: a §7 (purpose limitation) violation.
Q 1.3

The NBFC has mandatory RBI KYC obligations. Does this override the DPDP consent requirement?

No — but it creates a legal obligation basis that operates alongside (not instead of) the DPDP framework. Under §7(b), processing is lawful where it is "necessary for compliance with any law." RBI's KYC Master Direction mandates collection of name, address, PAN, and photograph from borrowers.

This means the NBFC does not need consent to collect and process KYC data it is legally mandated to collect directly from the data principal. However, the OEM still needs consent to transfer the data to the NBFC — because the OEM's original collection was for device registration, not NBFC KYC. The RBI obligation belongs to the NBFC, not to the OEM, and cannot be used by the OEM to justify its own data transfer.

💡 Practical Split: OEM's data transfer → requires consent. NBFC's processing of that transferred data for KYC → legal obligation basis. These are two separate processing activities with two separate lawful bases — document them separately in your ROPA.
Q 1.4

If a customer withdraws consent with the OEM, what happens to data already at the NBFC?

Under §6(4), consent withdrawal must be "as easy as giving consent" and the DPDP Act requires the Fiduciary to cease processing upon withdrawal. However, §7(b) creates an important carveout: if the NBFC has already initiated a credit assessment or loan disbursement, its continuing processing is legally mandated (RBI obligations, AML, audit requirements) and is no longer consent-dependent.

The OEM's obligation on withdrawal: stop all future data transfers to the NBFC. The NBFC's obligation: retain only for the period mandated by RBI/PMLA regulations; delete thereafter. Data already transmitted and being processed under a legal obligation basis cannot be deleted merely because OEM consent was withdrawn.

FIGURE 2 — Consent Withdrawal Split Obligations

Consent withdrawal — split obligations:
- OEM obligation on withdrawal: ✓ stop all future API transfers; ✓ delete OEM-held profile data; ✓ acknowledge within the §6(4) reasonable period; ✗ cannot delete NBFC data
- Data already at NBFC: if a credit assessment has been initiated → RBI/PMLA legal obligation applies independently → not deletable by OEM consent withdrawal (basis: §7(b) legal obligation)
- NBFC continuing duty: ✓ retain per RBI/PMLA period; ✓ delete after the mandate expires; ✓ no marketing re-use; ✗ no consent cascade needed from OEM withdrawal
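The consent gate that Q 1.2 and Q 1.4 describe in prose, as an added example that is not code from the article or from CreativeCyber: a consent record must name the receiving NBFC and the exact fields, must be an affirmative act, must not have been withdrawn, and the pre-fill payload is built only from what that record covers. The purpose labels, the `ConsentRecord` schema, and all sample values (customer id, PAN, mobile, policy URL) are assumptions constructed for this example. Withdrawal is modelled on the OEM side only, since the NBFC's retention of data it already holds rests on its own §7(b) basis.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import FrozenSet, Iterable, List, Optional

# Purpose labels are assumptions for this example; the article names purposes only in prose.
PURPOSE_DEVICE_REGISTRATION = "device_registration_and_warranty"
PURPOSE_CREDIT_UNDERWRITING = "credit_underwriting"


@dataclass(frozen=True)
class ConsentRecord:
    """One itemised consent captured from the data principal (constructed schema)."""
    principal_id: str
    purpose: str
    recipient: str              # the named receiving Fiduciary, never a category like "partners"
    fields: FrozenSet[str]      # the exact data fields the principal agreed to share
    affirmative: bool           # True only if the principal ticked the box; pre-ticked boxes record False
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return self.granted_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)


@dataclass(frozen=True)
class TransferDecision:
    allowed: bool
    reason: str
    fields: FrozenSet[str] = field(default_factory=frozenset)


def consent_notice(oem: str, nbfc: str, fields: Iterable[str], policy_url: str) -> str:
    """Render the dialog text from the same field list that gets stored, so the notice the
    customer reads and the consent record cannot drift apart."""
    listed = ", ".join(sorted(fields))
    return (f"To process your loan application, {oem} will share your {listed} with {nbfc} "
            f"for credit assessment. {nbfc} will process this data as an independent Data "
            f"Fiduciary under their Privacy Policy ({policy_url}).")


def authorize_transfer(consents: List[ConsentRecord], principal_id: str, recipient: str,
                       purpose: str, requested_fields: Iterable[str], now: datetime) -> TransferDecision:
    """Gate an OEM -> NBFC API transfer on a consent that names this recipient and purpose,
    was an affirmative act, covers every requested field, and has not been withdrawn."""
    requested = frozenset(requested_fields)
    matching = [c for c in consents
                if c.principal_id == principal_id and c.recipient == recipient and c.purpose == purpose]
    if not matching:
        # The prohibited pattern lands here: a registration/warranty consent does not name the NBFC.
        return TransferDecision(False, "no consent names this recipient for this purpose")
    consent = max(matching, key=lambda c: c.granted_at)   # latest consent for this pair decides
    if not consent.affirmative:
        return TransferDecision(False, "consent was not an affirmative act")
    if not consent.active_at(now):
        return TransferDecision(False, "consent withdrawn; OEM must stop future transfers")
    missing = requested - consent.fields
    if missing:
        return TransferDecision(False, "fields outside consent: " + ", ".join(sorted(missing)))
    return TransferDecision(True, "itemised consent covers recipient, purpose and fields", requested)


def build_prefill_payload(profile: dict, decision: TransferDecision) -> Optional[dict]:
    """Emit the pre-fill payload only when the gate allowed it, restricted to the consented fields."""
    if not decision.allowed:
        return None
    return {k: profile[k] for k in sorted(decision.fields) if k in profile}


def withdraw(consent: ConsentRecord, at: datetime) -> ConsentRecord:
    """Record withdrawal on the OEM side. This stops future transfers only; data the NBFC already
    holds under its own legal-obligation basis follows the NBFC's retention schedule."""
    return replace(consent, withdrawn_at=at)


def demo() -> dict:
    """Walk the scenario with constructed sample data and return each decision."""
    t0 = datetime(2026, 4, 1, tzinfo=timezone.utc)
    profile = {"name": "A. Customer", "pan": "XXXXX0000X", "mobile": "+91-0000000000",
               "address": "Constructed address", "email": "c@example.invalid",
               "device_diagnostics": {"battery_cycles": 12}}          # all values constructed
    kyc_fields = {"name", "pan", "mobile", "address"}
    consents = [ConsentRecord("cust-001", PURPOSE_DEVICE_REGISTRATION, "OEM",
                              frozenset(profile) - {"pan"}, True, t0)]
    out = {"notice": consent_notice("OEM", "NBFC Ltd", kyc_fields, "https://example.invalid/privacy")}
    # Prohibited pattern: pre-fill using only the registration consent.
    out["prefill_without_emi_consent"] = authorize_transfer(
        consents, "cust-001", "NBFC Ltd", PURPOSE_CREDIT_UNDERWRITING, kyc_fields, t0)
    # Distinct, affirmative consent captured at the "Apply for EMI" step.
    emi = ConsentRecord("cust-001", PURPOSE_CREDIT_UNDERWRITING, "NBFC Ltd", frozenset(kyc_fields), True, t0)
    consents.append(emi)
    out["prefill_with_emi_consent"] = authorize_transfer(
        consents, "cust-001", "NBFC Ltd", PURPOSE_CREDIT_UNDERWRITING, kyc_fields, t0)
    out["payload"] = build_prefill_payload(profile, out["prefill_with_emi_consent"])
    # Over-broad request: device diagnostics were never consented for the NBFC.
    out["overbroad"] = authorize_transfer(
        consents, "cust-001", "NBFC Ltd", PURPOSE_CREDIT_UNDERWRITING, kyc_fields | {"device_diagnostics"}, t0)
    # A pre-ticked box is not consent: recorded as affirmative=False and rejected.
    out["pre_ticked"] = authorize_transfer(
        [ConsentRecord("cust-002", PURPOSE_CREDIT_UNDERWRITING, "NBFC Ltd", frozenset(kyc_fields), False, t0)],
        "cust-002", "NBFC Ltd", PURPOSE_CREDIT_UNDERWRITING, kyc_fields, t0)
    # Withdrawal: later transfers stop; the NBFC's existing copy is out of scope here.
    consents[-1] = withdraw(emi, datetime(2026, 4, 2, tzinfo=timezone.utc))
    out["after_withdrawal"] = authorize_transfer(
        consents, "cust-001", "NBFC Ltd", PURPOSE_CREDIT_UNDERWRITING, kyc_fields,
        datetime(2026, 4, 3, tzinfo=timezone.utc))
    return out
```

Run `demo()` to see each branch: the registration-only request is refused, the EMI-step consent yields a payload limited to name, PAN, mobile and address (email and diagnostics never leave the OEM), the over-broad and pre-ticked requests are refused with a stated reason, and after withdrawal the gate refuses further transfers while saying nothing about data the NBFC already holds. Logging the `reason` string per call gives the ROPA the separate record the article asks for on the OEM side of the split.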

Regulatory References
- DPDP Act 2023: §2(i), §2(k), §6, §7, §7(b), §8, §12
- DPDP Rules 2025
- RBI KYC Master Direction
- PMLA 2002