Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 83

The Tour d’Horizon of Data Law Implications of Digital Twins
2.3 DEVELOPMENT AND DEPLOYMENT
Once the DT is deployed and the application is in use, there is ongoing processing of the data which was fed into the DT. Depending upon the type of application, there may also be real-time data collection and processing. Such data may include feedback and user inputs, data from the operations environment, etc.
3 CONSIDERATIONS UNDER DATA LAWS
The regulatory frameworks governing data privacy and protection across various jurisdictions can place restrictions on the scope of data collection and processing. Some of the key legal nuances are discussed below.
3.1 STAKEHOLDERS
Privacy laws across jurisdictions typically apply to three categories of stakeholders.
3.1.1 DATA CONTROLLER
Individuals or entities which determine the “why” and “how” of the collection, processing, storage and sharing of the data. Across most jurisdictions, the Data Controller is responsible for the highest level of legal compliance. In DT applications, depending on the DT model and functionality, the DT developer and the entity which is deploying the applications could be considered Data Controllers.
3.1.2 DATA PROCESSOR
The entity which acts on behalf of the Data Controller to perform data processing tasks according to the controller’s instructions. The Data Processor does not have autonomy over the purpose or method of processing but simply executes tasks assigned by the Data Controller. Outsourcing or backend service providers, network / cloud platforms where the DT is hosted, DT operators, etc. could be considered Data Processors.
Therefore, depending on the type of DT application and the role of each contributing stakeholder in the development and deployment of the application, a party would be designated as the Data Controller or Data Processor.
3.1.3 DATA SUBJECT
In most jurisdictions, Data Subject refers to a natural person and not a juristic person or an object. In the context of personal data (i.e. any information that relates to or can identify an individual), the individual whom the data concerns is the Data Subject. The Data Controller and Processors are responsible to the Data Subject for personal data collected and processed. Personal data of Data Subjects would generally be processed in the creation of human or organ DTs. In such use cases, Data Subjects are granted various rights under multiple jurisdictions, including the right to withdraw consent for the processing of their data. Upon withdrawal of consent, the Data
78 May 2025