DPDP Act 2023 · Section 16 · Cross-Border Transfer
Cross-Border
Data Transfer
The DPDP Act takes a balanced approach to cross-border data transfers, permitting transfers except to countries specifically notified by the Central Government.
A negative-list model: transfers are permitted by default, and as of mid-2026 no restricted-country list has been notified.
DPDP Act 2023 · Section 16 + Rule 15 · Last reviewed June 2026
Direct Answer
Can personal data leave India under the DPDP Act?
Under Section 16 of the DPDP Act 2023, a data fiduciary may transfer personal data outside India to any country except those the Central Government specifically notifies as restricted — a “negative list” approach that is far more permissive than the GDPR’s adequacy-and-safeguards model. As of mid-2026 no restricted-country list has been notified, so cross-border transfers are broadly allowed, though sectoral localization rules (such as the RBI’s payment-data mandate) can be stricter and continue to prevail.
Section 16
Key Principles
Negative List Approach
Transfer is permitted to all countries EXCEPT those specifically notified by the Central Government
Government Notification
Central Government will notify countries/territories where transfer is restricted based on security considerations
Contractual Safeguards
Data Fiduciaries must ensure appropriate contractual arrangements with foreign processors
Continued Obligations
All DPDP Act obligations continue to apply even after data is transferred outside India
The Framework
Permitted Transfers & Restriction Factors
Permitted Transfers
Transfer of personal data outside India is permitted to all countries and territories EXCEPT:
- Countries notified by Central Government
- Territories restricted for security reasons
Restriction Factors
Your Obligations
Compliance Requirements
Two Models
DPDP vs GDPR: Cross-Border Transfer
For organizations operating in both jurisdictions, the transfer mechanisms differ fundamentally.
| Aspect | DPDP Act 2023 (India) | GDPR (EU) |
|---|---|---|
| Default rule | Permitted to all countries except those notified (blacklisted) by the Central Government | Prohibited unless an adequacy decision or appropriate safeguard applies (whitelist model) |
| Mechanism | Negative list — no transfer-specific instrument required for non-restricted countries | Adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs) |
| Sectoral overrides | Sectoral regulators (e.g. RBI) may impose stricter localization that prevails | Member-state and sectoral rules can add conditions |
| Ongoing obligations | All DPDP obligations continue to apply to data after transfer | Controller remains accountable; transfer impact assessment may be required |
See the full DPDP vs GDPR comparison for a clause-by-clause breakdown.
Frequently Asked Questions
Common questions on transferring personal data outside India under the DPDP Act.
Does the DPDP Act allow personal data to leave India?
Yes. Section 16 of the DPDP Act 2023 adopts a negative-list (blacklist) approach: a data fiduciary may transfer personal data to any country or territory except those the Central Government specifically notifies as restricted. As of mid-2026 no such restricted-country list has been notified, so transfers are broadly permitted, subject to sectoral rules.
How does DPDP cross-border transfer differ from the GDPR?
The models are inverted. The GDPR prohibits transfers unless an adequacy decision or a safeguard such as Standard Contractual Clauses applies (a whitelist). The DPDP Act permits transfers everywhere except to notified restricted countries (a blacklist). DPDP therefore imposes fewer transfer-specific formalities, but sectoral localization rules can be stricter.
Do sector-specific data localization rules still apply under DPDP?
Yes. The DPDP Act expressly preserves stricter requirements imposed under other laws. For example, the Reserve Bank of India mandates that payment system data be stored in India. Where a sectoral regulator imposes localization, that rule prevails over the Act’s more permissive transfer regime.
What safeguards should we put in place for cross-border transfers?
Even though DPDP does not mandate a specific transfer instrument for non-restricted countries, you should verify the destination is not restricted, put contractual data-protection obligations on foreign recipients and processors, ensure they can support data-principal rights and breach notification, and keep records of every transfer. These measures preserve accountability, which continues to rest with the data fiduciary.
Who is responsible for data after it is transferred abroad?
The data fiduciary remains fully accountable. All DPDP Act obligations — security safeguards, breach notification, and honouring data-principal rights — continue to apply to the personal data regardless of where it is processed. Transferring data to a processor or affiliate abroad does not transfer the legal responsibility.
Continue your DPDP research
- DPDP Act compliance hub — the full guide to the Act and Rules 2025.
- DPDP compliance consulting in India — transfer assessments and end-to-end implementation.
- DPDP penalty calculator — model your exposure under the Act.
- Tranquility Cybersecurity credentials & proof.
Written By Expert Auditors
Keep Exploring
Related Reading
DPDP Knowledge Hub
Rules 2025, penalties, SDF obligations and 14 deep-dive guides.
Read moreDPDP vs GDPR
Side-by-side comparison for companies subject to both regimes.
Read moreDPDP Rules 2025
The subordinate rules under the DPDP Act — timelines, obligations, SDF thresholds.
Read moreGDPR Compliance
The EU's data protection regulation for any company with EU users.
Read morePDPL Compliance (KSA & UAE)
Saudi Arabia's SDAIA-enforced privacy law and the UAE's federal PDPL.
Read moreISO 27701 (PIMS)
The privacy extension to ISO 27001 — one audit, two certificates.
Read moreGet in touch
Book a free consultation or send us your requirements. We respond within 24 hours.
Quick Call
Pick a time slot
Send Requirements
Get a custom quote in 24 hours