Chat with us
Section 16 & Rule 15

Cross-Border Data Transfer

The DPDP Act takes a balanced approach to cross-border data transfers, permitting transfers except to countries specifically notified by the Central Government.

Key Principles

Negative List Approach

Transfer is permitted to all countries EXCEPT those specifically notified by the Central Government

Government Notification

Central Government will notify countries/territories where transfer is restricted based on security considerations

Contractual Safeguards

Data Fiduciaries must ensure appropriate contractual arrangements with foreign processors

Continued Obligations

All DPDP Act obligations continue to apply even after data is transferred outside India

Permitted Transfers

Transfer of personal data outside India is permitted to all countries and territories EXCEPT:

  • Countries notified by Central Government
  • Territories restricted for security reasons

Restriction Factors

National Security:Countries posing security threats may be restricted
Diplomatic Relations:Geopolitical considerations may influence restrictions
Legal Framework:Countries without adequate data protection laws
Enforcement Capability:Jurisdictions where Indian laws cannot be enforced

Compliance Requirements

Verify the destination country is not on the restricted list
Implement appropriate contractual safeguards with foreign recipients
Ensure the foreign recipient provides equivalent data protection
Maintain records of all cross-border transfers
Respond to Data Principal requests regardless of data location
Ensure breach notification obligations are met for transferred data
Conduct due diligence on foreign Data Processors

Need Cross-Border Transfer Guidance?

TCSA helps organizations navigate international data transfer requirements under DPDP Act.

Related Certifications

Strengthen Your Compliance Posture

Explore complementary certifications that work together to provide comprehensive security and compliance coverage.

Complementary

ISO 27701

International privacy standard. Demonstrates global privacy best practices beyond DPDP.

Learn More
Foundation

ISO 27001

Information security foundation. DPDP compliance is easier with strong ISMS in place.

Learn More