Cross-Border Data Transfers Under DPDP Act: Complete Compliance Guide for Indian Businesses

By Arpit Garg | DPDP | 2025-06-12

Navigate DPDP Act cross-border transfer requirements. Covers approved jurisdictions, transfer mechanisms, cloud provider compliance, and practical implementation steps. Includes assessment framework for international data flows.

## TL;DR Summary

The DPDP Act permits transfers of personal data outside India except to countries or territories that the Central Government restricts by notification. Until any such restriction is notified, businesses must rely on contractual safeguards and risk assessments. We've helped 30+ organizations evaluate their cross-border flows; this guide shares our framework for compliance.

---

## About the Author

**Arpit Garg**
*Founder & Chief Privacy Officer, Complynz*

Arpit has advised 30+ organizations on cross-border data transfer compliance, including multinational companies with complex data flows and Indian startups using global SaaS tools. Connect on [LinkedIn](https://linkedin.com/in/arpitgarg).

*This guide reflects our cross-border compliance experience. AI assisted with organization; all frameworks are from real client engagements.*

---

## What Does DPDP Act Say About Cross-Border Transfers?

### The Basic Rule

Section 16 of the DPDP Act states that personal data may be transferred outside India, except to countries or territories that the Central Government specifically restricts by notification. The Act therefore works on a restriction list, not an approval list: a transfer is lawful unless the destination has been restricted. Section 16(2) adds that this does not override any other Indian law that imposes a stricter localisation requirement, so sector rules such as the RBI's payment system data storage directive continue to apply on top of the DPDP Act.

### Current Status (February 2026)

- **Restricted Jurisdictions:** None notified yet
- **Approved Jurisdictions:** Not applicable; the Act does not provide for an approval list
- **Default Position:** Transfers permitted, subject to the Act's other obligations (notice, consent or a Section 7 legitimate use, reasonable security safeguards) and any stricter sector-specific law

### What This Means Practically

Until the government notifies any restricted jurisdictions, businesses should:

1. Assess transfer risks
2. Implement contractual safeguards
3. Document transfer justifications
4. Monitor for regulatory updates

---

## Mapping Your Cross-Border Data Flows

### Step 1: Identify All Transfers

Most organizations underestimate their cross-border flows, because many transfers happen through SaaS integrations, SDKs and cloud regions that nobody thought of as "exports".
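Step 1 is easiest to act on with evidence rather than questionnaires: outbound-connection records show which external services your systems actually talk to. The following Python is an added example, not code from the original guide or from Complynz. It takes constructed outbound-connection records (hypothetical JSON lines of the kind a proxy or enriched flow log produces) and a constructed vendor catalogue, and turns them into a first-pass transfer register carrying the fields that traffic can establish (recipient, destination country, data categories, volume, originating systems), while flagging the fields that need human input. The hostnames, vendor countries and data categories are assumptions for illustration, not statements about those vendors.

```python
import json
from dataclasses import dataclass, field

# Constructed sample egress records (JSON lines), not real traffic.
EGRESS_LOG = """\
{"ts": "2025-06-10T09:12:01Z", "src": "crm-sync", "dest_host": "acme.my.salesforce.com", "bytes": 48213}
{"ts": "2025-06-10T09:12:07Z", "src": "web-app", "dest_host": "s3.ap-south-1.amazonaws.com", "bytes": 920144}
{"ts": "2025-06-10T09:13:44Z", "src": "support-bot", "dest_host": "api.openai.com", "bytes": 15320}
{"ts": "2025-06-10T09:15:02Z", "src": "crm-sync", "dest_host": "acme.my.salesforce.com", "bytes": 20117}
{"ts": "2025-06-10T09:16:30Z", "src": "backup-job", "dest_host": "s3.us-east-1.amazonaws.com", "bytes": 5242880}
{"ts": "2025-06-10T09:18:11Z", "src": "marketing-site", "dest_host": "tracker.example-analytics.net", "bytes": 3105}
"""

# Constructed vendor catalogue: hostname suffix -> where that vendor processes
# data and what the integration is known to carry. Assumed values for
# illustration; in practice these come from each vendor's DPA and
# sub-processor list.
VENDOR_CATALOGUE = {
    "salesforce.com": {"vendor": "Salesforce", "country": "US",
                       "categories": ["customer contact details", "sales activity"]},
    "api.openai.com": {"vendor": "OpenAI", "country": "US",
                       "categories": ["support query content"]},
    "ap-south-1.amazonaws.com": {"vendor": "AWS (Mumbai)", "country": "IN",
                                 "categories": ["all hosted data"]},
    "us-east-1.amazonaws.com": {"vendor": "AWS (N. Virginia)", "country": "US",
                                "categories": ["all hosted data"]},
}

HOME_COUNTRY = "IN"


@dataclass
class TransferEntry:
    """One row of the transfer register; mirrors the Step 2 fields."""
    recipient: str
    destination_country: str
    data_categories: list
    status: str                      # "domestic", "cross-border" or "unclassified"
    sources: set = field(default_factory=set)   # internal systems making the connection
    connections: int = 0
    bytes_sent: int = 0
    # Fields that cannot be derived from traffic and must be filled in by a person.
    to_document: tuple = ("data subjects", "purpose", "legal basis", "safeguards")


def classify_host(host):
    """Longest-suffix match of a hostname against the catalogue; None if unknown.

    The match requires a dot boundary so that "evil-salesforce.com" does not
    match the "salesforce.com" entry.
    """
    best = None
    for suffix, info in VENDOR_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, info)
    return None if best is None else best[1]


def build_register(log_text):
    """Aggregate egress records into a register keyed by recipient."""
    register = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        info = classify_host(rec["dest_host"])
        if info is None:
            # Unknown destination: keep it visible as "unclassified" rather
            # than silently dropping a possible shadow integration.
            key, country, cats, status = rec["dest_host"], "unknown", [], "unclassified"
        else:
            key, country, cats = info["vendor"], info["country"], info["categories"]
            status = "domestic" if country == HOME_COUNTRY else "cross-border"
        entry = register.setdefault(key, TransferEntry(key, country, list(cats), status))
        entry.sources.add(rec["src"])
        entry.connections += 1
        entry.bytes_sent += rec["bytes"]
    return register


def needs_assessment(register):
    """Recipients that require a transfer assessment: anything not domestic."""
    return sorted(k for k, e in register.items() if e.status != "domestic")


if __name__ == "__main__":
    reg = build_register(EGRESS_LOG)
    for name in needs_assessment(reg):
        e = reg[name]
        print(f"{name:32} {e.status:13} {e.destination_country:8} "
              f"{e.connections} conns, {e.bytes_sent} bytes, from {sorted(e.sources)}")
```

Two design points matter in practice. The suffix match insists on a dot boundary, so a look-alike domain cannot inherit a trusted vendor's classification. And an unknown host becomes an "unclassified" register row instead of being discarded; the unclassified rows are usually where the undercounted transfers are.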
Common transfer scenarios:

| Scenario | Example | Data Transferred |
|----------|---------|------------------|
| Cloud Infrastructure | AWS US-East region | All hosted data |
| SaaS Tools | Salesforce, HubSpot | Customer data |
| Marketing Platforms | Mailchimp, Klaviyo | Email, behavior |
| Analytics | Google Analytics | User behavior |
| Support Tools | Zendesk, Intercom | Support tickets |
| AI Services | OpenAI, Anthropic | Query content |
| Payment Processing | Stripe (US) | Transaction data |
| HR Systems | Workday, BambooHR | Employee data |

Payment processing deserves a separate check: the RBI's payment system data storage directive requires payment system data to be stored in India regardless of the DPDP Act position on transfers.

### Step 2: Document Transfer Details

For each cross-border flow, document:

| Field | Information Needed |
|-------|--------------------|
| Data Categories | What types of personal data? |
| Data Subjects | Whose data (customers, employees)? These are Data Principals in the Act's terms. |
| Volume | How many records? |
| Destination Country | Where does data go? |
| Recipient | Who receives the data? |
| Purpose | Why is the transfer necessary? |
| Legal Basis | Consent, or a legitimate use under Section 7? The DPDP Act has no general legitimate-interest basis. |
| Safeguards | What protections are in place? |

---

## Transfer Assessment Framework

### Risk Factors to Evaluate

**1. Destination Country**

| Consideration | Questions to Ask |
|---------------|------------------|
| Legal Framework | Does the country have a data protection law? |
| Government Access | Is there a surveillance risk? |
| Judicial Recourse | Can data subjects seek remedies? |
| Enforcement | Are privacy rights enforced? |

**2. Data Sensitivity**

| Data Type | Transfer Risk |
|-----------|---------------|
| Public information | Low |
| Contact details | Low-Medium |
| Behavioral data | Medium |
| Financial data | High |
| Health data | High |
| Biometric data | Very High |
| Children's data | Very High |

**3. Transfer Volume**

| Volume (records) | Consideration |
|------------------|---------------|
| 100,000 | Enhanced due diligence |

---

## Transfer Mechanisms and Safeguards

### 1. Standard Contractual Clauses

Until India develops its own SCCs, consider:

**Essential Clauses:**

- Limitations on onward transfers
- Security obligations matching Indian requirements
- Data subject rights support
- Breach notification requirements
- Audit rights
- Termination and data return

### 2. Binding Corporate Rules

For multinational groups:

- Internal data protection policies
- Binding on all group entities
- Enforceable by data subjects
- Regular compliance monitoring

### 3. Certification Mechanisms

- ISO 27701 certification
- SOC 2 attestation reports
- Industry-specific certifications

### 4. Technical Measures

| Measure | Protection Offered |
|---------|--------------------|
| Encryption in transit | Prevents interception |
| Encryption at rest | Protects stored data |
| Pseudonymization | Reduces re-identification risk |
| Data minimization | Reduces exposure |
| Regional processing | Keeps data closer to source |

Encryption only reduces transfer risk if the foreign recipient does not hold the keys, and pseudonymization only helps if the re-identification key or lookup table stays in India; otherwise the recipient is still processing identifiable personal data.

---

## Practical Scenarios and Solutions

### Scenario 1: Using US-Based SaaS (Salesforce, HubSpot)

**Challenge:** Customer data transferred to US servers

**Solution Framework:**

1. Review the vendor's DPA and security certifications
2. Negotiate data residency where available
3. Implement contractual safeguards
4. Document business necessity
5. Monitor for India region availability

### Scenario 2: Global Analytics (Google Analytics)

**Challenge:** Website visitor data processed globally

**Solution Framework:**

1. Consider Google Ana