Cross-Border Data Transfers Under DPDPA

As Indian businesses increasingly use international cloud services, overseas vendors, and global enterprise platforms, cross-border data transfer has become a practical compliance question under DPDPA.

What Is a Cross-Border Data Transfer?

A cross-border transfer occurs when personal data of Indian residents is transferred to, or accessed from, a location outside India. This includes:

• Storing data on international cloud servers (AWS us-east-1, Google Cloud Europe, etc.)
• Sharing customer data with an overseas parent company or affiliate
• Using a SaaS platform that stores data in servers outside India
• Sending candidate CVs to an overseas client
• Accessing Indian employee records from an overseas office

The DPDPA Framework for Cross-Border Transfers

Section 16 of DPDPA allows the Central Government to restrict the transfer of personal data to certain countries or territories. The mechanism works through a permitted destinations approach: the government will notify a list of countries to which transfers are permitted (or conversely, identify countries to which transfer is restricted).

Important: As of early 2026, the permitted destinations list has not yet been formally notified. This means the cross-border transfer restrictions are not yet in force. However, businesses should prepare for them.

What to Do Now (Before the List Is Notified)

• Map your international data flows — identify every vendor, tool, or process that transfers personal data outside India
• Review vendor agreements — check where data is stored and whether vendors offer Indian data residency options
• Check SaaS terms — many major SaaS platforms specify their data residency regions in their terms of service or data processing addenda
• Build awareness in procurement — when onboarding new tools, make cross-border data storage a standard evaluation question

Categories of International Transfer Risk

High risk:

• Sharing Indian customer data with overseas marketing agencies
• Using overseas analytics platforms that receive event-level personal data
• Cross-border HR data sharing with parent companies without documented legal basis

Medium risk:

• Using US-hosted SaaS tools for CRM, email, or project management
• Backing up databases to international cloud regions

Lower risk (but still worth mapping):

• International access by your own employees (e.g., logging in to your CRM from overseas while travelling)

Preparing Your Privacy Notice

Your Privacy Notice should disclose whether you transfer personal data outside India, which countries or regions, and for what purposes. Even before the permitted destinations list is notified, being transparent in your Privacy Notice is good practice and likely to be expected under final Rules.

Data Localisation Considerations

Some categories of data may be subject to stronger localisation requirements under Indian law even beyond DPDPA — for example, payment data under RBI regulations, or health data. Review the full regulatory landscape for your sector.

Questions to Ask Your Vendors

• Where is our data stored? In which country/region?
• Do you offer data residency options for India?
• Have you reviewed your obligations under DPDPA for India-origin data?
• What security standards apply to the India data you process?
• What is your breach notification process for India-origin data incidents?

Practical Next Steps

• Create a data flow map showing which tools receive personal data and where they store it
• Flag any tools storing data in jurisdictions with weaker privacy protections
• Begin evaluating India-region hosting options for critical personal data stores
• Update your Privacy Notice to disclose international data flows
• Monitor official notifications for the permitted destinations list when published