Data Privacy & Governance
Cross-Border Data Transfers
Can I transfer personal data outside India?
Under the DPDP Act, personal data may be transferred to countries or territories outside India, except to countries that the Central Government restricts by notification. The government is expected to publish a list of restricted countries. Until such notification is issued, transfers are generally permitted subject to compliance with other provisions of the Act. Under the GDPR, transfers outside the EEA require an adequacy decision for the destination country or appropriate safeguards such as Standard Contractual Clauses, Binding Corporate Rules, or derogations for specific situations. The practical challenge for companies operating across jurisdictions is building a data transfer architecture that complies with both frameworks simultaneously.
What are Standard Contractual Clauses and when do I need them?
Standard Contractual Clauses (SCCs) are pre-approved contractual terms issued by the European Commission that provide adequate safeguards for transferring personal data from the EEA to countries without an adequacy decision. If your Indian company receives personal data from the EU, whether as a processor or an independent controller, you will likely need SCCs in place. The current SCCs (adopted June 2021) are modular and cover controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers. SCCs must be accompanied by a Transfer Impact Assessment (similar to a TRA) that evaluates whether the laws of the destination country provide effective protection. We draft and negotiate SCCs and the accompanying transfer documentation.
What is data localisation and does it apply to my business?
Data localisation refers to regulatory requirements that certain categories of data must be stored or processed within the territory of a specific country. In India, the RBI requires payment system data to be stored in India. The DPDP Act does not impose blanket localisation but empowers the government to restrict transfers to specific countries. Various sector-specific regulations impose localisation or mirroring requirements. If you operate in financial services, healthcare, or telecommunications, sector-specific localisation rules may apply. We advise on mapping your data flows against applicable localisation requirements and structuring your infrastructure accordingly.
My company has employees in multiple countries. How do I handle cross-border employee data?
Employee data is personal data and subject to the same data protection requirements as customer or user data. If you have employees in India and the EU, you need to comply with the DPDP Act for Indian employee data and the GDPR for EU employee data. Cross-border transfers of employee data, for instance from an Indian subsidiary to a parent company abroad for payroll or HR management, require appropriate transfer mechanisms. You also need compliant employee privacy notices, lawful bases for processing, and policies on monitoring, BYOD, and data retention. We advise on building unified HR data compliance frameworks for multi-country operations.