Section 16 of the DPDPA 2023 — Cross-border transfer requirements
Section 16 of the DPDPA 2023 governs the transfer of personal data outside India. The section requires that no data fiduciary shall transfer personal data to any country or international organisation outside India unless the transfer is made through one of the mechanisms specified by the Ministry of Electronics and Information Technology in rules made under the Act.
The DPDP Rules 2025 specify three mechanisms by which transfers may be made:
- An Adequacy Determination by India that the destination country or international organisation ensures an adequate level of data protection;
- A Standard Contractual Clause (SCC) approved by the Data Protection Board;
- A Binding Corporate Rule (BCR) — an internal transfer mechanism for groups of companies.
Transfers made outside these mechanisms breach Section 16. The consequence is enforcement action by the Data Protection Board, which can include financial penalties (capped at ₹250 Crores) and orders requiring the data fiduciary to cease the unlawful processing.
For organisations that also process data of EU residents, the transfer must simultaneously comply with the GDPR Chapter V framework — a parallel regime that operates independently of the DPDPA. The GDPR is more restrictive than DPDPA Section 16 in several respects: the list of "adequate" countries is narrower; the documentation requirements are more extensive; and transfers to US-based organisations operate under a more stringent SCCs plus supplementary measures framework.
India — to-world arrangements
When an organisation in India transfers personal data outside India, the organisation is the "exporting" data fiduciary. The export must be made through one of the Section 16 mechanisms. To date, India has issued Adequacy Determinations for only a handful of destinations — the list is limited and does not include major transfer destinations like the United States.
For most outbound transfers from India, organisations therefore rely on Standard Contractual Clauses approved by the DPB. The DPDP Rules 2025 specify the terms that must be included in DPB-approved SCCs. The Standard Contractual Clauses are not yet prescribed — the DPB has not yet published the approved form. Until such time, organisations are operating in an interim state: the rule requires SCC compliance but does not yet specify what compliant SCCs look like. In these circumstances, most organisations are adopting SCCs based on the GDPR SCC framework, adapted to DPDPA terminology and requirements.
Inbound — transfer arrangements involving India
When a data controller outside India transfers personal data to an Indian data processor or fiduciary, the receiving organisation is subject to the full compliance requirements of the DPDPA, including the use of Standard Contractual Clauses in the contract with the foreign controller.
For EU-based data controllers transferring to India, the transfer must simultaneously satisfy GDPR Chapter V. Where the EU controller transfers to an Indian data processor, a separate Data Processing Agreement (DPA) is also required. Inbound transfers from the EU are currently made under GDPR SCCs because India has not yet received an GDPR Adequacy Determination.
Jurisdictions and transfer mechanisms by route
The mechanism available for a cross-border transfer depends on the source and destination of the data, and on the regulatory requirements that apply in each jurisdiction. Below are the principal transfer routes.
GDPR Inbound + DPDPA Outbound
Indian data fiduciaries transferring data to EU organisations must document the transfer under both Section 16 DPDPA and GDPR Chapter V. GDPR SCCs are used as the mechanism. Supplementary technical and contractual measures may be required if a Data Transfer Impact Assessment identifies risks. Transfers to EU recipients generally present lower risk because EU member states have high data protection standards.
Established mechanism (GDPR SCC)Section 16 Transfer — No Adequacy Yet
India has not issued an Adequacy Determination for the United States. Transfers from India to US-based organisations therefore require a Section 16-compliant mechanism. Because the DPB has not yet published approved SCCs, many organisations are using a DPDPA-adapted version of GDPR SCCs pending publication of the DPB-approved form. Organisations are advised to document their transfer arrangement and be prepared to adapt it once DPB guidance is published.
Interim mechanism (awaiting DPB SCC approval)GDPR Chapter V — SCC + DPA
EU data controllers transferring personal data to India must use GDPR Standard Contractual Clauses and, in most cases, a separate Data Processing Agreement. India has not received an GDPR Adequacy Determination, so SCCs are the primary transfer mechanism. Supplementary safeguards and transfer impact assessments may be required. The Indian recipient is subject to DPDPA compliance obligations.
GDPR SCC + supplementary safeguards may be requiredNo US-India Adequacy Determination
US organisations do not have a legal requirement under Indian law to use any specific transfer mechanism. However, if the US organisation is subject to GDPR (e.g., it processes EU resident data) and transfers that data to India, the transfer must comply with GDPR Chapter V (using SCCs). For purely US-India flows with no EU involvement, there are no restrictions under DPDPA or GDPR.
No India-specific transfer restrictionGDPR — EU to Other Jurisdictions
GDPR applies to any organisation processing EU resident data, regardless of where the organisation is located. EU organisations have Adequacy Determinations for a limited list of destinations (Canada, Japan, South Korea, etc.). For all other destinations, GDPR SCCs are required. The list of adequate jurisdictions under GDPR is more restrictive than under DPDPA.
Depends on destination adequacyDPDPA — India to Singapore and UAE
India has not yet issued formal Adequacy Determinations for Singapore or UAE. However, transfers to these jurisdictions are often made under the assumption of adequate protection based on mutual regulatory relationships and shared APAC standards. Organisations transferring to Singapore or UAE should use a Section 16-compliant mechanism and document their transfer arrangement in writing.
Entity-specific requirementsRBI — Payment and Settlement Data
The RBI Payment and Settlement Systems Act 1985 and RBI Master Directions require that certain payment system data and settlement data be stored and processed within India. No outbound transfer of these categories is permitted. The RBI framework applies to banks, payment service providers and other entities participating in RBI-regulated payment systems. This requirement operates independently of and is more restrictive than DPDPA Section 16.
Localisation required — no outbound transferIRDAI — Insurance Data
The Insurance Regulatory and Development Authority of India has issued data governance guidelines for life insurers, general insurers and health insurers covering the storage and processing of policyholder data. Certain categories of policyholder and health claims data are subject to requirements that restrict processing outside India. The IRDAI framework must be mapped alongside DPDPA obligations for any insurance entity with cross border data flows.
Sector requirements applySEBI — Securities Market Data
SEBI circulars impose data storage and retention obligations on market intermediaries — brokers, depositories, asset management companies and investment advisers — including requirements for certain trading records and client data to be maintained within India. Capital market participants must integrate SEBI data governance obligations into their transfer compliance framework before moving any regulated data outside India.
Sector requirements applyTransfer mechanisms and required documentation
Below is a framework for each of the three Section 16 mechanisms and the documentation that each requires.
| Mechanism | When Available | Required Documentation | Typical Timeline |
|---|---|---|---|
| Adequacy Determination | India has issued an Adequacy Determination for the destination country or international organisation | Copy of the Adequacy Determination. Standard contracts with recipients. Data transfer register. | No approval required. Update transfer register when transfers commence. |
| Standard Contractual Clauses | Transfer to any destination. DPB-approved SCC form not yet published; organisations using GDPR-adapted SCCs pending DPB guidance. | Approved SCC (once DPB form is published). Data Transfer Impact Assessment. Supplementary transfer safeguards if risks identified. Data Principal notification where required. Transfer register. | Immediate for interim arrangements using GDPR SCCs. May require adaptation once DPB form is published. |
| Binding Corporate Rule | Intra-group transfers. Company has multiple entities in different jurisdictions. Group has documented internal policies. | Binding Corporate Rule document. Approval from DPB (application process not yet specified). Copies to all group entities. Transfer register. | 3-6 months for DPB approval (estimated based on BCR frameworks in other jurisdictions). |
The DPB has not yet published approved Standard Contractual Clauses. Many organisations are currently using a DPDPA-adapted version of the GDPR SCC (Regulation (EU) 2021/914) pending publication of the DPB-approved form. This is an interim measure. Organisations should monitor DPB guidance and be prepared to adapt their documentation once the approved SCC form is available.
RBI, IRDAI and SEBI data localisation rules
Several Indian financial regulators have issued requirements that restrict the cross-border transfer of certain categories of regulated data. These requirements operate independently of DPDPA Section 16 — they are not overridden by compliance with DPDPA transfer mechanisms.
RBI — Payment and Settlement Data
The RBI Payment and Settlement Systems Act 1985 and RBI Master Directions require that certain payment system data and settlement data be stored and processed within India. No outbound transfer of these categories is permitted. The RBI framework applies to banks, payment service providers and other entities participating in RBI-regulated payment systems. This requirement operates independently of and is more restrictive than DPDPA Section 16.
Localisation required — no outbound transferIRDAI — Insurance Data
The Insurance Regulatory and Development Authority of India has issued data governance guidelines for life insurers, general insurers and health insurers covering the storage and processing of policyholder data. Certain categories of policyholder and health claims data are subject to requirements that restrict processing outside India. The IRDAI framework must be mapped alongside DPDPA obligations for any insurance entity with cross border data flows.
Sector requirements applySEBI — Securities Market Data
SEBI circulars impose data storage and retention obligations on market intermediaries — brokers, depositories, asset management companies and investment advisers — including requirements for certain trading records and client data to be maintained within India. Capital market participants must integrate SEBI data governance obligations into their transfer compliance framework before moving any regulated data outside India.
Sector requirements applySpeak with our cross border transfer practice
If you are structuring a transfer arrangement involving India, reviewing your existing documentation against the DPDP Rules 2025, or seeking advice on a sector-specific localisation requirement, our team is available to assist. Write to us directly or use the form below.
Complete the form and we will respond within one working day. For urgent transfer matters write directly to [email protected].
We will review and respond within one working day. For urgent matters write directly to [email protected].