Personal data can flow across borders, but not without guardrails. Section 16 permits transfers to countries not restricted by the Central Government. Before you transfer, you must assess the destination and document your compliance basis.
The Negative List Approach
DPDPA takes a negative list approach to cross-border transfers. Data can flow to any country unless the Central Government has specifically restricted transfers to that country. This is different from GDPR adequacy decisions. Until restrictions are published, transfers are generally permitted.
Transfer Assessment Process
Even without a restricted list, prudent practice requires assessment before transfer. Where is the data going? What protections exist in that jurisdiction? Can you enforce contractual safeguards? This assessment demonstrates due diligence.
- Destination country identification
- Legal framework in destination
- Contractual protections in place
- Enforcement mechanisms available
- Risk assessment documentation
Contractual Safeguards
Regardless of destination country status, your contracts with overseas recipients should include DPDPA-aligned protections. Purpose limitations. Security requirements. Breach notification. Sub-processing controls. These contractual safeguards travel with the data.
Monitoring for Changes
The Central Government may restrict transfers to specific countries at any time. You must monitor for such announcements and be prepared to halt or reroute data flows if restrictions are imposed.
Essential Clauses
Transfer Inventory
Section 16List of all cross-border transfers and destinations
Destination Assessment
Section 16Analysis of each destination legal framework
Contractual Protections
Section 16DPDPA-aligned clauses in transfer agreements
Restriction Monitoring
Section 16Process for tracking government restrictions
Contingency Planning
Section 16Response plan if destination becomes restricted
Data Principal Notification
Section 5How transfers are disclosed in privacy notices
Implementation Steps
Inventory all data flows crossing Indian borders
Identify destination countries for each transfer
Research legal frameworks in each destination
Review existing contracts for DPDPA alignment
Update contracts to include required protections
Document assessment rationale for each transfer
Establish monitoring for government restriction announcements
Develop contingency plans for potential restrictions
Frequently Asked Questions
Need This Document Drafted?
Understanding the requirement is the first step. Having it implemented correctly is what protects your organization. Our team drafts DPDPA-compliant documents tailored to your specific operations.
Get in Touch