Cross-Border Data Transfers for GCCs Under the DPDPA
Navigating Section 16 restrictions, sector-specific localisation mandates, and the contractual architecture required for every outbound data flow from an Indian GCC.
Every GCC in India routes data across borders. Under the DPDPA, every one of those transfers must be defensible.
Global Capability Centres — from Google's Bengaluru campus to JPMorgan's Mumbai operations to Goldman Sachs's Hyderabad hub — exist to centralise operations across jurisdictions. By definition, they transfer personal data: employee records, customer data, analytics, HR records to parent entities in the US, UK, EU, and other markets. Section 16 of the DPDPA empowers the Central Government to restrict transfers to specific countries through notification. The absence of a published restricted-territory notification does not eliminate the obligation — it elevates the need for contemporaneous documentation, contractual safeguards, and transfer impact assessments.
Why Cross-Border Transfers Are the GCC's Most Exposed Compliance Surface
The DPDPA's cross-border framework is deceptively simple in structure but profoundly complex in implementation for GCC operations.
In AMLEGALS's reading, Section 16 operates as a permissive-with-exception model: data may be transferred outside India except to territories the Central Government may restrict by notification. This interpretation is the prevailing industry reading, though the final contours will be shaped by the transfer rules when notified. The practical challenge becomes apparent when mapped against GCC reality. A single GCC may transfer data to 15+ jurisdictions simultaneously — to the parent company in the US, shared service centres in the Philippines, cloud infrastructure in Ireland, and analytics teams in Singapore. Each transfer must be documented, justified, and defensible.
Layered on top of Section 16 are sector-specific localisation mandates. RBI's Directive on Storage of Payment System Data (2018) requires that payment data be stored exclusively in India. IRDAI mandates that policyholder data remain within Indian jurisdiction. SEBI has issued circulars on data handling for market intermediaries. A GCC operating across financial services must navigate this sectoral overlay alongside the DPDPA's horizontal framework.
The strategic risk is not just regulatory penalty. It is operational disruption. A restrictive notification under Section 16 could, overnight, require a GCC to re-architect data flows that have been operational for years. Organisations that have not mapped their cross-border transfers and built contractual resilience will face a compliance crisis with operational consequences.
Cross-Border Transfer Architecture for GCCs
Six structural elements every GCC must implement to achieve defensible cross-border data transfer compliance.
Transfer Flow Cartography
Map every outbound data transfer — destination country, data categories, processing purpose, recipient entity, and legal basis. This cartography must be maintained as a living document, updated with every new data flow.
Transfer Impact Assessment
Conduct a structured assessment of data protection adequacy in each recipient jurisdiction. Evaluate legal framework, enforcement track record, surveillance laws, and judicial remedies available to Indian Data Principals.
Contractual Safeguards
Implement Data Processing Agreements with every recipient entity — including parent companies. These must specify processing scope, retention limits, breach notification obligations, and audit rights. Standard contractual clauses from GDPR do not automatically satisfy DPDPA requirements.
Technical Transfer Controls
Implement encryption in transit and at rest for all cross-border transfers. Maintain access controls at the recipient end. Log all transfer events for audit trail purposes.
Sector-Specific Localisation
Identify data categories subject to sectoral localisation mandates. Ensure payment data (RBI), insurance data (IRDAI), and market data (SEBI) remain within Indian jurisdiction even where the DPDPA permits transfer.
Regulatory Monitoring
Establish a monitoring mechanism for Section 16 notifications. The Central Government may notify restricted territories at any time. The GCC must be able to respond operationally within days, not months.
The Negative List Question: What GCCs Must Prepare For
The absence of a notified negative list is not a compliance holiday. It is the window in which defensible architecture must be built.
The Central Government has not yet notified any country under Section 16. This creates a false sense of security among GCCs. The correct interpretation is that transfers are currently permissible, but must be documented with contemporaneous evidence of due diligence. When the negative list is eventually notified — and the legislative power exists specifically for this purpose — GCCs that have not mapped their transfers, assessed recipient jurisdictions, and built contractual flexibility will face an immediate compliance crisis. The strategic imperative is clear: build the architecture now, while the regulatory environment is permissive.
“The GCC that documents its cross-border transfers today builds its defence for the adjudication of tomorrow. The one that waits for the negative list will have neither the architecture nor the evidence.”
— AMLEGALS GCC Privacy Practice
Frequently Asked Questions
Key questions on gcc cross-border compliance under the DPDPA.
Currently, yes — provided the US has not been notified as a restricted territory under Section 16. However, the GCC must document the transfer with a lawful basis (consent under Section 6 or legitimate use under Section 7), implement contractual safeguards, and maintain transfer records for audit purposes.
No. GDPR SCCs are designed for EU adequacy requirements. The DPDPA has a fundamentally different transfer framework under Section 16. GCCs must implement DPDPA-specific contractual safeguards that address Indian statutory obligations, including breach notification to the Data Protection Board and rights of Indian Data Principals.
The GCC must immediately cease transfers of personal data to that jurisdiction or implement approved alternative mechanisms. This may require data localisation within India, re-routing data flows, or obtaining specific government approvals. GCCs should prepare contingency architectures in advance.
Yes. If personal data of Indian Data Principals is stored or processed on cloud infrastructure located outside India, it constitutes a cross-border transfer under the DPDPA. GCCs using AWS, Azure, or GCP must evaluate the data residency of their cloud deployments.
Architect Your GCC's Cross-Border Transfer Framework
Our counsel-led engagement maps every outbound data flow, assesses recipient jurisdictions, and builds contractual and operational architecture that withstands regulatory scrutiny.