
Vendor & Processor Governance for GCCs Under the DPDPA
Section 8(1) makes the Data Fiduciary's responsibility non-delegable: every vendor processing personal data on your behalf is your compliance exposure, and your vendor's breach is your liability. The Act says this applies irrespective of any agreement to the contrary.
GCCs operate within complex ecosystems of vendors, subcontractors and service providers. A typical large GCC in Bengaluru or Hyderabad engages AWS or Azure for cloud infrastructure, Randstad or TeamLease for staffing, Sodexo for facility management, Blue Dart for logistics, and dozens of specialised IT service providers. Each one processes personal data on behalf of the GCC. Under Section 8(1), the GCC as Data Fiduciary remains responsible for compliance in respect of any processing undertaken on its behalf by a Data Processor, irrespective of any agreement to the contrary; Section 8(2) adds that a Data Processor may be engaged only under a valid contract. Liability cannot be contractually delegated. The only defence is demonstrable governance.
Why Vendor Governance Is the GCC's Hidden Compliance Risk
Most GCCs have invested in their own compliance programmes. Few have extended that discipline to their vendor ecosystem.
A typical large GCC engages between 50 and 200 vendors that process personal data. These range from global cloud providers to local facility management companies. Each vendor represents an independent compliance surface. A data breach at your cafeteria vendor's biometric system is legally indistinguishable from a breach in your core IT infrastructure — the GCC is the Data Fiduciary and bears the regulatory consequence.
The DPDPA does not recognise the concept of "joint controllers" as the GDPR does. The liability framework is binary: the Data Fiduciary is responsible, and the Data Processor acts on its behalf. This means the GCC cannot share regulatory liability with a vendor, cannot cap its regulatory exposure through contractual limitations (commercial indemnities and caps between the parties are a separate, private matter), and cannot claim ignorance of a vendor's processing practices.
The practical challenge is enormous. GCCs must conduct privacy due diligence on every vendor, negotiate DPDPA-compliant Data Processing Agreements, implement ongoing monitoring, and retain audit rights. For GCCs with legacy vendor contracts — many of which pre-date the DPDPA — this requires a systematic renegotiation programme.
Vendor Governance Framework for GCCs
Six structural controls for managing third-party data processing risk under the DPDPA.
Vendor Privacy Due Diligence
Assess every vendor's data protection capabilities before engagement. Evaluate security infrastructure, privacy policies, incident response capabilities, and sub-processing arrangements. Risk-score vendors based on data sensitivity and processing volume.
DPDPA Data Processing Agreement
Execute Data Processing Agreements that specify: processing scope, data categories, retention limits, security safeguards, breach notification timelines, audit rights, sub-processing restrictions, and termination data handling obligations.
Security Safeguard Verification
Verify that vendors implement reasonable security safeguards as mandated by Rule 6 of the DPDP Rules, 2025. This includes encryption standards, access controls, logging mechanisms, and vulnerability management. Retain the verification evidence: a vendor's self-attestation without supporting artefacts (configuration exports, audit reports, log samples) is not verification.
Ongoing Monitoring & Audit
Implement continuous monitoring of vendor compliance through periodic audits, security assessments, incident reports, and compliance certifications. The duty of care is ongoing, not a one-time exercise.
Sub-Processor Controls
Vendors that further subcontract processing extend the accountability chain under Section 8(1). GCCs must mandate prior approval for sub-processing through DPA provisions, require equivalent contractual protections at each level, and maintain visibility into the complete processing chain.
Vendor Exit & Data Return
Define clear protocols for vendor exit: secure data return or deletion, certification of erasure, transition of services without data loss, and post-termination audit rights. Vendor lock-in must not compromise data protection.
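The due-diligence risk scoring, DPA clause checks and sub-processor visibility controls above are easier to operate from a vendor register than from a spreadsheet of contract dates. The following is an added illustration, not code from this page or from AMLEGALS: it scores each vendor on data sensitivity, processing volume and sub-processing depth, assigns a tier that drives due-diligence depth and audit frequency, checks the vendor's contract against the clause list in the Data Processing Agreement control, and orders the renegotiation queue. The category weights, volume bands, tier thresholds and the sample vendors are constructed assumptions; neither the Act nor the Rules prescribe any of these numbers.

```python
"""Vendor register risk-tiering for a DPDPA vendor governance programme.

Illustrative code added to this page, not the firm's own tooling. The
category weights, volume bands, tier thresholds and sample vendors are
constructed assumptions; the Act and Rules prescribe none of these numbers.
"""
from dataclasses import dataclass

# Assumed sensitivity weight per data category. The DPDPA has no statutory
# "sensitive personal data" class, so this ranking is a programme design choice.
CATEGORY_WEIGHT = {
    "contact": 1, "hr": 2, "financial": 3,
    "health": 4, "biometric": 5, "children": 5,
}

# Clauses every Data Processing Agreement must carry (the DPA control above).
REQUIRED_DPA_CLAUSES = frozenset({
    "scope", "data_categories", "retention", "security_safeguards",
    "breach_notification", "audit_rights", "subprocessing", "termination",
})


@dataclass
class Vendor:
    name: str
    categories: list            # data categories the vendor handles for the GCC
    records: int                # approximate number of Data Principals affected
    subprocessor_depth: int     # 0 = none, 1 = direct sub-processors, 2 = deeper
    dpa_clauses: frozenset = frozenset()
    contract_predates_act: bool = False


def volume_band(records: int) -> int:
    """Assumed order-of-magnitude bands: 1 (<1k), 2 (<10k), 3 (<100k), 4 (100k+)."""
    for band, limit in enumerate((1_000, 10_000, 100_000), start=1):
        if records < limit:
            return band
    return 4


def risk_score(v: Vendor) -> int:
    """Sensitivity x volume, plus a penalty for each sub-processing layer the
    GCC must see through to keep the accountability chain visible."""
    sensitivity = max((CATEGORY_WEIGHT.get(c, 1) for c in v.categories), default=0)
    return sensitivity * volume_band(v.records) + 2 * v.subprocessor_depth


def tier(score: int) -> str:
    """Assumed thresholds driving due-diligence depth and audit frequency."""
    if score >= 12:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def dpa_gaps(v: Vendor) -> list:
    """Required DPA clauses the vendor's current contract does not contain."""
    return sorted(REQUIRED_DPA_CLAUSES - v.dpa_clauses)


def needs_renegotiation(v: Vendor) -> bool:
    return bool(dpa_gaps(v)) or v.contract_predates_act


def renegotiation_queue(vendors: list) -> list:
    """Vendors whose contracts need amending, highest risk first, as
    (name, tier, missing clauses) tuples. Fully papered vendors are left to
    ongoing monitoring rather than queued."""
    due = [v for v in vendors if needs_renegotiation(v)]
    due.sort(key=lambda v: (-risk_score(v), v.name))
    return [(v.name, tier(risk_score(v)), dpa_gaps(v)) for v in due]


def register_report(vendors: list) -> dict:
    """Name -> tier for the whole register, for the monitoring schedule."""
    return {v.name: tier(risk_score(v)) for v in vendors}


FULL = REQUIRED_DPA_CLAUSES

# Constructed sample register; names and figures are invented for illustration.
SAMPLE_VENDORS = [
    Vendor("cloud-iaas", ["hr", "financial", "contact"], 250_000, 1, FULL),
    Vendor("facility-access", ["biometric", "contact"], 4_000, 0,
           frozenset({"scope", "security_safeguards"}), contract_predates_act=True),
    Vendor("staffing", ["hr", "financial"], 15_000, 2, FULL - {"subprocessing"}),
    Vendor("courier", ["contact"], 800, 0, FULL),
]

if __name__ == "__main__":
    for name, t, gaps in renegotiation_queue(SAMPLE_VENDORS):
        print(f"{name:16} {t:8} missing: {', '.join(gaps) or '-'}")
    print(register_report(SAMPLE_VENDORS))
```

Running it prints the renegotiation queue (vendors with missing DPA clauses or pre-Act contracts, highest risk first) followed by a tier for every vendor. Note that the fully papered cloud provider carries the highest raw score yet does not appear in the queue: a complete DPA moves a vendor from renegotiation to ongoing monitoring, it does not lower its tier or reduce the audit effort the tier calls for.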
The Vendor Liability Cascade: Why GCCs Cannot Outsource Compliance
Section 8(1) creates an accountability architecture where the Data Fiduciary bears the full weight of every vendor's failure.
The DPDPA's liability model under Section 8(1) is unambiguous in its direction: even where processing is carried out by a Data Processor on behalf of a Data Fiduciary, it is the obligation of the Data Fiduciary to ensure compliance, irrespective of any agreement to the contrary. This operates as an effectively non-delegable responsibility: the GCC retains accountability for the vendor's processing practices regardless of contractual allocation. While no Board adjudication has yet tested the precise boundaries of this standard, the legislative architecture leaves little room for a reasonable-care defence to liability itself; the governance record bears on the Board's assessment of the penalty, since the Act's penalty factors include the mitigating action a person took, not on whether the GCC is answerable. This transforms vendor governance from a procurement function into a legal and regulatory compliance function that requires Board-level attention.
“Your vendor's data breach becomes your regulatory proceeding. The Data Protection Board will not ask whether your vendor had a good privacy policy. It will ask what you did to verify it.”
— AMLEGALS GCC Privacy Practice
Frequently Asked Questions
Key questions on GCC vendor privacy governance under the DPDPA.
Can a liability cap in the vendor contract limit the GCC's DPDPA exposure?
Commercial liability caps between the GCC and its vendor are a matter of private contract. However, regulatory liability under the DPDPA cannot be contracted away. The Data Protection Board will hold the Data Fiduciary (the GCC) responsible regardless of contractual allocations between the parties.
Are cloud providers Data Processors under the DPDPA?
Yes. Cloud providers processing personal data on behalf of the GCC are Data Processors under the DPDPA. The GCC must ensure that the provider's terms satisfy DPDPA requirements for security safeguards, any cross-border transfer restrictions notified under the Act, breach notification, and audit rights. Standard cloud provider terms may require supplementation.
What about vendor contracts that pre-date the DPDPA?
Legacy contracts must be amended to include DPDPA-compliant provisions. This requires a systematic review programme: identify all vendors processing personal data, assess contractual gaps, and negotiate amendments or new DPAs. Priority should be given to vendors processing high-volume or sensitive data.
Is our facility management company a Data Processor?
If the facility management company processes personal data (visitor logs, CCTV footage, biometric access data, employee transport information) on behalf of the GCC, it is a Data Processor. The scope of "personal data" under the DPDPA is broad, and facility vendors frequently process it.
Architect Your GCC's Vendor Privacy Governance Programme
Our engagement maps your entire vendor ecosystem, builds DPDPA-compliant DPA frameworks, and establishes ongoing governance controls.
