The DPDPA applies to the processing of digital personal data within the territory of India and, under Section 3(a), to processing outside India where such processing is in connection with any activity related to offering of goods or services to data principals within the territory of India. Incorporation abroad provides no exemption. The Act applies to the activity, not the location of the processor.
Why foreign companies must address DPDPA compliance before entering the Indian market
India's Digital Personal Data Protection Act 2023 received Presidential assent on 11 August 2023. The DPDP Rules 2025 were notified by the Ministry of Electronics and Information Technology on 13 November 2025. Together, they form the operative framework for personal data protection in India - one of the world's largest consumer markets and a jurisdiction where data principal rights, consent obligations and breach notification requirements are now enforceable.
The Act's extra-territorial provision, contained in Section 3(a), makes clear that the DPDPA is not limited to entities with a registered presence in India. Any foreign company offering goods or services to individuals located in India - through a website, a mobile application, an e-commerce platform or any other digital channel - falls within the Act's scope. This includes companies that collect personal data from Indian users even without any intention of serving the Indian market, where the data collection itself is in connection with a service accessible to Indian residents.
For a foreign company entering India, the DPDPA compliance question is not whether the Act applies. For most digital businesses, it does. The question is what compliance requires in practice: what consent must be obtained, in what form, through what mechanism; what notice must be provided to data principals; what rights those data principals hold and how they must be honoured; what agreements must be in place with data processors operating in India; and how a personal data breach must be handled and notified to the Data Protection Board.
AMLEGALS advises foreign companies on each of these questions as part of a structured India market entry engagement, delivering the legal opinions, documentation and compliance frameworks that an India launch requires.
The Act applies if any of the following describe your India engagement
Your company is in scope if you:
- Offer goods or services to individuals located in India through any digital channel
- Collect or process personal data of individuals who are in India at the time of collection
- Profile the behaviour of individuals located in India
- Operate a website or application accessible to Indian users where personal data is collected
- Process personal data of Indian employees, contractors or outsourcing staff
- Use Indian outsourcing or technology service providers who process personal data on your behalf
- Transfer personal data that was collected in India to your servers or affiliates outside India
- Conduct clinical trials, research studies or surveys involving individuals located in India
The obligations this triggers:
- Consent that is free, specific, informed, unconditional and unambiguous before processing begins
- A privacy notice in the format prescribed by the DPDP Rules 2025 before or at the time of consent
- Honouring data principal rights - information, correction, erasure and grievance redressal
- Reasonable security safeguards appropriate to the volume and sensitivity of data processed
- Notification to the Data Protection Board and affected data principals on a personal data breach
- A written data processing agreement with each data processor operating on your behalf in India
- Verifiable parental consent before processing personal data of any individual under 18 years
- DPO appointment as Key Managerial Personnel if classified as a Significant Data Fiduciary
DPDPA obligations for foreign companies - mapped by the nature of India engagement
The DPDPA's obligations apply uniformly to every data fiduciary within its scope. What varies by entity type is the intensity of those obligations - principally the risk of classification as a Significant Data Fiduciary, which triggers materially enhanced requirements. The table below maps the most common foreign company scenarios to their primary obligations and SDF classification risk.
| Scenario | DPDPA Applies | Primary Obligations | SDF Risk |
|---|---|---|---|
| Foreign digital platform or SaaS with Indian users | Yes | Consent and notice in prescribed form, data principal rights management, breach notification, security safeguards, data processor agreements | High where user base is large |
| Foreign company with Indian subsidiary or branch | Yes | Full DPDPA compliance for the India entity as data fiduciary, DPO as KMP if SDF classification notified | Medium to high |
| EU or UK company with Indian outsourcing or BPO arrangements | Yes | Written data processing agreements with Indian processors covering security, sub-processor restrictions, deletion and breach notification. GDPR obligations also apply on the EU side. | Low to medium |
| Foreign employer processing personal data of Indian employees or contractors | Yes | Consent or legitimate use basis for employee data processing, HR data governance policies, transfer documentation for data flows outside India | Low |
| Foreign e-commerce platform with Indian customers | Yes | Consent, notice, rights infrastructure, restrictions on marketing to minors, breach notification to DPB and affected data principals | Medium to high |
| Foreign pharmaceutical or healthcare company with India clinical operations | Yes | Consent for sensitive health data, compliance with ICMR guidelines alongside DPDPA, cross-jurisdiction health data transfer documentation | High |
| Foreign fintech or payment services company in India | Yes | DPDPA obligations plus RBI data governance requirements including payment system data localisation - no transfer of payment data outside India without RBI compliance | High |
| Foreign B2B company with no direct Indian consumer contact | Review | May apply where Indian employees or contractors are involved. Requires a case-by-case applicability assessment before a definitive view can be given. | Low |
Foreign companies processing Indian data at scale are directly exposed to SDF classification
Under Section 10 of the DPDPA, the Central Government may notify any data fiduciary - including a foreign data fiduciary - as a Significant Data Fiduciary on the basis of the volume and sensitivity of personal data processed, the risk of harm to data principals, impact on national security or sovereignty, risk to electoral democracy, and the interests of children. SDF classification is not limited to Indian entities. Any foreign company processing large volumes of Indian personal data - a major social media platform, a global cloud service provider with Indian users, a large fintech operating in India - is directly within the classification criteria.
Classification as an SDF triggers four additional obligations beyond the standard DPDPA requirements: appointment of a Data Protection Officer drawn from key managerial personnel of the entity; engagement of an independent Data Auditor registered with the Data Protection Board; periodic Data Protection Impact Assessments; and such further transparency obligations as the Central Government may prescribe. Foreign companies should assess their SDF exposure as part of their India entry planning, not after classification has been notified.
A structured approach to DPDPA compliance for foreign companies entering India
AMLEGALS has advised foreign companies across a range of entry structures - digital platforms launching in India for the first time, European and US multinationals establishing Indian subsidiaries, technology companies with Indian outsourcing arrangements, and pharmaceutical companies with India clinical programmes. The compliance questions differ by sector and entry structure, but the work follows a consistent sequence. What follows is a practical description of how that work is structured.
Understanding What the DPDPA Requires of Your Specific Entry Structure
Before any documentation is prepared or any consent mechanism is designed, the threshold question must be answered with precision: does the DPDPA apply, on what basis, to which data flows, and with what intensity? We conduct a written applicability assessment covering the nature and categories of personal data that will be processed, the identity of the data principals involved, the legal basis for each processing activity, the SDF classification risk, and the interaction of DPDPA obligations with any applicable foreign regulatory framework - GDPR, UK GDPR, CCPA, PDPA or otherwise. This opinion forms the legal foundation for everything that follows and is the document on which an entry decision can be made with legal confidence.
Preparing the Documentation the DPDPA and DPDP Rules 2025 Require
The DPDP Rules 2025 prescribe specific requirements for the form and content of privacy notices, the mechanism for obtaining and recording consent, and the terms that data processing agreements with processors must contain. We draft each of these documents to the prescribed standard: the consent notice in the format required by Rule 3, the consent record in the form required for audit purposes, data processing agreements with each India-based vendor and processor, Records of Processing Activity for the India operations, and transfer documentation for personal data flows to the home jurisdiction or other foreign countries. Where the entry structure involves a GDPR or UK GDPR dimension, we draft combined instruments that satisfy both the DPDPA and the applicable European requirement in a single document.
Embedding Compliance into the India Launch
Documentation alone does not produce compliance. The consent notice must be served to data principals before or at the time of data collection through a mechanism that records the consent. The data processing agreements must be executed with each processor before processing commences. The data principal rights infrastructure - the mechanism through which an Indian resident can request information about their data, seek correction, request erasure or raise a grievance - must be operational before the first Indian user engages with the product or service. We work with your legal, product and technology teams to ensure that each of these elements is in place and functioning at the time of launch, not as a post-launch retrofit.
Pre-Launch Sign-Off and Continuous Regulatory Monitoring
We conduct a pre-launch DPDPA readiness review, confirm that each required element is in place, and provide a written legal opinion on compliance posture that your Board and external advisers can rely on. After launch, we provide ongoing advisory covering regulatory developments from the Data Protection Board and MeitY, annual compliance review against current regulatory requirements, breach response advisory on call, and specific guidance on new obligations as SDF classification criteria and restricted-destination notifications are published by the Central Government.
Transferring personal data between India and your home jurisdiction
Section 16 of the DPDPA provides that personal data may be transferred by a data fiduciary to any country or territory outside India, except to countries or territories notified by the Central Government as restricted destinations. As at April 2026, the Central Government has not notified any restricted destinations. All international transfers of personal data from India are accordingly currently permitted under the DPDPA, subject to the data fiduciary otherwise complying with the Act's requirements for consent, security safeguards and data processor agreements.
This negative-list approach is more permissive than the adequacy-first framework under the EU General Data Protection Regulation. A foreign company transferring personal data from India to its home jurisdiction does not require a transfer mechanism under the DPDPA as a matter of current law. It does, however, require a DPDPA-compliant data processing agreement with any Indian entity that processes the data as a processor - and it must comply with the data protection law of the receiving jurisdiction at the destination end of the transfer.
Restricted-destination notifications are expected as the regulatory framework develops. Organisations should structure their transfer documentation now so that any future notification can be addressed without operational disruption to India operations that rely on international data flows.
India to EU and UK
Currently permitted under Section 16 of the DPDPA. At the EU or UK end, the GDPR or UK GDPR apply. India has no adequacy decision from the European Commission or the UK ICO, so the Indian entity is a data exporter for GDPR purposes and the transfer requires Standard Contractual Clauses or Binding Corporate Rules at the EU or UK end. AMLEGALS prepares combined DPDPA and GDPR documentation for this corridor as a single instrument.
India to United States
Currently permitted under Section 16. No federal transfer mechanism is required in the US, but CCPA, CPRA and applicable state privacy laws impose obligations at the receiving end depending on the nature of the data and the states in which affected data principals are located. AMLEGALS advises on the India-side documentation and the applicable US privacy law obligations at the destination.
India to Singapore and UAE
Currently permitted under Section 16. Singapore's Personal Data Protection Act and the UAE Federal Decree-Law No. 45 of 2021 apply at the respective receiving ends. For UAE entities in the DIFC or ADGM, the applicable free zone framework - each of which differs from the federal law - must be identified and addressed. AMLEGALS structures the complete transfer documentation for both corridors.
The RBI's Payment System Data Storage circular of 6 April 2018 requires all payment system data to be stored exclusively in India. This obligation operates independently of the DPDPA and is not displaced by Section 16's permissive transfer model. Fintech and payment companies entering India must address RBI localisation requirements as a separate compliance exercise alongside their DPDPA obligations.