Section 8(2) of the DPDPA creates an effectively non-delegable responsibility for Data Fiduciaries over their Data Processors. Unlike GDPR Article 28, which provides detailed processor contract requirements, the DPDPA delegates the specifics to the Rules. Rule 6 of the DPDP Rules, 2025 now operationalises this obligation with concrete contractual requirements. For foreign entities operating in India through outsourced IT services, cloud providers, payroll processors, or managed service providers, the gap between their existing global DPA and DPDPA's requirements represents an immediate compliance risk. This article maps the 11 essential clauses that must appear in every DPDPA-compliant processor agreement.
The Non-Delegable Responsibility Framework
DPDPA Section 8(2) establishes that the Data Fiduciary retains responsibility for the actions of its Data Processor. This is not a contractual liability pass-through — it is a statutory responsibility that cannot be transferred through indemnity clauses, liability caps, or limitation-of-liability provisions. When a processor breaches personal data, the Fiduciary faces Board proceedings regardless of contractual allocation. This framework means that a foreign entity's India subsidiary cannot contractually insulate itself from processor failures. The subsidiary must demonstrate active governance: due diligence before engagement, ongoing monitoring during the contract, and documented oversight of processing activities.
Key Points
- Statutory responsibility — cannot be transferred contractually
- Indemnity clauses do not reduce Board exposure
- Active governance required: due diligence + ongoing monitoring
- Fiduciary faces proceedings for processor breaches
The 11 Essential Clauses Under Rule 6
A DPDPA-compliant processor contract must address:
(1) Specific processing scope — what data, for what purpose, under what conditions.
(2) Security safeguards — technical and organisational measures commensurate with the data sensitivity.
(3) Sub-processor controls — prior written approval, flow-down obligations, sub-processor register.
(4) Data Principal rights facilitation — processor's obligation to assist with access, correction, and erasure requests within SLAs.
(5) Breach notification — processor must notify Fiduciary without delay, enabling compliance with Rule 7 timelines.
(6) Deletion on termination — complete erasure or return of personal data upon contract conclusion.
(7) Audit rights — Fiduciary's right to audit or appoint an independent auditor.
(8) Processing records — maintenance of processing activity logs.
(9) Confidentiality — binding on processor personnel.
(10) Cross-border restrictions — processor cannot transfer data outside India without Fiduciary's instruction, subject to Section 16.
(11) Cooperation with Board — processor must assist in Board proceedings and information requests.
Key Points
- Specific scope — not open-ended processing authority
- Sub-processor requires prior written approval
- Breach notification to Fiduciary without delay
- Complete data deletion on contract termination
Where Global DPAs Fall Short
Most multinational enterprises rely on standardised Data Processing Agreements drafted for GDPR compliance. These agreements fail DPDPA requirements in several critical areas. First, GDPR DPAs reference Standard Contractual Clauses (SCCs) for cross-border transfers — DPDPA has no SCC equivalent; it uses the negative list approach under Section 16. Second, GDPR DPAs specify a 72-hour breach notification period — DPDPA Rule 7 requires notification "without unreasonable delay" and mandates parallel CERT-In reporting. Third, GDPR DPAs may permit sub-processing with notification-only — DPDPA requires prior written approval. Fourth, GDPR DPAs often include mutual limitation-of-liability clauses — these have no effect on statutory Board proceedings under DPDPA. A foreign entity that relies solely on its global DPA for India operations has a documentation gap that becomes evident only during a Board inquiry.
Key Points
- No SCC equivalent — negative list model instead
- CERT-In parallel reporting not covered in GDPR DPAs
- Sub-processor: approval required, not just notification
- Limitation-of-liability clauses irrelevant to Board
Practical Implementation for Foreign Entities
The implementation path for foreign entities involves three workstreams. First, audit all existing India processor relationships — IT outsourcing (TCS, Infosys, Wipro, HCL), cloud providers (AWS India, Azure India), HR platforms (Workday, SAP SuccessFactors), CRM systems (Salesforce), and managed security providers. Second, develop a DPDPA-specific addendum template that supplements (not replaces) the global DPA. This addendum addresses the gaps identified above — DPDPA-specific scope, Indian breach notification chain, sub-processor approval mechanism, Board cooperation obligations, and Section 16 transfer conditions. Third, establish a processor governance calendar: annual audit rights exercise, quarterly sub-processor register review, breach simulation drills, and contract renewal checkpoints. Documentation of these governance activities becomes the primary evidence in Board proceedings.
Key Takeaways
- Section 8(2) creates non-delegable responsibility — contractual indemnities do not reduce Board exposure
- Every India processor contract needs 11 essential DPDPA clauses beyond standard GDPR DPA terms
- Global DPAs fail on four DPDPA-specific requirements: SCCs, breach timelines, sub-processor approval, Board proceedings
- Develop a DPDPA addendum template that supplements your global DPA for all India processor relationships
- Establish a processor governance calendar with audit exercises, sub-processor reviews, and breach simulations
- Documentation of governance activities is the primary defence in Board proceedings
