Under India's DPDP Act 2023, cross-border transfers of personal data are generally permitted except to countries restricted by the government, and sector regulators may impose stricter localisation. In 2026, organisations should document every transfer and destination in their RoPA, apply contractual safeguards, and offer India data-residency options where required.
The DPDP approach to transfers
Rather than a strict whitelist, the DPDP Act takes a negative-list approach: transfers are permitted except to jurisdictions the government restricts. Sector regulators can still mandate localisation for specific data.
Documentation and safeguards
Record every cross-border transfer, its destination and purpose in your RoPA, and apply contractual and security safeguards with overseas processors.
Data residency for regulated sectors
BFSI, telecom and government often need India-resident hosting. Choose platforms that offer dedicated India data residency to satisfy both DPDP and sector rules.
FAQ
Yes, cross-border transfers are generally permitted under the DPDP Act 2023 except to government-restricted countries, though sector regulators may require data localisation for certain data.