Consider a US-based SaaS company that sells HR software to Indian businesses. It has no Indian entity, no Indian servers and no contract with any Indian employee. Its customers are the employers; the data it holds belongs to their staff. On the ordinary intuition about territorial law, India's data protection statute is somebody else's problem. That intuition is wrong. The Digital Personal Data Protection Act, 2023 reaches the company through its extraterritoriality provision, and the real questions are what role it occupies, what it answers for, and when.
Does the Act Reach a Company With No Presence in India?
Section 3 defines the Act's reach in two limbs. Section 3(a) is territorial, applying the Act to processing of digital personal data within India where the data is collected in digital form, or in non-digital form and digitised subsequently. Section 3(b) is not:
The Act also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.
A US company offering HR software to Indian businesses whose employees sit in India falls squarely inside Section 3(b). The processing happens outside India; the offering of services runs to Data Principals inside it. That is the whole test. Location outside India is not a defence, and there is no carve-out for a foreign vendor who deals only with Indian corporate customers rather than with the individuals whose data it holds.
The data qualifies without argument. Personal data under Section 2(t) is any data about an individual identifiable by or in relation to it, which covers the standard HR payload: employee ID, name, email, phone, employment history, performance ratings, salary. Processing under Section 2(x) runs from collection, storage and retrieval through use and sharing to erasure. An HR platform performs most of that list before lunch. The Data Principal under Section 2(j) is the individual to whom the data relates, here the employee.
Fiduciary or Processor: The Classification That Decides Everything
A Data Fiduciary, under Section 2(i), determines the purpose and means of processing. A Data Processor, under Section 2(k), processes personal data on behalf of a Fiduciary. In the ordinary HR arrangement the Indian employer decides that employee data will be collected and why: payroll, performance management, statutory compliance. The employer is the Data Fiduciary, and the vendor executing those purposes through its software is the Data Processor. That is the likely classification, not an automatic one. A vendor that decides for itself what data to collect, how to use it or who may see it starts to look like a Fiduciary, or a joint Fiduciary, and the answer turns on conduct rather than on what the contract calls the parties.
Notice, Consent, and the Employment Exception
Section 5(1) requires that every consent request under Section 6 be accompanied or preceded by a notice informing the Data Principal of the personal data and the purpose of processing, the right to withdraw consent, the consequences of not consenting, the contact details of the person who answers questions about processing, and the addresses of the Data Fiduciary, Data Processor, Data Protection Officer and Consent Manager where there is one. Rule 3 of the DPDP Rules 2025 requires plain, itemised language distinguishing between different purposes.
Consent itself is governed by Section 6(2):
Consent shall be free, specific, informed, unambiguous and unconditional with a clear affirmative action.
Each adjective does work: separate consent for separate purposes, not bundled with other terms, and opt-in, so pre-ticked boxes and silence do not qualify. Section 6(6) adds that consent may be withdrawn at any time, and that withdrawal must be as simple as giving consent was. A platform that buries the withdrawal path three screens deep after a one-click acceptance has not met that standard.
The employment ground under Section 7(e)
Section 7 permits processing without consent for a list of "certain legitimate uses". For HR software the operative entry is Section 7(e), processing necessary for the purposes of employment: payroll, performance appraisal, leave and attendance, compliance with employment laws, workplace safety, benefits administration.
The ground is narrower than it looks. Processing must be necessary rather than merely convenient, limited to the data those purposes require, and proportionate to the employment relationship. More to the point, Section 7(e) disapplies consent and nothing else. Notice under Section 5, security under Section 8(5), retention limits, the rights in Sections 11 to 14 and breach reporting under Section 8(6) all continue to bite. A vendor that markets Section 7(e) to its Indian customers as a compliance shortcut is selling something the section does not contain.
Section 6(9), read with Rule 4, adds Consent Managers: independent entities registered with the Board that manage consent for Data Principals, keep consent records for at least seven years, act without conflicts of interest, and run interoperable platforms spanning multiple Fiduciaries. Registration requires a minimum net worth of Rs 2 crore. As of July 2026 none has been registered.
What the Fiduciary Owes, and Why Contract Cannot Shift It
Section 8(1) is the hinge of the architecture:
A Data Fiduciary shall be responsible for complying with the provisions of this Act and shall be liable for the processing of personal data by a Data Processor on its behalf.
This is non-delegable. Engaging a processor does not move the statutory exposure; the Indian employer answers to the Board for what its US vendor does. Section 8(2) permits engagement of a processor only under a valid contract, and while the Act does not prescribe that contract's terms, the requirement is real.
The rest of Section 8 is cumulative: reasonable steps to keep data accurate and not misleading (8(3)); no retention beyond what the purpose requires or another law specifies (8(4)); reasonable security safeguards, extending expressly to processing carried out by a processor on the Fiduciary's behalf (8(5)); a grievance mechanism (8(8)); and published contact details for questions about processing (8(10)). Rule 6 puts content into the security standard: encryption in transit and at rest, access controls, regular audits, breach detection, secure deletion and activity logging.
Section 10 adds a tier for Fiduciaries designated Significant, a status resting on the volume and sensitivity of data processed, risk to Data Principals' rights, impact on national security or public order, and threats to electoral democracy. An SDF must appoint a Data Protection Officer based in India, conduct annual Data Protection Impact Assessments and undergo annual independent audits. A vendor holding employee data for many large Indian employers has an obvious interest in whether this catches it, and cannot yet know: the Central Government has not notified the designation criteria.
The processor's position: exposure without direct obligation
The DPDPA differs structurally from the GDPR here. It imposes no independent statutory obligations on processors, making Fiduciaries answerable for their processors' conduct instead, so vicarious liability runs to the Fiduciary even where the processor acted negligently. That does not make the foreign vendor safe. Its exposure simply arrives through the contract rather than the statute, and neither side can allocate the statutory liability away: a Data Processing Agreement stating that the Indian client is solely responsible for DPDPA compliance changes nothing, because the client still answers to the Board and the vendor still answers to the client. What the agreement can do is fix scope and purpose, set security obligations, require immediate breach notification to the Fiduciary, bar sub-processors without prior written authorisation while pushing equivalent obligations down the chain, require assistance with Data Principal rights, preserve audit rights, require certified deletion on termination, and carry indemnities.
Moving Employee Data to the United States
Section 16(1) provides that the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. Read on its own terms, this is a power to restrict named destinations, not a permission regime requiring clearance before export. The provision is additionally described as establishing a two-tier framework under which the Government may notify countries offering adequate protection, with transfers elsewhere depending on notified conditions or on safeguards such as Standard Contractual Clauses. The two readings sit uneasily together and the point is not resolved here. Both agree on the operative fact: as of July 2026 no notification of any kind has issued in respect of the United States, and no adequacy determination exists for any country. Transfers rest on contractual and technical safeguards, not on any official finding.
Section 16(2) preserves any Indian law imposing a higher degree of protection or restriction on transfers, which keeps sectoral regimes alive alongside the Act. RBI localisation requirements for certain financial data, SEBI restrictions on securities-related data and MeitY notifications on critical data can each bind an Indian employer in ways the DPDPA does not. A vendor cannot assess its own position without asking what sector its customer sits in.
On the safeguards themselves, SCCs between employer and vendor should secure Data Principals' rights as defined under the Act, provide for breach notification, allow audit, and require deletion on termination; a group vendor may instead develop Binding Corporate Rules approved by the Board. Technical measures include TLS 1.2 or higher in transit, encryption at rest with keys held by the Indian Fiduciary, role-based limits on which US personnel reach Indian data, and access logging. Rule 15 requires a documented Data Protection Impact Assessment before transfer to a non-adequate country.
Employee Rights and the 90-Day Clock
Sections 11 to 14 give Data Principals a working set of rights: confirmation of whether data is being processed and access to it, so an employee can ask for everything the employer holds through the platform, performance ratings and salary included (Section 11); correction of inaccurate or incomplete data, and erasure where the data is no longer necessary for the purpose, consent is withdrawn, processing violated the Act, or erasure is needed to comply with a legal obligation (Section 12); complaint to the Fiduciary or the Board (Section 13); and nomination of another person to exercise rights on death or incapacity (Section 14). Under the Rules, a Fiduciary must respond within 90 days.
None of this is self-executing. If the employer's only interface to employee records is the vendor's software, then access, correction, erasure, withdrawal, grievance and nomination have to exist as features, or the employer cannot discharge a duty it has no means of discharging.
Breach: Without Delay, Then 72 Hours
Section 8(6) requires a Fiduciary, on becoming aware of a personal data breach, to intimate the Board and each affected Data Principal without delay, in the manner and within the time prescribed. Rule 7 splits the duty in two.
To affected Data Principals, under Rule 7(1), notice must go without delay, in concise, clear and plain language, through the user account or a registered channel, describing the breach's nature, extent and timing, the consequences relevant to that individual, the mitigation in progress, the safety measures she may take herself, and a contact who can respond.
To the Board, under Rule 7(2), an initial description must go without delay covering nature, extent, timing, location and likely impact, followed within 72 hours of becoming aware, or such longer period as the Board allows on written request, by detailed information: the facts leading to the breach, mitigation measures, findings on who caused it, remedial steps, and a report on the intimations given to Data Principals.
The 72-hour figure is what reshapes engineering. It is not a deadline a quarterly review can satisfy; it presupposes detection in hours. For the vendor the duty is contractual and immediate: tell the Indian client at once, then supply the forensic material, because the client is the one filing with the Board.
Penalties, the Board, and the Constitutional Backdrop
| Violation | Penalty cap |
|---|---|
| Breach of security safeguards (Section 8(5)) | Rs 250 crore |
| Failure to notify a breach (Section 8(6)) | Rs 200 crore |
| Breach of children's data obligations (Section 9) | Rs 200 crore |
| Breach by a Significant Data Fiduciary (Section 10) | Rs 150 crore |
| Breach of Data Principal duties (Section 15) | Rs 10,000 |
| Breach of other provisions | Rs 50 crore |
The distribution is informative: the heaviest caps attach to security failure and to concealment, not to paperwork. The Act fixes rupee amounts where the GDPR takes a percentage of global turnover (up to 4%) and the CCPA charges per violation, which is more predictable than a turnover-linked cap and, for a smaller organisation, potentially more severe.
The Data Protection Board of India, established under Section 18, is the enforcement authority: a Chairperson and four Members appointed by the Central Government, operating as a digital-first office. It investigates complaints, issues directions, imposes penalties, approves Consent Manager registrations and designates Significant Data Fiduciaries, weighing in any penalty the severity of the violation, the volume and sensitivity of data involved, repetition, cooperation and mitigating conduct. It has so far imposed no penalty and published no guidance on breach formats or penalty calculation, leaving the statutory text and the Rules as the only guides.
Behind the statute sits Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1, decided 24 August 2017 by a unanimous nine-judge bench holding that privacy is a fundamental right under Articles 14, 19 and 21, overruling M.P. Sharma v. Satish Chandra (1954) and Kharak Singh v. State of U.P., and setting a three-pronged test for any encroachment: legality, necessity and proportionality. That foundation has not insulated the Act. As of June 2026 the Supreme Court is hearing petitions challenging Section 44(3), said to dilute the Right to Information Act; the Section 17 state exemptions, said to fail the Puttaswamy proportionality test; the Board's independence; and the removal of the Section 43A IT Act damages remedy. No final judgment had issued as of July 2026, and the Court has directed that compliance obligations continue pending the outcome. Waiting for the litigation is not a compliance strategy.
When Does Any of This Actually Bite?
The Act received assent on 11 August 2023 but did not commence then. Commencement depended on rules, and the Digital Personal Data Protection Rules, 2025 were notified by MeitY on 13 November 2025, starting a phased rollout.
| Phase | Date | Provisions effective |
|---|---|---|
| Phase 1 | 13 November 2025 | Sections 1 and 2, Sections 18 to 26, Rules 1, 2 and 17 to 21: Board establishment, definitions, Board powers, digital office |
| Phase 2 | 13 November 2026 | Section 6(9) and Rule 4: Consent Manager framework and registration |
| Phase 3 | 13 May 2027 | Sections 3 to 17 and 27 to 34, Rules 3, 5 to 16 and 22 to 23: applicability, notice, consent, obligations, rights, breach notification, cross-border transfer, penalties, enforcement |
The sequencing governs any assessment of urgency. The substantive obligations, including Section 3 applicability itself and the entire penalty regime, take effect on 13 May 2027, roughly ten months from the date of writing, with no announced grace period beyond it. Until then the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 continue to apply. The two are not interchangeable: the SPDI Rules reach only sensitive personal data, demand no explicit consent, impose no breach notification timeline and have no dedicated enforcement authority, where the DPDPA does the opposite on each count.
Practical Takeaways
- Extraterritoriality is settled; role is not. Section 3(b) catches a foreign vendor offering services to Indian Data Principals. The first real question is whether it determines purposes and means (Fiduciary) or executes instructions (Processor). Decide it on how the product actually works.
- The contract is the vendor's whole exposure, and it cannot rewrite the statute. Section 8(1) keeps the Indian client liable to the Board whatever the DPA says. Build a standard template covering scope, security, breach notification, sub-processor authorisation, rights facilitation, audit access, deletion and indemnity.
- Section 7(e) removes consent, not compliance. Employment-purpose processing still requires notice, security, retention limits, rights fulfilment and breach reporting, and must be necessary rather than merely useful.
- Engineer for 72 hours and 90 days. Breach detection has to run continuously, with rehearsed escalation. Rights requests need product surfaces (access, correction, erasure, withdrawal, grievance, nomination) and a backend that closes within 90 days.
- Transfers to the US rest on contract, not adequacy. No country has been notified as adequate. Execute SCCs, hold keys with the Indian Fiduciary where feasible, restrict US-side access by role, run the Rule 15 DPIA, and check whether the client's sector (RBI, SEBI) imposes localisation the Act does not.
- Prepare for SDF status without assuming it. The designation criteria are unnotified. A vendor aggregating employee data across multiple large employers should still line up an India-based DPO, a DPIA process and an independent auditor.
- Work back from 13 May 2027. Gap assessment, DPA drafting, security work, breach playbook, notice and consent mechanisms, rights functionality, Consent Manager integration (registration opens November 2026) and transfer safeguards all have to land before enforcement starts, with penalties applying from the first day.
Key Authorities
- Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Section 3: territorial application, and extraterritorial reach over processing outside India connected with offering goods or services to Data Principals in India. Source
- DPDP Act 2023, Sections 2 and 5 to 7: the defining terms (personal data 2(t), Data Principal 2(j), Data Fiduciary 2(i), Data Processor 2(k), processing 2(x)); notice content; consent that is free, specific, informed, unambiguous and unconditional; and the legitimate uses, including Section 7(e) for the purposes of employment.
- DPDP Act 2023, Section 8: non-delegable responsibility for processor conduct (8(1)), the valid-contract requirement (8(2)), accuracy (8(3)), retention limits (8(4)), security safeguards (8(5)), breach notification (8(6)), grievance redressal (8(8)).
- DPDP Act 2023, Sections 10 to 16 and the Schedule: Significant Data Fiduciary obligations (India-based DPO, annual DPIA, annual audit); Data Principal rights of access, correction, erasure, grievance and nomination; the Section 16(1) power to restrict transfers to notified countries, with sectoral restrictions preserved by 16(2); and penalty caps from Rs 10,000 to Rs 250 crore. Source
- Digital Personal Data Protection Rules, 2025 (notified 13 November 2025): Rule 1 (phased commencement), Rule 3 (notice), Rule 4 (Consent Managers), Rule 6 (security standards), Rule 7 (breach notification), Rule 15 (cross-border transfers). Source
- Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors., (2017) 10 SCC 1; AIR 2017 SC 4161; W.P. (Civil) No. 494 of 2012 (Supreme Court, 24 August 2017): privacy is a fundamental right under Articles 14, 19 and 21, subject to a three-pronged test of legality, necessity and proportionality; M.P. Sharma and Kharak Singh overruled. Source
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: the regime that continues to apply until 13 May 2027.
- Data Security Council of India, "Privacy Across Borders: Guidance on Cross-Border Data Transfers for Indian Organisations" (2024): the source of the SCC and technical safeguard practice described above. Guidance, not law. Source
- Pending Supreme Court petitions on the validity of the DPDPA (reported 3 June 2026): Section 44(3) and the RTI Act, the Section 17 state exemptions, Board independence, and the removal of the Section 43A IT Act damages remedy. No final judgment as at July 2026. Source
This piece proceeds on a hypothetical vendor rather than any particular product, and several questions it raises are open rather than answered: no adequacy determination exists for any country, the SDF criteria are unnotified, no Consent Manager has been registered, the Board has published no guidance and imposed no penalty, and the constitutional challenge remains undecided.
This analysis reflects the law as at July 2026. It is published for general information and does not constitute legal advice.