Cross-Border Data Transfer Under DPDP

India's blacklist model explained: transfers allowed by default, except to government-restricted countries
shape1
shape2
shape3
shape4
shape5
shape6
shape7
shape8

DPDP Cross-Border Data Transfer: How the Blacklist Model Works

If your business uses foreign cloud platforms, overseas SaaS tools, offshore teams, or international clients, personal data is crossing India's border every day. The good news: the DPDP Act, 2023 takes a notably practical approach to cross-border data transfers.

The Act uses a blacklist, or negative-list, model: transfers of personal data outside India are allowed by default, except to countries the government specifically restricts. You do not need to wait for a country to be approved before sending data there; you only need to make sure it is not on the restricted list.

This is the opposite of GDPR's whitelist approach, where transfers are blocked unless the destination has an adequacy decision or approved safeguards. But permissive does not mean unregulated: you remain fully responsible for the data wherever it goes, and sectoral rules like RBI payment data localisation still apply on top of DPDP.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Blacklist vs Whitelist: DPDP vs GDPR on Transfers

AspectDPDP (India)GDPR (EU)
ModelBlacklist / negative listWhitelist / adequacy
Default positionTransfers allowed unless the country is restrictedTransfers blocked unless the country is approved
What you must checkIs the destination on the government-restricted list?Adequacy decision or approved safeguards in place?
Sectoral overlaysYes, e.g. RBI payment data localisation still appliesYes, member-state and sector rules

This is one more reason why GDPR compliance does not automatically equal DPDP compliance. The logic of the two regimes runs in opposite directions, and your transfer documentation needs to reflect the Indian model.

Sectoral Overlaps: DPDP Is Not the Only Rulebook

The DPDP Act's permissive transfer model does not switch off existing sector regulations. The clearest example is the RBI's payment data localisation requirement: payment system data must be stored in India regardless of what DPDP allows. If you are in payments, fintech, or handle payment data through your platform, both rulebooks apply at once.

In practice, the stricter rule always wins. A fintech company cannot point to DPDP's blacklist model to justify storing payment data abroad, and an e-commerce company cannot ignore DPDP's security and consent duties just because its cloud region is permitted. High-volume financial businesses should also check their exposure as a potential Significant Data Fiduciary, which brings extra obligations of its own.

What Transferring Businesses Must Do

  • Map every cross-border flow: know which systems, vendors, and cloud regions your data travels through, our DPDP data mapping guide covers how
  • Check destination countries against the government-restricted list, and re-check as it can change
  • Verify sectoral rules: RBI payment data localisation and similar regulations sit on top of DPDP
  • Contract with foreign processors: vendor contracts are mandatory, and you stay legally responsible for what vendors do with your data, wherever they are
  • Keep security safeguards consistent: encryption, access controls, and logging must protect data abroad just as they do in India
  • Document everything: your transfer decisions and vendor checks are what you will show the Data Protection Board if asked

Transfer Reviews Take Time. The Deadlines Won't Wait.

Consent rules become mandatory on 13 November 2026 and full enforcement begins on 13 May 2027. Compliance setup typically takes 2-6 months, cross-border flows included.

Review My Data Transfers Free

Want the Complete DPDP Picture?

Cross-border transfers are one piece of the puzzle. Get the full law, deadlines, penalties, and compliance checklist on our main DPDP guide.

Learn Everything About DPDP Compliance

DPDP Cross-Border Transfers: Frequently Asked Questions

Can I transfer personal data outside India under the DPDP Act?

Yes, in most cases. DPDP uses a blacklist model: transfers are allowed by default except to countries the government specifically restricts. You just need to confirm the destination is not on the restricted list, and stay compliant with everything else the Act requires.

Do You Know Where Your Data Travels?

Our free DPDP audit maps your data flows, including cross-border transfers, and shows you exactly where the gaps are.

Book Your Free DPDP Audit

No cost. No obligation. Get your compliance gap report.

Adri IT Software Solutions Pvt Ltd, an IT company based in Vadodara, helping businesses across Gujarat & India become DPDP-compliant before the deadline. Prefer to talk first? Let's Talk.

Disclaimer: This page is for general information only and is not legal advice. The content is based on the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 as published by the Government of India, explained here in simplified language. For the official text, please refer to the Ministry of Electronics and Information Technology (MeitY). Laws and deadlines may change. For a personalised assessment of your business, book a free DPDP audit with our team.