Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Cross-Border Transfers

  • All Blogs
  • Digital Personal Data Act, 2023
  • Cross-Border Transfers
  • 17 July 2026 by
    Cross-Border Transfers
    CKonnect

    A.    Transfer mode Permitted by Default

    Legal backing Section 16(1) of the DPDP Act and Rule 15 of the DPDP Rules, 2025

    • The Rule: Organization are generally allowed to transfer personal data to any country. The government does not need to "approve" the country first.
    • The Restriction: The Central Government has the power to notify (list) specific countries where transfers are restricted. If a country is not on this "restricted list," can send data there.

    B.     Conditions for transfers

    Even though transfers are allowed, Organisation must follow these specific conditions found in the Rules.

    • Foreign State Access Check Reference: Rule 15 of the Rules

      • The Central Government can issue a "general or special order" regarding transfers.
      • If organization send data to a country where the Foreign State (their government) or an agency under its control can access that data, you must meet specific requirements set by the Indian Government.
      • Practical Meaning: Organisation must check if the foreign government (like the US or China) has laws allowing them to spy on or access the data you send there.
    • Significant Data Fiduciary (SDF) Localization Reference: Rule 13(4) of the Rules

      • If Organisation are a Significant Data Fiduciary (SDF), the government can list specific types of sensitive personal data that must stay in India.
      • The "Traffic Data" Rule: For this specific data, organisation generally cannot transfer the data or the "traffic data pertaining to its flow" (the logs and metadata) outside India.

     

    C.     Any exceptions (government processing)

    Some activities are exempt from these strict transfer rules.

    ·        The "Outsourcing" Exception Reference: Section 17(1)(d) of the DPDP Act

    o   If organization are in India processing data for a client outside India (outsourcing), and the data belongs to people outside India, the transfer restrictions (Section 16) do not apply.

    o   Example: An Indian BPO handling data for US customers can send that data back to the US freely.

    ·        Research and Statistics Exception Reference: Section 17(2)(b) of the DPDP Act; Rule 16 of the Rules 2025

    o   The Act does not apply to processing necessary for research, archiving, or statistical purposes.

    o   Condition: The data must not be used to make any specific decision about a Data Principal.

     

    D.    Risk considerations for organizations

    These are the risks created by the specific language in the Rules.

    • Risk of Sudden Orders Reference: Rule 15 of the Rules

      • The Government can issue a "general or special order" at any time. This means a country that is "safe" today could have new requirements tomorrow if the political situation changes.
    • The "Traffic Data" Trap for SDFs Reference: Rule 13(4) of the Rules

      • For SDFs, the ban extends to "traffic data".
      • Technical Risk: Many cloud services route "traffic data" (like server logs) globally for security monitoring. SDFs might violate this rule if they use standard global cloud settings for restricted data.
      • Note- Traffic data is not defined under DPDP act as well as DPDP Rules, 2025.

    By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Consent Manager Report
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies