Section 16: Processing of Personal Data Outside India

Chapter: Special Provisions

Direct Answer

Section 16 of India's DPDP Act 2023 (Processing of Personal Data Outside India) cross-border transfer permitted only to countries notified by the Central Government, subject to conditions. It applies to organisations with offshore hosting or subprocessors. Organisations should document controls, maintain audit evidence, and review this obligation before full enforcement expected from May 2027.

Overview

Cross-border transfer permitted only to countries notified by the Central Government, subject to conditions.

Key Points of Section 16

• Transfer outside India only to notified countries
• Central Government may restrict transfers
• Conditions may attach to permitted transfers

Who This Applies To

Organisations with offshore hosting or subprocessors

Compliance Action Steps

1. Maintain country whitelist register
2. Map all cross-border flows
3. Update vendor DPAs for transfer restrictions

Practical Examples

1. A SaaS vendor hosting Indian user data on US servers maps transfers against the Section 16 notified-country list before onboarding enterprise clients.
2. A government-notified startup exemption may reduce certain obligations — Section 17 requires documenting the exact notification and remaining duties.
3. A university research project using anonymised datasets may qualify for research exemptions with Board-approved safeguards.

Statutory Text

Processing of personal data outside India. 16(1): Central Government may, by notification, restrict transfer for processing to countries or territories so notified. 16(2): Does not restrict any Indian law providing higher transfer protection or restriction for any data, Fiduciary or class.

Source: Digital Personal Data Protection Act, 2023 (No. 22 of 2023), Gazette of India, Extraordinary, Part II—Sec. 1, 11 Aug 2023. Operative excerpts for reference; official Gazette text prevails.

Legal Provisions and Compliance Guidance

Section 16 — Processing of Personal Data Outside India (Chapter: Special Provisions)

Statutory overview

Cross-border transfer permitted only to countries notified by the Central Government, subject to conditions.

Plain-English requirements

1. Transfer outside India only to notified countries

2. Central Government may restrict transfers

3. Conditions may attach to permitted transfers

Operational implications for Indian organisations

Data fiduciaries and processors should translate Section 16 into concrete controls: update privacy notices, train staff, adjust product flows, and maintain evidence that demonstrates compliance during audits or Board inquiries. Map this section to your Record of Processing Activities (RoPA) and link each control to an owner, review date, and evidence repository. Product managers should embed privacy-by-design checkpoints in sprint reviews; security teams should align SOC monitoring with obligations that carry penalty exposure; and legal teams should track DPBI guidance that interprets ambiguous phrases in the statute.

Relationship to DPDP Rules 2025

The DPDP Rules 2025 notified in January 2025 provide operational detail for many Chapter obligations — including timelines, formats, and registration requirements. Monitor Central Government notifications and DPBI guidance for sector-specific interpretations that refine how Section 16 is enforced. Rule updates may introduce new forms, registration portals, or technical standards that supersede informal industry practice — subscribe to official Gazette notifications rather than relying solely on vendor marketing materials.

Sector-specific considerations

Cross-border SaaS hosting and offshore analytics require Section 16 country-whitelist compliance. Startup exemptions under Section 17 are not automatic — monitor Central Government notifications.

Implementation playbook

1. Map cross-border data flows against notified countries.
2. Evaluate exemption notifications.
3. Document remaining non-exempt obligations.
4. Update vendor DPAs for transfer restrictions.

Related provisions

Section 16 should be read alongside Section 15, Section 17. Indian compliance programmes typically map these sections together in privacy impact assessments, vendor due diligence questionnaires, and board reporting packs. Cross-referencing prevents siloed fixes — for example, improving consent under Section 6 without updating notice under Section 5 leaves residual regulatory risk.

Documentation and evidence

Maintain version-controlled policies, system logs, consent records, training attendance, and DPIA outputs that reference Section 16. During a Data Protection Board inquiry, documented good-faith compliance efforts can influence remedial directions and penalty outcomes. Evidence should be tamper-evident where possible — immutable consent logs, WORM storage for audit trails, and timestamped policy approvals strengthen your position.

Audit and Board inquiry preparedness for Section 16

When the Data Protection Board opens an inquiry, investigators typically request: (a) your privacy notice and consent records tied to processing of personal data outside india; (b) RoPA entries referencing Section 16; (c) training records for staff handling relevant workflows; (d) technical evidence such as access logs, encryption configurations, or deletion confirmations; and (e) correspondence with Data Principals on related rights requests. Proactively assemble a section-specific evidence bundle quarterly. Transfer outside India only to notified countries; Central Government may restrict transfers. Platforms like Complynz automate control mapping and evidence collection so legal teams can respond to DPBI requests within days rather than weeks.

Enforcement timeline

The Act passed in August 2023. DPDP Rules were notified in November 2025. Consent Manager registration opens November 2026. Full operational enforcement is expected from May 2027 — organisations should complete gap remediation before that date. Early movers gain competitive advantage with enterprise buyers and government tenders that increasingly require demonstrable DPDP readiness.

Related DPDP Rules 2025

• Rule 16: Cross-border transfer of personal data — Conditions for transfer to countries notified by Central Government.

Frequently Asked Questions

What does DPDP Act Section 16 require?

Section 16 (Processing of Personal Data Outside India) requires that cross-border transfer permitted only to countries notified by the Central Government, subject to conditions. It applies to organisations with offshore hosting or subprocessors.

Who must comply with Section 16 of the DPDP Act?

Organisations with offshore hosting or subprocessors

What is the compliance deadline for DPDP Section 16?

DPDP Rules 2025 introduced a phased 18-month implementation window. While some provisions are being rolled out from 2025–2026, full enforcement with DPBI penalty powers is expected from May 2027. Organisations should implement Section 16 controls before that date.

How do I implement DPDP Section 16 in my organisation?

Start with a gap assessment mapping Section 16 requirements to your current privacy programme, product flows, and vendor contracts. Assign an internal owner, implement missing controls, document evidence in a central repository, and schedule quarterly reviews. Automated GRC platforms reduce manual effort and help maintain continuous compliance as rules evolve.

Does Section 16 apply to startups and small businesses in India?

Yes, unless a specific exemption notification applies to your organisation class. Section 16 (Processing of Personal Data Outside India) applies to organisations with offshore hosting or subprocessors. Startups may receive targeted exemptions under Section 17, but core obligations around consent, security, and rights typically remain. Budget-constrained teams should prioritise high-penalty sections first.

How does Section 16 relate to GDPR or other global privacy laws?

Section 16 is India's standalone requirement under the DPDP Act 2023. Organisations already GDPR-compliant must still map DPDP-specific obligations — consent standards, DPBI enforcement, penalty caps, and Rules 2025 timelines differ from EU law. Apply the higher protection standard where laws overlap and maintain separate India-specific documentation.

Suggested Next Step

Vendor Risk Management — Track subprocessors and cross-border transfer compliance in one register.

Back to Complete DPDP Guide