Candour Legal – Best Lawyers in Ahmedabad | Law firm in Ahmedabad

DPDP Act and GCCs in India: The Outsourcing Exemption Explained

The DPDP Act and India's Global Capability Centres — Candour Legal analysis of the outsourcing exemption

For three decades, multinationals have run their data-intensive operations out of Bengaluru, Hyderabad, Pune, and Gurugram, treating the Indian Global Capability Centre as a seamless extension of head office. The notification of the Digital Personal Data Protection Rules 2025 on 13 November 2025 changed the legal character of that arrangement. Data crossing into India now acquires obligations that did not exist before, and the DPDP Act applies to a GCC in a way that is far more nuanced than either “we are exempt” or “we must comply with everything.” The truth sits in between, and getting it wrong is expensive.

Key Takeaways

  • The DPDP Act 2023 is fully operational; the DPDP Rules 2025 were notified on 13 November 2025, starting an 18-month compliance clock that ends on 12 May 2027.
  • A GCC’s data splits into two streams. The “outsourcing exemption” switches off most substantive duties for foreign data processed under contract with the overseas parent — but the full framework applies to the GCC’s Indian employee, vendor, and customer data.
  • Even under the exemption, two duties survive: reasonable security safeguards and valid processor contracts.
  • India uses a “negative list” for cross-border transfers — data may flow to any country unless the Central Government restricts it, with sectoral overlays from the RBI, SEBI, and IRDAI.
  • A GCC handling large volumes of Indian personal data may be designated a Significant Data Fiduciary, triggering DPO appointment, annual DPIAs, and audits.
  • Penalties run up to ₹250 crore per instance.

The exemption everyone quotes, and the half they forget

The provision that matters most to GCCs is the outsourcing exemption. Where an entity in India processes the personal data of data principals located outside India, under a contract with an entity outside India, most of the substantive DPDP obligations do not apply. For a GCC reconciling a foreign bank’s transactions or adjudicating an overseas insurer’s claims, this is significant relief: the consent and notice machinery, and the data-principal rights of access and erasure, largely fall away for that foreign data.

The error is to read the exemption as a blanket shield over the entire GCC. It is not. The exemption is tied to a specific kind of processing — foreign data principals, foreign contracting party. The moment a GCC processes the personal data of its own Indian employees, its Indian vendors, or Indian customers, it is acting as a Data Fiduciary under Indian law, and the full weight of the framework applies to that processing.

One GCC, two data streams — the foreign data stream under the outsourcing exemption versus the India-facing data stream under the full DPDP framework

Two data streams, two compliance worlds

The practical consequence is that every GCC runs two parallel compliance regimes inside one entity. The foreign data stream — work done for and on behalf of the overseas parent — attracts minimal substantive obligations under the exemption. The India-facing data stream — HR records, payroll, Indian vendor contacts, any India-resident customer data — attracts the complete set: itemised notice, valid and withdrawable consent, the rights of access, correction and erasure, breach notification to the Data Protection Board and to affected principals within 72 hours, and purpose-based retention with secure deletion.

This is why the first serious step for any GCC is a data-mapping exercise. Until a centre knows precisely which processing activities fall into which stream, it cannot know which obligations bite. A GCC that assumes the exemption covers everything will find its Indian employee data wholly non-compliant; a GCC that assumes the full framework applies to everything will spend on consent infrastructure it does not need for its foreign workload.

The two duties that never switch off

Even within the exempt foreign stream, two obligations persist. The first is the duty to implement reasonable security safeguards. A breach of foreign data held in India still exposes the GCC, and the security obligation is one of the provisions that took effect early rather than at the end of the 18-month runway. The second is processor governance: a data processor may act only under a valid contract with the data fiduciary. For a GCC, this means the intercompany agreement with the parent is not a formality — it is the instrument that defines the lawful basis of the entire foreign-data operation, and it must flow down DPDP-aligned obligations to any sub-processors the GCC engages.

Cross-border transfers: the negative-list approach

India has not adopted the adequacy-whitelist model familiar from European law. Under Rule 15, a Data Fiduciary may transfer personal data outside India except where the Central Government restricts transfer to a particular country or territory. Transfers are permitted by default, subject to the core obligations, unless a destination is placed on a “negative list.” For GCCs that move data back to a parent and onward to global cloud infrastructure, this is comparatively liberal — but it is also provisional. The Government may add conditions or restrictions by notification at any time, and sectoral regulators impose their own overlays: the RBI’s payment-data localisation norms, SEBI’s expectations for market data, and IRDAI’s rules for insurance data continue to apply on top of the DPDP baseline.

The strategic implication for a GCC is to build routing flexibility now. A centre that hard-wires its data flows to a single jurisdiction risks sudden non-compliance if that jurisdiction is later restricted. Accountability also does not travel with the data: even when personal data leaves India, the Indian entity determining the purpose and means of processing retains responsibility for it.

When a GCC becomes a Significant Data Fiduciary

The Central Government may designate a Data Fiduciary as a Significant Data Fiduciary based on the volume and sensitivity of personal data processed, risk to data principals, and other factors. A large GCC processing substantial Indian personal data is a realistic candidate. Designation brings heavier duties: appointing a Data Protection Officer based in India, conducting annual Data Protection Impact Assessments and independent audits, and observing additional due-diligence obligations including, where notified, algorithmic accountability for systems that process personal data. GCCs running analytics, AI, or large-scale customer operations should plan as though designation is possible rather than assume it is not.

DPDP compliance timeline for GCCs — from 13 November 2025 notification to 12 May 2027 full enforcement, penalties up to 250 crore per instance

The clock, and what it means in practice

The institutional machinery commenced immediately on notification: the Data Protection Board of India is constituted and the foundational definitions are in force. The Consent Manager framework is expected to be operationalised in the middle of 2026, and the period around November 2026 is widely read as the end of the initial soft-enforcement phase, after which the Board is expected to move from guidance toward active supervision. The substantive obligations — consent, notice, data-principal rights, breach reporting, and the cross-border provisions of Section 16 — become fully operational at the close of the 18-month window on 12 May 2027.

Eighteen months is a short runway for work of this kind. Data mapping, consent architecture for the India-facing stream, breach-response playbooks capable of meeting the 72-hour reporting window, automated retention and deletion, and the renegotiation of intercompany and vendor contracts are resource-intensive projects that cannot be assembled in the final quarter before the deadline. The centres that treat the present window as preparation time, rather than a grace period to be spent, will be the ones not scrambling in 2027.

Looking ahead

The DPDP framework rewards GCCs that treat data governance as architecture rather than paperwork. The immediate priorities are a defensible data map that separates the foreign and India-facing streams, intercompany contracts that carry DPDP-aligned obligations down to every sub-processor, and a cross-border strategy with enough routing flexibility to survive a future negative-list notification. Centres that build for data sovereignty now will find compliance becomes a competitive signal to global clients, not merely a regulatory cost.


Where Candour Legal fits

Candour Legal advises Global Capability Centres across the full DPDP lifecycle — data-stream mapping, drafting and renegotiating intercompany and processor agreements, building consent and notice frameworks for the India-facing stream, breach-response protocols, cross-border transfer strategy, and Significant Data Fiduciary readiness. With the 12 May 2027 deadline fixed and the soft-enforcement phase already closing, the value of starting early is simply that the work can be done properly rather than under pressure.


Frequently Asked Questions

Does the DPDP Act apply to a GCC in India?

Partly. Under the outsourcing exemption, a GCC processing personal data of foreign data principals under a contract with its overseas parent is relieved of most substantive DPDP obligations for that data. But the full framework applies to the GCC’s processing of Indian personal data — its own employees, Indian vendors, and any India-resident customers — where the GCC acts as a Data Fiduciary.

What is the DPDP outsourcing exemption?

It is the carve-out under which an Indian entity processing the personal data of people outside India, pursuant to a contract with an entity outside India, is exempt from most substantive DPDP duties such as consent, notice, and data-principal rights. Two obligations still apply: implementing reasonable security safeguards, and processing only under a valid processor contract.

When must a GCC be DPDP compliant?

The DPDP Rules 2025 were notified on 13 November 2025, beginning an 18-month phased rollout. Institutional provisions are already in force; the substantive obligations including consent, data-principal rights, breach reporting, and cross-border transfers under Section 16 become fully operational on 12 May 2027.

Can a GCC transfer personal data outside India?

Yes. India follows a negative-list model: under Rule 15, transfers are permitted to any country unless the Central Government restricts a specific destination. Core DPDP obligations continue to apply, and sectoral regulators such as the RBI, SEBI, and IRDAI impose additional localisation and data-handling requirements on top of the DPDP baseline.

Could a GCC be classified as a Significant Data Fiduciary?

Yes. The Central Government may designate a Data Fiduciary as significant based on the volume and sensitivity of personal data and the risk involved. A large GCC processing substantial Indian personal data may be designated, which triggers enhanced duties: an India-based Data Protection Officer, annual Data Protection Impact Assessments, independent audits, and additional due-diligence obligations.

By Candour Legal Team. This article is for general information and does not constitute legal advice.