Skip to main content

Q1 - If an Indian user’s data is processed abroad (e.g., on AWS servers in the U.S.), is the foreign company also bound by DPDPA?

Answer
  • Yes. DPDPA applies to any entity, Indian or foreign, that processes personal data of individuals within India, if the processing is related to offering goods, services, or profiling individuals in India.
  • A foreign company without a legal presence in India may still be bound if it handles Indian data.
Example

If ABC Cloud Inc. (U.S.) stores customer records of XYZ Bank on its U.S. servers, it must comply with DPDPA obligations as part of its contract with XYZ.
The Indian bank remains the Data Fiduciary, while ABC Cloud acts as a Data Processor, both accountable under the Act.