Q3 - Do SDFs have to appoint their Data Protection Officer (DPO) in India, even if they are a multinational company headquartered elsewhere?
Yes. Under Section 10(2)(a)(ii) of the Digital Personal Data Protection Act, 2023 (DPDPA), every Significant Data Fiduciary (SDF) is legally required to appoint a Data Protection Officer (DPO) who is based in India, regardless of where the company’s global headquarters or parent entity is located.
1. Legal Requirement
Section 10(2)(a) —
Every Significant Data Fiduciary shall appoint a Data Protection Officer who shall:
- (i) Represent the SDF under the provisions of this Act;
- (ii) Be based in India;
- (iii) Be an individual responsible to the Board of Directors or similar governing body of the SDF; and
- (iv) Be the point of contact for the grievance redressal mechanism under this Act.
This makes it clear that the physical location of the DPO — not just the organization — must be within India, ensuring local accountability and ease of regulatory coordination with the Data Protection Board of India.
2. Purpose Behind the “Based in India” Requirement
The DPDPA mandates local presence for DPOs to:
- Ensure direct communication with Indian regulators and Data Principals.
- Enable timely compliance with inquiries, investigations, and enforcement actions by the Data Protection Board of India.
- Provide an on-ground grievance redressal mechanism for Indian users.
- Avoid situations where accountability is shifted to overseas offices or foreign jurisdictions.
This requirement is comparable to Article 27 of the EU's GDPR, which obliges controllers and processors not established in the Union to designate a representative within the EU. The Indian rule is stricter in one respect: the GDPR does not require the DPO itself (Article 37) to be located in the EU, whereas the DPDPA ties the "based in India" condition directly to the DPO role.
3. Implications for Multinational Companies
For multinational companies operating in India:
- The India DPO acts as the local compliance and liaison officer for the organization’s Indian operations.
- The DPO may coordinate with a global privacy or compliance head, but must have the authority and autonomy to act on behalf of the company before Indian authorities.
- If multiple Indian entities exist within the same corporate group, a group-level DPO based in India may be a practical option, provided that person has oversight and accountability across each entity that has been notified as an SDF. The Act itself is silent on group-level appointments, so each notified SDF should be able to show that the statutory conditions in Section 10(2)(a) are met for it.
Failing to appoint a locally based DPO is a breach of an SDF's additional obligations under Section 10, which the Data Protection Board may penalise under Section 33(1) read with the Schedule to the Act (the Schedule sets a ceiling of ₹150 crore for breach of an SDF's obligations under Section 10).
4. Illustration
A U.S.-headquartered technology company operates a major data-processing subsidiary in Bengaluru that handles millions of Indian users' data. The Central Government notifies it as a Significant Data Fiduciary under Section 10(1). Even though the global Chief Privacy Officer sits in New York, the company must appoint a Data Protection Officer physically based in India who can represent the organisation before the Data Protection Board of India and serve as the point of contact for local grievances.
Referenced Provisions:
- Section 10(2)(a)(ii) – Mandatory appointment of a DPO based in India.
- Section 10(2)(a)(iii) – DPO to be responsible to the Board of Directors or similar governing body.
- Section 10(2)(a)(iv) – DPO as the grievance redressal contact point.
- Section 33(1) read with the Schedule – Penalties for non-compliance.
- Sections 27–28 – Powers, functions and procedure of the Data Protection Board.