GDPR Compliance When Outsourcing IT to India: A European Buyer Guide
Country Manager, India
AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking

GDPR fines reached a cumulative EUR 4.5 billion by end of 2025, with third-party data processing violations accounting for 28% of enforcement actions (GDPR Enforcement Tracker, 2025). For European companies outsourcing IT to India, GDPR compliance isn't optional. It's a legal obligation that follows your data wherever it goes.
This guide covers the specific mechanisms, contract clauses, and operational controls that European buyers need when outsourcing IT services to India. You'll find practical guidance on Standard Contractual Clauses, Article 28 requirements, India's DPDPA alignment with GDPR, and a compliance checklist you can use during vendor selection.
Key Takeaways
- 28% of GDPR enforcement actions involve third-party data processing (GDPR Enforcement Tracker, 2025).
- Standard Contractual Clauses (SCCs) are the primary legal mechanism for EU-India data transfers.
- India's DPDPA aligns with GDPR on consent and data minimisation but lacks full adequacy status.
- GDPR Article 28 mandates specific clauses in every data processor agreement.
Does GDPR Apply When You Outsource IT to India?
Yes, unequivocally. GDPR applies to any processing of personal data of EU residents, regardless of where the processing occurs. Article 3(1) establishes that if your organisation is established in the EU and uses an Indian IT vendor to process data, GDPR governs that processing in full.
The European Data Protection Board (2024) has confirmed that outsourcing does not reduce the data controller's obligations. You remain responsible for ensuring your vendor meets GDPR standards. If your vendor breaches GDPR, your organisation faces the fine, not the vendor.
What Data Transfer Mechanisms Exist for EU-India Transfers?
India does not have an EU adequacy decision, meaning personal data transfers from the EU to India require additional legal safeguards. The European Commission (2025) recognises three primary mechanisms for transfers to non-adequate countries.
Standard Contractual Clauses (SCCs)
SCCs are pre-approved contract templates issued by the European Commission. They're the most widely used transfer mechanism for India, adopted by over 80% of EU companies outsourcing to the subcontinent, per IAPP (2024). The 2021 SCC modules replaced older versions and include specific provisions for controller-to-processor transfers (Module 2) and processor-to-sub-processor transfers (Module 3).
SCCs aren't a standalone fix. The Schrems II ruling (2020) requires a Transfer Impact Assessment (TIA) alongside SCCs. You must evaluate whether Indian law provides adequate protection for the transferred data. If gaps exist, you must implement supplementary measures: encryption, pseudonymisation, or access controls that prevent the Indian government from accessing EU personal data.
Binding Corporate Rules (BCRs)
BCRs are internal rules approved by EU data protection authorities for multinational groups. They're suitable for companies with GCCs in India but rarely practical for outsourcing arrangements. BCR approval takes 12-18 months and costs significantly more than implementing SCCs. They're worth considering only if you have a large captive centre processing substantial EU data volumes.
Explicit Consent and Derogations
GDPR Article 49 allows transfers based on explicit consent or contractual necessity, but these derogations are narrow. The EDPB has stated that derogations should not be used for systematic, large-scale transfers. For ongoing outsourcing engagements, SCCs remain the only viable mechanism for most organisations.
What Does GDPR Article 28 Require from Your Indian Vendor?
Article 28 mandates specific provisions in every contract between a data controller and a data processor. PwC (2024) found that 41% of outsourcing contracts reviewed during audits were missing at least one Article 28 requirement. Here are the non-negotiable clauses.
Mandatory Contract Clauses
Your Data Processing Agreement (DPA) must include: the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed, the categories of data subjects, the controller's obligations and rights, and technical and organisational security measures.
Additionally, the processor must: process data only on documented instructions from the controller, ensure personnel are under confidentiality obligations, implement appropriate security measures per Article 32, assist with data subject rights requests, delete or return all data at contract end, and submit to audits and inspections.
Sub-Processor Requirements
Your Indian vendor likely uses sub-processors: cloud providers, monitoring tools, or subcontracted specialists. Article 28(2) requires the vendor to obtain your written authorisation before engaging any sub-processor. You can grant general authorisation (the vendor informs you of changes, and you can object) or specific authorisation (you approve each sub-processor individually).
Maintain a register of all sub-processors handling EU personal data. Review it quarterly. Ensure each sub-processor is bound by the same data protection obligations as your primary vendor.
How Does India's DPDPA Align with GDPR?
India's Digital Personal Data Protection Act (DPDPA), enacted in August 2023, represents the country's first comprehensive data protection law. NASSCOM (2024) analysis shows that DPDPA aligns with GDPR on several core principles but diverges on others.
Where DPDPA and GDPR Align
Both frameworks require: lawful basis for processing (consent is primary under DPDPA), purpose limitation, data minimisation, accuracy obligations, and breach notification. DPDPA requires breach notification to India's Data Protection Board within 72 hours, matching GDPR's timeline. Both impose significant penalties for non-compliance.
Where DPDPA and GDPR Diverge
DPDPA does not include a right to data portability. It lacks GDPR's legitimate interest basis for processing. DPDPA's scope is narrower, covering only digital personal data, not paper records. Cross-border transfer rules under DPDPA are still being finalised. The Indian government retains authority to restrict data transfers to specific countries via a blacklist approach rather than GDPR's adequacy-based whitelist.
The DPDPA's alignment with GDPR is a positive signal, but it doesn't grant India adequacy status. European buyers should treat DPDPA compliance as a baseline, not a substitute for SCCs and Transfer Impact Assessments. Vendors who claim "DPDPA-compliant, therefore GDPR-ready" are oversimplifying. Challenge this claim in every vendor evaluation.
What Security Measures Should Your Indian Vendor Implement?
GDPR Article 32 requires processors to implement "appropriate technical and organisational measures" for data security. ENISA (2024) guidelines specify minimum measures for cross-border processing scenarios.
Technical measures include: encryption of personal data in transit (TLS 1.2+) and at rest (AES-256), access controls with role-based permissions, multi-factor authentication for all systems handling EU data, network segmentation isolating EU data processing environments, DLP (Data Loss Prevention) tools on endpoints, and audit logging with tamper-proof storage.
Organisational measures include: annual GDPR training for all staff with access to EU data, background checks for personnel in data processing roles, incident response plans with 72-hour notification capability, regular penetration testing (at least annually), and ISO 27001 or SOC 2 Type II certification.
For a broader view of security risks in outsourcing, read our guide on IT outsourcing risks.
How Should You Conduct a Transfer Impact Assessment?
A Transfer Impact Assessment (TIA) evaluates whether the destination country's legal framework provides adequate data protection. The EDPB (2021) recommends a six-step process for TIAs, which remains the standard in 2026.
- Step one: map your data transfers to identify what personal data goes to India, why, and through which vendor systems.
- Step two: identify the transfer mechanism (typically SCCs).
- Step three: assess Indian law for any provisions that could override SCC protections, particularly government surveillance powers.
- Step four: identify supplementary measures to address gaps.
- Step five: implement those measures.
- Step six: re-evaluate at regular intervals.
India's Information Technology Act (2000) grants government agencies broad surveillance powers under Section 69. Your TIA must address this. Supplementary measures like end-to-end encryption (where the Indian vendor cannot access data in clear text) or pseudonymisation can mitigate this risk. Document your assessment thoroughly, as regulators may request it during audits.
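The supplementary measure described above, pseudonymisation arranged so that the processor in India never holds the clear identifiers, as an added Python example (not the article's or Opsio's own code). The field names, the HMAC-SHA256 tokenisation, the EU-held re-identification vault and the sample record are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers in this example; a real TIA would use the
# data elements mapped in step one and assess quasi-identifiers (postcode, DOB) too.
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def new_controller_key() -> bytes:
    """256-bit pseudonymisation key. It stays with the controller in the EU (e.g. an
    EU-hosted KMS/HSM); the Indian processor never receives it, so tokens are
    irreversible on its side even if its systems are compelled to hand data over."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic token (HMAC-SHA256). Same input -> same token, so the
    vendor can still join and deduplicate records; without the key a token can
    neither be reversed nor rebuilt by hashing guessed inputs, unlike a plain hash."""
    msg = f"{field}\x00{value.strip().lower()}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def split_record(key: bytes, record: dict) -> tuple[dict, dict]:
    """Return (vendor_view, vault).
    vendor_view is what is transferred to India: identifiers replaced by tokens.
    vault (token -> clear value) is retained by the controller in the EU and is
    the only way to re-identify a data subject, e.g. for an access request."""
    vendor_view, vault = {}, {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            token = pseudonymise_value(key, field, value)
            vendor_view[field] = token
            vault[token] = value
        else:
            vendor_view[field] = value
    return vendor_view, vault


def leaks_identifiers(vendor_view: dict, record: dict) -> bool:
    """Pre-transfer check: True if any clear identifier value still appears anywhere
    in the outbound record, e.g. copied into a free-text ticket note."""
    outbound = " ".join(str(v) for v in vendor_view.values()).lower()
    return any(str(record[f]).lower() in outbound
               for f in DIRECT_IDENTIFIERS if f in record and str(record[f]))


def reidentify(vault: dict, vendor_view: dict) -> dict:
    """EU-side reverse mapping using the retained vault, not the key."""
    return {f: vault.get(v, v) if isinstance(v, str) else v
            for f, v in vendor_view.items()}
```

The leakage check is the part that matters in practice: tokenising the identifier fields is not enough if the same values are copied into free-text fields that also go to the vendor.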
What Compliance Checklist Should You Follow?
Before signing any outsourcing contract involving EU personal data, verify these items. PwC (2024) recommends a minimum compliance checklist covering legal, technical, and operational dimensions.
Legal requirements: executed SCCs (Module 2 or 3), completed Transfer Impact Assessment, Data Processing Agreement meeting all Article 28 requirements, sub-processor authorisation mechanism, and breach notification clause (72 hours).
Technical requirements: encryption in transit and at rest, access controls and MFA, network segmentation, DLP tools, audit logging, and annual penetration testing.
Operational requirements: GDPR training records for vendor staff, incident response plan, data subject rights procedures, documentation of processing activities (Article 30), and annual compliance audits.
Build this checklist into your vendor selection process. Vendors who can't demonstrate compliance before contract signing are unlikely to achieve it after.
Frequently Asked Questions
Does India have a GDPR adequacy decision?
No. As of 2026, India does not hold an EU adequacy decision. This means transfers of EU personal data to India require additional safeguards, typically Standard Contractual Clauses (SCCs) combined with a Transfer Impact Assessment. India's DPDPA shows alignment with GDPR principles but hasn't triggered an adequacy evaluation yet.
What are Standard Contractual Clauses for India outsourcing?
SCCs are pre-approved contract templates from the European Commission that legalise data transfers to non-adequate countries. Over 80% of EU companies outsourcing to India use SCCs (IAPP, 2024). Module 2 covers controller-to-processor transfers. Module 3 covers processor-to-sub-processor transfers.
Who is responsible for GDPR compliance in an outsourcing arrangement?
The data controller, meaning your organisation, bears primary responsibility. GDPR holds controllers accountable for their processors' actions. If your Indian vendor breaches GDPR, your organisation faces the regulatory fine. This is why vendor selection, contractual safeguards, and ongoing audits are essential.
Can India's DPDPA replace GDPR compliance requirements?
No. DPDPA compliance is a positive signal but doesn't substitute for GDPR obligations. The two frameworks align on consent and breach notification but diverge on data portability, legitimate interest, and cross-border transfer mechanisms. European buyers must implement SCCs and conduct Transfer Impact Assessments regardless of the vendor's DPDPA compliance status.
For hands-on delivery in India, see NIS2 compliance India.
About the Author

Country Manager, India at Opsio
AI, Manufacturing, DevOps, and Managed Services. 17+ years across Manufacturing, E-commerce, Retail, NBFC & Banking
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.