Section 3(b) of the Digital Personal Data Protection Act, 2023 follows the data, not the flag. If you offer goods or services to people in India and process their personal data, you are a Data Fiduciary under Indian law — wherever your servers, your staff and your headquarters sit. We make that obligation simple, sized and defensible.
Section 3(b) does not ask where you are incorporated. It asks whether your processing is connected to offering goods or services to people in India. These are the patterns we most often confirm as caught.
Your product is sold from London or San Francisco, but Indian companies and users log in, upload data and pay you. Their personal data is processed under your control — you are a Data Fiduciary in India.
You list, market and fulfil to Indian addresses. Names, contact details, payment and behavioural data of Indian buyers sit squarely inside Section 3(b).
Free or paid, your mobile app collects identifiers, location and usage from Indian users and feeds analytics or advertising. Profiling Indian Data Principals is a trigger, not an edge case.
Your group HR, payroll or GCC platform holds the personal data of people employed in India. Employer processing is in scope and intersects with the Indian labour codes.
Even as a Data Processor, your contracts must carry DPDPA obligations. Foreign vendors to Indian Data Fiduciaries are pulled in through the contract chain.
Ingesting Indian personal data to train, fine-tune or run inference creates DPDPA exposure at the input and the output. Technology diligence is now legal diligence.
We do not hand a foreign board a 200-page memo. We deliver a sized, sequenced stack — each layer producing a document the Board, an auditor or an acquirer can rely on.
We determine, on the facts, whether your processing is caught by Section 3(b), and whether you are a Data Fiduciary, a Data Processor, or both across different product lines. The role decides the obligations.
Itemised consent notices, in clear language, with the right lawful basis mapped to each purpose. Where consent is not the basis, we document the specific legitimate use the DPDPA permits.
We assess whether volume, sensitivity and risk make you a Significant Data Fiduciary — which triggers an India-based Data Protection Officer, DPIA and independent audit duties.
Each data flow is mapped against the DPDPA transfer position and any sectoral localisation overlay (RBI, IRDAI, sector rules), so your global architecture is defensible.
A pre-built breach runbook, notification templates for the Board and Data Principals, and a defence-grade evidence trail so a single incident does not become a ₹250 crore exposure.
An accountable India presence, grievance redressal handling, and continuous tracking of DPDP Rules and Board practice — so compliance stays current without an India office.
A data-flow map that is technically wrong produces a legal opinion that is dangerous. A consent design that ignores the commercial product is theatre. We read every foreign-entity engagement through all three lenses, legal, technical and commercial, at once.
Short, direct, on the record.
Yes, it can. Section 3(b) of the Digital Personal Data Protection Act, 2023 gives the law extraterritorial reach. The DPDPA applies to the processing of digital personal data outside India if that processing is in connection with any activity related to the offering of goods or services to Data Principals (individuals) located within the territory of India. A company headquartered in the United States, the European Union, the United Kingdom, Singapore or anywhere else can therefore be a Data Fiduciary under Indian law even without a single employee, server or subsidiary in India.
The trigger is offering goods or services to individuals in India and processing their personal data in that connection. A SaaS platform with Indian subscribers, an e-commerce site that ships to India, a mobile app with Indian users, a global HR or payroll system holding the data of India-based staff, or an analytics product that profiles Indian users will generally fall within Section 3(b). Merely having data incidentally pass through India is treated differently from actively targeting the Indian market.
The maximum financial penalty under DPDPA 2023 is ₹250 crore (approximately USD 30 million) per instance of certain breaches, imposed by the Data Protection Board of India. The ceiling is the same for foreign and Indian entities. Penalty quantum turns on the gravity of the violation, the number of Data Principals affected, the duration, and whether the entity had a documented, operational compliance programme.
A foreign company classified as a Significant Data Fiduciary must appoint a Data Protection Officer who is based in India and is responsible to the board. Even where SDF classification does not apply, foreign Data Fiduciaries are well advised to designate an India-based point of contact and an accountable person, because the Data Protection Board, grievance redressal obligations and Data Principal rights all assume a contactable presence within India.
GDPR compliance is a strong head start but it is not DPDPA compliance. The DPDPA is consent-centric with a narrower set of non-consent grounds (“legitimate uses”), has different rules for children’s data (verifiable parental consent below 18), introduces the Consent Manager construct, mandates breach notification to the Board and affected principals, and is enforced by the Data Protection Board of India under Indian procedure. The gap is in the detail of consent notices, the lawful basis mapping, children’s data, and India-specific governance — which is exactly where AMLEGALS focuses a foreign-entity engagement.
Generally yes. The DPDPA follows a “blacklist” model rather than a localisation-by-default model: personal data may be transferred outside India except to countries or territories that the Central Government may specifically restrict by notification. Sector regulators (for example, the RBI for payment data) may impose stricter localisation. AMLEGALS maps each data flow against both the DPDPA position and any sectoral overlay before signing off a transfer architecture.
Where your existing GDPR programme already covers you, and the specific gaps India opens up. The definitive side-by-side for global privacy teams.
The India-based DPO a Significant Data Fiduciary must appoint — delivered as an accountable, retained function without you opening an India office.
The Section 33 penalty matrix and how the Board moves from complaint to order — and how a documented programme becomes your defence.
We start with a fixed-scope applicability assessment: a clear yes or no on Section 3(b), your role, your SDF status, and the sized stack to close the gap. No office in India required.