📖 Part 3 of 5

Contractual Safeguards & Standard Contractual Clauses

Contractual Safeguards Under DPDPA

Unlike the GDPR, which mandates SCCs or BCRs for transfers to non-adequate countries, the DPDPA does not impose contractual safeguards as a statutory obligation. Prudent practice nonetheless demands robust contracts for every cross-border transfer.

Why Contracts Matter Despite No Mandate

  • Compliance Evidence: Demonstrates due diligence to the Data Protection Board
  • Liability Management: Allocates responsibility for breaches
  • GDPR Alignment: If EU data is received, GDPR SCCs are required anyway
  • Client Expectations: Multinational clients expect contractual protections
  • Future-Proofing: The Rules may mandate contracts later

Data Processing Agreement (DPA) Essentials

Every cross-border transfer should be governed by a comprehensive DPA with these elements:

  • Scope & Purpose: Data categories, processing activities, purposes (DPDPA alignment: Section 8(3), purpose limitation)
  • Security Obligations: Technical measures, ISO certifications, encryption (DPDPA alignment: Section 8(5), reasonable security)
  • Sub-Processing: Prior approval, same obligations flowed down (DPDPA alignment: Section 8(2), Data Processor obligations)
  • Breach Notification: 72-hour notice, cooperation in reporting (DPDPA alignment: Section 8(6), breach notification)
  • Data Subject Rights: Assistance in responding to requests (DPDPA alignment: Sections 11-14, rights framework)
  • Deletion/Return: Obligations on contract termination (DPDPA alignment: Section 8(7), erasure obligations)
  • Audit Rights: Right to inspect, audit reports (Best practice; Rule 8 audit)

Standard Contractual Clauses: Global Models

EU SCCs (2021)

For transfers involving EU data to India, the EU's 2021 SCCs apply in four modules:

  • Module 1: Controller to Controller
  • Module 2: Controller to Processor (most common)
  • Module 3: Processor to Processor
  • Module 4: Processor to Controller

⚠️ Post-Schrems II Requirements

EU SCCs alone are insufficient. The exporter must also:

  • Conduct Transfer Impact Assessment (TIA)
  • Implement supplementary measures if needed
  • Assess destination country law impact
  • Document assessment and measures

India-Specific SCC Framework (Expected)

DPDP Rules may eventually prescribe India-specific SCCs. Until then, practitioners should:

  • Adapt EU SCCs for DPDPA compliance references
  • Include Indian law governing clause
  • Add DPB complaint submission clauses
  • Incorporate Section 8 obligations explicitly

💡 Sample India-Adapted SCC Clause

Clause X: Compliance with Indian Law

"The Data Importer agrees to process Personal Data in compliance with the Digital Personal Data Protection Act, 2023 as if it were a Data Processor under Section 8 thereof, including but not limited to obligations of purpose limitation (Section 8(3)), security safeguards (Section 8(5)), and breach notification (Section 8(6))."

Binding Corporate Rules (BCRs)

For multinational corporate groups, BCRs provide unified data protection standards across jurisdictions:

BCR Elements

  • Scope: Group entities covered
  • Processing Principles: Lawfulness, purpose limitation, data minimization
  • Data Subject Rights: Procedures for exercising rights
  • Security Standards: Uniform security requirements
  • Complaints Mechanism: Internal resolution procedures
  • Training: Staff awareness obligations
  • Audit: Compliance monitoring

BCR Approval Under DPDPA

The DPDPA has no BCR approval mechanism (unlike GDPR Article 47). Maintaining BCRs nevertheless provides:

  • Evidence of organizational commitment to compliance
  • Consistent standards for cross-border flows within group
  • Defense against allegations of inadequate safeguards

Negotiation Strategies

When You Represent the Exporter (Indian Entity)

  • Ensure robust indemnification for recipient breaches
  • Require recipient to maintain DPDPA-equivalent standards
  • Include audit rights and certification requirements
  • Mandate immediate breach notification
  • Require sub-processor approval process

When You Represent the Importer (Foreign Entity)

  • Clarify DPDPA applicability to foreign processors
  • Limit liability for Indian regulatory penalties
  • Define reasonable cooperation obligations
  • Ensure security standards are achievable
  • Address government access disclosure conflicts

Addressing CLOUD Act Conflicts

When contracting with US entities, address potential CLOUD Act conflicts:

Key Takeaways

🎯 Essential Points:

  • DPDPA doesn't mandate SCCs but contracts remain essential
  • Comprehensive DPAs should cover security, sub-processing, breach notification, rights assistance
  • EU SCCs apply for transfers involving EU data, and a TIA must be included
  • Adapt EU SCCs for Indian law references pending India-specific templates
  • BCRs valuable for multinational groups though no approval mechanism
  • Address CLOUD Act conflicts in US entity contracts
  • Negotiation strategy differs based on client position (exporter vs importer)