Last review date: 20 December 2024

☒  applies to organizations located in the jurisdiction

☒  applies to organizations located outside of the jurisdiction offering goods or services to data subjects in the jurisdiction

The DPDP Act extends to the whole of India and also has extra-territorial applicability. The DPDP Act applies to the processing of digital personal data outside India, if the processing pertains to any activity related to the offering of goods and services to data subjects (referred to as data principals) within the territory of India. Therefore, the DPDP Act applies to entities located in jurisdictions outside India so long as the processing is in connection with the services offered in India.

Separately, the IT Act extends to the whole of India and also has extra-territorial applicability in certain cases. As per Section 75, the provisions of the IT Act extend to any offense or contravention committed outside India by any person, irrespective of their nationality, if the act or conduct constituting the offense or contravention involves a computer or computer system located in India. Therefore, in the context of data protection, the provisions of the IT Act and Privacy Rules would apply if the collection or processing of personal information or sensitive personal information involves a computer or computer system located in India.