CROSS-BORDER DATA TRANSFER AGREEMENT

This Cross-Border Data Transfer Agreement ("Agreement") is entered into as of [Insert Date] ("Effective Date") by and between:

• [Data Exporter Name], a company incorporated under the laws of India, having its registered office at [Insert Address], hereinafter referred to as the "Data Exporter"; and
• [Data Importer Name], a company incorporated under the laws of [Insert Country], having its registered office at [Insert Address], hereinafter referred to as the "Data Importer."

RECITALS

WHEREAS:

1. The Data Exporter intends to transfer certain personal data to the Data Importer located outside India for the purposes of [Insert Purpose];
2. The Parties acknowledge the requirements of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), including its provisions on cross-border data transfers, and are committed to ensuring compliance with applicable laws;
3. This Agreement sets forth the terms and conditions under which personal data will be lawfully transferred and processed.

TERMS AND CONDITIONS

1. DEFINITIONS

1.1 "Personal Data": Any data about an individual transferred under this Agreement, as defined under the DPDP Act.

1.2 "Processing": Any operation performed on Personal Data, as defined under the DPDP Act.

1.3 "Notified Countries": Countries notified by the Central Government under Section 16(1) of the DPDP Act, where transfer of personal data may be restricted or prohibited.

1.4 "Applicable Laws": The laws of India, including the DPDP Act, and relevant regulations governing cross-border data transfers.

2. SCOPE AND PURPOSE

2.1 Categories of Personal Data to be transferred: [Insert categories].

2.2 Purpose of transfer: [Insert purpose].

3. OBLIGATIONS OF THE DATA IMPORTER

3.1 Compliance: Process Personal Data in accordance with the DPDP Act and this Agreement.

3.2 Data Security: Implement technical and organizational measures, including:

• Encryption during transfer and storage;
• Access control mechanisms;
• Regular security audits.

3.3 Further Transfers: Prohibited without written consent from the Data Exporter.

3.4 Breach Notification: Notify the Data Exporter of data breaches within [Insert Timeframe, e.g., 24 hours].

3.5 Sub-Processors: Obtain prior written consent for any sub-processors and ensure their compliance.

3.6 Grievance Redressal Mechanism: Establish a mechanism to address data subject complaints promptly.

4. OBLIGATIONS OF THE DATA EXPORTER

4.1 Ensure legal basis for transferring Personal Data.

4.2 Provide lawful instructions for data processing.

4.3 Audit the Data Importer's compliance with reasonable notice.

5. CROSS-BORDER DATA TRANSFER REQUIREMENTS

5.1 Compliance: Ensure compliance with Sections 16 and 17 of the DPDP Act.

5.2 Safeguards: Implement Standard Contractual Clauses (SCCs) and conduct risk assessments.

5.3 Localization: Comply with any localization requirements for specific data categories.

6. DATA SUBJECT RIGHTS

6.1 Facilitate data subject rights, including access, correction, and deletion of Personal Data.

6.2 Assist the Data Exporter in addressing data subject requests.

6.3 Maintain records of consent and provide withdrawal mechanisms.

7. INDEMNITY AND LIABILITY

7.1 Data Importer indemnifies the Data Exporter for non-compliance damages.

7.2 Liability limitations exclude cases of gross negligence or willful misconduct.

7.3 Liability Cap: [Insert Amount].

8. TERM AND TERMINATION

8.1 Effective from the date of execution and remains in effect until terminated with [Insert Notice Period].

8.2 Upon termination, the Data Importer must return or securely delete all Personal Data.

9. GOVERNING LAW AND DISPUTE RESOLUTION

9.1 Governed by Indian laws, including the DPDP Act, 2023.

9.2 Disputes resolved via arbitration in [Insert Location] under the Arbitration and Conciliation Act, 1996.

10. MISCELLANEOUS

10.1 Amendments only through written agreement.

10.2 Entire agreement governing cross-border data transfers.

10.3 Notices sent to addresses provided above.