The year 2026 marks a decisive shift in how businesses should draft and negotiate commercial contracts. With new obligations under India's Digital Personal Data Protection Act and tighter cross-border compliance expectations, data clauses now sit at the center of dispute risk allocation.
What's changed in the regulatory landscape
The most significant development is the convergence of data protection obligations with contract law. Where previously a data processing addendum (DPA) was a boilerplate afterthought, it has become the fulcrum of negotiation in many commercial relationships — particularly in SaaS, fintech, and professional services sectors.
India's DPDP Act, with its implementing rules now notified and obligations phasing in through 2026, imposes explicit duties on "Data Fiduciaries" (the Act's term for data controllers) that engage "Data Processors" (third-party vendors). The Act places responsibility for compliance on the Fiduciary irrespective of any agreement with the processor, so every services contract under which personal data is processed must flow those duties down expressly; otherwise the Fiduciary carries the penalty exposure while holding no contractual recourse against the vendor.
A contract that fails to address data processing obligations is not merely incomplete; it leaves the Data Fiduciary carrying statutory liability for a vendor it cannot contractually control. Retrofitting compliance into a signed agreement is both costly and legally fraught.
Key contractual clauses that need updating
1. Data processing terms
Every services contract involving personal data now needs a clearly delineated data processing section or annexed DPA. This must specify:
- The categories of data being processed
- The purposes for which data is processed
- The duration of processing and data retention policy
- Obligations on the processor to assist with data subject requests
- The technical and organisational security safeguards the processor must maintain (the DPDP Rules contemplate measures such as encryption or masking, access control, logging and monitoring, and backups), together with audit or evidence rights so the Fiduciary can verify them rather than take them on trust
2. Sub-processing rights
Contracts must now expressly address whether your vendor can engage sub-processors, and if so, under what conditions. A blanket permission is insufficient in most jurisdictions: the processor should give advance notice of new sub-processors, impose equivalent data protection and security obligations on them in writing, and remain fully liable to you for their performance.
3. Breach notification timelines
The DPDP framework requires Data Fiduciaries to notify affected Data Principals and the Data Protection Board of a personal data breach without delay, with detailed particulars to be furnished to the Board within 72 hours. Your contracts with vendors must therefore require notification early enough for you to meet that timeline; 24 to 48 hours from the processor becoming aware of the incident is commonly negotiated. Define the trigger as awareness of a suspected breach, not confirmation after investigation, and require the processor to preserve logs and forensic evidence and to cooperate with the Fiduciary's investigation, since the Fiduciary will have to describe the breach's nature, extent and remediation in its report.
Cross-border data transfer clauses
India's DPDP Act permits transfer of personal data outside India except to countries or territories the central government restricts by notification; it does not itself prescribe standard contractual clauses. Any contract involving transfer of Indian personal data to overseas vendors should nonetheless identify the destination countries, require notice of changes to them, and flow the Fiduciary's obligations down to the overseas recipient, because the Fiduciary remains liable regardless of where processing takes place.
Similarly, the EU's GDPR continues to require EU SCCs or an equivalent transfer mechanism for data leaving the EEA, and the UK requires its own International Data Transfer Agreement or the UK Addendum to the EU SCCs. With post-Brexit UK divergence accelerating, multi-jurisdictional contracts require particular care to ensure each transfer leg has a valid mechanism.
Practical recommendations for general counsel
- Audit your contract portfolio — identify all agreements where personal data flows to third parties and flag those lacking adequate data processing terms.
- Standardise your DPA template — create a baseline DPA that meets DPDP, GDPR, and other relevant regime requirements, reducing negotiation time while ensuring compliance.
- Update indemnity provisions: regulatory penalties under the DPDP Act can reach ₹250 crore per instance for a failure to take reasonable security safeguards. Your indemnity clauses should expressly cover regulatory penalties and breach-response costs arising from a counterparty's non-compliance, and liability caps should be checked so they do not silently exclude that exposure.
- Train commercial teams — data obligations are no longer solely the domain of the legal team. Sales, procurement, and operations need to understand when to escalate for legal review.
The window for reactive compliance is closing. Businesses that treat data obligations as a boilerplate issue are now exposed to regulatory action, contractual indemnity claims, and avoidable litigation.
RDS Legal Co advises clients across India from its Pune office, including in proceedings before courts and tribunals where contract and data disputes are contested. We also coordinate with UK partner firms on cross-border mandates requiring aligned drafting and enforcement strategy.