
Ananya is the HR Manager of a mid-sized manufacturing firm in Pune. Three hundred employees. Payroll processed through a popular SaaS platform. Everything automated, everything on time.
One afternoon, a data privacy consultant visits for a routine review. She asks Ananya a simple question: “Where does your payroll platform store the data?”
Ananya checks the platform’s help documentation. Then its terms of service. Then calls their support line.
The answer comes back: servers in Singapore.
The salary details, bank account numbers, PAN numbers, and attendance records of all three hundred employees — sitting on servers outside India. No one in the organisation knew. No one had reviewed the contract for a data storage clause. No one had asked.
Why geography matters under DPDP
The Puttaswamy judgment acknowledges that data protection challenges are not limited to data localisation but have become extra-territorial — cross-border transfers of personal data raise complex regulatory questions that different jurisdictions are grappling with simultaneously.
The DPDP Act, 2023 addresses this directly. Section 16(1) empowers the Central Government to restrict the transfer of personal data by a Data Fiduciary for processing to such countries or territories outside India as may be notified. When those notifications are issued — and they will be, particularly for sensitive personal data categories — Ananya’s payroll platform will be non-compliant from that moment unless the firm has reviewed its architecture.
The Puttaswamy judgment further notes that every transaction on a digital platform is linked with some form of sensitive personal information — user IDs, account numbers, PAN numbers, biometric details. Payroll data falls precisely into this category. It is not a dataset that can sit in an unreviewed offshore location without governance.
The Data Processor contract problem
Beyond the cross-border question, there is a more immediate compliance issue. Section 8(2) of the DPDP Act requires a Data Fiduciary to engage a Data Processor only under a valid contract. That contract must — under Rule 6(1)(f) — include appropriate provisions for taking reasonable security safeguards.
Ananya’s firm signed up to the SaaS platform’s standard subscription agreement. That agreement almost certainly does not specify: the security standards to which the vendor holds itself, the encryption requirements for payroll personal data at rest and in transit, the access control and log retention requirements that Rule 6(1)(b) and (c) mandate, or the breach notification timeline that allows the firm to meet its 72-hour Board reporting obligation.
A standard SaaS subscription is not a DPDP-compliant Data Processor contract. The firm is processing employee personal data through a vendor with whom it has no contractual security obligations that meet the Act’s requirements. That is a compliance gap — and it exists for every SaaS tool in the firm’s technology stack.
The employees’ rights and what the firm cannot currently honour
Ananya’s three hundred employees are Data Principals under the DPDP Act. Each has the right under Section 11 to access a summary of their personal data being processed and the identities of all Data Processors with whom it has been shared. If an employee asks — which they are legally entitled to do — Ananya’s firm must disclose that their salary and bank account data is stored on servers in Singapore by a named SaaS vendor.
Each employee also has the right under Section 12 to request correction of inaccurate data and eventually erasure when employment ends. The firm must be able to give the SaaS vendor a contractually binding erasure instruction and receive confirmed deletion. Without a Data Processor contract that specifies this obligation, the erasure right cannot be practically honoured.
The practical steps Ananya’s firm needs to take — now
Review every SaaS and cloud platform in the technology stack that processes employee or customer personal data, and document where each platform stores data geographically.
Negotiate or obtain Data Processor Addendums from each vendor — specifying security safeguards, breach notification timelines, data residency commitments, and erasure procedures aligned with DPDP requirements.
Monitor the Central Government’s notifications under Section 16 for data localisation requirements — and build an architecture that can respond to those requirements without a full platform migration.
Build an employee-facing disclosure — accessible via the HR portal — that identifies the Data Processors used and the data shared with each, so that the right to access under Section 11 can be immediately satisfied.
The question every HR and operations leader must ask today
Do you know where every piece of employee personal data in your organisation is physically stored? If you do not — the DPDP Act requires you to find out, document it, govern it contractually, and be prepared to disclose it to every employee who asks.
The data did not leave India without anyone noticing. Someone noticed. Just not in time to prevent it, and not yet in time to govern it.
Series 2, Episode 2 — Post 2 of 3 | DPDP Meets Emerging Technologies
Sources: DPDP Act 2023 (Sections 8(1), 8(2), 11, 12, 16(1)) | DPDP Rules 2025 (Rules 6(1)(b)(c)(f)) | ICAI IS Audit 3.0 Course Materials | Justice K.S. Puttaswamy (Retd.) vs Union of India (2018)
Disclaimer
The contents of this post are intended for general awareness and informational purposes only. They do not constitute legal opinion, professional advice, consultancy, statutory interpretation, or a recommendation to act in any particular manner.
The Digital Personal Data Protection Act, 2023, related rules, notifications, regulatory guidance and judicial interpretations may evolve from time to time. The applicability of the law may also vary depending on the facts, sector, nature of data processing, organisational role, contractual terms and compliance framework.
Readers should not rely solely on this post for making legal, business, HR, technology, data-processing or compliance decisions. Specific advice from a qualified legal, privacy, cybersecurity, governance or compliance professional should be obtained before acting on any matter discussed.
The author / publisher shall not be responsible for any loss, liability, claim, penalty or consequence arising from reliance on the contents of this post without independent professional advice.
Authors:
This article has been co-authored by CA. Sunil Elayadath and CA. Karthik Narayanan S, Partners of Karthik & Sunil, together with Mr. Dhanesh P. K., Designated Partner, DSK Sustainability Tech.



