Cross-border data transfer affects all organizations that engage online IT services, cloud-based services, remote access services and global HR databases.
Transferring sensitive personal data or information (SPDI) inside and outside of India is allowed only when the entity receiving the SPDI maintains the same level of protection that the body corporate (i.e. the employer, in the context of HR) adheres to under the Information Technology Rules, 2011 on Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (“Privacy Rules”).
In addition, SPDI can only be transferred with the consent of the information provider (i.e. the employee or other data subject), unless the transfer is necessary for the company to perform its obligations under a contract with the information provider. That said, note that if parties agree on what constitutes reasonable security practices/procedures, the parties can agree to exclude the applicability of the Privacy Rules.
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Sensitive personal information should only be transferred inside and outside India when the receiving entity follows the same level of protection required under the Data Protection Rules (except when the parties have come to an agreement that includes security practices/procedures and excludes the applicability of consent for data transfers under the Privacy Rules).