
IT Staffing Agency Workforce Monitoring in India: DPDP + GDPR Dual-Compliance Guide (2026)

Do DPDP and GDPR both apply when an IT staffing agency monitors consultants in India? Yes, potentially both — simultaneously and independently. Under DPDP Act 2023, an IT staffing agency is a data fiduciary for any consultant whose personal data it processes in India, regardless of where that consultant is deployed. When the consultant is assigned to an EU-based client and monitoring data flows to the EU, GDPR may additionally govern that processing — the EU client typically becomes a GDPR controller, and the India agency a processor or joint controller depending on who determines the monitoring scope. The result is a dual-obligation structure that neither regulator has formally addressed together: you must satisfy DPDP consent and notice requirements in India and GDPR sub-processing or controller obligations for the EU side. No single monitoring tool automatically covers both. Verify your specific structure and obligations with qualified data protection and employment counsel before deploying workforce monitoring. This is general information, not legal advice.

Three figures IT staffing leadership needs for this decision — verify current data with respective sources
  • ~5.4 million professionals employed in India’s IT-BPM sector as of FY2026, with a significant proportion working through staffing and contract-to-hire arrangements (NASSCOM FY2026 Annual Report — verify current figures at nasscom.in). Every agency placing consultants with GDPR-obligated EU clients faces the dual-regulation question this guide addresses.
  • Up to ₹250 crore per instance — the statutory maximum financial penalty under DPDP Act 2023 Section 33(1) for significant personal data breach violations (verify with counsel; enforcement amounts and timelines are subject to Data Protection Board guidance and orders, which are expected to be notified separately from the Act itself).
  • Up to €20 million or 4% of global annual turnover — the GDPR Article 83(5) maximum penalty for the most serious violations (verify with data protection counsel; GDPR enforcement for India-based processors is carried out by EU member-state supervisory authorities against the EU client-controller, but processor liability exposure exists under GDPR Article 82).

The IT staffing sector in India has a compliance gap that most agencies don’t discover until a client due-diligence questionnaire surfaces it: monitoring a consultant working for an EU client from India puts you inside two regulatory frameworks at once. DPDP Act 2023 governs the India side. GDPR governs the EU side. Neither framework gives clear joint guidance for staffing arrangements. This guide maps the obligations, the ownership question, and what your tool stack needs to cover both.

Why IT staffing agencies face a different compliance problem than direct employers

When a technology company hires an employee directly, the compliance question is relatively contained: one employer, one jurisdiction, one set of monitoring obligations. IT staffing agencies operate differently. The agency employs the consultant on its payroll; the client company directs the consultant’s work; the monitoring data may be collected by the agency, the client, or both; and the data may flow across borders depending on where the client’s systems are hosted.

This tripartite structure — agency, consultant, client — creates three compliance friction points that a direct employer does not face:

  • Who is the data fiduciary / controller? The entity that determines the purpose and means of monitoring is the primary data fiduciary under DPDP and the data controller under GDPR. In staffing arrangements, this is not always the agency. If the EU client specifies what monitoring tool to use and what data to collect, the client may be the primary controller; the India agency may be a processor or sub-processor.
  • Which framework governs which data flow? DPDP governs personal data processed by the India entity (the agency). GDPR governs personal data processed by EU entities (the client). When the monitoring platform is hosted in the EU, or monitoring data is transmitted to the client’s EU systems, GDPR’s reach extends to that data regardless of where the consultant physically works.
  • Whose consent notice covers what? The consultant needs a DPDP privacy notice from the India data fiduciary (typically the agency or co-fiduciary with client). If the client also processes monitoring data under GDPR, the consultant may need a separate GDPR-compliant notice from the EU controller. Many agencies issue a single onboarding notice that covers neither regime adequately.

These are structural differences, not edge cases. Any India IT staffing agency with EU-client placements must resolve them. The starting point is determining the data-flow architecture for every engagement type in your portfolio.

DPDP Act 2023: what applies to the India staffing agency

DPDP Act 2023 applies to an IT staffing agency whenever it processes the digital personal data of a consultant or contractor in India. “Processing” under DPDP is broad: it includes collection, storage, use, sharing, and transmission. Monitoring a consultant’s work output, application usage, attendance, or project activity constitutes processing of their personal data. The agency’s obligations as a data fiduciary include:

Privacy notice (Section 5)

Before collecting monitoring data, the agency must provide a clear notice to the consultant explaining: (a) what personal data is being collected; (b) the purpose of collection; (c) how long the data will be retained; (d) the identity of the data fiduciary and any data processors who will handle the data; (e) how the consultant can exercise their Data Principal rights; and (f) how they can withdraw consent. This notice must be in plain language and made available in English or the consultant’s preferred language if specified.

Consent (Section 6)

Consent must be specific to each monitoring purpose, freely given (not bundled into general employment terms as a take-it-or-leave-it condition without clear opt-out), and as easy to withdraw as to give. For staffing agencies, this creates a practical requirement: if the client instructs the agency to add a new monitoring tool mid-engagement, the consultant must receive a new or updated notice and fresh consent for that specific tool before monitoring begins. Retroactive consent is not valid under DPDP.

Data Principal rights (Chapter II)

Consultants placed through the agency are Data Principals with the rights to: access summaries of their monitoring data, request correction of inaccurate data, request erasure of data no longer needed for the stated purpose, and nominate a successor to exercise their data rights. The agency must have a mechanism to receive and respond to these requests within the timelines expected under DPDP — specific statutory timelines are subject to Rules notification; verify with counsel. Monitoring data collected on behalf of a client complicates this: when a consultant requests access to monitoring data held by the client, the agency must coordinate with the client to respond.

Grievance mechanism (Section 13)

The agency must designate a grievance officer to receive and resolve complaints about the processing of consultants’ personal data. The officer’s contact details must be made available to consultants before or at the time monitoring begins.

Data retention and security

Monitoring data should be retained only as long as necessary for the stated purpose. DPDP requires reasonable security safeguards. For staffing agencies, engagement end-dates create a specific challenge: when a consultant completes a placement, their monitoring data should be subject to a documented retention and deletion schedule, not indefinitely stored in an agency’s HRMS.

For a detailed breakdown of DPDP obligations by data type and processing activity, see the DPDP Act India workforce monitoring buyer guide and the NASSCOM DPDP vendor assessment checklist for India IT services.

GDPR: when it applies to India staffing agencies and what it requires

GDPR applies when personal data of EU residents is processed, or when a controller or processor — regardless of location — targets EU residents or monitors their behaviour within the EU (GDPR Article 3). For India IT staffing agencies, GDPR becomes relevant in three scenarios:

  • Consultant placed in the EU: If the consultant physically relocates to an EU country for a placement, they become a data subject under GDPR for any monitoring that occurs during that placement. The India agency processing their monitoring data is subject to GDPR.
  • Monitoring data processed by an EU client: Even if the consultant works from India, the EU client’s receipt of monitoring reports, dashboard access, or productivity data constitutes processing under GDPR. The EU client is a GDPR controller for data it receives. If the India agency provides the monitoring platform, it may be a GDPR processor in that data flow.
  • Monitoring platform hosted in the EU: If the monitoring tool itself is hosted on EU infrastructure (or a GDPR-obligated tool with EU data centres), the processing within that tool is subject to GDPR data processor obligations regardless of where the consultant works.

When GDPR applies, the India staffing agency’s obligations depend on its role:

  • As a GDPR processor: The agency must sign a data processing agreement (DPA) with the EU controller (the client) under GDPR Article 28, covering processing purposes, data categories, security measures, sub-processor restrictions, and breach notification obligations. The agency can only process data as instructed by the EU controller.
  • As a GDPR controller or joint controller: If the agency determines the purpose and means of monitoring independently, it bears full GDPR controller obligations: lawful basis (Article 6), transparency, data subject rights, retention, cross-border transfer compliance (Chapter V), and Data Protection Impact Assessment (DPIA) for high-risk processing.

For the GDPR compliance obligations that India IT exporters commonly face in their monitoring stack, see the GDPR employee monitoring compliance checklist for India IT exporters (2026).

The dual-reg compliance gap: what neither framework resolves on its own

DPDP and GDPR were designed independently. They share conceptual similarities — consent, purpose limitation, data minimisation, rights of data subjects — but they differ in important operational details that matter for staffing agencies:

| Requirement | DPDP Act 2023 (India) | GDPR (EU) | Staffing agency impact |
|---|---|---|---|
| Lawful basis for monitoring | Consent (Sections 5–6) or legitimate use (Section 4) — specific obligations subject to Rules notification; verify with counsel | Consent (Art. 6(1)(a)), legitimate interests (Art. 6(1)(f)), or contractual necessity (Art. 6(1)(b)) — employment monitoring on legitimate interests requires a balancing test | The agency may need a different lawful basis under each framework for the same monitoring activity. Consent under DPDP does not substitute for a GDPR lawful basis. |
| Notice to monitored person | DPDP Section 5 notice before or at collection, in plain language, specifying purpose, retention, rights, grievance contact | GDPR Articles 13–14 transparency notice; must include legal basis, data controller identity, retention periods, data subject rights, DPO contact if applicable | Two separate notices or one combined notice must cover all required elements of both frameworks. A single onboarding notice drafted for one framework typically does not satisfy the other. |
| Data residency / cross-border transfer | Cross-border transfer restrictions subject to Rules notification (not yet fully notified as of Jun 2026); India data residency is the safe default for DPDP personal data | Chapter V: transfers outside the EEA require an adequacy decision, SCCs, binding corporate rules, or other Art. 46 transfer mechanisms. India does not have EU adequacy as of Jun 2026. | Monitoring data transferred from EU-side systems to India requires a GDPR transfer mechanism (typically SCCs). Monitoring data in India sent to the EU client requires India-side analysis of DPDP cross-border rules. |
| Data subject / Data Principal rights | Access, correction, erasure, nomination. Response timelines subject to Rules notification; verify with counsel. | Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21). Response within 30 days generally (Art. 12). | A consultant may exercise rights under DPDP with the India agency and under GDPR with the EU controller for the same underlying data. The agency must coordinate responses across both obligations. |
| Sub-processor / data processor controls | DPDP addresses data processors under Section 8(2); a data processor may not process beyond what the data fiduciary instructs | GDPR Article 28: detailed written DPA required; processor must notify controller of sub-processors; controller authorisation required for sub-processor changes | If the agency uses a third-party monitoring tool (e.g., gStride), the tool is a DPDP data processor and may be a GDPR sub-processor. Written agreements covering both frameworks are required. |
| Breach notification | Breach notification obligations subject to Rules notification; expected to apply to significant breaches; verify timelines with counsel | GDPR Article 33: notify the supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals. Article 34: notify individuals if high risk. | A breach of monitoring data triggers dual notification obligations. The India agency must comply with DPDP breach rules and notify the EU controller so the controller can comply with GDPR Article 33. |
| Impact assessment | DPDP does not currently mandate a formal DPIA equivalent; conducting one is advisable for high-risk processing as best practice | GDPR Article 35: DPIA mandatory for high-risk processing, including systematic monitoring of employees. Monitoring of consultants likely triggers the DPIA requirement for EU controllers. | EU clients deploying monitoring to India-based consultants should complete a GDPR DPIA. The India agency should support this by providing data processing documentation. |

This table reflects the frameworks as of June 2026. DPDP Rules are in the process of notification; specific obligations may change as Rules are issued. Verify current obligations with qualified data protection counsel before acting on this comparison.

The controller / data fiduciary question: resolve it before monitoring begins

The single most important question for any IT staffing arrangement with monitoring is: who controls the monitoring? The answer determines which framework obligations fall on which party — and which party is liable for compliance failures.

Four arrangement types cover most IT staffing scenarios:

Type 1: Agency-controlled monitoring (agency is the data fiduciary / controller)

The agency independently deploys a monitoring tool, defines what is tracked, and provides reports to the client. The agency is the data fiduciary under DPDP. If the monitoring is accessed by the EU client, the agency may also be a GDPR controller for that data. The agency’s obligations are the heaviest in this model: full DPDP fiduciary compliance + potential GDPR controller obligations. The agency must issue the DPDP Section 5 notice, collect consent, maintain the Data Principal rights portal, and — if GDPR applies — establish the GDPR lawful basis and enter a Data Sharing Agreement with the EU client.

Type 2: Client-directed monitoring (client is the controller; agency is the processor)

The client specifies which monitoring tool to use, what to track, and how reports are generated. The India staffing agency installs or operates the tool on behalf of the client. The client is the primary data fiduciary under DPDP (for India-side processing under their direction) and the GDPR controller (for EU-side data). The India agency is a DPDP data processor and a GDPR processor. The agency must sign a data processing agreement with the client under both frameworks, comply with the client’s monitoring instructions, and not process data beyond what is instructed. The consent notice should be issued by the client as controller, not the agency as processor — but the agency may be responsible for distributing it to consultants.

Type 3: Joint determination (agency and client are joint data fiduciaries / controllers)

The agency and client jointly determine the monitoring scope, tool selection, and purpose. This is the most complex model and creates joint liability under both frameworks. Both parties are jointly responsible for DPDP fiduciary obligations and GDPR controller obligations. A joint controller agreement (GDPR Article 26) and a documented joint data fiduciary arrangement should govern the relationship. The consultant must be informed of both parties’ identities and which party handles each rights-request category.

Type 4: Consultant self-monitoring (neither agency nor client is the data fiduciary for monitoring data)

The consultant uses their own productivity tools and shares aggregated, self-selected data with the client. This model reduces the agency’s DPDP and GDPR obligations significantly — but only if the agency truly does not access, store, or process the underlying monitoring data. If the agency periodically pulls reports, stores them in its HRMS, or uses them for performance reviews, the agency becomes a data fiduciary/controller regardless of the arrangement’s label.

The type of arrangement determines every compliance decision downstream: notice language, consent trigger, rights-request routing, breach notification chain, and data processing agreement structure. It must be resolved in writing in the engagement contract before deployment, not after a data subject request arrives.

What the monitoring tool stack must provide for dual-reg compliance

Regardless of the arrangement type, the monitoring tool deployed in a dual-reg IT staffing engagement must support specific technical and compliance features to avoid creating a compliance gap by design:

  • India data residency: Monitoring data for India-based consultants must be processable in India under DPDP’s anticipated localisation requirements. Tools that host all data in the US or EU by default create a DPDP cross-border transfer risk before any data is even shared with the client.
  • DPDP consent workflow: The tool must support issuing a configurable DPDP Section 5 notice to each consultant individually and recording their consent (or revocation) per processing purpose. “Onboarding agreement” bundled consent does not satisfy DPDP’s specificity requirement.
  • GDPR sub-processing documentation: If the monitoring tool processes EU-relevant data, the tool vendor must provide a GDPR-compliant Data Processing Agreement (Article 28), Standard Contractual Clauses for transfers if applicable, and sub-processor transparency. Verify current GDPR documentation with the tool vendor before signing an enterprise contract.
  • Data Principal rights portal: Consultants must be able to submit access, correction, and erasure requests against their monitoring data. The tool should route these requests to the correct party — agency or client — based on who is the data fiduciary for the request category.
  • Audit trail: A tamper-evident log of what monitoring data was collected, when, and who accessed it supports both DPDP regulatory demonstration and GDPR accountability principle compliance. This log is the evidence layer if either regulator opens an inquiry.
  • Output-signal design (DPDP data minimisation): DPDP Section 4(1)(b) requires data minimisation — collecting only data necessary for the stated purpose. Monitoring tools that collect keystrokes, screenshots, and application metadata for all work hours create a larger DPDP exposure than tools that measure deliverable outcomes (tasks completed, repository activity, ticket closure rate). For IT staffing, where the outcome — billable deliverables — is what clients pay for, outcome-signal monitoring is both more defensible under DPDP and more aligned with the commercial purpose of the engagement.
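A minimal implementation of three of the features above, added here as an example and not gStride's or any vendor's code: a per-purpose consent ledger with a hash-chained audit trail, a consent gate that refuses collection for any purpose without a recorded grant (so a signal added mid-engagement pauses until fresh consent is logged, and withdrawal stops it), and rights-request routing by arrangement type. Purpose names, the consultant id, notice versions and timestamps are constructed sample data.

```python
"""Constructed example (not gStride's code, not a regulator's reference design):
a per-purpose consent ledger with a tamper-evident hash chain, a consent gate in
front of the collector, and rights-request routing by arrangement type."""
import hashlib
import json
from dataclasses import dataclass
from enum import Enum


class Arrangement(Enum):
    AGENCY_CONTROLLED = "agency"  # Type 1: agency is fiduciary/controller
    CLIENT_DIRECTED = "client"    # Type 2: client controls, agency is processor
    JOINT = "joint"               # Type 3: joint fiduciaries/controllers


@dataclass
class LedgerEntry:
    seq: int
    ts: str
    consultant: str
    purpose: str
    action: str           # "grant", "withdraw", "collect" or "refused"
    notice_version: str
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only: each entry commits to the previous hash, so editing or deleting any record breaks verify_chain()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, ts, consultant, purpose, action, notice_version="") -> LedgerEntry:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        e = LedgerEntry(len(self.entries), ts, consultant, purpose, action, notice_version, prev)
        e.hash = e.compute_hash()
        self.entries.append(e)
        return e

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True

    def has_consent(self, consultant: str, purpose: str) -> bool:
        """Per purpose: only grant/withdraw events for exactly this purpose count, so consent to one signal never covers another."""
        state = False
        for e in self.entries:
            if e.consultant == consultant and e.purpose == purpose and e.action in ("grant", "withdraw"):
                state = e.action == "grant"
        return state


def collect(ledger: ConsentLedger, ts: str, consultant: str, purpose: str) -> bool:
    """Consent gate in front of the collector; refusals are logged so the trail shows monitoring paused."""
    if not ledger.has_consent(consultant, purpose):
        ledger.append(ts, consultant, purpose, "refused")
        return False
    ledger.append(ts, consultant, purpose, "collect")  # the signal value itself would be stored here
    return True


def route_rights_request(arrangement: Arrangement, data_held_by: str) -> str:
    """Type 1: agency answers; Type 2: client answers (agency forwards); Type 3: whichever party holds the data."""
    if arrangement is Arrangement.AGENCY_CONTROLLED:
        return "agency"
    if arrangement is Arrangement.CLIENT_DIRECTED:
        return "client"
    return data_held_by


def demo() -> dict:
    """Constructed walk-through: a new signal is refused until fresh consent is recorded; withdrawal stops collection."""
    led = ConsentLedger()
    led.append("2026-01-05T09:00Z", "c-1042", "ticket_closure_rate", "grant", "notice-v1")
    r = {"tickets_ok": collect(led, "2026-01-06T10:00Z", "c-1042", "ticket_closure_rate")}
    r["commits_before_consent"] = collect(led, "2026-02-01T10:00Z", "c-1042", "repo_commit_activity")
    led.append("2026-02-02T09:00Z", "c-1042", "repo_commit_activity", "grant", "notice-v2")
    r["commits_after_consent"] = collect(led, "2026-02-03T10:00Z", "c-1042", "repo_commit_activity")
    led.append("2026-03-01T09:00Z", "c-1042", "ticket_closure_rate", "withdraw", "notice-v1")
    r["tickets_after_withdraw"] = collect(led, "2026-03-02T10:00Z", "c-1042", "ticket_closure_rate")
    r["chain_intact"] = led.verify_chain()
    led.entries[0].action = "withdraw"  # simulate someone rewriting the original grant
    r["chain_after_tamper"] = led.verify_chain()
    return r
```

Running `demo()` shows the collector returning False for the unconsented commit signal and for tickets after withdrawal, and `verify_chain()` flipping to False once a past entry is altered.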

GCCs with dual DPDP and GDPR obligations face a structurally similar challenge. See the GCC India employee monitoring DPDP compliance 2026 guide for how GCCs in the IT sector manage dual-framework monitoring. For the significant data fiduciary question — which IT staffing agencies may become if they process large volumes of consultant personal data — see the DPDP significant data fiduciary workplace monitoring guide.

How gStride handles dual-reg monitoring for IT staffing arrangements

gStride is designed as an outcome-signal intelligence platform, not a surveillance tool. For IT staffing agencies, this design choice has direct compliance implications:

  • India data residency by default: gStride’s primary deployment is on India cloud infrastructure. Monitoring data for India-based consultants is processed and stored in India, reducing DPDP cross-border transfer risk as localisation rules are notified.
  • DPDP consent workflow built in: The agency or client (depending on the arrangement type) issues a DPDP Section 5 notice through gStride’s employee portal. Each consultant reviews and acknowledges consent for specific monitoring purposes. Consent records are timestamped and stored in a consent ledger that is exportable for DPDP regulatory demonstration or client due diligence.
  • GDPR sub-processing documentation available: gStride provides a GDPR Article 28 Data Processing Agreement covering data categories, processing purposes, security measures, and sub-processor disclosure. For EU-client engagements, this documentation is available for review by the EU client’s DPO before the monitoring agreement is signed. Verify current GDPR documentation with gStride before relying on it for a specific engagement.
  • Data Principal rights portal: Consultants can submit access, correction, erasure, and nomination requests through gStride’s employee-facing interface. Requests are routed to the configured data fiduciary (agency or client) with statutory timeline tracking.
  • Outcome signals, not surveillance: gStride scores deliverable velocity, project task completion, repository commits, and calendar participation — the signals that map to billable output. No keystrokes, no screenshots, no always-on activity monitoring. For DPDP data minimisation analysis, this is a low-exposure monitoring model for the deliverable-focused IT staffing context.
  • Audit trail: gStride generates a tamper-evident processing activity log covering what data was collected, when, on what basis, and who accessed it. This log satisfies the DPDP accountability expectation and supports GDPR accountability principle compliance for the EU-client data flow.

For the dual-reg scorecard criteria that enterprise IT and BFSI clients use when evaluating a staffing agency’s monitoring stack, use the DPDP Vendor Comparison Scorecard to score your current tool against 12 DPDP criteria before client due diligence surfaces the gaps.

Practical steps for IT staffing agencies starting dual-reg compliance

A phased approach works better than attempting full dual-reg compliance in one go. The sequence for a typical India IT staffing agency with mixed India-only and EU-client placements:

| Phase | Action | Owner | Priority |
|---|---|---|---|
| Phase 1 — Data flow audit (1–2 weeks) | Map every current engagement type: which clients are EU-based, which monitoring tools are deployed, who instructs the monitoring (agency or client), where monitoring data is hosted, and who receives reports. Output: a data-flow register covering all active placements. | IT + Legal | Must-do first — all subsequent decisions depend on the data-flow map |
| Phase 2 — Role determination (1 week) | For each engagement type identified in Phase 1, determine the data fiduciary/controller role: agency-controlled, client-directed, or joint. Update engagement contract templates to reflect the determined role and include data processing agreement clauses (DPDP Section 8 + GDPR Article 28). | Legal + Business Development | Resolve before any new engagement is signed |
| Phase 3 — Notice and consent deployment (1–2 weeks) | For all active placements where the agency is the data fiduciary: issue DPDP Section 5 compliant notices to all consultants currently being monitored. Collect and record consent. For EU-placed consultants: confirm the EU client has issued or will issue a GDPR Article 13/14 notice. Update onboarding templates for all new placements. | HR + Legal | Required for active placements — retroactive consent is not valid; if monitoring has begun without notice, pause monitoring, issue notice, collect consent, then resume |
| Phase 4 — Tool stack compliance verification (2 weeks) | For each monitoring tool in the stack: verify India data residency documentation, DPDP consent workflow availability, GDPR Article 28 DPA availability, Data Principal rights portal, and audit trail. Tools without adequate documentation should be replaced or supplemented. | IT + Procurement | Do alongside Phase 3 — tool gaps affect notice language (you can only disclose what the tool actually does) |
| Phase 5 — Data Principal rights process (1 week) | Establish a documented response process for DPDP access, correction, erasure, and nomination requests from consultants. Designate a grievance officer per DPDP Section 13. For EU placements, confirm the GDPR data subject rights response process is linked to the EU client’s process for the data the client holds. | HR + Legal | Required before the Phase 3 notice is issued — the notice must include the rights-request contact |

Score your monitoring tool stack against 12 DPDP criteria — free

The DPDP Vendor Comparison Scorecard is the fastest way to identify compliance gaps in your current monitoring tool before a client due-diligence questionnaire does it for you. It maps any monitoring or analytics tool against 12 DPDP-specific criteria: consent ledger, India data residency, DPDP Section 5 notice, Data Principal rights portal, grievance mechanism, audit trail, breach notification SLA, EU AI Act readiness, data minimisation, sub-processor transparency, and two more. For IT staffing agencies serving both India and EU clients, score your tool against both the DPDP scorecard and the EU AI Act vendor scorecard — both are free. PDF with 8-vendor pre-scored matrix is email-gated.


Also: the Switch Cost Estimator calculates the cost of moving from your current monitoring tool to a DPDP + GDPR dual-compliant platform, based on your placement headcount and stack configuration.

Frequently asked questions

Do DPDP Act 2023 and GDPR both apply to an IT staffing agency monitoring consultants placed with EU clients?

Yes, potentially both simultaneously. DPDP applies to any processing of consultant personal data by the India entity. GDPR applies when monitoring data flows to an EU-based client or is processed within an EU system. The exact obligations depend on who controls the monitoring (agency or client) and the data flow architecture. Neither regulator has issued joint guidance for staffing arrangements. Verify your structure with qualified data protection counsel.

What consent must an IT staffing agency obtain before monitoring a consultant under DPDP Act 2023?

The agency must provide a DPDP Section 5 notice before or at the time of data collection, specifying what is monitored, the purpose, the retention period, and how rights can be exercised. Consent must be specific to each monitoring purpose, freely given, and revocable. For contract-to-hire (C2H) and fixed-term contract (FTC) arrangements, who bears the data fiduciary consent obligation depends on who controls the monitoring purpose — resolve this in the engagement contract. Verify with counsel.

Can monitoring data about India-based IT consultants be stored outside India?

DPDP cross-border transfer restrictions are expected under Section 16, though the full permitted-countries notification has not been issued as of June 2026. The safe default is India data residency for all DPDP-subject personal data. If monitoring data is routed through a global HRMS or an EU-client system, assess DPDP transfer obligations as Rules are notified. For GDPR, any transfer of consultant monitoring data from EU to India requires a valid GDPR transfer mechanism. Verify both with data protection counsel.

Who is the data controller for a consultant’s monitoring data — the staffing agency or the client company?

It depends on who determines the purpose and means of monitoring. If the agency deploys the tool independently and defines what is tracked, the agency is likely the data fiduciary/controller. If the client specifies the tool and monitoring scope, the client is likely the primary controller and the agency a processor. Joint determination creates joint controller/joint fiduciary obligations. This must be resolved in the engagement contract before any monitoring begins — verify with counsel.

How can an IT staffing agency demonstrate dual DPDP and GDPR compliance to enterprise clients?

The four documents enterprise clients most commonly request: (1) a DPDP data processing agreement covering the staffing arrangement, data categories, and India data residency; (2) a GDPR Article 28 sub-processing agreement with Standard Contractual Clauses for EU data flows; (3) a DPDP Section 5 notice template for consultants, with evidence of consent collection; (4) a documented Data Principal rights response process. The DPDP Vendor Comparison Scorecard covers the tool-level criteria that clients audit when evaluating a staffing agency’s monitoring stack.

Related reading

  • Score your vendor against 12 DPDP criteria — free: The DPDP Vendor Comparison Scorecard scores your monitoring tool and 7 alternatives against consent ledger, data residency, audit log, breach-notification SLA, and 8 more DPDP criteria in under 5 minutes. Free to score — email-gate only at the full PDF + 8-vendor pre-scored matrix.
  • Book a 30-min dual-reg compliance review

Disclaimer: This article is general information, not legal advice. DPDP Act 2023 obligations, Rules notifications, consent requirements, Data Principal rights timelines, enforcement posture, and applicable Rules are subject to Data Protection Board guidance and orders expected to be notified separately from the Act. GDPR obligations and their application to India-based entities are subject to EU supervisory authority guidance and may vary by jurisdiction, processing activity, and engagement structure. Nothing in this guide constitutes a compliance assessment or legal opinion applicable to any specific staffing arrangement. Verify all DPDP and GDPR obligations with qualified data protection and employment counsel before deploying workforce monitoring in IT staffing arrangements.