Expanding into India is an attractive opportunity for foreign companies due to its growing economy and business-friendly reforms. However, the process of company incorporation involves multiple regulatory steps, including compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), which introduces new obligations related to data protection.
This guide outlines the standard procedure for setting up a company in India and highlights the additional steps foreign businesses must take to comply with the DPDP Act.
Step 1: Choose the Business Structure
Foreign companies must first decide on the appropriate business structure. The most common options include:
- Wholly Owned Subsidiary (for sectors where 100% Foreign Direct Investment (FDI) is allowed).
- Joint Venture (JV) (if partnering with an Indian company).
- Branch Office (BO), Liaison Office (LO), or Project Office (PO) (approval required from the Reserve Bank of India (RBI)).
- Limited Liability Partnership (LLP) (only allowed in sectors where 100% FDI is permitted).
A Private Limited Company (Pvt Ltd) is the most preferred structure due to limited liability protection and ease of doing business.
➡️ Additional Consideration Under DPDP Act:
If the company will be collecting, processing, or storing personal data of Indian employees, directors, or customers during incorporation, the business must comply with data protection requirements (explained in later steps).
Step 2: Reserve the Company Name
- Apply for company name approval through the RUN (Reserve Unique Name) service on the Ministry of Corporate Affairs (MCA) portal.
- Ensure the proposed name is unique and does not conflict with existing trademarks.
➡️ Additional Consideration Under DPDP Act:
- If the company name registration process requires submission of personal details of directors or promoters, consent must be obtained before processing such data.
- The company must ensure that data submitted to the MCA is stored securely and used only for incorporation purposes.
Step 3: Obtain Digital Signature Certificate (DSC) and Director Identification Number (DIN)
- DSC (Digital Signature Certificate): Required for all directors and authorized signatories to digitally sign incorporation documents.
- DIN (Director Identification Number): Mandatory for all directors, obtained via Form DIR-3.
➡️ Additional Consideration Under DPDP Act:
- Personal data such as passport copies, address proofs, and phone numbers are submitted for obtaining DSC and DIN. Companies must:
- Ensure consent from directors before submitting personal details.
- Secure storage of digital identity data to prevent misuse.
- If outsourcing this process, verify the service provider’s data protection compliance.
Step 4: File for Company Incorporation (SPICe+ Form)
- Submit the SPICe+ (INC-32) form online to register the company with the MCA.
- Attach Memorandum of Association (MoA) and Articles of Association (AoA).
- Provide details of directors, shareholders, and registered office address.
➡️ Additional Consideration Under DPDP Act:
- The SPICe+ form requires personal information of directors and shareholders, including identification and contact details.
- Companies must ensure:
- That this data is only shared with authorized regulatory bodies.
- Proper data security measures are in place to protect sensitive information from breaches.
- That any third-party service providers assisting in incorporation adhere to DPDP Act requirements.
Step 5: PAN, TAN, and Bank Account Setup
- Obtain Permanent Account Number (PAN) and Tax Deduction and Collection Account Number (TAN) from the Income Tax Department.
- Open a corporate bank account in India by submitting incorporation documents and KYC details of directors.
➡️ Additional Consideration Under DPDP Act:
- Bank KYC requires submission of personal data, such as passport copies, proof of address, and photographs of directors.
- Foreign companies must ensure that:
- The bank follows DPDP Act provisions regarding data protection and privacy.
- Personal data collected for KYC purposes is only used for account opening and not shared for other purposes without consent.
Step 6: GST Registration (If Applicable)
- If the business is expected to exceed the GST threshold, register for Goods and Services Tax (GST) via the GST portal.
- Submit business details, directors’ KYC documents, and proof of address.
➡️ Additional Consideration Under DPDP Act:
- GST registration requires submission of personal data of company representatives.
- Companies must ensure that the data protection principles of minimalism and purpose limitation are followed (i.e., data is used only for GST registration).
Step 7: Compliance with Labor Laws & Employee Data Protection
- If hiring employees, register with:
- Employees’ Provident Fund Organization (EPFO).
- Employees’ State Insurance Corporation (ESIC).
- Professional Tax (PT) authorities (if applicable).
➡️ Additional Consideration Under DPDP Act:
- Employee registration involves collection of Aadhaar, PAN, bank details, and health data.
- Foreign companies must:
- Obtain explicit consent before collecting and processing employee data.
- Implement data security measures to protect sensitive employee information.
- Ensure that payroll service providers comply with DPDP regulations.
Step 8: Drafting & Implementing Data Protection Policies
- Once incorporated, companies must draft:
- Privacy Policies explaining how personal data is collected, stored, and used.
- Data Processing Agreements (DPAs) with third-party vendors handling customer or employee data.
- Internal compliance frameworks ensuring DPDP Act adherence.
➡️ Additional Consideration Under DPDP Act:
- If the Indian subsidiary processes personal data on behalf of its foreign parent company, it must ensure:
- Cross-border data transfer compliance if personal data is sent abroad.
- That Indian customer data is not shared with foreign entities without proper legal safeguards.
- Companies must appoint a Data Protection Officer (DPO) if handling large-scale personal data.
Conclusion
Setting up a company in India involves multiple regulatory steps, and with the DPDP Act in place, foreign companies must take extra precautions while handling personal data.
Key DPDP Compliance Takeaways for Foreign Companies:
âś… Obtain explicit consent before collecting and processing personal data.
âś… Ensure secure handling and limited access to personal details of directors, shareholders, and employees.
âś… Verify that third-party service providers (lawyers, consultants, banks) comply with DPDP requirements.
âś… Implement data security measures to prevent breaches or unauthorized access.
âś… Adhere to cross-border data transfer rules when sharing data with foreign parent companies.
By integrating data protection compliance into the company incorporation process, foreign businesses can avoid legal risks and ensure a smooth entry into the Indian market.