The regulatory checklist that separates a compliant GCC from one that is accumulating liability from Day 1. Entity structure, employment law, tax, data protection, and what your workspace partner should be handling.
GCC compliance in India covers five domains: entity formation (Companies Act 2013, ROC), taxation (GST, TDS, transfer pricing), employment (four Labour Codes effective November 2025, EPF, ESIC), data protection (DPDP Act 2023, full compliance deadline May 13, 2027), and foreign exchange (FEMA, RBI). India consolidated 29 labour laws into four codes in November 2025, and the standardised wages definition now requires basic pay to be at least 50% of gross salary. The DPDP deadline is 11 months away. This guide covers every compliance requirement a GCC needs to address from pre-incorporation to steady-state operations.
1. Entity formation and ROC registration
The standard legal structure for a GCC in India is a Private Limited Company incorporated under the Companies Act, 2013. The registration is filed electronically through the MCA’s SPICe+ portal with the Registrar of Companies (ROC).
What SPICe+ covers in a single filing
- Company name reservation and approval
- Certificate of Incorporation from ROC
- Permanent Account Number (PAN) from Income Tax Department
- Tax Deduction Account Number (TAN)
- GST registration (optional at filing, can be done separately)
- EPFO and ESIC registration (optional at filing)
- Opening of bank account (via AGILE-PRO form, filed alongside SPICe+)
Pre-requisites before filing
- Minimum two directors (at least one must be an Indian resident who has stayed in India for 120+ days in the preceding financial year)
- Minimum two shareholders (can be the same as directors)
- Digital Signature Certificates (DSC) for all proposed directors
- Director Identification Numbers (DIN) for all directors
- Registered office address in India (proof of address required)
- Memorandum of Association (MoA) and Articles of Association (AoA)
Post-incorporation ROC obligations
Once incorporated, the GCC entity has ongoing filing obligations with the ROC. These are not optional and carry penalties for non-compliance.
- Annual financial statements (Form AOC-4) within 30 days of AGM
- Annual return (Form MGT-7) within 60 days of AGM
- First board meeting within 30 days of incorporation
- Minimum four board meetings per year (one per quarter, gap not exceeding 120 days)
- Statutory audit appointment within 30 days of incorporation
- Commencement of Business declaration (Form INC-20A) within 180 days
LLPs have FDI restrictions under FEMA that create downstream complications for GCCs funded by foreign parent companies. Branch offices require prior RBI approval and cannot independently hire or contract. Section 8 companies are for non-profit purposes. A Private Limited Company via SPICe+ is the standard, fastest, and most flexible route for a foreign-funded GCC. Get this decision right before any filing begins.
2. FDI, FEMA, and RBI compliance
Every GCC funded by a foreign parent company involves Foreign Direct Investment and must comply with the Foreign Exchange Management Act (FEMA), 1999 and RBI regulations.
Key FDI and FEMA obligations
- Report FDI receipt to RBI within 30 days via Form FC-GPR (Foreign Currency Gross Provisional Return)
- File Annual Return on Foreign Liabilities and Assets (FLA) with RBI by July 15 each year
- Ensure FDI pricing complies with RBI valuation norms (fair market value based on DCF or NAV method)
- Downstream investment reporting if the Indian entity further invests in another Indian company
- All transactions with the foreign parent must be at arm’s length (connects to transfer pricing, Section 4 below)
Most GCCs fall under the 100% FDI automatic route, meaning no prior RBI or government approval is needed. However, certain sectors (defence, telecom, insurance, multi-brand retail) have sectoral caps or require government route approval. Verify the applicable FDI policy for your GCC’s sector before filing.
The 30-day FC-GPR filing window is tight. Appoint a Company Secretary or compliance advisor before the FDI hits the Indian bank account, not after. Late filing attracts compounding fees from RBI that escalate quickly.
3. GST and tax compliance
GCCs providing services to their overseas parent company are subject to India’s Goods and Services Tax (GST) framework, but the treatment depends on how the transaction is classified.
GST for inter-company services
Services provided by an Indian GCC to its foreign parent are treated as an “export of services” if the following conditions are met: the supplier (GCC) is in India, the recipient (parent) is outside India, the place of supply is outside India, payment is received in convertible foreign exchange, and the supplier and recipient are not merely establishments of the same person. If these conditions are met, the services qualify as zero-rated exports under GST. The GCC can either export under bond or Letter of Undertaking (LUT) without paying IGST and claim input tax credit refunds, or pay IGST and claim a refund.
However, if the Indian entity and the foreign parent are treated as “related persons” under GST law (which most GCC structures are), the transaction must still be reported at fair market value. Open supply without consideration between related parties can trigger GST on a deemed valuation basis.
Ongoing GST compliance
- Monthly GSTR-1 (outward supplies) by the 11th of the following month
- Monthly GSTR-3B (summary return with tax payment) by the 20th
- Annual GSTR-9 return
- GST audit (GSTR-9C) if turnover exceeds Rs 5 crore
- LUT renewal annually (Form GST RFD-11)
- Input tax credit reconciliation and reversal monitoring
4. Transfer pricing
This is the compliance area most likely to trigger an audit for a GCC. Every service provided by the Indian entity to its foreign parent is an “international transaction” under the Income Tax Act and must be priced at arm’s length.
What transfer pricing requires
- Benchmarking study: identify comparable transactions to establish that the GCC’s service fee is at arm’s length
- Transfer pricing documentation (Form 3CEB, filed with the income tax return)
- Maintain contemporaneous documentation throughout the year
- Safe harbour election (optional but simplified): Union Budget 2026 set a uniform 15.5% safe harbour margin for IT and ITeS services, with the threshold raised from Rs 300 crore to Rs 2,000 crore. This covers the majority of GCCs and significantly reduces audit risk for those that elect it
Transfer pricing documentation is not a Year 2 problem. It is a pre-launch problem. The arm’s length pricing structure, the benchmarking study, and the documentation framework should be in place before the GCC raises its first inter-company invoice. Retroactive adjustments after an audit notice are expensive and disruptive. The safe harbour option is the simplest path for most GCCs, but it still requires a formal election and documentation.
5. Labour law: India’s four new codes
On November 21, 2025, India replaced 29 existing central labour laws with four consolidated Labour Codes. This is the most significant change to employment compliance in India in three decades, and every GCC must restructure its HR and payroll processes accordingly.
The four codes
| Code | What it covers | Key GCC impact |
|---|---|---|
| Code on Wages, 2019 | Minimum wages, payment of wages, bonus | Standardised “wages” definition: basic pay must be at least 50% of gross salary. Affects every salary structure. |
| Code on Social Security, 2020 | EPF, ESIC, gratuity, maternity, pension | Expanded coverage to gig and platform workers. EPF and gratuity calculations now based on new wages definition. |
| OSH Code, 2020 | Workplace safety, working conditions, working hours | Single registration for establishments. Working hours capped at 48/week. Women permitted on night shifts with safety provisions. |
| Industrial Relations Code, 2020 | Trade unions, standing orders, dispute resolution | Standing orders mandatory for establishments with 300+ workers. Fixed-term employment recognised with full benefits parity. |
The 50% wages rule: what it means for GCC salary structures
Under the new standardised definition, “wages” means all remuneration excluding HRA, overtime, bonus, gratuity, conveyance allowance, employer PF contribution, and a few other specified exclusions. The critical constraint: if the total excluded components exceed 50% of gross remuneration, the excess gets reclassified as wages. In practice, this means basic pay must be at least 50% of CTC for most employees.
The downstream impact is significant. PF contributions, gratuity calculations, bonus computations, and leave encashment all increase because they are computed on the higher “wages” base. For a GCC with 200 employees, this can increase the annual payroll cost by 8 to 15% if salary structures are not restructured proactively.
Audit every existing salary structure against the new wages definition. Restructure CTC breakdowns so that basic pay is at least 50% of gross. Model the impact on PF, gratuity, and bonus costs. Do this before the first payroll cycle, not after the first inspection notice. Central rules are being finalised (expected mid-2026), but the codes themselves are already in force.
6. EPF, ESIC, and payroll compliance
These registrations are mandatory before the first employee is onboarded.
Employees’ Provident Fund (EPF)
- Mandatory for establishments with 20+ employees
- Employer contributes 12% of wages (as defined under the new codes); employee contributes 12%
- Monthly ECR (Electronic Challan cum Return) filing by the 15th of the following month
- Registration via EPFO Unified Portal
Employee State Insurance (ESIC)
- Mandatory for establishments with 10+ employees (threshold varies by state notification)
- Applicable to employees earning up to Rs 21,000/month in gross wages
- Employer contributes 3.25%; employee contributes 0.75%
- Half-yearly returns
Other payroll compliance
- TDS on salaries: deduct and deposit monthly; file quarterly TDS returns (Form 24Q)
- Professional Tax: state-specific; most states require registration and monthly/annual filing
- Shops and Establishments Act registration: state-level; required before the office opens
- Gratuity: payable to employees who complete 5 years of continuous service; now computed on the new wages base
- Mandatory appointment letters for every employee (now a statutory requirement under the new codes)
7. DPDP Act 2025: the May 2027 deadline
The DPDP Rules 2025 were notified on November 13, 2025. All substantive compliance obligations become enforceable on May 13, 2027. There is no grace period. Penalties can reach Rs 250 crore. As of May 2026, GCCs have 11 months to achieve full compliance.
The Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 together create India’s first comprehensive data protection framework. Every GCC that processes personal data of individuals in India, whether employee data, customer data, or data processed on behalf of the parent company, is subject to this law.
Key DPDP obligations for GCCs
Consent and notice (Rule 3)
Every collection of personal data requires a valid, informed, specific, and freely given consent from the data principal (the individual). The consent notice must be clear, in plain language, and specify the purpose of processing. For employee data, consent mechanisms must be built into onboarding workflows. For data processed on behalf of the parent entity, the GCC needs documented Data Fiduciary-Data Processor agreements.
Breach notification (Rule 7)
Any personal data breach must be reported to the Data Protection Board of India within 72 hours of becoming aware of the breach. The affected data principals must also be notified. This requires pre-built incident response protocols, not ad hoc responses after a breach occurs.
Data erasure (Rule 8)
Personal data must be erased once the purpose of processing is fulfilled, unless retention is required by law. Automated erasure systems must be in place by May 2027. Manual deletion processes will not meet the regulatory standard.
Log retention
All processing logs, security logs, and traffic logs must be retained for a minimum of one year. This applies even after a user account is deleted or consent is withdrawn.
Cross-border data transfer
GCCs transferring personal data to the parent company outside India must comply with the cross-border transfer provisions. The government will notify a list of approved countries. Transfers to non-approved countries may require additional safeguards. As of May 2026, the approved country list has not yet been notified, but GCCs should prepare by categorising all cross-border data flows and implementing data rights management controls.
DPDP compliance roadmap for GCCs
| Phase | Timeline | Actions |
|---|---|---|
| Phase 1: Foundation | Now to Nov 2026 | Data mapping and inventory. Gap assessment. Consent strategy design. Breach response protocol. Vendor and processor agreements. |
| Phase 2: Implementation | Nov 2026 to May 2027 | Deploy consent mechanisms. Implement automated erasure. Build log retention infrastructure. Test breach notification workflow. Staff training. |
| Phase 3: Operational | From May 2027 | Full compliance operational. Continuous monitoring. Annual DPIAs (if designated as Significant Data Fiduciary). Audit trail maintenance. |
If your GCC processes personal data on behalf of the overseas parent, the compliance responsibility rests with the Data Fiduciary (the entity that determines the purpose and means of processing). In most GCC structures, the parent entity is the Data Fiduciary and the Indian GCC is the Data Processor. However, the DPDP Rules require valid contracts between Fiduciary and Processor with appropriate security provisions. Get these agreements drafted and executed well before May 2027.
8. Workspace compliance: what your MO-GCC partner handles
Compliance is not just statutory and regulatory. There is an entire layer of physical and operational compliance that applies to the workspace itself. For GCCs that operate under SOC2, ISO 27001, or GDPR-equivalent frameworks, the workspace must meet specific physical security, network isolation, and access control standards.
In a self-build model, the GCC is responsible for all of this. In Synqwork’s MO-GCC model, the workspace compliance layer is handled entirely by Synqwork as part of end-to-end operations.
What Synqwork handles under MO-GCC
- Fire safety compliance: NOC from fire department, fire extinguishers, sprinkler systems, evacuation plans, fire drills
- Building and occupancy certificates
- Electrical safety compliance and certification
- CCTV and physical security: 24/7 monitoring, access logs, visitor management
- Biometric access control with audit trail
- Dedicated network perimeter for client isolation (relevant for SOC2, ISO 27001)
- UPS and DG backup with uptime SLAs
- Housekeeping, pantry, cafeteria compliance (FSSAI where applicable)
- Waste management and environmental compliance
- Insurance: property, public liability, workers’ compensation
When a GCC client or regulatory auditor reviews physical security and workspace compliance, having a single MO-GCC partner with documented SOPs, maintained audit trails, and standardised processes makes the audit significantly smoother than coordinating evidence across 8 to 15 separate vendors. Synqwork provides fully managed offices across New Delhi, Gurugram, Faridabad, Mumbai, and Chennai with documented compliance frameworks that support SOC2, ISO 27001, and equivalent audit requirements.
9. Master compliance checklist
| Domain | Requirement | Deadline |
|---|---|---|
| Entity | Private Limited Company via SPICe+ (Companies Act 2013) | Pre-operations |
| Entity | Commencement of Business (INC-20A) | Within 180 days of incorporation |
| Entity | Statutory auditor appointment | Within 30 days of incorporation |
| FDI | RBI FDI receipt reporting (Form FC-GPR) | Within 30 days of FDI |
| FDI | Annual FLA filing with RBI | By July 15 annually |
| Tax | PAN, TAN registration | With SPICe+ |
| Tax | GST registration + LUT for zero-rated exports | Pre-operations |
| Tax | Transfer pricing documentation and benchmarking | Before first inter-company invoice |
| Employment | EPF registration (EPFO Unified Portal) | Before first hire |
| Employment | ESIC registration | Before first hire |
| Employment | Shops and Establishments Act (state-level) | Before office opens |
| Employment | Professional Tax registration | Before first payroll |
| Employment | Salary restructuring per new wages definition | Immediate |
| Data | DPDP Act compliance (consent, breach, erasure) | May 13, 2027 |
| Data | Consent Manager framework operational | November 13, 2026 |
| Workspace | Fire safety, electrical, occupancy compliance | Pre-occupancy (handled by MO-GCC partner) |
| Workspace | Physical security and access control audit trail | Ongoing (handled by MO-GCC partner) |
| Annual | ROC annual returns (AOC-4, MGT-7) | Post-AGM annually |
| Annual | Tax audit and income tax return | By September 30 / November 30 (TP cases) |
10. FAQ
What compliance is required to run a GCC in India?
Five domains: entity formation (Private Limited Company under Companies Act 2013, ROC filings), taxation (GST, TDS, transfer pricing), employment law (four Labour Codes effective November 2025, EPF, ESIC), data protection (DPDP Act 2023 with full compliance by May 13, 2027), and foreign exchange (FEMA 1999, RBI FDI reporting). A MO-GCC partner like Synq.Work handles physical workspace compliance (fire safety, building approvals, access control, security) so GCC leadership can focus on statutory and regulatory compliance.
What are the labour laws for GCC in India?
India consolidated 29 labour laws into four Labour Codes effective November 21, 2025: Code on Wages (minimum wages, payment timelines, bonus), Code on Social Security (EPF, ESIC, gratuity, maternity), Occupational Safety Health and Working Conditions Code (workplace safety, working hours), and Industrial Relations Code (standing orders, dispute resolution). The most operationally significant change is the standardised wages definition. Basic pay must now be at least 50% of gross salary, which increases PF, gratuity, bonus, and leave encashment costs. Every GCC should audit and restructure its salary frameworks accordingly.
How does the DPDP Act affect GCCs in India?
Every GCC processing personal data in India is subject to the DPDP Act 2023 and DPDP Rules 2025. Full compliance is required by May 13, 2027. Key obligations: verifiable consent mechanisms for all data collection, 72-hour breach notification to the Data Protection Board, automated data erasure when processing purpose is fulfilled, minimum one-year log retention, and Data Fiduciary-Processor agreements for inter-company data processing. Penalties can reach Rs 250 crore. GCCs should treat 2026 as the primary build year for DPDP compliance infrastructure.
What is ROC registration for a GCC?
ROC registration is the incorporation of your GCC’s legal entity with the Registrar of Companies, typically a Private Limited Company filed through the MCA’s SPICe+ portal. It includes company name reservation, PAN and TAN allocation, Director Identification Numbers, and filing of MoA and AoA. Post-incorporation, the entity must file annual returns (AOC-4, MGT-7) and financial statements with the ROC. The first board meeting must be held within 30 days of incorporation, and the Commencement of Business declaration (INC-20A) must be filed within 180 days.
End-to-end GCC compliance and workspace with Synq.Work
Synqwork’s MO-GCC model handles the entire workspace compliance layer, from fire safety to physical security to network isolation, so your leadership focuses on statutory and regulatory compliance. Fully managed offices across New Delhi, Gurugram, Faridabad, Mumbai, and Chennai.
Explore GCC workspace solutionsRelated reading
How to set up a GCC in India: Complete 2026 guide (Blog 1)
The 60-day GCC setup roadmap (Blog 2)
GCC office space and managed workspace in India
Data sources and credits
- Ministry of Corporate Affairs — Companies Act 2013, SPICe+ portal, ROC filing requirements
- Reserve Bank of India — FEMA 1999, FDI reporting (Form FC-GPR), FLA filing requirements
- Central Board of Indirect Taxes & Customs — GST Act 2017, GSTR filing schedules, LUT provisions
- Ministry of Labour & Employment — Four Labour Codes effective November 21, 2025; draft Central Rules notified December 30, 2025; FAQs released March 16, 2026
- BDO India — Analysis of final Central Rules under Labour Codes, May 2026
- KPMG India — GMS Flash Alert 2026-007: Draft Central Rules under Four Labour Codes
- Mercans — India Labour Codes Implementation: Key Changes & Employer Impact, April 2026
- MeitY — Digital Personal Data Protection Act 2023; DPDP Rules 2025 notified November 13, 2025 (G.S.R. 846(E))
- Fisher Phillips — India’s New Data Privacy Rules: 8 Steps for Businesses, February 2026
- DLA Piper — Data Protection Laws of the World: India (DPDP phased commencement schedule)
- Union Budget 2026 — Transfer pricing safe harbour margin (15.5%), threshold revision to Rs 2,000 crore
- EPFO / ESIC — Registration and contribution requirements
All data is current as of May 2026. Compliance requirements are subject to change as Central and State rules under the Labour Codes are finalised and the DPDP approved country list is notified. This guide is informational and does not constitute legal advice. Engage qualified legal and tax advisors for entity-specific compliance planning.
