
GDPR vs DPDP Act: Key Differences for Businesses Operating in India & EU

February 12, 2026

If your business touches both Indian and European users, you need to comply with two different data protection regimes. The EU's GDPR (2018) and India's DPDP Act (2023) share common roots in privacy principles but differ significantly in approach, scope, and enforcement. This guide breaks down every key difference.

Quick Comparison Table

| Aspect | GDPR (EU) | DPDP Act (India) |
|---|---|---|
| Enacted | 2016 (enforced 2018) | 2023 (rules being notified) |
| Scope | EU residents' data, regardless of processor location | Digital personal data processed in India or for offering goods/services to India |
| Consent | 6 lawful bases (consent is one) | Consent is the primary basis; "legitimate use" is narrower |
| Data Subject Rights | 8 rights (access, rectification, erasure, portability, etc.) | Fewer rights; no explicit right to data portability |
| DPO | Required for certain organizations | No DPO concept; uses "Consent Manager" |
| Cross-Border Transfer | Adequacy decisions, SCCs, BCRs | Allowed except to government-blacklisted countries |
| Breach Notification | 72 hours to supervisory authority | To Data Protection Board; timeline per rules |
| Max Penalty | €20M or 4% global turnover | ₹250 crore (~€28M) per instance |
| Children's Data | Parental consent for under 16 (member states can lower to 13) | Verifiable parental consent for under 18; no tracking or targeted ads |

Deep Dive: Key Differences

🔑 1. Lawful Basis for Processing

GDPR provides 6 lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. DPDP primarily relies on consent and "certain legitimate uses" (employment, medical emergency, state functions). Notably absent: legitimate interests, a widely used GDPR basis.

🔑 2. Data Principal (Subject) Rights

GDPR grants 8 rights, including data portability and the right to object to automated decision-making. DPDP grants the rights to access, correction, erasure, and grievance redressal. The absence of a data portability right creates challenges for moving data between platforms.

🔑 3. Cross-Border Data Transfers

GDPR requires adequacy decisions or Standard Contractual Clauses (SCCs) for transfers outside the EU. DPDP takes a more permissive approach: transfers are allowed to all countries except those specifically blocked by the government (negative list approach).

🔑 4. Children's Data Protection

DPDP is significantly stricter: consent required for all users under 18 (vs GDPR's 16), no behavioral tracking or targeted advertising to children, and no data processing that could be detrimental to children's well-being. This impacts EdTech, gaming, and social media companies significantly.

🔑 5. Enforcement Mechanism

GDPR is enforced by Data Protection Authorities (DPAs) in each member state, with a well-established complaint and investigation mechanism. DPDP creates a Data Protection Board of India, a digital-first adjudicatory body. Its effectiveness remains to be tested.

Impact on Contracts

Businesses operating across both jurisdictions need to address data protection in their contracts:

  1. Data Processing Agreements (DPAs): GDPR requires detailed DPAs with processors. DPDP requires similar contractual safeguards with "Data Processors"
  2. Privacy Policies: Must comply with both regimes' transparency requirements. Consider separate or multi-layered policies
  3. Consent Mechanisms: GDPR's granular consent vs DPDP's consent manager approach. Design for the stricter requirement
  4. Vendor Contracts: Add data protection clauses covering both GDPR and DPDP obligations
  5. Cross-Border Transfer Clauses: SCCs for EU transfers + DPDP-compliant transfer provisions for Indian data

Compliance Roadmap for Dual-Jurisdiction Businesses

  1. Map your data flows: Identify what data you collect, where it's stored, and where it flows
  2. Audit consent mechanisms: Ensure consent meets both GDPR (granular, specific) and DPDP (verifiable, clear) standards
  3. Update contracts: Add dual-compliance data protection clauses to all vendor, employee, and customer agreements
  4. Appoint compliance roles: DPO for GDPR + internal data protection lead for DPDP
  5. Implement breach notification: 72-hour process for GDPR + DPDP Board notification process
  6. Review children's data handling: DPDP's under-18 threshold may require significant product changes


Key Takeaways

  • ✅ GDPR has 6 lawful bases; DPDP relies primarily on consent
  • ✅ DPDP sets the children's age threshold at 18 (vs GDPR's 16), impacting EdTech and gaming
  • ✅ Cross-border transfers are more permissive under DPDP (negative list approach)
  • ✅ Both require data processing agreements in vendor contracts
  • ✅ Design for the stricter standard when complying with both jurisdictions
  • ✅ Maximum penalties are comparable (~€20M vs ~₹250 crore)

Frequently Asked Questions

Is the DPDP Act similar to GDPR?

The DPDP Act draws inspiration from GDPR but differs significantly. GDPR is more detailed with 99 articles covering specific scenarios, while the DPDP Act is principles-based with fewer provisions. GDPR has broader scope (all personal data), while DPDP focuses on digital personal data. GDPR fines are revenue-based (4% of global turnover); DPDP has fixed caps.

Do Indian companies need to comply with GDPR?

Yes, if they process personal data of EU residents, offer goods or services to EU residents, or monitor behavior of individuals in the EU. Many Indian IT companies and BPOs must comply with GDPR because they process data of EU clients. Non-compliance can attract fines up to 4% of global annual turnover.

What is the right to be forgotten under DPDP vs GDPR?

GDPR provides an explicit right to erasure (Article 17) with specified grounds. The DPDP Act provides a right to erasure when consent is withdrawn and the purpose is fulfilled. However, DPDP does not provide as detailed grounds as GDPR and the Data Protection Board decides on disputed erasure requests.

Which law is stricter, GDPR or DPDP Act?

GDPR is generally considered stricter due to broader scope, more detailed requirements, revenue-based fines, and established enforcement track record. DPDP is newer with enforcement still evolving. However, DPDP penalties can be significant (up to Rs 250 crore per violation) and the law is expected to become more stringent with rules yet to be notified.
