Data Privacy
GDPR vs DPDP Act: Key Differences for Businesses Operating in India & EU
What is an Gdpr Vs Dpdp Act?
The Digital Personal Data Protection (DPDP) Act 2023 is India's comprehensive data privacy law. It regulates the processing of digital personal data, mandating consent notices, data fiduciaries' obligations, and individual rights.
Quick Comparison Table
| Aspect | GDPR (EU) | DPDP Act (India) |
|---|---|---|
| Enacted | 2016 (enforced 2018) | 2023 (rules being notified) |
| Scope | EU residents' data, regardless of processor location | Digital personal data processed in India or for offering goods/services to India |
| Consent | 6 lawful bases (consent is one) | Consent is the primary basis; "legitimate use" is narrower |
| Data Subject Rights | 8 rights (access, rectification, erasure, portability, etc.) | Fewer rights; no right to data portability explicitly |
| DPO | Required for certain organizations | No DPO concept; uses "Consent Manager" |
| Cross-Border Transfer | Adequacy decisions, SCCs, BCRs | Allowed except to government-blacklisted countries |
| Breach Notification | 72 hours to supervisory authority | To Data Protection Board; timeline per rules |
| Max Penalty | €20M or 4% global turnover | ₹250 crore (~€28M) per instance |
| Children's Data | Parental consent for under 16 (member states can lower to 13) | Verifiable parental consent for under 18; no tracking or targeted ads |
Deep Dive: Key Differences
🔑 1. Lawful Basis for Processing
GDPR provides 6 lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. DPDP primarily relies on consent and "certain legitimate uses" (employment, medical emergency, state functions). Notably absent: legitimate interests , a widely used GDPR basis.
🔑 2. Data Principal (Subject) Rights
GDPR grants 8 rights including data portability and the right to object to automated decision-making. DPDP grants: right to access, correction, erasure, and grievance redressal. No data portability right creates challenges for inter-platform data movement.
🔑 3. Cross-Border Data Transfers
GDPR requires adequacy decisions or Standard Contractual Clauses (SCCs) for transfers outside the EU. DPDP takes a more permissive approach: transfers are allowed to all countries except those specifically blocked by the government (negative list approach).
🔑 4. Children's Data Protection
DPDP is significantly stricter: consent required for all users under 18 (vs GDPR's 16), no behavioral tracking or targeted advertising to children, and no data processing that could be detrimental to children's well-being. This impacts EdTech, gaming, and social media companies significantly.
🔑 5. Enforcement Mechanism
GDPR is enforced by Data Protection Authorities (DPAs) in each member state, with a well-established complaint and investigation mechanism. DPDP creates a Data Protection Board of India , a digital-first adjudicatory body. Its effectiveness remains to be tested.
Impact on Contracts
Businesses operating across both jurisdictions need to address data protection in their contracts:
- Data Processing Agreements (DPAs): GDPR requires detailed DPAs with processors. DPDP requires similar contractual safeguards with "Data Processors"
- Privacy Policies: Must comply with both regimes' transparency requirements. Consider separate or multi-layered policies
- Consent Mechanisms: GDPR's granular consent vs DPDP's consent manager approach. Design for the stricter requirement
- Vendor Contracts: Add data protection clauses covering both GDPR and DPDP obligations
- Cross-Border Transfer Clauses: SCCs for EU transfers + DPDP-compliant transfer provisions for Indian data
Compliance Roadmap for Dual-Jurisdiction Businesses
- Map your data flows: Identify what data you collect, where it's stored, and where it flows
- Audit consent mechanisms: Ensure consent meets both GDPR (granular, specific) and DPDP (verifiable, clear) standards
- Update contracts: Add dual-compliance data protection clauses to all vendor, employee, and customer agreements
- Appoint compliance roles: DPO for GDPR + internal data protection lead for DPDP
- Implement breach notification: 72-hour process for GDPR + DPDP Board notification process
- Review children's data handling: DPDP's under-18 threshold may require significant product changes
Don't Sign Blindly. Protect Yourself.
Templates are just a start. Use Contract Shield's AI to scan your contract for hidden risks, unfair clauses, and Indian legal compliance issues — in 60 seconds.
Analyze Your Contract Free →Key Takeaways
- ✅ GDPR has 6 lawful bases; DPDP relies primarily on consent
- ✅ DPDP sets children's age at 18 (vs GDPR's 16) , impacting EdTech and gaming
- ✅ Cross-border transfers are more permissive under DPDP (negative list approach)
- ✅ Both require data processing agreements in vendor contracts
- ✅ Design for the stricter standard when complying with both jurisdictions
- ✅ Maximum penalties are comparable (~€20M vs ~₹250 crore)
Frequently Asked Questions
Is the DPDP Act similar to GDPR?
The DPDP Act draws inspiration from GDPR but differs significantly. GDPR is more detailed with 99 articles, while DPDP is principles-based. GDPR covers all personal data; DPDP focuses on digital personal data. GDPR fines are revenue-based; DPDP has fixed caps. Compliance must align with the Digital Personal Data Protection (DPDP) Act 2023, which imposes obligations on data fiduciaries to obtain explicit consent and implement robust security safeguards for processing personal data.
Do Indian companies need to comply with GDPR?
Yes, if they process personal data of EU residents, offer goods or services to EU residents, or monitor behavior of individuals in the EU. Non-compliance can attract fines up to 4% of global annual turnover. Compliance must align with the Digital Personal Data Protection (DPDP) Act 2023, which imposes obligations on data fiduciaries to obtain explicit consent and implement robust security safeguards for processing personal data.
What is the right to be forgotten under DPDP vs GDPR?
GDPR provides an explicit right to erasure (Article 17) with specified grounds. The DPDP Act provides erasure when consent is withdrawn and purpose is fulfilled, but with less detail than GDPR. Compliance must align with the Digital Personal Data Protection (DPDP) Act 2023, which imposes obligations on data fiduciaries to obtain explicit consent and implement robust security safeguards for processing personal data.
Which law is stricter, GDPR or DPDP Act?
GDPR is generally stricter due to broader scope, more detailed requirements, revenue-based fines, and established enforcement. DPDP is newer with enforcement evolving, but penalties can reach Rs 250 crore per violation. Compliance must align with the Digital Personal Data Protection (DPDP) Act 2023, which imposes obligations on data fiduciaries to obtain explicit consent and implement robust security safeguards for processing personal data.
How does India's DPDP Act 2023 affect commercial contracts?
The Digital Personal Data Protection (DPDP) Act 2023 requires contracts involving data processing to explicitly define the obligations of the Data Processor. Businesses must obtain clear, unconditional consent, specify processing purposes, and implement robust security safeguards, facing penalties up to Rs 250 crore for non-compliance.
Related reads: DPDP Act Impact on Contracts · E-Contracts India Guide · Contract Compliance Checklist