Loading…
The DPDPA borrows heavily from the GDPR — purpose limitation, data principal rights, breach notification, the very concept of a Data Protection Officer. But India's framework is leaner, more consent-centric, dispenses with the 'legitimate interests' lawful basis, and uses per-violation crores caps rather than turnover-percentage fines. If you serve Indian data principals from anywhere in the world, you need both perspectives.
| Dimension | 🇮🇳 DPDPA | 🇪🇺 GDPR |
|---|---|---|
| Legal instrument | Digital Personal Data Protection Act, 2023 + DPDP Rules 2025 (G.S.R. 846(E)) | Regulation (EU) 2016/679 |
| Effective date | Act: 11 Aug 2023; Rules: phased through 2025–2026 | 25 May 2018 |
| Territorial scope | Processing of Indian data principals' digital personal data — anywhere in the world (Section 3) | EU/EEA + extraterritorial under Art. 3 |
| Lawful bases | Consent OR "certain legitimate uses" (Section 7) — narrowly defined | Six bases (Art. 6); legitimate interests broadly available |
| Consent requirements | Free, specific, informed, unconditional, unambiguous — with clear notice (Section 6) | Freely given, specific, informed, unambiguous — withdrawable (Art. 7) |
| Data Protection Officer | Significant Data Fiduciaries (SDFs) — must appoint DPO in India (Section 10) | Mandatory in defined cases (Art. 37) |
| Local representative | Not required by statute (but operationally critical for Board interaction) | Article 27 EU Representative mandatory for non-EU controllers |
| Maximum fine (per instance) | ₹250 crore (~$30M USD) — security safeguards (Rule 6) | €20M or 4% global turnover (Art. 83(5)) |
| Tiered penalty structure | ₹250 cr security · ₹200 cr breach-notification · ₹150 cr children's data · ₹50 cr other | Two tiers: €10M/2% (lower) and €20M/4% (upper) |
| Breach notification | Within 72 hours to Data Protection Board of India + affected data principals (Rule 7) | 72 hours to Supervisory Authority (Art. 33) + data subjects if high risk (Art. 34) |
| Regulator | Data Protection Board of India (DPBI) | 27 EU Member State DPAs + EDPB |
| Children's data | Verifiable parental consent under 18 (Section 9). No behavioural tracking, no targeted ads. | Default age of consent 16 (Member States may lower to 13) |
| Data principal rights | Access, correction, erasure, grievance redressal, nomination, withdraw consent (Sections 11–14) | 8 rights (Arts. 15–22) including portability, automated decision objection |
| Right to portability | Not granted under DPDPA | Yes — Art. 20 |
| Right to object to automated decisions | Not granted under DPDPA | Yes — Art. 22 |
| Cross-border transfer | Permitted unless Central Government restricts the specific destination (Section 16) | Restricted — SCC/BCR/adequacy required (Chapter V) |
| Data localisation | No blanket localisation in the Act; RBI rules require payment data localisation | No localisation by GDPR; some Member States impose sector rules |
| Sensitive data category | Not explicitly categorised (single tier of personal data) | Special-category data (Art. 9) with explicit-consent requirement |
| DPIA equivalent | Mandatory for SDFs (Section 10(2)) | Mandatory for high-risk processing (Art. 35) |
| Independent SA appeal | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) | Direct judicial remedy + DPA complaint right (Arts. 77–79) |
No — though it borrows GDPR's vocabulary. DPDPA is consent-first with a narrower set of "legitimate uses," omits the right to data portability and right to object to automated decisions, and uses per-violation crores caps rather than turnover-percentage fines. The penalty exposure can still hit ₹500 crore for systematic violations.
No — operate one mapped programme. Use the GDPR's stricter requirements (DPIA, consent withdrawal, breach 72h) as a baseline, and add the DPDPA-specific overlays (Board notification, India DPO for SDFs, children's data restrictions).
Yes, if you offer goods or services to data principals in India (Section 3(b)). The law applies extraterritorially regardless of where your servers or entity is located.
The Act is in force, but Rules are being implemented in phases through 2025–2026. The Data Protection Board is operational. Enforcement is expected to ramp through 2026 — get ready now.
India is stricter: under 18 requires verifiable parental consent and prohibits behavioural tracking or targeted advertising. GDPR's default consent age is 16 with permitted lowering to 13, and behavioural tracking is permitted with consent and DPIA.
Not in the Act, but practically the Data Protection Board of India expects a designated, India-resident point of contact for Significant Data Fiduciaries. That's the role our India representation service plays.
Map controls once, comply twice. RegulatoryBridge gives you a single DSAR pipeline, single DPO, single breach runbook — covering both frameworks.