
DPDPA vs GDPR: Key Differences Every Technology Company Should Understand

With the DPDP Rules notified in November 2025 and enforcement beginning May 2027, technology companies operating in both India and the EU must understand exactly where these two data protection regimes converge and where they diverge. This article provides a section-by-section comparison.

Rini Mathew

6 April 2026

Why This Comparison Matters Now

India's Digital Personal Data Protection Act, 2023 (DPDPA) is no longer a future concern. The DPDP Rules were notified in November 2025, and enforcement is set to begin in May 2027. For technology companies that already comply with the EU's General Data Protection Regulation (GDPR), the natural question is: how much of our existing compliance framework carries over, and where do we need to build something new?

The answer is more nuanced than most summaries suggest. While the DPDPA draws clear inspiration from the GDPR, it departs from the European model in several fundamental ways. These differences are not merely academic. They affect how companies design consent flows, structure data processing agreements, handle cross-border transfers, and allocate compliance resources.

This article provides a detailed, section-by-section comparison of the two laws, with specific references to the relevant provisions. It is written for legal, compliance, and technology teams at companies that process personal data in both India and the EU.


1. Scope and Applicability

The most significant difference between the two laws begins at the threshold question: what data is covered?

DPDPA (Section 3): The Act applies only to digital personal data, that is, personal data collected in digital form or personal data collected in non-digital form and subsequently digitised. Personal data that remains in purely physical or manual form falls entirely outside the DPDPA's scope. The Act applies to processing within India, and to processing outside India if it relates to offering goods or services to individuals in India.

GDPR (Article 2): The Regulation applies to the processing of personal data wholly or partly by automated means, and to non-automated processing of personal data that forms part of a filing system or is intended to form part of a filing system. This means the GDPR covers manual filing systems, paper records organised in a structured way, and mixed analogue-digital processing environments. Its territorial scope extends to any organisation processing the data of individuals in the EU, regardless of where the organisation is established (Article 3).

Practical implication: Companies that maintain physical records, structured paper files, or hybrid processing systems in India may find that these fall outside the DPDPA while remaining within the GDPR's scope. This asymmetry matters for records management policies and retention schedules.


2. Legal Bases for Processing

This is where the two laws diverge most sharply in their regulatory philosophy.

DPDPA (Sections 4-7): The Act recognises only two legal bases for processing personal data: consent of the Data Principal, and "certain legitimate uses" specified in Section 7. These legitimate uses include processing necessary for the State to provide benefits or services, processing for medical emergencies, processing for employment purposes, and processing in the public interest. Critically, the DPDPA does not include a general "legitimate interest" basis analogous to the GDPR.

GDPR (Article 6): The Regulation provides six legal bases for processing: consent, performance of a contract, legal obligation, vital interests, public interest or official authority, and legitimate interests of the controller or a third party. The legitimate interest basis (Article 6(1)(f)) is one of the most widely relied upon grounds in the EU, particularly for activities like fraud prevention, direct marketing, network security, and intra-group data sharing.

Practical implication: Technology companies that rely heavily on legitimate interest under the GDPR, for example, for analytics, personalisation, or B2B marketing, will need to secure explicit consent for the same processing activities under the DPDPA. This requires rethinking consent architectures, not merely translating existing consent notices.


3. Consent Requirements

Both laws set a high standard for valid consent, but they differ in how much weight consent bears in the overall framework.

DPDPA (Section 6): Consent must be free, specific, informed, unconditional, and unambiguous, given by a clear affirmative action. The Data Fiduciary must present the request in clear and plain language, and must specify every purpose for which data will be processed. The Data Principal has the right to withdraw consent at any time, and withdrawal must be as easy as giving consent. Upon withdrawal, the Data Fiduciary must cease processing and delete the data, unless retention is required by law.

GDPR (Article 7, Recitals 32, 42-43): Consent must be freely given, specific, informed, and unambiguous. The GDPR adds that consent must be distinguishable from other matters, presented in an intelligible and easily accessible form, using clear and plain language. Withdrawal must be as easy as giving consent. However, because the GDPR offers five other legal bases, consent is not required for every processing activity. Controllers can shift to another lawful basis where appropriate.

Practical implication: Under the DPDPA, consent does significantly more work than under the GDPR. Companies must design consent management platforms that can handle granular, purpose-specific consent collection at a scale that may not have been necessary for their EU operations. The cost of getting consent wrong is higher under the DPDPA because there are fewer fallback bases available.


4. Data Subject Rights

Both laws grant individuals a set of rights over their personal data, but the DPDPA's rights catalogue is narrower than the GDPR's.

Right to Access
  DPDPA: Yes. Right to obtain a summary of personal data being processed and processing activities (Section 11)
  GDPR: Yes. Right to obtain confirmation of processing and access to the data, including a copy (Article 15)

Right to Correction
  DPDPA: Yes. Right to have inaccurate or misleading data corrected or completed (Section 12)
  GDPR: Yes. Right to rectification of inaccurate data without undue delay (Article 16)

Right to Erasure
  DPDPA: Yes. Right to have personal data erased when consent is withdrawn or the specified purpose is no longer being served (Section 12)
  GDPR: Yes. Right to erasure ("right to be forgotten") across six specified grounds (Article 17)

Right to Data Portability
  DPDPA: No. The DPDPA does not include a right to data portability
  GDPR: Yes. Right to receive personal data in a structured, commonly used, machine-readable format (Article 20)

Right to Object
  DPDPA: No. No general right to object to processing
  GDPR: Yes. Right to object to processing based on legitimate interest or public interest, including profiling (Article 21)

Right to Restrict Processing
  DPDPA: No. Not provided for in the DPDPA
  GDPR: Yes. Right to restrict processing in specified circumstances (Article 18)

Right Against Automated Decision-Making
  DPDPA: No. Not explicitly addressed in the DPDPA
  GDPR: Yes. Right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects (Article 22)

Right to Nominate
  DPDPA: Yes. Right to nominate another person to exercise rights in case of death or incapacity (Section 14)
  GDPR: No. Not explicitly provided (left to member state law)

Practical implication: Companies cannot assume that a GDPR-compliant rights management system will satisfy the DPDPA, or vice versa. The absence of portability and objection rights under the DPDPA simplifies some aspects of Indian compliance, but the nomination right (Section 14) introduces a requirement that most GDPR-focused systems do not accommodate. Both systems must be maintained in parallel.


5. Cross-Border Data Transfers

The two laws take fundamentally opposite approaches to regulating international data flows.

DPDPA (Section 16): India adopts a blacklist (negative list) approach. Personal data may be transferred to any country unless the Central Government specifically restricts transfers to that country by notification. As of April 2026, no restricted country list has been published, meaning transfers are currently permitted to all jurisdictions. However, the government retains broad discretion to restrict transfers at any time, and the DPDP Rules require Data Fiduciaries to ensure that the receiving entity provides a comparable level of protection.

GDPR (Chapter V, Articles 44-49): The EU uses a whitelist (positive list) approach. Transfers to countries outside the EEA are prohibited unless an adequacy decision exists, or appropriate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or approved codes of conduct are in place. Since the Schrems II decision (C-311/18), Transfer Impact Assessments are also required when relying on SCCs.

Practical implication: The DPDPA's approach is initially more permissive, but the uncertainty about future restrictions creates planning risk. Companies should map all cross-border data flows involving Indian personal data and develop contingency plans for the possibility that key jurisdictions are restricted. For transfers from the EU to India, the absence of an EU adequacy decision for India means that SCCs or BCRs remain necessary. For a deeper analysis, see our guide on DPDPA compliance.


6. Data Protection Officer Requirements

DPDPA (Section 10): The Act does not mandate a Data Protection Officer for all organisations. Instead, it requires Significant Data Fiduciaries (a category to be designated by the Central Government based on volume and sensitivity of data processed, risk to Data Principals, and other factors) to appoint a Data Protection Officer who must be based in India. Only entities meeting the Significant Data Fiduciary threshold face this requirement.

GDPR (Articles 37-39): The Regulation requires a DPO for all public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or organisations whose core activities involve large-scale processing of special category data. The DPO need not be based in the EU but must be accessible to the supervisory authority. Many technology companies, particularly those in adtech, healthtech, and fintech, meet these thresholds.

Practical implication: Companies that have appointed a DPO for GDPR purposes may not be required to appoint one under the DPDPA unless designated as a Significant Data Fiduciary. However, the DPDPA's requirement that the DPO be based in India means that a single global DPO cannot serve both regimes. Companies should anticipate the need for a locally resident officer if they are likely to be designated as Significant Data Fiduciaries.


7. Breach Notification

DPDPA (Section 8(6)): Data Fiduciaries must notify the Data Protection Board of India and each affected Data Principal in the event of a personal data breach. The notification must be made "without delay" but no specific time limit is prescribed in the Act. The DPDP Rules are expected to provide further detail on the form and manner of notification. Notably, the obligation to notify affected individuals directly is mandatory, not discretionary.

GDPR (Articles 33-34): Controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Notification to affected data subjects is required only where the breach is likely to result in a high risk to their rights and freedoms. Processors must notify controllers "without undue delay."

Practical implication: The DPDPA's requirement to notify all affected individuals (not just those at high risk) is broader than the GDPR's notification obligation. Companies need separate breach response playbooks for each jurisdiction. The absence of a specific time limit in the DPDPA (compared to the GDPR's 72-hour window) does not mean companies can delay; "without delay" will be interpreted strictly by the Board.


8. Penalties

Both laws impose substantial penalties, but the structures differ significantly.

Maximum Penalty
  DPDPA: INR 250 crore (~EUR 27 million) per instance of non-compliance (Schedule)
  GDPR: EUR 20 million or 4% of global annual turnover, whichever is higher (Article 83)

Penalty Basis
  DPDPA: Fixed maximum amounts specified for each category of violation in the Schedule to the Act
  GDPR: Turnover-based, scaled to the size of the organisation

Breach of Children's Data Provisions
  DPDPA: Up to INR 200 crore (~EUR 22 million)
  GDPR: Up to EUR 20 million or 4% of global annual turnover

Failure to Notify Breach
  DPDPA: Up to INR 200 crore (~EUR 22 million)
  GDPR: Up to EUR 10 million or 2% of global annual turnover

Non-Compliance by Data Processor
  DPDPA: Penalties apply to the Data Fiduciary; Data Processors are not directly penalised under the DPDPA
  GDPR: Penalties can apply to both controllers and processors (Article 83)

Right of Individuals to Compensation
  DPDPA: No. The DPDPA does not provide a private right of action for compensation
  GDPR: Yes. Data subjects have the right to compensation for material or non-material damage (Article 82)

Practical implication: The GDPR's turnover-based penalty model means that large multinational companies face proportionally greater exposure under the GDPR. However, the DPDPA's fixed-cap model can be more punitive for smaller companies. The absence of a private right of action under the DPDPA reduces litigation risk in India, but enforcement by the Data Protection Board is expected to be active. Companies should budget for compliance in both jurisdictions independently.


9. Regulatory Body Independence

The independence of the supervisory authority is one of the most debated structural differences between the two regimes.

DPDPA (Sections 18-26): The Act establishes the Data Protection Board of India (DPBI) as the adjudicatory body. Members of the Board are appointed by the Central Government, specifically by the Ministry of Electronics and Information Technology (MeitY). The Board's chairperson and members serve for terms determined by the Central Government. The Board functions as a digital office and adjudicates complaints and non-compliance proceedings. Critics have raised concerns that the Board lacks structural independence from the executive branch, given the government's role in appointments, tenure, and removal.

GDPR (Articles 51-59): Each EU member state must establish one or more independent supervisory authorities (Data Protection Authorities or DPAs). The GDPR explicitly requires that these authorities act with complete independence, free from external influence. DPA members are appointed through transparent processes, have fixed terms, and can only be dismissed for serious misconduct. The European Data Protection Board (EDPB) coordinates enforcement across member states.

Practical implication: The question of regulatory independence affects how predictably and consistently the DPDPA will be enforced. Companies should monitor the DPBI's early enforcement decisions carefully to understand its approach. The EU's independent DPA model provides more established precedent and predictability, which aids compliance planning. For multinational companies, this difference translates into different risk assessment frameworks for each jurisdiction.


10. Children's Data

DPDPA (Section 9): The Act imposes a blanket requirement of verifiable parental consent before processing the personal data of any individual under the age of 18. Data Fiduciaries are prohibited from undertaking tracking, behavioural monitoring, or targeted advertising directed at children. The Central Government may, by notification, exempt certain Data Fiduciaries or classes of Data Fiduciaries from these requirements if their processing is demonstrably in the best interest of the child.

GDPR (Article 8): The Regulation sets the baseline age of consent for information society services at 16 years, but allows member states to lower this threshold to as low as 13 years. Where the child is below the applicable age, processing is lawful only with the consent or authorisation of the holder of parental responsibility. The controller must make reasonable efforts to verify parental consent, taking into account available technology.

Practical implication: The DPDPA's uniform age threshold of 18 is significantly higher than the GDPR's 13-16 range. This has substantial consequences for edtech, gaming, social media, and any platform with users under 18 in India. Age verification mechanisms that satisfy the GDPR's requirements for a 13-year-old user will likely be insufficient for the DPDPA's requirement of verifiable parental consent for a 17-year-old. Companies must design age-gating and consent collection flows specifically for the Indian market.


Key Takeaways for Companies Operating in Both Jurisdictions

For technology companies subject to both the DPDPA and the GDPR, the following principles should guide compliance strategy:

  • Do not assume GDPR compliance equals DPDPA compliance. The differences in legal bases, consent requirements, children's data rules, and breach notification obligations mean that a GDPR-compliant framework will have material gaps when applied to Indian operations.
  • Consent architecture requires separate design. The absence of a legitimate interest basis under the DPDPA means that processing activities relying on Article 6(1)(f) GDPR will need consent-based justification in India. This is not a labelling exercise; it requires rethinking data flows and user interfaces.
  • Rights management systems need jurisdiction-aware logic. The DPDPA's nomination right and the GDPR's portability and objection rights do not overlap. Systems must handle jurisdiction-specific requests correctly.
  • Cross-border transfer strategies must account for both directions. Transfers from India are currently unrestricted but may be restricted at short notice. Transfers from the EU to India require SCCs or BCRs. Build flexibility into your transfer mechanisms.
  • Breach response plans must be jurisdiction-specific. The DPDPA's mandatory notification to all affected individuals differs from the GDPR's risk-based approach. A single global breach response protocol will not suffice.
  • Budget for separate DPO and compliance functions. The DPDPA's India-based DPO requirement for Significant Data Fiduciaries cannot be satisfied by a European-based DPO. Plan for local compliance headcount.
  • Monitor the Data Protection Board of India's early enforcement actions. The Board's interpretation of "without delay," "verifiable parental consent," and other open-textured standards will shape compliance requirements significantly.
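The takeaways above on legal bases, consent architecture, children's data and jurisdiction-aware rights handling (sections 2, 3, 4 and 10) can be turned into a single policy check that a platform runs before it processes an activity or answers a rights request. The following is an added example written for this article; it is not code from Lawsel Advisory or from any compliance product. It encodes only the rules as the comparison states them (two DPDPA bases versus six GDPR bases, the rights catalogue, the 18 versus 13-16 age thresholds, the DPDPA ban on tracking and targeted advertising aimed at children, and cessation on withdrawal of consent). The purpose labels, the `Activity` structure, the default member-state age of 16 and the sample activity are assumptions made for the example.

```python
"""Jurisdiction-aware compliance checks for one processing activity under the DPDPA and the GDPR.

Added example. Rules are encoded only as far as the comparison states them; purpose labels,
the Activity fields, the default member-state age and the sample data are assumptions.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Law(Enum):
    DPDPA = auto()
    GDPR = auto()


class Basis(Enum):
    CONSENT = auto()
    CERTAIN_LEGITIMATE_USES = auto()   # DPDPA Section 7 only
    CONTRACT = auto()
    LEGAL_OBLIGATION = auto()
    VITAL_INTERESTS = auto()
    PUBLIC_INTEREST = auto()
    LEGITIMATE_INTERESTS = auto()      # GDPR Article 6(1)(f) only


# Legal bases each law recognises (DPDPA Sections 4-7; GDPR Article 6).
PERMITTED_BASES = {
    Law.DPDPA: {Basis.CONSENT, Basis.CERTAIN_LEGITIMATE_USES},
    Law.GDPR: {Basis.CONSENT, Basis.CONTRACT, Basis.LEGAL_OBLIGATION,
               Basis.VITAL_INTERESTS, Basis.PUBLIC_INTEREST, Basis.LEGITIMATE_INTERESTS},
}

# Rights catalogue from the comparison table. A request for a right the law does not
# grant should be answered as unsupported rather than silently routed to a handler.
RIGHTS = {
    Law.DPDPA: {"access", "correction", "erasure", "nominate"},
    Law.GDPR: {"access", "correction", "erasure", "portability", "object",
               "restrict", "automated_decision"},
}

# Purposes DPDPA Section 9 prohibits for children (assumed purpose labels).
CHILD_PROHIBITED = {"tracking", "behavioural_monitoring", "targeted_advertising"}


@dataclass
class Activity:
    purposes: frozenset                      # purposes the activity actually serves
    basis: Basis
    consented_purposes: frozenset = frozenset()  # purposes the individual consented to
    consent_withdrawn: bool = False
    subject_age: Optional[int] = None
    parental_consent_verified: bool = False


def child_age_threshold(law, member_state_age=16):
    """Age below which parental consent is needed: 18 under the DPDPA; 16 under the GDPR
    unless the member state lowers it, to no lower than 13 (Article 8)."""
    if law is Law.DPDPA:
        return 18
    if not 13 <= member_state_age <= 16:
        raise ValueError("GDPR Article 8 allows a member-state age between 13 and 16")
    return member_state_age


def assess(activity, law, member_state_age=16):
    """Return the list of compliance gaps for one activity under one law (empty if none)."""
    gaps = []
    if activity.basis not in PERMITTED_BASES[law]:
        gaps.append(f"{activity.basis.name} is not a recognised legal basis under {law.name}")
    if activity.basis is Basis.CONSENT:
        if activity.consent_withdrawn:
            gaps.append("consent withdrawn: processing must cease")
        # Both laws require consent to be specific: every purpose needs a consent record.
        missing = activity.purposes - activity.consented_purposes
        if missing:
            gaps.append("no consent recorded for purposes: " + ", ".join(sorted(missing)))
    age = activity.subject_age
    if age is not None and age < child_age_threshold(law, member_state_age):
        if not activity.parental_consent_verified:
            gaps.append(f"verifiable parental consent required for a data subject aged "
                        f"{age} under {law.name}")
        if law is Law.DPDPA and activity.purposes & CHILD_PROHIBITED:
            gaps.append("DPDPA Section 9 prohibits tracking, behavioural monitoring and "
                        "targeted advertising directed at children")
    return gaps


def route_rights_request(law, right):
    """True if the law grants the right; the caller should reject anything else explicitly."""
    return right in RIGHTS[law]


def assess_both(activity, member_state_age=16):
    """Run the same activity against both regimes; GDPR-clean does not imply DPDPA-clean."""
    return {law.name: assess(activity, law, member_state_age) for law in Law}


if __name__ == "__main__":
    # Constructed sample: analytics and ad targeting on legitimate interests, user aged 17.
    analytics = Activity(purposes=frozenset({"analytics", "targeted_advertising"}),
                         basis=Basis.LEGITIMATE_INTERESTS, subject_age=17)
    for name, gaps in assess_both(analytics).items():
        print(name, gaps or "no gaps")
```

Running the sample shows the point of the first takeaway: the activity passes under the GDPR (legitimate interests is a valid basis and a 17-year-old is above the member-state threshold) but produces three gaps under the DPDPA (no such basis, parental consent needed below 18, and a prohibited purpose for a child). Wiring `route_rights_request` in front of a rights handler keeps a portability request from India or a nomination request from the EU from being processed as if the right existed.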

How Lawsel Advisory Can Help

Navigating dual compliance under the DPDPA and the GDPR requires more than surface-level comparison. It requires a detailed understanding of how each law applies to your specific data processing activities, technology infrastructure, and business model.

At Lawsel Advisory, we work with technology companies to build practical, jurisdiction-aware data privacy compliance programmes. Our services include:

  • Dual-jurisdiction gap assessments that map your existing GDPR compliance framework against DPDPA requirements and identify specific areas requiring additional work
  • Consent architecture design for platforms that must operate under both consent-heavy (DPDPA) and multi-basis (GDPR) regimes
  • Cross-border data transfer structuring that accounts for both the DPDPA's blacklist approach and the GDPR's SCC and BCR requirements
  • Breach response planning with jurisdiction-specific playbooks for India and the EU
  • Ongoing compliance monitoring as the DPBI begins enforcement and the regulatory landscape matures

For a detailed walkthrough of DPDPA-specific compliance requirements, see our comprehensive DPDPA compliance guide.

To discuss how these differences affect your organisation, schedule a consultation with our data privacy team.


Rini Mathew · Founder, Lawsel Advisory
