Executive Summary
The Digital Personal Data Protection Act, 2023 (DPDP Act) draws inspiration from GDPR but diverges significantly in scope, implementation, and enforcement. For multinational corporations and Indian businesses with global operations, understanding these differences is critical for dual compliance. This article provides a detailed comparison across 15 key parameters with practical compliance implications.
Key Differences:
- DPDP covers only digital personal data; GDPR covers all personal data
- DPDP uses "negative list" for transfers; GDPR requires adequacy decisions
- DPDP penalties capped at ₹250 crore; GDPR at 4% global turnover
- DPDP has no explicit DPO requirement; GDPR mandates DPO for certain processors
- DPDP lacks data portability right; GDPR includes comprehensive portability
Introduction
When India's DPDP Act was enacted in August 2023 and rules notified in 2025, comparisons with the EU's General Data Protection Regulation (GDPR) were inevitable. Both frameworks share common principles - consent, purpose limitation, data minimization - but their implementation differs substantially.
For businesses operating in both jurisdictions, "GDPR compliance" doesn't automatically mean "DPDP compliance." This guide maps the differences to help build a unified compliance strategy.
Section 1: Scope and Applicability
Territorial Scope
| Aspect | DPDP Act | GDPR |
|---|---|---|
| Primary Application | India | EU/EEA |
| Extraterritorial Reach | Processing of Indian residents' data | Processing EU residents' data |
| Establishment Test | Yes | Yes |
| Offering Goods/Services Test | Yes | Yes |
| Monitoring Behavior Test | Not explicit | Yes (Art. 3(2)(b)) |
Material Scope
DPDP Act:
- Covers ONLY digital personal data
- Digitized offline data included
- No coverage for purely offline (paper) records
- No distinction between automated and manual processing
GDPR:
- Covers ALL personal data regardless of format
- Paper records in filing systems covered
- Automated and manual processing both in scope
- Pseudonymized data covered; anonymous data excluded
Practical Implication
Scenario: HR records maintained partially on paper, partially digital
DPDP: Only digital records subject to Act
GDPR: Both paper and digital records covered
Compliance Gap: DPDP-compliant HR systems may not be GDPR-compliant
Section 2: Definitions Comparison
Personal Data
| Term | DPDP Definition | GDPR Definition |
|---|---|---|
| Personal Data | "Data about an individual who is identifiable by or in relation to such data" | "Any information relating to an identified or identifiable natural person" |
| Sensitive Data | Not separately defined | "Special categories" with explicit list (Art. 9) |
| Children's Data | Under 18 (default) | Under 16 (member states may lower to 13) |
Key Controller/Processor Terminology
| DPDP Term | GDPR Equivalent | Meaning |
|---|---|---|
| Data Fiduciary | Data Controller | Determines purpose and means |
| Data Processor | Data Processor | Processes on behalf of controller |
| Data Principal | Data Subject | Individual whose data is processed |
| Significant Data Fiduciary | N/A (no direct equivalent) | High-volume/sensitive processors |
| Consent Manager | N/A | Registered consent intermediary |
Implications
Sensitive Personal Data:
DPDP doesn't create a separate category of sensitive data with enhanced protections. GDPR Article 9 prohibits, subject to its listed exceptions, processing of:
- Racial/ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Genetic/biometric data
- Health data
- Sexual orientation
Compliance Gap: For EU residents, organizations must apply GDPR's sensitive-data restrictions even though DPDP does not require them.
Section 3: Lawful Bases for Processing
DPDP Act Bases
- Consent (Section 6) - Primary basis
- Legitimate Uses (Section 7):
  - Specified purpose with prior consent
  - State functions
  - Legal obligations
  - Medical emergencies
  - Employment purposes
  - Public interest (prescribed)
GDPR Bases (Article 6)
- Consent
- Contract performance
- Legal obligation
- Vital interests
- Public task
- Legitimate interests (with balancing test)
Critical Difference: Legitimate Interests
GDPR: Allows "legitimate interests" as standalone basis with required balancing against data subject rights.
DPDP: NO equivalent "legitimate interests" basis. Must rely on consent or enumerated legitimate uses.
Compliance Matrix
| Processing Activity | DPDP Basis | GDPR Basis |
|---|---|---|
| Marketing emails | Consent required | Legitimate interests (with opt-out) |
| Fraud prevention | Consent or legal obligation | Legitimate interests |
| Employee monitoring | Employment purposes | Legitimate interests + transparency |
| CCTV surveillance | Consent or public interest | Legitimate interests |
| Analytics cookies | Consent required | Consent required |
Key Takeaway: Activities permissible under GDPR legitimate interests may require explicit consent under DPDP.
Section 4: Consent Requirements
Consent Standards Comparison
| Requirement | DPDP | GDPR |
|---|---|---|
| Free | Yes | Yes |
| Specific | Yes | Yes |
| Informed | Yes | Yes |
| Unambiguous | Yes | Yes |
| Granular | Implied | Explicit (per purpose) |
| Withdrawable | Yes (as easy as giving) | Yes (as easy as giving) |
| Documentable | Yes | Yes |
| Bundling Prohibited | Implied | Explicit (Art. 7(4)) |
Consent Form Requirements
DPDP (Section 6 + Rules):
Required Elements:
├─ Itemized description of personal data
├─ Purpose of processing
├─ Contact details of Data Fiduciary
├─ Grievance officer details
├─ Right to withdraw
├─ Right to complain to Board
└─ Languages: English + 22 scheduled languages
GDPR (Article 7 + WP29 Guidelines):
Required Elements:
├─ Identity of controller
├─ Purpose(s) of processing
├─ Type of data collected
├─ Existence of withdrawal right
├─ Information about third-party sharing
├─ Information about cross-border transfers
└─ Automated decision-making information
Language Requirements
DPDP: Mandatory availability in 22 scheduled languages of India plus English.
GDPR: Clear and plain language; no specific language requirements but must be accessible to data subjects.
Section 5: Data Subject/Principal Rights
Rights Comparison Table
| Right | DPDP | GDPR |
|---|---|---|
| Right to Access | Yes (Section 11) | Yes (Art. 15) |
| Right to Correction | Yes (Section 12) | Yes (Art. 16) |
| Right to Erasure | Yes (Section 12) | Yes (Art. 17) |
| Right to Portability | NO | Yes (Art. 20) |
| Right to Restriction | NO | Yes (Art. 18) |
| Right to Object | NO (withdrawal only) | Yes (Art. 21) |
| Rights re: Automated Decisions | NO | Yes (Art. 22) |
| Right to Nominate | Yes (Section 14) | NO |
| Right to Complain | Yes (to Board) | Yes (to DPA) |
Missing Rights Under DPDP
Data Portability:
- GDPR allows data subjects to receive their data in structured, machine-readable format
- DPDP has no equivalent provision
- Significant gap for fintech, social media, healthcare
Right to Object:
- GDPR allows objection to processing based on legitimate interests
- DPDP only allows consent withdrawal (not applicable to legitimate uses)
Automated Decision-Making:
- GDPR provides right not to be subject to purely automated decisions with legal effects
- DPDP is silent on algorithmic decision-making rights
Unique DPDP Right: Nomination
Section 14: Data Principals can nominate another person to exercise rights in case of death or incapacity.
GDPR has no equivalent - rights generally don't survive death (varies by member state).
Section 6: Cross-Border Data Transfers
DPDP Approach: Negative List
Section 16:
- Transfers permitted to ALL countries EXCEPT those on "restricted" list
- Central Government to notify restricted territories
- No notification yet (as of January 2026)
- Result: Currently, transfers allowed everywhere
GDPR Approach: Adequacy + Safeguards
Chapter V (Articles 44-49):
Transfer Mechanisms:
├─ Adequacy Decision (Commission determination)
├─ Standard Contractual Clauses (SCCs)
├─ Binding Corporate Rules (BCRs)
├─ Codes of Conduct
├─ Certification Mechanisms
└─ Derogations (explicit consent, contract, etc.)
Comparison
| Aspect | DPDP | GDPR |
|---|---|---|
| Default Position | Transfer allowed | Transfer restricted |
| Approval Mechanism | Government negative list | Adequacy decisions |
| Contractual Safeguards | Not required | SCCs mandatory if no adequacy |
| BCRs | Not recognized | Recognized |
| US Transfers | Allowed (currently) | Requires specific safeguards |
Practical Implications
For India → EU Transfers:
- India not on EU adequacy list
- SCCs or BCRs required
- Transfer Impact Assessments needed
For EU → India Transfers:
- No adequacy decision for India
- SCCs required under GDPR
- DPDP imposes no additional restrictions (currently)
Section 7: Breach Notification
Comparison
| Aspect | DPDP | GDPR |
|---|---|---|
| Notify Authority | Yes - Data Protection Board | Yes - Supervisory Authority |
| Timeline | "As may be prescribed" (72 hours expected) | 72 hours (Art. 33) |
| Notify Data Subjects | Yes - affected individuals | Yes - if high risk (Art. 34) |
| Threshold | All breaches (no materiality threshold) | Risk to rights and freedoms |
| Content Requirements | Prescribed by Rules | Detailed in Art. 33(3) |
GDPR Breach Notification Content (Article 33(3))
Required Information:
├─ Nature of breach (categories, numbers affected)
├─ DPO/contact point details
├─ Likely consequences
├─ Measures taken/proposed
└─ Documentation of breach
DPDP Rules Requirements
Prescribed Elements:
├─ Description of breach
├─ Circumstances and cause
├─ Time of occurrence and discovery
├─ Potential impact
├─ Mitigation measures
└─ Contact information
Section 8: Penalties and Enforcement
Penalty Comparison
| Violation | DPDP Maximum | GDPR Maximum |
|---|---|---|
| Most Serious Violations | ₹250 crore (~€27M) | €20M or 4% global turnover |
| Other Violations | ₹50-200 crore | €10M or 2% global turnover |
| Breach Notification Failure | ₹200 crore | €10M or 2% |
| Children's Data Violations | ₹200 crore | €20M or 4% |
Enforcement Mechanism
DPDP:
- Data Protection Board of India
- Adjudicatory body (not regulatory)
- Complaint-driven primarily
- Appeals to Appellate Tribunal
GDPR:
- National Data Protection Authorities
- Proactive investigation powers
- European Data Protection Board coordination
- Administrative fines + court remedies
Key Difference: Turnover-Based Penalties
GDPR's 4% global turnover penalty can be devastating for large corporations:
- Google: €4.34 billion potential (€90B revenue × 4%)
- Meta: €4.8 billion potential
DPDP's ₹250 crore cap is significant but fixed - no turnover multiplier.
Section 9: Data Protection Officer Requirements
GDPR DPO Requirements (Articles 37-39)
Mandatory When:
- Public authority/body processing
- Core activities require large-scale regular monitoring
- Core activities involve large-scale sensitive data processing
DPO Qualifications:
- Expert knowledge of data protection law
- Independence required
- Direct reporting to highest management
- No conflict of interest
DPDP Approach
No explicit DPO requirement for most Data Fiduciaries.
For Significant Data Fiduciaries only:
- Must appoint "Data Protection Officer" based in India
- No detailed qualification requirements specified
- Board-facing role
Practical Implication
Organizations required to have a GDPR DPO cannot assume that the same person satisfies the DPDP requirements for Significant Data Fiduciaries: different roles, different jurisdictions.
Section 10: Documentation and Accountability
GDPR Accountability Principle (Article 5(2))
Documentation Requirements:
├─ Records of processing activities (Art. 30)
├─ Data Protection Impact Assessments (Art. 35)
├─ Prior consultation records
├─ DPO appointment documentation
├─ Consent records
├─ Breach records
├─ Transfer documentation (SCCs, BCRs)
└─ Processor agreements
DPDP Requirements
Documentation Requirements:
├─ Consent records
├─ Processing records (for SDF)
├─ Breach records
├─ Audit reports (for SDF)
└─ Grievance records
Gap Analysis
| Documentation | DPDP Required | GDPR Required |
|---|---|---|
| Records of Processing | SDF only | All controllers |
| DPIA | Not required | High-risk processing |
| Consent Records | Yes | Yes |
| Processor Agreements | Yes | Yes |
| Transfer Records | No | Yes |
| Training Records | Not specified | Best practice |
Section 10A: Supreme Court Precedents on Privacy and Personal Data Protection
The Supreme Court of India has developed significant jurisprudence on privacy and personal data protection that informs the interpretation of the DPDP Act and its comparison with GDPR standards.
1. Canara Bank v. C.S. Shyam (2017)
| Aspect | Details |
|---|---|
| Citation | Civil Appeal No. 22 of 2009 |
| Bench | Justice Anil R. Dave, Justice L. Nageswara Rao |
| Date | 31-08-2017 |
Facts: An RTI application sought information about an employee's performance, promotions, and disciplinary proceedings from Canara Bank. The bank claimed exemption under Section 8(1)(j) of the RTI Act (personal information with no public interest relationship).
Holding: The Supreme Court upheld the exemption:
"Personal information relating to an employee's performance, promotions, transfers and disciplinary proceedings falls under exemption clause (j) of Section 8(1) of the RTI Act, as disclosure would cause unwarranted invasion of privacy without serving any public interest."
Key Principles:
- Employee performance data constitutes "personal information"
- Privacy protection extends to employment-related records
- Public interest test applies before disclosure
- Third parties cannot access another's personal data without compelling justification
DPDP/GDPR Relevance: This judgment establishes that employment data is personal data deserving protection - a principle embedded in both DPDP (Section 7(f) legitimate uses for employment) and GDPR (Recital 47 on employment context).
2. Girish Ramchandra Deshpande v. Central Information Commission (2022)
| Aspect | Details |
|---|---|
| Citation | Civil Appeal No. 27734 of 2012 |
| Bench | Justice B.R. Gavai, Justice B.V. Nagarathna |
| Date | 22-09-2022 |
Facts: A retired customs officer sought extensive personal information of other officers including their property returns, salary details, and postings. The Central Information Commission denied access citing privacy concerns.
Holding: The Supreme Court affirmed the denial:
"Personal information includes financial and service-related data when they have no direct nexus to public activity or discharge of official functions. The mere fact that information exists with a public authority does not automatically make it disclosable."
Key Principles:
- Financial information (salary, assets) is personal data
- Service records protected unless linked to public function discharge
- "Held by public authority" ≠ "public information"
- Purpose limitation applies to disclosure decisions
DPDP/GDPR Relevance: This judgment supports DPDP's purpose limitation principle (Section 5) and GDPR's data minimization requirement (Article 5(1)(c)). Personal data collected for one purpose cannot be disclosed for unrelated purposes.
3. R.K. Jain v. Union of India (2013)
| Aspect | Details |
|---|---|
| Citation | Civil Appeal No. 2013 |
| Bench | Justice R.M. Lodha, Justice Madan B. Lokur |
| Date | 16-04-2013 |
Facts: An RTI applicant sought Annual Confidential Reports (ACRs) of judges, arguing public interest in knowing judicial officer performance.
Holding: The Supreme Court protected ACR confidentiality:
"ACRs are personal information exempt under Section 8(1)(j) of the RTI Act unless larger public interest is established. The reporting system depends on candid assessments which would be compromised by routine disclosure."
Key Principles:
- Confidential assessments constitute personal data
- Expectation of confidentiality creates privacy interest
- System integrity justifies protection
- Public interest must be "larger" to override privacy
DPDP/GDPR Relevance: This judgment supports legitimate basis for confidential processing - relevant to GDPR's "legitimate interests" (Article 6(1)(f)) and DPDP's "legitimate uses" (Section 7). Confidential HR assessments can be processed without individual consent where system integrity requires it.
4. Justice K.S. Puttaswamy v. Union of India (2017)
| Aspect | Details |
|---|---|
| Citation | Writ Petition (Civil) No. 494 of 2012 |
| Bench | Nine-Judge Constitution Bench |
| Date | 24-08-2017 |
Facts: Challenge to Aadhaar scheme raised fundamental question of whether privacy is a constitutional right in India.
Holding: The nine-judge bench unanimously held:
"The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution."
Key Principles:
- Privacy is a fundamental right under Article 21
- Informational privacy (data protection) is a component of privacy
- Any restriction must satisfy proportionality test
- State must establish legitimate aim, necessity, and proportionality
DPDP/GDPR Relevance: This landmark judgment provides the constitutional foundation for the DPDP Act. The proportionality framework mirrors GDPR's approach to balancing data protection against legitimate interests. Both frameworks now operate within a fundamental rights paradigm.
Summary: SC Privacy Principles and DPDP/GDPR Alignment
| Principle | SC Judgment | DPDP Provision | GDPR Provision |
|---|---|---|---|
| Privacy as Right | Puttaswamy (2017) | Preamble, Section 4 | Article 1, Charter Art. 8 |
| Purpose Limitation | Deshpande (2022) | Section 5 | Article 5(1)(b) |
| Employee Data Protection | Canara Bank (2017) | Section 7(f) | Article 6, Recital 47 |
| Confidentiality Justification | R.K. Jain (2013) | Section 7 | Article 6(1)(f) |
| Public Interest Balancing | All above cases | Section 17 exemptions | Article 6(1)(e), 23 |
Section 11: Compliance Checklist for Dual-Jurisdiction Operations
For Indian Companies Processing EU Data
□ Appoint EU Representative (if no establishment)
□ Implement GDPR-compliant consent mechanisms
□ Add data portability capability
□ Add right to object mechanisms
□ Conduct DPIAs for high-risk processing
□ Appoint DPO if required
□ Execute SCCs for transfers to India
□ Maintain Art. 30 records
□ 72-hour breach notification capability
□ Cookie consent (ePrivacy compliant)
For EU Companies Processing Indian Data
□ Register with Data Protection Board (when operational)
□ Implement DPDP-compliant consent (22 languages)
□ Appoint India-based Grievance Officer
□ Implement children's consent mechanisms (under-18)
□ No behavioral monitoring of children
□ Breach notification to Board
□ Data Principal access mechanisms
□ Consider Consent Manager integration
□ Review for restricted territory updates
For Multinational Unified Compliance
□ Map all processing activities by jurisdiction
□ Identify highest-standard requirement per activity
□ Implement unified consent platform
□ Single privacy notice with jurisdiction toggles
□ Unified breach response procedure
□ Global DPO with local deputies
□ Centralized records with local access
□ Regular cross-jurisdiction audits
Section 12: Practical Recommendations
Approach 1: GDPR-First Strategy
Rationale: GDPR is generally more comprehensive; DPDP compliance often follows.
Steps:
- Achieve full GDPR compliance
- Map DPDP-specific requirements
- Add India-specific elements:
  - 22 language consent
  - Under-18 children threshold
  - India Grievance Officer
  - Consent Manager readiness
Gaps to Address:
- Remove reliance on legitimate interests for India
- Ensure teams understand the digital-only scope
- Prepare for Data Protection Board registration
Approach 2: Unified Framework Strategy
Rationale: Build single framework meeting both requirements.
Steps:
- Create unified data inventory
- Apply stricter standard for each element
- Build modular consent with jurisdiction detection
- Maintain single set of comprehensive records
- Train teams on both frameworks
Example: Consent Module
```python
# The consent-routing sketch written as Python; the show_* functions stand for
# the jurisdiction-specific consent screens.
def show_consent(user):
    if user.location == "India":
        show_dpdp_consent(languages=22, age_threshold=18)
    elif user.location == "EU":
        show_gdpr_consent(granular=True, portability_info=True)
    else:
        show_unified_consent(highest_standard)
```
Key Integration Points
| Element | Recommendation |
|---|---|
| Consent | DPDP language requirements + GDPR granularity |
| Age Verification | Use 18 (DPDP stricter than GDPR's 16) |
| Breach Notification | 72 hours to both authorities |
| Documentation | GDPR Art. 30 standard (covers DPDP) |
| Rights Response | 30 days (GDPR standard, DPDP likely similar) |
| DPO | Appoint one meeting GDPR standards + India location |
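An added example, not code from the article, of the "apply the stricter standard for each element" rule in Approach 2 and the consent rows of the integration table above: it merges the DPDP and GDPR consent requirements the article lists into one policy and checks a captured consent record against it. The class, function and field names, the jurisdiction codes "IN" and "EU", and the record layout are assumptions of this example.

```python
from dataclasses import dataclass
from functools import reduce

# Added example, not code from the article. The requirement values come from the
# article's comparison tables; the class and function names, the jurisdiction codes
# and the consent-record layout are this example's own assumptions.

@dataclass(frozen=True)
class ConsentPolicy:
    age_threshold: int             # below this age, verifiable parental consent is needed
    min_languages: int             # languages the consent notice must be offered in
    granular_per_purpose: bool     # separate consent per purpose, no bundling
    legitimate_interests_ok: bool  # may rely on legitimate interests instead of consent
    portability_notice: bool       # notice must disclose the data portability right

    def stricter(self, other):
        # Element by element, keep whichever jurisdiction demands more.
        return ConsentPolicy(
            age_threshold=max(self.age_threshold, other.age_threshold),
            min_languages=max(self.min_languages, other.min_languages),
            granular_per_purpose=self.granular_per_purpose or other.granular_per_purpose,
            legitimate_interests_ok=self.legitimate_interests_ok and other.legitimate_interests_ok,
            portability_notice=self.portability_notice or other.portability_notice,
        )

# DPDP: under-18, English plus 22 scheduled languages, granularity only implied, no
# legitimate-interests basis, no portability right. GDPR: under-16, one clear and plain
# language, explicit per-purpose consent, legitimate interests allowed, portability disclosed.
PROFILES = {
    "IN": ConsentPolicy(18, 23, False, False, False),
    "EU": ConsentPolicy(16, 1, True, True, True),
}

def resolve_policy(jurisdictions):
    """Stricter-of-all policy for the given jurisdiction codes. An empty or unknown
    jurisdiction falls back to the highest standard across every profile, which is
    the article's 'unified consent' branch."""
    wanted = list(jurisdictions)
    if not wanted or any(j not in PROFILES for j in wanted):
        wanted = list(PROFILES)
    return reduce(lambda a, b: a.stricter(b), (PROFILES[j] for j in wanted))

def validate_consent(record, policy):
    """List the ways a captured consent record falls short of the policy."""
    problems = []
    if record["age"] < policy.age_threshold and not record.get("parental_consent_verified"):
        problems.append("minor without verifiable parental consent")
    if record["languages_offered"] < policy.min_languages:
        problems.append("consent notice offered in too few languages")
    if policy.granular_per_purpose and len(record["purposes"]) > 1 and record.get("bundled"):
        problems.append("bundled consent where per-purpose consent is required")
    if record["basis"] == "legitimate_interests" and not policy.legitimate_interests_ok:
        problems.append("legitimate interests is not an available basis")
    if policy.portability_notice and not record.get("portability_notice_shown"):
        problems.append("portability right not disclosed")
    return problems

if __name__ == "__main__":
    # Constructed sample: a 17-year-old user reachable from both India and the EU.
    sample = {"age": 17, "languages_offered": 23, "purposes": ["analytics", "marketing"],
              "bundled": True, "basis": "legitimate_interests", "portability_notice_shown": False}
    print(validate_consent(sample, resolve_policy(["IN", "EU"])))
```

Run against the constructed sample, the merged policy flags four gaps (minor without parental consent, bundled consent, legitimate interests as basis, no portability disclosure), while the same record against the EU profile alone would only flag the bundling and portability items.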
Conclusion
DPDP and GDPR share philosophical roots but differ significantly in implementation. Key takeaways:
| Aspect | Winner for Compliance Burden | Notes |
|---|---|---|
| Scope | DPDP (narrower) | Digital only vs. all data |
| Consent | Similar | DPDP has language requirements |
| Rights | GDPR (more extensive) | Portability, objection absent in DPDP |
| Transfers | DPDP (easier currently) | Negative list vs. adequacy |
| Penalties | DPDP (capped) | ₹250Cr vs. 4% turnover |
| Documentation | DPDP (less prescribed) | GDPR more detailed |
Strategic Recommendation: Build GDPR-compliant infrastructure with DPDP-specific overlays for India operations. This future-proofs against potential DPDP amendments while ensuring current compliance with both frameworks.