DPDP Act 2023 vs GDPR: A Practitioner's Comparison for DPOs Operating Across India and the EU
India's DPDP Act 2023 is not a copy of the GDPR. It shares a philosophy — individual rights, fiduciary accountability, purpose limitation — but differs materially in structure, rights, and obligations. For DPOs managing organisations that operate in both India and the EU, understanding these differences is essential to avoid transposing GDPR assumptions onto Indian compliance programmes.
This guide provides a structured comparison of the two frameworks at the level of detail a practitioner needs — not an academic survey.
Why This Comparison Matters
Three categories of organisations need this comparison most urgently:
- Indian companies with EU operations or EU customers: They face dual compliance — DPDP for Indian data subjects; GDPR for EU data subjects
- European companies operating in India: They cannot assume their GDPR programme satisfies DPDP — it does not
- GDPR-trained DPOs now leading Indian compliance: They carry assumptions about legitimate interest, data portability, and automated decision-making rights that do not exist in DPDP
Lawful Bases — Side by Side
This is the most critical difference. DPDP Act 2023 provides four lawful bases; GDPR provides six.
| Lawful Basis | DPDP Act 2023 | GDPR |
|---|---|---|
| Consent | ✓ §6 — specific, free, informed, unambiguous | ✓ Art. 6(1)(a) |
| Contract performance | Partially — subsumed under consent/legal obligation; no explicit standalone basis | ✓ Art. 6(1)(b) — explicit basis |
| Legal obligation | ✓ §7(b)–(e) — compliance with Indian law | ✓ Art. 6(1)(c) |
| Vital interests | ✓ §7(f) — emergency/life protection | ✓ Art. 6(1)(d) |
| Public task / State function | ✓ §7(a) — State and instrumentalities | ✓ Art. 6(1)(e) |
| Legitimate interest | ✗ DOES NOT EXIST IN DPDP | ✓ Art. 6(1)(f) — widely used in EU |
Critical implication: Many processing activities that GDPR organisations rely on legitimate interest for — fraud prevention analytics, direct marketing to existing customers, intra-group data transfers, employee monitoring — require either consent or a legal obligation basis under DPDP. Review every processing activity mapped to legitimate interest in your EU ROPA — each needs a DPDP-valid basis independently assessed.
Data Subject Rights
| Right | DPDP Act 2023 | GDPR |
|---|---|---|
| Right to access | ✓ §11 — summary of data and processing | ✓ Art. 15 — comprehensive access including categories, recipients, safeguards |
| Right to correction | ✓ §12 | ✓ Art. 16 (rectification) |
| Right to erasure | ✓ §12 — where purpose ceases | ✓ Art. 17 — broader grounds including objection |
| Right to restrict processing | ✗ Not explicitly provided | ✓ Art. 18 |
| Right to data portability | ✗ NOT IN DPDP | ✓ Art. 20 — machine-readable format to another controller |
| Right to object | Partial — via consent withdrawal; no general objection right | ✓ Art. 21 — includes right to object to legitimate interest processing |
| Rights re: automated decisions | ✗ No explicit right to contest automated decisions | ✓ Art. 22 — right not to be subject to solely automated decisions |
| Right to nominate | ✓ §14 — unique to DPDP; nominate someone to exercise rights posthumously | ✗ Not explicitly provided |
| Grievance redressal | ✓ §13 — mandatory grievance mechanism + Board escalation | ✓ Art. 77 — right to lodge complaint with supervisory authority |
Implication for DPO workflow: DSAR processes designed for GDPR need adaptation for DPDP. You must not promise data portability as a legal right. You cannot rely on a "right to restrict" as a holding mechanism. But you must provide a grievance pathway that leads to the Data Protection Board — which GDPR organisations often do not operationalise.
DPO Appointment Requirements
| Requirement | DPDP Act 2023 (SDF) | GDPR |
|---|---|---|
| Mandatory for | Significant Data Fiduciaries (formally designated) | Public authorities; large-scale systematic monitoring; large-scale special category processing |
| Internal vs external | Must be internal KMP (SDF) | Internal or external both permitted |
| Residency requirement | Must be based in India (SDF) | No residency requirement; can be in any EU/EEA country |
| Seniority level | Key Managerial Person (SDF) | No minimum seniority specified |
| Expertise requirement | Implied — must have knowledge of data protection law | Explicit — professional qualities and expert knowledge of data protection law |
| Published contact | Yes — accessible to Data Principals | Yes — published and notified to supervisory authority |
| Protection from dismissal | Not explicitly stated in Act/Rules | Art. 38(3) — explicit protection from penalties for performing tasks |
Breach Notification Timelines
| Notification | DPDP Act 2023 | GDPR |
|---|---|---|
| To supervisory authority | "As soon as possible" — specific timeline in Rules (not yet prescribed); treat as urgent | 72 hours of becoming aware (Art. 33) |
| To affected individuals | When the Board directs, or when likely to cause significant harm | Without undue delay when high risk to rights and freedoms (Art. 34) |
| Threshold for notification | All personal data breaches (no de minimis exception explicit in Act) | Only if likely to result in risk to rights and freedoms of individuals |
| Content of notification | To be prescribed in Rules; expect: nature, scope, individuals affected, measures taken | Art. 33(3) — specific mandatory content prescribed |
| Processor notification to controller | Data Fiduciary remains responsible; the data processing agreement (DPA) with the processor should specify its notification obligation | Art. 33(2) — processor must notify controller "without undue delay" |
Practical implication: Under DPDP, there is no explicit 72-hour clock in the current Rules, but "as soon as possible" must be treated as urgent. Operate on a 24–48 hour internal target to give yourself time to prepare the Board notification before submitting.
Penalty Framework
| Aspect | DPDP Act 2023 | GDPR |
|---|---|---|
| Maximum penalty | ₹250 crore (approx. €27M) per violation | €20M or 4% of global annual turnover — whichever is higher |
| Basis for calculation | Per violation — aggregate penalties possible for multiple violations | Per infringement — calculated as percentage of global turnover |
| Children's data violations | Up to ₹200 crore | Standard GDPR tiered penalties apply |
| SDF-specific violations | Up to ₹250 crore | No SDF equivalent — standard tiers apply |
| Enforcement body | Data Protection Board of India | National supervisory authority (ICO, CNIL, BfDI, etc.) |
| Right of appeal | High Court | National courts |
| Criminal liability | Not in current Act | Member state-specific criminal provisions possible |
Children's Data
| Aspect | DPDP Act 2023 | GDPR |
|---|---|---|
| Age threshold | Under 18 years | Under 16 years (member states may lower to 13) |
| Consent requirement | Verifiable parental consent for all processing — §9 | Parental consent for digital services (Art. 8) |
| Profiling/tracking | Prohibited for children without explicit SDF-level exception — §9(3) | Restricted but not uniformly prohibited |
| Targeted advertising | Prohibited to children — §9(3) | Restricted but member state implementation varies |
| Verification obligation | Data Fiduciary must verify parental consent — method not yet prescribed | Reasonable efforts to verify parental consent |
Cross-Border Data Transfers
| Aspect | DPDP Act 2023 | GDPR |
|---|---|---|
| Mechanism | Negative list — transfers prohibited to countries notified by Central Government (§16) | Positive adequacy — transfers permitted to adequate countries; SCCs/BCRs for others |
| Current status | Negative list not yet notified — transfers generally permissible pending notification | Adequacy decisions in place for ~15 countries; India not yet adequate |
| Safeguards required | Not explicitly mandated in Act; contractual safeguards remain best practice | SCCs, BCRs, or adequacy required for non-adequate countries |
| India ↔ EU data flows | Indian data to EU: no DPDP prohibition currently; EU data to India: GDPR SCCs required (India not adequate) | EU data to India requires SCCs or BCRs |
Key Things GDPR Practitioners Must Unlearn
- Legitimate interest does not exist in DPDP. Every processing activity relying on this must be re-evaluated for a valid DPDP basis — typically consent or legal obligation.
- There is no right to data portability under DPDP. Do not offer this as a statutory right in your Indian privacy notice.
- There is no explicit right to contest automated decisions under DPDP. AI/ML decision-making governance is a gap — address it contractually and through your own accountability framework, not by citing a DPDP right that does not exist.
- The 72-hour breach notification clock does not exist in DPDP Rules (yet). But "as soon as possible" means you should treat it as urgent — not treat the absence of a clock as permission to delay.
- The DPO for an SDF must be internal and India-based. A shared group DPO based in Europe does not satisfy DPDP Rules 2025.
- Contract performance is not an explicit standalone basis under DPDP. Carefully assess whether you need consent or legal obligation to cover processing that GDPR would map to Art. 6(1)(b).
Where DPDP Goes Further Than GDPR
- Children's data protection is stricter. The prohibition on tracking and targeted advertising to under-18s is broader than GDPR's approach.
- SDF obligations create a two-tier system with additional accountability. Annual Data Audits, mandatory DPIAs, KMP-level DPO requirements — GDPR has no equivalent SDF designation.
- Right to nominate (§14) is unique to DPDP — individuals can designate someone to exercise rights posthumously, a forward-thinking provision not in GDPR.
- Grievance redressal timelines are more operationally prescriptive in the DPDP Rules framework than GDPR's general right to complain to a supervisory authority.
Dual-Jurisdiction Checklist
For organisations operating under both DPDP and GDPR, validate these items:
- ☑ All processing activities mapped separately for DPDP (Indian data subjects) and GDPR (EU data subjects) in your ROPA
- ☑ Every instance of "legitimate interest" in your GDPR ROPA re-assessed for a valid DPDP basis
- ☑ Privacy notices for Indian customers do not reference data portability as a legal right
- ☑ DSAR process distinguishes between DPDP response obligations (access summary) and GDPR response obligations (comprehensive access)
- ☑ Breach response plan has separate notification tracks: GDPR (72 hours to supervisory authority) and DPDP (as soon as possible to Data Protection Board)
- ☑ DPO appointment structure: separate India-based KMP DPO for SDF status, plus GDPR-compliant DPO for EU operations
- ☑ Children's data consent mechanisms meet the stricter of the two frameworks (DPDP under-18 with verifiable parental consent)
- ☑ EU-to-India data transfers have SCCs or BCRs in place (GDPR requirement; India not yet adequate)
- ☑ India-to-EU data transfers assessed against DPDP negative list (not yet published) and contractual safeguards maintained
- ☑ Training programme updated to distinguish DPDP and GDPR for relevant staff