The two laws rhyme — a fiduciary concept, individual rights, breach duties, a reach that follows the data abroad. But India rewrites the lawful basis, hardens children’s data, invents the Consent Manager and stands up its own regulator. This is where the two regimes meet, and exactly where they part.
Read the third column. The match and the scope are reassuring — but the value is in the gap: the specific thing India asks for that your GDPR programme does not already deliver.
| Dimension | EU GDPR | India DPDPA 2023 | What India adds (the gap) |
|---|---|---|---|
| Governing instrument | Regulation (EU) 2016/679, in force 25 May 2018, directly applicable across the EU/EEA. | Digital Personal Data Protection Act, 2023, with the DPDP Rules, 2025 operationalising it on a phased timeline. | Two separate statutes and two regulators. India compliance is not a subset of GDPR — it is a parallel obligation. |
| Roles | Controller and Processor. | Data Fiduciary and Data Processor (plus the elevated Significant Data Fiduciary). | Terminology differs and the SDF tier has no exact GDPR twin. Role mapping must be redone for India. |
| Material scope | Personal data, in automated or structured manual filing form. | Digital personal data only — collected digitally, or non-digital later digitised. | DPDPA is narrower (digital only) but the practical footprint for any tech business is effectively the same. |
| Territorial reach | Establishment in the EU, or targeting/monitoring of EU data subjects (Art 3). | Processing in India, or processing outside India connected to offering goods or services to people in India (Section 3(b)). | A GDPR-style extraterritorial trigger exists — so a foreign company already used to Art 3 logic faces the same analysis for India. |
| Lawful basis | Six bases incl. consent, contract, legal obligation, vital interests, public task, legitimate interests. | Consent, or a defined set of “legitimate uses” — a deliberately narrower, more consent-centric model. | The biggest practical gap. GDPR “legitimate interests” does NOT map cleanly to DPDPA. Lawful-basis mapping must be re-run. |
| Consent standard | Freely given, specific, informed, unambiguous; withdrawable. | Free, specific, informed, unconditional, unambiguous, with clear affirmative action; itemised notice; withdrawable as easily as given. | DPDPA introduces the Consent Manager construct — a registered intermediary with no GDPR equivalent. |
| Children’s data | Parental consent below 16 (Member States may lower to 13); risk-based. | Verifiable parental/guardian consent for anyone below 18; bar on tracking, behavioural monitoring and targeted ads to children. | India’s under-18 line and tracking ban are stricter than most GDPR implementations. EdTech, gaming and social must re-design. |
| Breach notification | To supervisory authority within 72 hours; to data subjects if high risk. | To the Data Protection Board of India and to affected Data Principals, in the form and manner under the Rules. | Notification thresholds and timelines follow the Indian Rules, not the GDPR 72-hour rule. A separate runbook is required. |
| Cross-border transfer | Adequacy decisions, SCCs, BCRs — a permission-based model. | Transfer permitted except to countries/territories the Government restricts by notification — a restriction-based (“blacklist”) model. | India is more permissive by default, but sectoral localisation (e.g. RBI payment data) can override. Each flow needs an India-specific sign-off. |
| Data Protection Officer | Mandatory for certain controllers/processors; may be EU-based or external. | Mandatory for a Significant Data Fiduciary; must be based in India and responsible to the board. | India requires an in-country, board-accountable DPO for SDFs — a function a foreign company must source locally. |
| Maximum penalty | Up to €20 million or 4% of global annual turnover, whichever is higher. | Up to ₹250 crore per instance for certain breaches, set by the Data Protection Board. | Different ceiling and a per-instance logic. The same incident can be quantified very differently under each regime. |
| Enforcement body | National Data Protection Authorities, coordinated by the EDPB. | The Data Protection Board of India, with appeals to the High Court. | A new Indian regulator with Indian procedure. Defence strategy and documentation must be built for the Board, not the DPA. |
This comparison is a practitioner overview for orientation, current to the DPDP Rules, 2025 as notified. It is not legal advice; specific obligations turn on your facts and the latest notifications. AMLEGALS provides a fact-specific gap analysis on engagement.
A mature GDPR programme usually carries 70% of the way. The remaining 30% is concentrated, predictable, and is exactly where the Data Protection Board will look.
Direct answers, on the record.
No. GDPR compliance is a strong head start but it is not DPDPA compliance. The two laws share architecture — a controller/fiduciary concept, data-subject/principal rights, breach notification and extraterritorial reach — but they diverge on lawful basis (DPDPA is far more consent-centric and does not recognise GDPR-style legitimate interests), children’s data (verifiable parental consent below 18 and a tracking ban), the Consent Manager construct, breach timelines, transfer model and the regulator. A GDPR-ready business still needs an India-specific gap analysis.
Lawful basis. GDPR offers six bases, including the flexible “legitimate interests” ground that many businesses rely on heavily. The DPDPA is built around consent, with only a narrow, defined set of “legitimate uses” as alternatives. Processing that a company justifies under GDPR legitimate interests often has no equivalent footing under the DPDPA, which means the lawful-basis mapping has to be redone from scratch for India.
GDPR caps fines at the higher of €20 million or 4% of global annual turnover. The DPDPA prescribes a maximum of ₹250 crore (approximately USD 30 million) per instance for certain breaches, imposed by the Data Protection Board of India. The ceilings, the basis of calculation (turnover-linked vs per-instance) and the imposing authority are all different, so the same incident can produce very different exposure under each regime.
Yes. Section 3(b) of the DPDPA extends the Act to processing of personal data outside India where it is connected with offering goods or services to Data Principals located in India — conceptually similar to the GDPR’s targeting trigger. A company already familiar with Article 3 analysis will recognise the logic, but must apply it afresh to its India-facing activities.
The DPDPA is stricter on the threshold. It requires verifiable parental or guardian consent for any Data Principal below 18, and bars tracking, behavioural monitoring and targeted advertising directed at children. GDPR generally sets the digital-consent age between 13 and 16 depending on the Member State. EdTech, gaming, streaming and social platforms typically need to re-engineer age-gating and consent flows for India.
If you are classified as a Significant Data Fiduciary under the DPDPA, you must appoint a Data Protection Officer who is based in India and responsible to your board. An EU-based or external GDPR DPO does not satisfy this India-presence requirement. AMLEGALS offers an India-based DPO-as-a-service so foreign businesses can meet the obligation without opening an India office.
We run a fixed-scope gap analysis against your existing GDPR documentation and hand you a prioritised India remediation plan — lawful basis, children’s data, transfers, DPO and Board readiness.