DPDPA vs GDPR: A Practical Comparison for Indian Businesses
If your business serves customers in India and the EU — or you are adapting a GDPR-trained team to India's new privacy regime — you are operating under two overlapping but distinct laws. DPDPA and GDPR share DNA: both are consent-led, both give individuals enforceable rights, both punish careless data handling. But the differences are operational. GDPR penalties scale with global turnover; DPDPA uses fixed rupee ceilings. GDPR allows 'legitimate interest'; DPDPA does not. GDPR lets Member States set the children's age between 13 and 16; DPDPA fixes it at 18. This page walks media handlers, schools, corporates and healthcare providers through what actually changes.
At a glance
- Terminology: GDPR's 'Data Subject' and 'Controller' become 'Data Principal' and 'Data Fiduciary' under DPDPA — your contracts, privacy notices and DPIAs need rewording, not just translation.
- Lawful basis architecture: GDPR offers six bases including the flexible 'legitimate interest'; DPDPA recognises only consent plus a closed list of 'Legitimate Uses' under Section 7. Marketing analytics that ran on legitimate interest in the EU need explicit consent in India.
- Children's data: GDPR sets the digital consent age between 13 and 16 per Member State. DPDPA fixes it at 18, requires verifiable parental consent, and prohibits tracking, behavioural monitoring and targeted advertising to children outright.
- Cross-border transfers: GDPR uses a positive-list model (adequacy, SCCs, BCRs). DPDPA Section 16 uses a negative-list model — transfers are permitted unless the Central Government specifically restricts a destination country.
- Penalty structure: GDPR caps at the higher of EUR 20 million or 4% of global annual turnover. DPDPA uses fixed ceilings — INR 250 cr (security safeguards), 200 cr (children's data / SDF duties), 150 cr (breach notification failure), 50 cr (other obligations).
- Right to erasure: GDPR Article 17 'Right to be Forgotten' is broad and includes objection-based erasure. DPDPA Section 12 ties erasure more tightly to purpose completion and statutory retention.
- Language of notice: GDPR requires plain language but no specific list. DPDPA requires the notice to be available in English or any of the 22 languages in the Eighth Schedule of the Indian Constitution.
- Consent Managers: DPDPA introduces a registered 'Consent Manager' intermediary that lets Data Principals manage consents across Fiduciaries — a structural concept GDPR has no direct equivalent for.
Practical examples
A Mumbai wedding photographer shoots an Indian-EU couple's ceremony in Goa and posts a highlight reel on Instagram tagging guests.
GDPR — Faces of identifiable EU guests are personal data. The photographer needs a lawful basis — typically consent, or legitimate interest with a clear opt-out at the venue. EU guests can request takedown under Art 17.
DPDPA — Each identifiable guest is a Data Principal. Explicit consent is required (no legitimate-interest fallback). Notice must be available in 8th Schedule languages. Any guests under 18 require verifiable parental consent before posting.
A Bengaluru CBSE school enrols an EU exchange student and shares photos and grades with the student's parents in Germany.
GDPR — School is a controller offering services to an EU data subject (Art 3(2) extraterritorial). Needs Art 13 notice, parental consent (German age threshold), and a transfer mechanism for any data sent back to Germany.
DPDPA — School is a Data Fiduciary. Verifiable parental consent required because student is under 18. Notice must be in English plus an 8th Schedule language. Cross-border transfer to Germany allowed under Section 16 unless India blacklists Germany.
A Gurugram hospital chain uses an EU-based AI vendor to analyse patient scans for early cancer detection.
GDPR — Health data is a special category (Art 9). Needs explicit consent or another Art 9 basis, a DPIA, and SCCs if the vendor processes data outside the EEA.
DPDPA — Hospital is likely a Significant Data Fiduciary given sensitivity and volume — must appoint a DPO based in India, conduct DPIAs, and obtain explicit consent. Sectoral health rules may further restrict the EU transfer.
An Indian SaaS company runs behavioural retargeting ads to EU and Indian users on its marketing site.
GDPR — Needs cookie consent (ePrivacy + GDPR), legitimate-interest balancing test if relied on, and honours objection rights under Art 21.
DPDPA — No 'legitimate interest' basis exists. Requires explicit, granular consent for tracking. If any visitor is under 18, behavioural tracking and targeted advertising are prohibited — even with parental consent.
A Delhi media house publishes a story naming a private individual using leaked WhatsApp chats.
GDPR — Journalistic exemption under Art 85 typically applies if balanced with privacy rights; subject can still seek erasure post-publication.
DPDPA — Section 17(2)(b) exempts processing for journalistic purposes if notified — but until notification, the standard consent and notice obligations apply. Penalties for misuse fall under the INR 50 cr ceiling.
Who should care
- Indian SaaS, fintech and e-commerce companies with EU customers — you are dual-regulated and need a delta playbook, not a single policy.
- Media houses, wedding photographers and event production firms handling identifiable faces, including foreign nationals at Indian venues.
- CBSE / IB / international schools with foreign students or staff — children's data rules are the strictest delta between the two regimes.
- Hospitals, diagnostic chains and HealthTech startups — health data is sensitive under both regimes and faces overlapping sectoral localisation rules.
- HR and payroll teams in Indian subsidiaries of EU multinationals — employee data flows back to EU HQ trigger both DPDPA Section 16 and GDPR Chapter V.
- Marketing, adtech and analytics vendors — 'legitimate interest' as a basis for tracking does not survive the move to DPDPA.
- Law firms, consultants and Data Protection Officers building dual-compliance programs for Indian groups with EU exposure.
- EdTech and gaming companies serving under-18 users — DPDPA's blanket ban on behavioural tracking of children is stricter than GDPR.
Frequently asked questions
If I already comply with GDPR, am I automatically DPDPA-compliant?
No. GDPR compliance gives you a strong base (consent records, DSR processes, breach playbooks) but DPDPA has India-specific gaps — 8th Schedule language notices, verifiable parental consent for under-18s, India-based DPO if you are an SDF, Consent Manager integration, and grievance redressal within prescribed timelines. Plan a delta-assessment, not a copy-paste.
Which law applies if I am an Indian school with EU exchange students?
Both. DPDPA applies because you process data in India. GDPR applies extraterritorially (Art 3(2)) because you offer services to data subjects in the EU. You need dual notices, the stricter of the two children's-age rules (verifiable parental consent up to 18), and a cross-border transfer mechanism for data flowing back to EU parents.
Can I transfer personal data from India to the EU under DPDPA?
Yes, by default. Section 16 of DPDPA uses a negative-list model — transfers are allowed unless the Central Government specifically restricts a country. This is the opposite of GDPR's adequacy approach. Sectoral localisation rules (RBI for payments, IRDAI for insurance, MoH&FW for health) still override.
What are the real penalty differences for a mid-size company?
GDPR can hit you with up to 4% of global annual turnover — uncapped in absolute terms for large groups. DPDPA caps the maximum at INR 250 crore per instance for the most serious failure (security safeguards). For a global group, GDPR exposure is usually larger; for an India-only business, DPDPA ceilings are the relevant ones.
Do I need a Data Protection Officer in India?
Only if you are notified as a Significant Data Fiduciary (SDF) — based on volume, sensitivity, risk to electoral democracy, sovereignty, etc. Otherwise, DPDPA requires a person to answer Data Principal queries, but not necessarily a formally titled DPO. GDPR's DPO triggers (Art 37) are different — large-scale monitoring or special-category processing.
How should photographers and event media handlers handle DPDPA vs GDPR?
Under GDPR, photographs of identifiable individuals are personal data; you typically rely on consent or legitimate interest with strong notice. Under DPDPA, you need explicit, informed consent (no 'legitimate interest' fallback) and the consent notice must be available in 8th Schedule languages. For under-18 subjects, verifiable parental consent is mandatory — stricter than most EU member states.
Need DPDPA-specific compliance, not retrofitted GDPR?
DPDPAReady ships consent forms, retention schedules, and breach playbooks designed for India's DPDPA 2023 — not adapted from GDPR.
Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.