DPDP Act vs GDPR
A side-by-side comparison of India's DPDP Act and the EU GDPR across scope, consent, rights, enforcement, penalties, transfers, breach reporting, and operational requirements.
India's Digital Personal Data Protection Act, 2023 and the European Union's General Data Protection Regulation are often discussed together because both regulate personal data, individual rights, business obligations, and enforcement exposure.
But they are not the same law in different jurisdictions.
The GDPR is a broad, mature, rights-heavy data protection framework that has shaped global privacy programs since 2018. The DPDP Act is India's newer digital personal data law, operationalised through the DPDP Rules, 2025, with a more focused structure around digital personal data, consent, notices, fiduciary duties, significant data fiduciaries, breach reporting, and penalties.
For organisations operating in both India and the EU, the practical question is not "Which law is stricter?" The better question is:
What does each law require us to prove, operate, and defend?
This guide compares the DPDP Act and GDPR side by side, with emphasis on enforcement and operational requirements.
Executive comparison
| Area | DPDP Act, 2023 | GDPR |
|---|---|---|
| Jurisdiction | India-focused law for digital personal data and certain overseas processing linked to offering goods or services to Data Principals in India | EU/EEA law with extra-territorial reach for organisations offering goods/services to, or monitoring, people in the EU |
| Core regulated entity | Data Fiduciary; Data Processor acting on behalf of fiduciary | Controller and Processor |
| Individual | Data Principal | Data Subject |
| Legal bases | Consent and certain "legitimate uses" under the Act | Multiple lawful bases, including consent, contract, legal obligation, vital interests, public task, and legitimate interests |
| Consent | Central operating model; must be free, specific, informed, unconditional, unambiguous, and affirmative | One of several lawful bases; must be freely given, specific, informed, and unambiguous, with explicit consent for some high-risk categories |
| Notice | Clear notice before or with consent, with required particulars under Rules | Detailed transparency obligations under Articles 12-14 |
| Rights | Access, correction, completion, updating, erasure, grievance redressal, nomination | Access, rectification, erasure, restriction, portability, objection, automated decision safeguards, complaint, compensation |
| Breach reporting | Report to Data Protection Board and affected Data Principals; Rules specify timing and content expectations | Notify supervisory authority within 72 hours where required; communicate to affected individuals where high risk |
| Special data categories | DPDP does not use a GDPR-style special category framework, but has specific treatment for children, persons with disabilities, and significant data fiduciaries | Special categories such as health, biometric, genetic, political, religious, and union data have heightened protections |
| Cross-border transfers | Allowed except to restricted countries/territories notified by the Indian government | Restricted unless adequacy, safeguards, derogations, or other transfer mechanisms apply |
| Regulator | Data Protection Board of India | Independent supervisory authorities in EU/EEA member states, coordinated by the European Data Protection Board |
| Penalties | Schedule-based monetary penalties, including up to INR 250 crore for specified failures | Two-tier administrative fines up to EUR 10 million/2% or EUR 20 million/4% of global annual turnover, whichever is higher |
| Private compensation | DPDP Act is primarily Board-led; it does not mirror GDPR's Article 82 compensation model | Data subjects can seek compensation for material or non-material damage |
1. Scope: digital personal data vs broad personal data
DPDP Act
The DPDP Act applies to digital personal data. It covers personal data collected in digital form, and personal data collected offline that is later digitised. It also applies to processing outside India if the processing is connected with offering goods or services to Data Principals in India.
The Act does not create the same category-by-category regulatory model used by GDPR. Instead, it is structured around obligations of Data Fiduciaries, rights and duties of Data Principals, consent, legitimate uses, children, significant data fiduciaries, and enforcement through the Data Protection Board.
GDPR
The GDPR applies to automated processing of personal data and to non-automated processing that forms part of a filing system. It applies to controllers and processors established in the EU, and also to non-EU organisations that offer goods or services to people in the EU or monitor their behaviour.
GDPR is broader in the types of processing it covers and more granular in its risk categories, including special category data and criminal offence data.
2. Roles: Data Fiduciary vs Controller
| Concept | DPDP Act | GDPR | Practical difference |
|---|---|---|---|
| Primary decision-maker | Data Fiduciary | Controller | Both decide purposes and means, but terminology and obligations differ |
| Service provider | Data Processor | Processor | Both process data on behalf of the primary entity |
| Individual | Data Principal | Data Subject | Both are the person to whom personal data relates |
| High-obligation entity | Significant Data Fiduciary | No exact equivalent, but GDPR has DPO, DPIA, high-risk processing, and representative obligations | DPDP uses formal notification-based designation; GDPR obligations arise from processing context |
The DPDP Act's "Significant Data Fiduciary" model is one of its most important differences from GDPR. The Indian government may designate a fiduciary as significant based on factors such as volume and sensitivity of personal data, risk to rights, security of the state, public order, and other statutory considerations.
Once designated, a Significant Data Fiduciary must meet additional requirements, including appointing a Data Protection Officer, appointing an independent data auditor, and undertaking periodic Data Protection Impact Assessments.
Under GDPR, similar governance outcomes may arise, but through different triggers: the need for a Data Protection Officer, Data Protection Impact Assessments, records of processing, prior consultation, and accountability obligations.
3. Lawful basis: consent is central under DPDP, one basis under GDPR
DPDP Act
The DPDP Act largely organises lawful processing around:
- consent from the Data Principal; and
- certain legitimate uses recognised by the Act.
This makes consent architecture especially important in India. A Data Fiduciary must be able to show that consent was obtained, that the notice was valid, that the stated purpose was specific, and that withdrawal can be honoured.
The DPDP Rules add operational detail around notices, consent managers, processing by the State, breach reporting, security safeguards, erasure, grievance mechanisms, children, and other compliance processes.
GDPR
GDPR has six lawful bases for ordinary personal data processing:
- consent;
- contract;
- legal obligation;
- vital interests;
- public task; and
- legitimate interests.
This means GDPR compliance is not always consent-first. In many business contexts, contract, legal obligation, or legitimate interests may be a better lawful basis than consent. However, where consent is used, it must be demonstrable, revocable, and separate from bundled or coercive terms.
Operational takeaway
For multinational systems, do not build a single "consent means lawful" flag. Build a lawful-basis layer.
For India, store consent and legitimate-use classification. For the EU, store the GDPR lawful basis, consent evidence where consent applies, legitimate-interest assessments where legitimate interest applies, and contract/legal obligation references where those are the basis.
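One way to implement the lawful-basis layer described above, as an added Python example (not code from this page or from any product it mentions); the jurisdiction codes, field names, basis labels and sample records are all assumed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

DPDP_BASES = {"consent", "legitimate_use"}  # DPDP: consent plus Act-recognised legitimate uses
GDPR_BASES = {"consent", "contract", "legal_obligation",
              "vital_interests", "public_task", "legitimate_interests"}  # GDPR: six bases

@dataclass
class ConsentRecord:
    notice_version: str                  # which notice the person saw (proof)
    purpose: str                         # the specific purpose consented to
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

@dataclass
class ProcessingRecord:
    jurisdiction: str                    # "IN" (DPDP) or "EU" (GDPR); assumed codes
    purpose: str
    lawful_basis: str
    consent: Optional[ConsentRecord] = None
    legitimate_use_ref: Optional[str] = None  # IN: which Act-recognised legitimate use
    lia_ref: Optional[str] = None             # EU: legitimate-interest assessment id
    obligation_ref: Optional[str] = None      # EU: contract / legal-obligation reference

def consent_is_valid(c: Optional[ConsentRecord], purpose: str, now: datetime) -> Tuple[bool, str]:
    """Consent must exist, match this specific purpose, carry a notice version,
    and not be withdrawn as of `now`, so that withdrawal is actually honoured."""
    if c is None:
        return False, "no consent record"
    if c.purpose != purpose:
        return False, "consent purpose does not match processing purpose"
    if not c.notice_version:
        return False, "no notice version recorded"
    if c.withdrawn_at is not None and c.withdrawn_at <= now:
        return False, "consent withdrawn"
    return True, "consent valid"

def is_lawful(rec: ProcessingRecord, now: datetime) -> Tuple[bool, str]:
    """Jurisdiction-aware check that replaces a single 'consent means lawful' flag."""
    if rec.jurisdiction == "IN":
        if rec.lawful_basis not in DPDP_BASES:
            return False, f"'{rec.lawful_basis}' is not a DPDP basis"
        if rec.lawful_basis == "consent":
            return consent_is_valid(rec.consent, rec.purpose, now)
        if not rec.legitimate_use_ref:
            return False, "legitimate use claimed but no Act provision referenced"
        return True, "legitimate use"
    if rec.jurisdiction == "EU":
        if rec.lawful_basis not in GDPR_BASES:
            return False, f"'{rec.lawful_basis}' is not a GDPR basis"
        if rec.lawful_basis == "consent":
            return consent_is_valid(rec.consent, rec.purpose, now)
        if rec.lawful_basis == "legitimate_interests" and not rec.lia_ref:
            return False, "legitimate interests claimed but no LIA recorded"
        if rec.lawful_basis in ("contract", "legal_obligation") and not rec.obligation_ref:
            return False, f"{rec.lawful_basis} claimed but no reference recorded"
        return True, rec.lawful_basis
    return False, f"unknown jurisdiction '{rec.jurisdiction}'"

def demo() -> dict:
    # Constructed sample records: the same basis passes in the EU and fails in India.
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    live = ConsentRecord("v3", "order_fulfilment", now - timedelta(days=30))
    gone = ConsentRecord("v3", "marketing", now - timedelta(days=30), now - timedelta(days=1))
    return {
        "in_consent": is_lawful(ProcessingRecord("IN", "order_fulfilment", "consent", consent=live), now),
        "in_withdrawn": is_lawful(ProcessingRecord("IN", "marketing", "consent", consent=gone), now),
        "in_li": is_lawful(ProcessingRecord("IN", "analytics", "legitimate_interests", lia_ref="LIA-7"), now),
        "eu_li": is_lawful(ProcessingRecord("EU", "analytics", "legitimate_interests", lia_ref="LIA-7"), now),
        "eu_li_no_lia": is_lawful(ProcessingRecord("EU", "analytics", "legitimate_interests"), now),
    }
```

The point of `demo()` is the `in_li` / `eu_li` pair: one boolean flag cannot express that the same record is lawful in one market and unlawful in the other.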
4. Notice and transparency
| Requirement | DPDP Act and Rules | GDPR |
|---|---|---|
| Timing | Notice must be provided before or with request for consent | Information generally must be provided when data is collected or within defined timelines where obtained indirectly |
| Language | Must be clear, standalone, understandable, and accessible | Must be concise, transparent, intelligible, easily accessible, and in clear language |
| Required content | Personal data, purpose, rights, grievance redressal, withdrawal, complaint route, and Rule-specific particulars | Controller identity, purposes, lawful bases, recipients, transfers, retention, rights, complaints, statutory/contractual requirement, automated decision-making and more |
| Practical proof | Notice version, language, delivery channel, timestamp, and consent link should be retained | Privacy notice versioning and Article 13/14 proof are central to accountability |
The main difference is breadth. GDPR transparency notices are generally more expansive and tightly mapped to lawful bases, recipients, retention, international transfers, and rights. DPDP notices are shorter in concept but must be operationally precise because they anchor valid consent.
5. Rights: narrower under DPDP, broader under GDPR
DPDP rights
The DPDP Act gives Data Principals rights to:
- access information about personal data processing;
- correct, complete, update, and erase personal data;
- use grievance redressal;
- nominate another person to exercise rights after death or incapacity; and
- withdraw consent.
The Act also imposes duties on Data Principals, including not impersonating another person, not suppressing material information, and not filing false or frivolous complaints.
GDPR rights
GDPR rights include:
- access;
- rectification;
- erasure;
- restriction of processing;
- data portability;
- objection;
- rights relating to automated decision-making and profiling;
- complaint to a supervisory authority;
- judicial remedy; and
- compensation for damage.
Operational takeaway
A GDPR-grade rights portal will usually cover more workflows than a DPDP-only portal. If a company operates in both markets, design the rights engine with jurisdiction-specific routing:
- DPDP: access, correction, completion, update, erasure, withdrawal, grievance, nomination.
- GDPR: access, rectification, erasure, restriction, portability, objection, automated-decision safeguards, complaints, compensation-support evidence.
6. Breach reporting
DPDP Act and Rules
The DPDP framework requires breach reporting to the Data Protection Board and notification to affected Data Principals. The Rules specify content and timing expectations, including initial intimation and follow-up information.
This is significant because DPDP breach handling is not just a security function. It requires legal classification, affected-principal mapping, notification content, Board submission evidence, and proof that Data Principals were informed through an appropriate channel.
GDPR
GDPR requires controllers to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in high risk, affected individuals must also be informed.
Processors must notify controllers without undue delay after becoming aware of a breach.
Operational takeaway
Both laws require a breach clock. GDPR's 72-hour supervisory authority clock is the better-known benchmark. DPDP requires an India-specific reporting workflow that can identify affected Data Principals, prepare Board notices, and preserve evidence of each communication.
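The two breach clocks as one decision function, added here as an illustration rather than code from the page or any product it names. The DPDP Board deadline is a caller-supplied placeholder because the Rules' timing is not stated on this page; the jurisdiction codes, role and risk labels are assumed:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Breach:
    jurisdiction: str          # "IN" (DPDP) or "EU" (GDPR); assumed codes
    role: str                  # "controller" (fiduciary/controller) or "processor"
    aware_at: datetime         # moment the organisation became aware of the breach
    risk: str                  # assessed outcome: "unlikely", "risk" or "high"

@dataclass
class Obligation:
    recipient: str
    deadline: Optional[datetime]   # None where the page states no fixed clock
    basis: str

def breach_obligations(b: Breach, dpdp_board_hours: Optional[int] = None) -> List[Obligation]:
    """Who must be told and by when. The DPDP Rules' timing is not stated on this
    page, so the Board deadline comes from the caller (placeholder), never guessed."""
    if b.role == "processor":
        # Both laws: the processor informs the controller/fiduciary without undue delay.
        return [Obligation("controller", None, "processor duty, without undue delay")]
    obs: List[Obligation] = []
    if b.jurisdiction == "IN":
        # DPDP: Board and affected Data Principals, with no risk threshold on this page.
        board_by = b.aware_at + timedelta(hours=dpdp_board_hours) if dpdp_board_hours is not None else None
        obs.append(Obligation("Data Protection Board", board_by, "DPDP breach report"))
        obs.append(Obligation("affected Data Principals", None, "DPDP principal notification"))
    elif b.jurisdiction == "EU":
        if b.risk != "unlikely":
            # GDPR: supervisory authority within 72 hours of awareness unless risk is unlikely.
            obs.append(Obligation("supervisory authority", b.aware_at + timedelta(hours=72), "GDPR Art. 33"))
        if b.risk == "high":
            obs.append(Obligation("affected data subjects", None, "GDPR Art. 34, without undue delay"))
        # Whatever the outcome, the decision and its reasoning belong in the breach register.
    return obs

def demo() -> dict:
    # Constructed sample: one incident discovered at the same moment in both jurisdictions.
    aware = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    return {
        "eu_low": [o.recipient for o in breach_obligations(Breach("EU", "controller", aware, "unlikely"))],
        "eu_high": [o.recipient for o in breach_obligations(Breach("EU", "controller", aware, "high"))],
        "eu_hours": (breach_obligations(Breach("EU", "controller", aware, "risk"))[0].deadline - aware).total_seconds() / 3600,
        "in": [o.recipient for o in breach_obligations(Breach("IN", "controller", aware, "high"))],
        "processor": [o.recipient for o in breach_obligations(Breach("IN", "processor", aware, "high"))],
    }
```

Note that an empty list for the EU "unlikely" case is a decision, not an absence of work: the evidence that the risk assessment was made still has to be preserved.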
7. Children and minors
| Area | DPDP Act | GDPR |
|---|---|---|
| Child threshold | Under 18 years | Member states may set consent age between 13 and 16 for information society services |
| Consent model | Verifiable parental consent required before processing children's personal data, subject to exceptions | Parental authorisation required below applicable member-state age where consent is the lawful basis for information society services |
| Restrictions | Tracking, behavioural monitoring, and targeted advertising directed at children are restricted | Additional protections apply; child transparency must be clear and age-appropriate |
DPDP is more categorical in setting the child threshold at 18. This can be operationally harder for consumer platforms, edtech, gaming, media, and fintech products that also operate in the EU, where age thresholds may vary by member state.
8. Significant Data Fiduciary vs GDPR governance obligations
DPDP Significant Data Fiduciary
A Significant Data Fiduciary may need to:
- appoint a Data Protection Officer based in India;
- appoint an independent data auditor;
- conduct periodic Data Protection Impact Assessments;
- undertake periodic audits; and
- comply with additional measures prescribed by the government.
GDPR governance
GDPR may require:
- a Data Protection Officer in specified cases;
- records of processing activities;
- Data Protection Impact Assessments for high-risk processing;
- privacy by design and default;
- processor contract controls;
- transfer impact assessments for international transfers;
- breach registers; and
- demonstrable accountability.
Operational takeaway
DPDP adds a formal designation model. GDPR relies more on role, scale, risk, and processing context. A mature privacy program should treat both as governance triggers, not as separate paper exercises.
9. Cross-border transfers
DPDP Act
The DPDP Act permits transfer of personal data outside India except to countries or territories restricted by government notification. The framework is therefore closer to a negative-list model.
This does not remove sectoral requirements. Financial services, telecom, health, government contracts, and regulated outsourcing may have additional localisation or transfer controls outside DPDP.
GDPR
GDPR restricts transfers of personal data outside the EU/EEA unless a lawful transfer mechanism applies. Common routes include adequacy decisions, standard contractual clauses, binding corporate rules, approved codes or certifications, and limited derogations.
After the Schrems II judgment, GDPR transfer compliance also requires practical assessment of destination-country access risks and supplementary measures where needed.
Operational takeaway
DPDP transfer governance starts with the Indian restricted list and sectoral rules. GDPR transfer governance starts with adequacy or safeguards. A global platform should maintain transfer inventory, destination mapping, sub-processor mapping, transfer mechanism, and country-risk review as separate fields.
10. Enforcement model
| Enforcement feature | DPDP Act | GDPR |
|---|---|---|
| Primary authority | Data Protection Board of India | National data protection supervisory authorities |
| Institutional model | Board-led inquiry and penalty model | Independent supervisory authorities with investigative, corrective, advisory, and authorisation powers |
| Cross-border coordination | Indian statutory process | EU cooperation and consistency mechanism, including lead supervisory authority for cross-border cases |
| Complaint path | Data Principal may approach Board after exhausting grievance redressal where applicable | Data subject may complain to supervisory authority and seek judicial remedy |
| Corrective powers | Penalties and directions through Board process | Warnings, reprimands, orders, processing bans, suspension of transfers, fines, and other corrective powers |
| Compensation | Not a GDPR-style statutory compensation article | Article 82 provides compensation route for material or non-material damage |
The GDPR enforcement ecosystem is distributed across EU/EEA supervisory authorities, with cross-border coordination mechanisms. DPDP enforcement is newer and centred on India's Data Protection Board.
For practical compliance, GDPR has more enforcement history and regulator guidance. DPDP has less case law and enforcement practice so far, which means organisations should preserve stronger evidence, not weaker evidence.
11. Penalties: schedule-based vs turnover-based
DPDP penalties
The DPDP Act uses a schedule of monetary penalties. Notable maximums include:
| DPDP failure | Maximum penalty |
|---|---|
| Failure to take reasonable security safeguards to prevent personal data breach | INR 250 crore |
| Failure to give breach notice to Board or affected Data Principals | INR 200 crore |
| Failure to comply with additional Significant Data Fiduciary obligations | INR 150 crore |
| Failure to comply with children's data obligations | INR 200 crore |
| Failure to comply with certain Data Principal duties | INR 10,000 |
The exact exposure depends on the statutory provision, the facts, and the Board's assessment.
GDPR penalties
GDPR administrative fines are commonly described in two tiers:
| GDPR tier | Maximum administrative fine |
|---|---|
| Certain controller/processor, certification, and monitoring-body obligations | EUR 10 million or 2% of total worldwide annual turnover, whichever is higher |
| Core principles, lawful basis, rights, transfers, and supervisory authority order violations | EUR 20 million or 4% of total worldwide annual turnover, whichever is higher |
GDPR also includes corrective powers beyond fines, including orders to stop processing or suspend transfers. In some cases, those operational restrictions can be more disruptive than the fine itself.
Operational takeaway
DPDP has high fixed statutory maxima. GDPR has revenue-linked exposure. For a large multinational, GDPR's turnover-based penalties can exceed DPDP's fixed caps. For an India-first company, DPDP penalties can still be material enough to require board-level governance.
12. Accountability and evidence
GDPR explicitly embeds accountability: controllers must be able to demonstrate compliance with data protection principles. DPDP does not copy GDPR's structure article by article, but it still requires evidence in practice.
Under DPDP, a fiduciary may need to prove:
- a valid notice was provided;
- consent was obtained for a specific purpose;
- withdrawal was enabled and honoured;
- personal data was erased when required;
- breach notices were sent;
- security safeguards were implemented;
- processor obligations were controlled; and
- significant fiduciary obligations were met where applicable.
Under GDPR, a controller may need to prove:
- the lawful basis for each processing activity;
- consent evidence where consent is used;
- legitimate-interest balancing where relied on;
- privacy notices and transparency compliance;
- records of processing;
- data protection by design and default;
- DPIAs for high-risk processing;
- processor contracts;
- transfer safeguards;
- breach decisions and notifications; and
- rights request handling.
13. What a common compliance architecture should include
Organisations subject to both laws should avoid maintaining separate, inconsistent privacy stacks. A common architecture should include jurisdiction-aware modules:
| Module | DPDP requirement supported | GDPR requirement supported |
|---|---|---|
| Data inventory | Personal data and purpose mapping | Records of processing and Article 30 support |
| Lawful basis registry | Consent and legitimate-use classification | Article 6 lawful basis mapping |
| Notice versioning | DPDP notice proof | Article 13/14 transparency proof |
| Consent ledger | Consent, withdrawal, purpose evidence | Consent proof where consent is the lawful basis |
| Rights workflow | Access, correction, erasure, grievance, nomination | Access, rectification, erasure, restriction, portability, objection |
| Breach workflow | Board and Data Principal notification | Supervisory authority and data subject notification |
| Processor governance | Data Processor control | Processor contracts and sub-processor management |
| Transfer register | Restricted-country and sectoral checks | Adequacy, SCCs, BCRs, transfer risk assessment |
| Audit evidence vault | Board inquiry support | Supervisory authority inquiry and litigation support |
14. Common mistakes when comparing DPDP and GDPR
Mistake 1: Treating DPDP as "GDPR-lite"
DPDP is narrower in some areas, but it has its own strict operational expectations, especially around consent, breach notice, children, and significant data fiduciaries.
Mistake 2: Using consent everywhere because DPDP emphasises consent
For GDPR, consent is not always the right lawful basis. If users cannot genuinely refuse or withdraw without detriment, another basis may be more appropriate.
Mistake 3: Ignoring India-specific proof requirements
DPDP enforcement will turn on evidence: notice, consent, withdrawal, breach notice, processor controls, and security safeguards. A GDPR program may provide useful foundations, but India-specific mapping is still needed.
Mistake 4: Assuming GDPR special category rules have a direct DPDP equivalent
DPDP does not use the same special-category taxonomy. Sensitive processing may still create risk through security obligations, SDF designation, sectoral rules, children's data restrictions, and harm analysis.
Mistake 5: Comparing only penalty numbers
Penalty caps matter, but operational orders, breach response costs, regulator scrutiny, loss of customer trust, and contractual consequences may be more expensive than the statutory fine.
15. Board-level summary
For leadership teams, the comparison is straightforward:
- GDPR is broader, older, and more mature in enforcement.
- DPDP is newer, India-specific, and consent-centred.
- GDPR uses revenue-linked administrative fine caps.
- DPDP uses high fixed monetary penalty caps.
- GDPR has wider individual-rights and compensation mechanisms.
- DPDP has a strong breach, consent, children, and significant fiduciary compliance focus.
- Both require evidence, not policy statements alone.
The right program is not a DPDP checklist pasted beside a GDPR checklist. It is a unified privacy operating model with jurisdiction-specific rules, evidence capture, workflow enforcement, and audit-ready reporting.
Where Vishwaas AI Fits
Vishwaas AI is designed for organisations that need to operationalise DPDP compliance while aligning with broader global privacy practices.
For DPDP and GDPR comparison work, the platform should help teams:
- map purposes, notices, and consent records;
- maintain jurisdiction-specific consent and lawful-basis logic;
- preserve withdrawal and rights evidence;
- track breach-response obligations;
- support audit-ready reporting;
- monitor processor and transfer obligations; and
- give legal, security, product, and operations teams one shared compliance record.
The practical value is not only knowing that DPDP and GDPR differ. It is making sure the system behaves correctly when a user withdraws consent, a regulator asks for proof, a breach clock starts, or a business team launches a new processing purpose.
Sources
- Ministry of Electronics and Information Technology: Digital Personal Data Protection Act, 2023
- Ministry of Electronics and Information Technology: Digital Personal Data Protection Rules, 2025
- EUR-Lex: Regulation (EU) 2016/679, General Data Protection Regulation
- European Commission: Information for individuals under GDPR

