27 May 2026 · DPDPA & IT Compliance
For organisations operating across both the European Union and India, understanding the differences between the GDPR and the DPDPA 2023 is essential to building a coherent, dual-jurisdiction compliance programme. While the two laws share common principles, they diverge significantly in their detail and practical application.
Territorial scope
GDPR (EU): Applies to processing of personal data of EU residents, regardless of where the processing organisation is located. Extraterritorial reach is a defining feature.
DPDPA 2023 (India): Applies to processing of digital personal data within India, and to processing outside India where it involves offering goods or services to individuals in India.

Lawful bases for processing
GDPR (EU): Recognises six legal bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Legitimate interests is a widely used basis for commercial processing.
DPDPA 2023 (India): Primarily relies on consent and "legitimate uses" (a defined category including employment, medical emergencies, and compliance with law). No equivalent to GDPR's legitimate interests basis for general commercial processing.

Individual rights
GDPR (EU): Comprehensive rights: access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making.
DPDPA 2023 (India): Rights to access, correction, erasure, grievance redressal, and nomination. No explicit right to data portability or right to object to automated decision-making in the current text.

Data Protection Officer requirement
GDPR (EU): Required for public authorities, organisations engaged in large-scale systematic monitoring, or large-scale processing of special categories of data.
DPDPA 2023 (India): Required only for Significant Data Fiduciaries as designated by the Central Government. Not a universal requirement.

Penalties
GDPR (EU): Up to €20 million or 4% of global annual turnover, whichever is higher. Tiered penalty structure based on the nature of the violation.
DPDPA 2023 (India): Up to ₹250 crore for failure to implement security safeguards. Penalties are fixed amounts per category of violation, not percentage-based.

Cross-border data transfers
GDPR (EU): Requires an adequacy decision, standard contractual clauses, binding corporate rules, or other approved transfer mechanisms for transfers outside the EEA.
DPDPA 2023 (India): Permits transfers to all countries except those specifically restricted by Government notification. A more permissive default position than GDPR.

Children's data
GDPR (EU): Requires parental consent for processing data of children under 16 (or a lower age set by member states, minimum 13). Prohibits profiling of children.
DPDPA 2023 (India): Requires verifiable parental consent for processing data of children under 18. Prohibits tracking, behavioural monitoring, and targeted advertising directed at children.
Organisations subject to both the GDPR and the DPDPA should aim to build a unified compliance framework that satisfies the higher standard in each area, rather than maintaining separate programmes. Our advocates can assist in designing such a framework and advising on jurisdiction-specific requirements.