India’s DPDPA vs the EU’s GDPR: A Comparison

Jul 2024 - Silverse

Introduction: The Need for Data Protection Laws

Data is being produced at a phenomenal rate each day, and data privacy has come to the forefront of customers’ minds. According to Norton, 69% of adults around the globe say they are more concerned than ever about their privacy. Furthermore, in the US alone, according to a 2023 survey by Deloitte, only 34% of respondents thought that companies offered clarity on how they used collected data.

In response to such rising concerns, governments worldwide are implementing data protection laws. However, it’s not just about complying with regulations to avoid fines – industry leaders are leveraging data privacy as a strategic advantage to build customer trust, attract investors, and strengthen their cybersecurity posture.

Two prominent data privacy regulations are India’s new Digital Personal Data Protection Act (DPDPA) and the EU’s General Data Protection Regulation (GDPR). In this article, we outline the major differences between the two laws that companies should be aware of when shaping their compliance strategies, especially for the DPDPA.

The DPDPA: India’s New Data Privacy Regulation

India, with its large population and growing middle class, has become a major player in the digital arena.

However, the country has also faced significant data breaches and a rise in cyber-attacks.

One response to such challenges is the DPDPA, which was enacted on 11 August 2023. The legislation outlines a framework for the collection, storage, processing, sharing and deletion of digital personal data in India.

Comparisons have been drawn between the DPDPA and the GDPR. Both share certain concepts and requirements, such as the need for consent and the provision of data principal rights.

However, while the GDPR focuses on the absolute protection of individual privacy, the DPDPA seeks to balance the rights of data principals with organizational compliance requirements. Additionally, there are notable differences in terminology.

For instance, the DPDPA uses “data fiduciary” to refer to what the GDPR calls a “data controller” and “data principal” in place of “data subject.”

Outlined below are some of the key differences between these two prominent data protection laws.

DPDPA vs GDPR: Key Differences

Consent
DPDPA: The DPDPA requires consent to be ‘unconditional’.
GDPR: Consent requirements under the GDPR and the DPDPA are highly similar; however, in the EU, organizations avoid relying on consent where possible because of the GDPR’s stringent consent requirements.

Applicability
DPDPA: The DPDPA applies only to digital personal data, including personal data that was initially collected in non-digital form and subsequently digitized.
GDPR: The GDPR covers both digital and non-digital personal data, the latter where it is processed as part of a filing system.

Personal Data Categorization
DPDPA: The DPDPA applies uniformly to all types of digital personal data, without imposing additional controls on the processing of sensitive or critical personal data.
GDPR: The GDPR designates special categories of personal data that may only be processed for specific reasons.

Compensation
DPDPA: Under the DPDPA, data principals cannot claim compensation in the event of a data breach.
GDPR: Under the GDPR, data subjects have the right to claim compensation from an organization if they have suffered damage as a result of it breaking data protection law.

Significant Data Fiduciary (SDF)
DPDPA: An SDF is designated by the Indian government based on various factors, such as the risk to the rights of data principals, the potential impact on the sovereignty and integrity of India, the volume and sensitivity of the personal data processed, and the security of the State.
GDPR: There is no equivalent concept under the GDPR.

International Data Transfers
DPDPA: The DPDPA does not set specific restrictions or compliance requirements for international data transfers. However, it allows the government to restrict transfers to certain countries.
GDPR: The GDPR allows international data transfers through three mechanisms: (i) an adequacy decision for the importing country; (ii) appropriate safeguards such as Standard Contractual Clauses and Binding Corporate Rules; or (iii) specific derogations, such as obtaining the data subject’s explicit consent.

Consent Manager
DPDPA: Consent managers, registered with the Data Protection Board under the DPDPA, act on behalf of data principals to manage, provide, review, and withdraw consent.
GDPR: There is no equivalent concept under the GDPR.

Processing
DPDPA: Processing means any wholly or partially automated operation or set of operations performed on digital personal data, including collection, recording, organization, erasure, and destruction.
GDPR: Processing means any operation carried out on personal data, whether automated or not, including collection, recording, organization, structuring, storage, erasure, and destruction.

Privacy Policy Disclosures
DPDPA: Data principals must be given notice before or at the time their personal data is collected. The notice must state the personal data being processed and the purpose of processing, how data principals can exercise their rights under the DPDPA, and how they can file a complaint with the Data Protection Board (DPB) of India.
GDPR: Data subjects must be given certain information when their personal data is collected, including but not limited to the name and contact details of the data controller, the categories of personal data collected, the contact details of the Data Protection Officer, and the purposes of processing.

Transfer Mechanism
DPDPA: The DPDPA permits the transfer of personal data to all countries except those on the Indian government’s restricted list for data transfers.
GDPR: To transfer personal data from the EEA or the UK to a non-whitelisted jurisdiction, the controller must implement an appropriate transfer mechanism, conduct a transfer impact assessment (TIA), and implement supplementary measures based on the TIA results.

Contract
DPDPA: Processing personal data for the performance of a contract is not recognized as a “legal basis for processing” under the DPDPA, which instead refers to legitimate uses.
GDPR: Under the GDPR, processing is lawful where it is necessary for the performance of a contract to which the data subject is a party, or to take steps at the data subject’s request before entering into a contract.

Lodging a Complaint with the Regulator
DPDPA: Before approaching the DPB, data principals must first exhaust the grievance redressal options provided by the data fiduciary.
GDPR: Under the GDPR, data subjects have the right to lodge a complaint with the relevant supervisory authority (in the UK, the ICO).

Notification to Affected Data Subjects
DPDPA: In the event of a personal data breach, data fiduciaries must notify affected data principals in the manner prescribed.
GDPR: Affected data subjects must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Data Principal Rights
DPDPA: Data principal rights are limited to grievance redressal and the ability to access, correct, update, complete, and erase personal data. These rights apply only where the data is processed on the basis of consent or voluntary provision. Data principals can also nominate another individual to exercise their rights in the event of their death or incapacity due to physical or mental illness. Unlike the GDPR, the DPDPA does not grant data principals the right to data portability or the right to object to processing.
GDPR: The GDPR offers a more comprehensive range of rights, including access, rectification, erasure, portability, restriction, and objection to processing, regardless of the lawful basis for processing.

Storage Limitation
DPDPA: Storage limitation rules apply only when processing is based on consent. In such cases, the data fiduciary must erase the personal data if the data principal withdraws consent or does not contact the data fiduciary for the purpose of the processing within a government-specified timeframe.
GDPR: The GDPR imposes strict storage limitations, permitting personal data to be retained only as long as necessary for its processing purpose, with exceptions for archiving, historical, statistical, or scientific purposes.

Data Processors
DPDPA: Both the GDPR and the DPDPA require data fiduciaries to engage processors under valid contracts. The DPDPA does not specify the content of these contracts, but it holds data fiduciaries responsible for their processors’ actions. Furthermore, SDFs are required to appoint a DPO.
GDPR: The GDPR provides detailed guidance on the required contractual terms and imposes several obligations directly on data processors, including notifying controllers of data breaches, implementing appropriate measures, and, in certain cases, appointing a DPO.

Conclusion

Organizations that handle the personal data of individuals in India or the EU must thoroughly review the DPDPA and GDPR to ensure compliance.

Data privacy concerns are integral to an enterprise’s growth, impacting continuity, consumer trust, and infrastructure and network security. New data protection laws worldwide add complexity to the regulatory and legal compliance landscape.

Companies should actively promote privacy as a shared responsibility throughout the organization, fostering a sustainable data privacy program.

Silverse can help you align your data privacy practices with the latest industry requirements. Contact us to avail yourself of our regulatory compliance services.
