India's soon-to-be enforced Digital Personal Data Protection Act seeks to balance individual privacy and the country's emerging digital economy.
Unlike global data laws, the DPDPA applies only to digital personal data, excluding non-digital personal data unless subsequently digitized. Perhaps inspired by Singapore's Personal Data Protection Act, the DPDPA creates a broad exception for personal data made public either by an individual or a law. Contrary to the EU General Data Protection Regulation, the act does not exclude processing pursuant to journalistic purposes from its scope.
The DPDPA treats all personal data uniformly, without imposing heightened obligations for sensitive personal data. Entities that determine the means and purposes of processing personal data are termed "data fiduciaries," instead of "data controllers." Individuals identifiable by or in relation to any data are termed "data principals," rather than "data subjects" — implying a fiduciary relationship of trust in India's digital economy. Notably, in relation to children and persons with disabilities, the act includes parents or lawful guardians under its definition of data principals, raising questions on how overlapping rights between such data principals may be reconciled.
The act additionally allows data principals to provide or withdraw consent through consent managers, data-blind entities that facilitate interoperable data sharing, to enable seamless sharing of data inter alia within India's digital public infrastructure. Consent managers will be accountable to data principals under the act, a requirement that exists perhaps to address a potential conflict of interest, such as in case of monetary dependence on data fiduciaries. Consent managers may be subject to additional obligations notified through forthcoming rules.
Unlike the GDPR and the California Consumer Privacy Act, which apply certain obligations to data processors directly, the DPDPA applies only to data fiduciaries, requiring them to execute valid contracts with data processors. The nature of contractual protections that should be passed on to data processors is not specified.
India DPDPA 2023 – Comparative analysis with GDPR
Scope and Application
Territorial scope
GDPR
Applies to:
• Organizations that have an establishment in the EU and process personal data "in the context of" the EU establishment.
• Organizations that are not established in the EU but process personal data related to either offering goods or services in the EU or monitoring the behavior of individuals in the EU.
DPDPA
Applies to digital personal data processed:
• Within the territory of India.
• Outside India, in connection with the offering of goods or services in India.
Except for data security requirements, entities in India are exempt from the DPDPA when:
• The entity processes personal data on behalf of a foreign data fiduciary.
• The personal data relates only to foreign data principals.
Subject-matter scope
GDPR
Applies to:
• Personal data.
• Automated processing or nonautomated processing where personal data forms part of a filing system.
Does not apply to:
• Anonymous data.
• Personal data processed by natural persons for purely personal or household purposes.
• Processing by law enforcement and national security agencies.
DPDPA
Applies to:
• Automated and nonautomated processing of digital personal data.
• Automated and nonautomated processing of nondigitized personal data that is subsequently digitized.
Does not apply to:
• Anonymous data, implicitly, since applicability is limited to personal data.
• Personal data processed by an individual for purely personal or domestic purposes.
• Personal data made publicly available either by the data principal, or by another person under an obligation of Indian law to publicize such data.
Except for data security requirements, does not apply to:
• Enforcing a legal right or claim.
• The performance of a judicial, regulatory or supervisory function.
• Prevention, detection or investigation of offences.
• Processing by an Indian data processor on behalf of a foreign data fiduciary, where the personal data only relates to foreign data principals.
• Certain mergers and acquisitions approved by a competent authority.
• Ascertaining the assets and liabilities of any person who has defaulted in payment of a loan or advance taken from a financial institution.
Also allows the government to exempt from its scope:
• Classes of data fiduciaries, including startups, considering the nature and volume of personal data processed.
• Government agencies in the interest of national security, public order, investigation of offences, etc.
Definition of personal data
GDPR
Defines personal data as any information related to an identified or identifiable natural person, the data subject. An identifiable natural person is one who can be identified, directly or indirectly, taking "all of the means reasonably likely to be used" into account.
DPDPA
Defines personal data as information about a natural person identifiable by or in relation to such data.
Definition of sensitive personal data
GDPR
Defines "special categories of personal data" as personal data revealing:
• Racial or ethnic origin.
• Political opinions, religion or philosophical beliefs.
• Trade union membership.
• Genetic data.
• Biometric data, for the purpose of uniquely identifying a natural person.
• Health.
• Sex life or sexual orientation.
Personal data related to criminal convictions and offenses, while not special category data, is subject to distinct rules defined by EU or member state law.
DPDPA
Treats all personal data uniformly, without separately classifying special or sensitive categories of personal data.
Relevant parties
GDPR
Controller: The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Data subject: An identified or identifiable natural person.
DPDPA
Data fiduciary: Any individual, company or juristic entity that alone, or in conjunction with another, determines the means and purposes of processing personal data.
Data processor: Any state, company, juristic entity or individual who processes personal data on behalf of a data fiduciary.
Data principal: The natural person to whom the personal data relates. In relation to children and persons with disabilities, the definition includes the parent or lawful guardian.
Consent manager: The DPDPA allows data principals to give, manage, review, or withdraw their consent through a "consent manager." Consent managers are accountable to the data principal and are to act on their behalf in such manner as is prescribed through rules.
Significant data fiduciaries: Classes of data fiduciaries notified as such by the government, considering certain factors. These include the nature and volume of personal data processed, the risk posed to data principals from their processing activities, risk to electoral democracy, threat to the country's sovereignty and integrity, and security of the state. Significant data fiduciaries are subject to additional obligations under the DPDPA.
Lawfulness of processing
General principles
GDPR
Sets out seven principles in Article 5:
• Lawfulness, fairness and transparency.
• Purpose limitation.
• Data minimization.
• Accuracy.
• Storage limitation.
• Integrity and confidentiality.
• Accountability.
DPDPA
Reflects the following commonly accepted data protection principles in its various requirements:
Lawfulness: Personal data may be processed only pursuant to a lawful purpose.
Fairness: Consent must be free, specific, informed, unconditional and unambiguous. Consent should be provided through a clear affirmative act of the data principal, signifying an agreement to such processing.
Data minimisation: Where consent is the basis for processing, personal data collected should be limited to what is necessary for a specified purpose.
Storage limitation: Data collected should be retained only as long as necessary for the specified purpose, unless further retention is required by an Indian law.
Purpose limitation: Where consent or voluntarily provided personal data is the basis for processing, personal data should only be processed pursuant to specified purposes.
Integrity: Where personal data is likely to be disclosed to another data fiduciary or used to make decisions about a data principal, the data fiduciary must ensure the completeness, accuracy and consistency of such personal data.
Confidentiality: Data fiduciaries are required to protect the personal data in their possession or control, and to implement reasonable security safeguards to prevent a personal data breach. Data fiduciaries are also required to implement appropriate technical and organisational measures.
Accountability: Data fiduciaries are required to, irrespective of an agreement to the contrary, ensure compliance with DPDPA provisions.
Significant data fiduciaries are required to carry out periodic audits through an independent data auditor, data protection impact assessments in accordance with the DPDPA and rules prescribed, etc.
Legal basis for processing personal data
GDPR
Includes six lawful bases for processing personal data, subject to additions by member states:
• Consent.
• Performance of a contract.
• Legal obligation.
• Legitimate interests.
• Life protection and vital interests.
• Public interest.
DPDPA
Prescribes nine additional grounds for processing personal data beyond consent, defined as legitimate uses, including the following:
• Use of voluntarily provided data by the data principal for a specified purpose, where the data principal has not objected to such use.
• Performance of a state function.
• Performance of a legal obligation, or in the interests of the sovereignty and integrity of India.
• To fulfil any legal obligation.
• To comply with a judicial order.
• To respond to medical emergencies involving a threat to an individual's life.
• During a threat to public health.
• For undertaking measures to ensure public safety or provide assistance during a disaster or public order breakdown.
• For employment purposes, or to safeguard the employer from loss or liability such as corporate espionage, to maintain confidentiality of proprietary information or to provide any service or benefit sought by an employee.
Consent
GDPR
Imposes a number of requirements for obtaining valid consent:
• Consent must be freely given, specific and informed.
• It must be granted by an unambiguous affirmative action.
• Generally, the provision of a service cannot be made conditional on obtaining consent for processing that is not necessary for the service.
• A request for consent must be distinct from any other terms and conditions.
• Consent for separate processing purposes must be provided separately.
• Individuals have the right to withdraw consent at any time "without detriment" and it should be as easy to withdraw consent as it was to give it.
DPDPA
Requires consent to be:
• Freely given, specific and informed.
• Unconditional. This possibly implies the provision of a service cannot be conditioned on providing consent for collecting any unnecessary data.
• Unambiguous.
• Capable of being withdrawn with ease comparable to that with which it was given.
• In clear and plain language.
• Accessible in English as well as in all the official languages as prescribed in the Indian Constitution.
Legitimate interests
GDPR
Processing is permitted without consent where it is necessary for the controller's or a third party's legitimate interests, provided such interests are not overridden by the rights and interests of the data subject.
It is the controller's responsibility to determine whether the interests it pursues under this basis are legitimate and proportionate. Controllers are expected to document these assessments.
Conditions for processing sensitive data
GDPR
Includes 10 lawful bases for processing sensitive data, subject to additions by member states:
• Explicit consent.
• Compliance with obligations and exercising rights in the employment and social security context.
• Life protection and vital interests.
• Legitimate activities by foundations, associations or other not-for-profit bodies with political, philosophical, religious or trade union aims that process data about members.
• Establishment, exercise or defense in legal claims.
• Manifestly made public by the individual.
• Substantial public interest defined by law.
• Preventive or occupational medicine, assessment of the working capacity of the employee, medical diagnosis, and the provision of health or social care or treatment.
• Substantial public interest in health.
• Archiving, scientific or historical research purposes.
DPDPA
Treats all personal data uniformly, without creating special categories of personal data, so the grounds for processing all personal data remain the same.
Protections for children
Children
GDPR
Imposes additional obligations when collecting consent from children under age 16 or at an age set between 13 and 16 by member state law.
Where providing certain electronic services at a distance, i.e., "information society services," directly to a child and where the processing is based on consent, consent must be provided by a parent or guardian.
Processing personal data of children is pertinent to other GDPR requirements, so notices must be tailored to children. The fact that data subjects are children could tip the balance of the legitimate interest test or trigger a DPIA.
One recital states significant automated decisions should not be taken concerning children.
DPDPA
Defines a child as an individual under age 18.
There is a general obligation to obtain "verifiable consent" from the parent or lawful guardian of children and persons with disabilities. The government can notify rules specifying the manner of obtaining such verifiable parental consent.
Data fiduciaries are prohibited from undertaking processing that:
• Is likely to have a detrimental effect on the wellbeing of a child.
• Involves tracking, behavioral monitoring of children or targeted advertising directed at children.
These restrictions would not apply for certain classes of data fiduciaries, or for certain purposes as prescribed through rules by the government.
The government may notify classes of data fiduciaries exempt from these restrictions upon satisfaction that their processing activities are verifiably safe.
Individual rights
Transparency requirements
GDPR
Requires information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Where personal data is collected directly from the individual, notice must be provided at or before the time of collection.
For personal data collected indirectly (i.e., from another source), notice must be provided within one month or upon first contact with the individual, if earlier, unless providing notice would be impossible or require disproportionate effort.
Sets out detailed requirements for the content that must be included in notices.
DPDPA
Requires consent to be obtained using clear and plain language.
Requires a notice to be provided before or at the time of personal data collection, disclosing:
• Personal data processed and the purpose for such processing.
• The manner in which data principals may exercise the rights available under the DPDPA.
• The manner in which the data principal can make a complaint to the Data Protection Board of India in such manner as prescribed.
Requires the consent language to be accessible in English as well as all official languages set out in the Indian Constitution.
Data fiduciaries are required to publish the business contact information of a point of contact, and a data protection officer in the case of significant data fiduciaries, to answer data principals' questions regarding personal data processing.
Right of access
GDPR
Gives individuals the right to receive information about how their personal data is processed and a copy of their personal data.
Personal data must be provided:
• Free of charge, except where requests are manifestly unfounded, excessive or for additional copies.
• In electronic form when requested.
• Within one month unless an extension applies.
Exceptions apply when providing the information would adversely affect the rights and freedoms of others, including intellectual property rights.
DPDPA
Where consent or voluntary use is the basis for processing personal data, gives the data principal the right of access in the manner prescribed to:
• A summary of personal data processed by the data fiduciary and the processing activities undertaken by that data fiduciary with respect to such personal data.
• The identities of all other data fiduciaries and data processors with whom personal data has been shared, with a description of the personal data.
• Any other information related to their personal data and its processing, as may be prescribed.
Right to correct and update
GDPR
Grants data subjects the right to:
• Correct inaccurate personal data.
• Complete incomplete personal data.
When personal data is updated, it must be communicated to each recipient to which it was disclosed, unless this would involve disproportionate effort.
The controller must restrict processing where the accuracy of the data is disputed for the time needed to verify the request.
DPDPA
When consent or voluntary use is the basis for processing personal data, grants data principals the right to:
• Correct inaccurate or misleading personal data.
• Complete incomplete personal data.
• Update outdated personal data.
Right to be forgotten
GDPR
Grants data subjects the right to request the deletion of personal data processed by the controller, when the data is no longer needed for the purpose of processing, when the data subject withdraws consent or objects, and when processing is unlawful or deletion is required by law.
If the controller grants a request for the deletion of data that was previously made public, the controller needs to "take reasonable steps" to inform any third parties that may be processing the data of the data subject's request.
There is also an obligation to communicate the request directly to any known recipients of the data unless it would be impossible or would require disproportionate effort.
Controllers may rely on a number of exceptions, including establishing, exercising or defending legal claims, conducting research that meets certain conditions, and other compelling legitimate interests to override a request.
DPDPA
Does not expressly recognize a right to be forgotten.
However, it allows data principals to withdraw their consent related to personal data processing.
Where consent is the basis for processing personal data, and such consent is withdrawn, the data fiduciary would be required to cease the processing of personal data, including its retention or public disclosure, within a reasonable time, unless the data is required to be retained under an Indian law. Additionally, the data principal may exercise the right to erasure of their personal data where its further retention is not necessary for the specified purpose, and is not required by law.
Rights related to profiling
GDPR
Gives data subjects the right not to be subject to solely automated decisions, including profiling, that produce legal or significant effects, unless certain conditions are met.
Where such decisions are permitted, data subjects have a right to obtain human intervention and contest the decision.
Controllers must also provide meaningful information about the logic of decisions and take reasonable steps to prevent bias, error or discrimination.
DPDPA
Does not include an overarching right not to be subject to profiling or significant decisions, except the restriction against behavioral monitoring, tracking or offering targeted ads to children.
Accountability requirements
Appointment of a data protection officer
GDPR
Requires controllers and processors not established in the EU, that are subject to the GDPR, to appoint a representative in the EU, except if processing is occasional and does not involve large scale processing of sensitive data. Requires private entities to appoint a DPO only when a "core activity" of the controller or processor involves either the regular and systematic monitoring of data subjects on a large scale or the large-scale processing of sensitive data.
The DPO must have sufficient independence and skill to carry out its functions and must be able to report to the highest levels of management within the organization.
DPOs may be outsourced.
Guidance from EU regulators recommends that DPOs be based in the EU.
DPDPA
Requires all significant data fiduciaries to appoint DPOs based in India. Significant data fiduciaries are classes of data fiduciaries notified by the government considering the nature and volume of personal data processed, the risk posed to the rights of data principals, risk to electoral democracy, potential impact on the sovereignty and integrity of India, security of the state, etc.
The DPO must represent the significant data fiduciary and be accountable to the board of directors or governing body of the significant data fiduciary.
There are no express skill requirements for DPOs. Guidance on terms for appointing DPOs may be provided through rules under the DPDPA.
Record of processing
GDPR
Requires controllers and processors to retain detailed records of their processing activities unless very narrow exceptions apply.
DPDPA
Does not require data fiduciaries to maintain a record of processing activities. However, data fiduciaries may practically be required to maintain records of their processing activities when demonstrating compliance with the DPDPA.
Notably, during any proceeding, the data fiduciary should be able to prove that a notice was given to the data principal and that consent was obtained in accordance with DPDPA provisions.
Data protection impact assessment
GDPR
Requires controllers to conduct a DPIA for certain "high risk" activities, including:
• Systematic and extensive profiling.
• Large-scale processing of sensitive data.
• Systematic monitoring of a publicly accessible area on a large scale.
In cases where the risks cannot be mitigated, the controller must consult with the data protection authority before engaging in the processing.
DPDPA
Requires significant data fiduciaries to carry out DPIAs. Such assessment should consider the impact of processing on data principals' rights, the purpose of processing, the assessment and management of risks to data principals' rights, and other prescribed matters.
Privacy by design
GDPR
Includes a requirement to implement appropriate compliance processes through the lifecycle of any product, service or activity.
By default, only personal data necessary for a purpose should be processed and personal data should not be publicly disclosed without an individual's affirmative action.
DPDPA
Notably, does not require data fiduciaries to implement privacy by design.
Where consent or voluntary use is the basis for processing personal data, ensuring personal data collected is limited to what is necessary for a specified purpose is required.
Like the GDPR, the DPDPA requires all data fiduciaries to implement appropriate technical and organizational measures.
Audit requirements
GDPR
Does not include audit requirements applicable to controllers.
Processors must agree to audit provisions in contracts with controllers.
DPDPA
Requires significant data fiduciaries to appoint an independent data auditor and carry out periodic audits.
Appointment of processors
GDPR
Subjects processing by processors to detailed contracts, with requirements set out in Article 28.
DPDPA
Requires data fiduciaries to be responsible for compliance, without any provision being applicable directly to data processors. However, data fiduciaries are required to engage data processors only pursuant to a valid contract.
Security and breach notification
Information security
GDPR
Requires controllers and processors to implement appropriate technical and organizational measures to protect the security of personal data.
DPDPA
Requires data fiduciaries to protect the personal data under their control or possession, including in respect of any processing undertaken by them or on their behalf, and to implement reasonable security safeguards to prevent a personal data breach. This requirement is likely to be passed on to data processors by contract.
Breach notification
GDPR
Requires controllers to notify the DPA of a breach within 72 hours unless the breach is unlikely to result in a risk to individuals.
Notification may be made in stages as information becomes available.
Controllers must notify individuals of a breach without undue delay only if it is likely to result in a "high risk" to individuals.
Processors must notify a controller of a breach without undue delay.
DPDPA
Requires data fiduciaries to notify the board and the affected data principals in the event of a personal data breach, in a manner prescribed through rules.
The time period for notifying breaches may be established by rules.
International data transfers
Data localization requirements
GDPR
Does not require localization unless international data transfer requirements are not met.
DPDPA
Does not generally require data localization. However, the government may impose restrictions on transfers of personal data to specific countries through notification. Additionally, any stricter law such as sector-specific data localization requirements, e.g., in respect of payment data, insurance data, or telecommunications subscriber data, will continue to apply.
International data transfers
GDPR
Only permits the transfer of personal data outside the European Economic Area when:
• The recipient is in a territory considered by the European Commission to offer an adequate level of protection for personal data after an assessment of its privacy laws and law enforcement access regime.
• Appropriate safeguards are put in place, such as European Commission-approved standard contractual clauses or binding corporate rules approved by DPAs.
• A derogation applies, such as where data subjects provide explicit consent, the transfer is necessary to fulfil a contract, or there is a public interest founded in EU or member state law, among others.
DPDPA
Generally permits international data transfers. The government may restrict transfers of personal data to specific countries notified through rules under the act. The rules will also specify the nature of such restrictions.
Enforcement
Penalties
GDPR
Does not stipulate criminal liability, but permits member states to impose criminal penalties for violations of the regulation and applicable national rules.
Administrative fines up to 20 million euros or 4% of annual global revenue.
DPAs may also issue injunctive penalties, which include the ability to block processing, restrict international transfers and require the deletion of personal data.
Individuals may bring claims in court for compensation and mechanisms exist for representative actions on behalf of a class of individuals.
DPDPA
Does not impose any criminal penalties, but imposes monetary penalties for "significant" breaches. In calculating the amount of penalty, relevant factors to be considered include:
• The nature, gravity and duration of the breach.
• The type and nature of personal data affected by the breach.
• The repetitive nature of the breach.
• Whether, as a result of the breach, the data fiduciary realized a gain or avoided any loss.
• Whether the monetary penalty imposed is proportionate and effective.
• The likely impact of the imposition of the monetary penalty on such data fiduciary.
During any stage of a proceeding for compliance with the DPDPA, the board may accept a voluntary undertaking by a data fiduciary. This may include a commitment to take appropriate action within a stipulated timeframe determined by the board. The board's acceptance would bar all proceedings under the DPDPA against the data fiduciary.
In addition to monetary penalties, the Central Government may direct any of its agencies or any online intermediary to block access to any information which enables a data fiduciary to offer goods or services in India, based on a written reference from the board intimating that the data fiduciary has been subject to a monetary penalty in two or more cases, and advising the Central Government that blocking access to the data fiduciary's offerings is in the public's general interests.
Miscellaneous provisions
Anonymized data
GDPR
Does not define anonymous data. Data that cannot identify an individual by means reasonably likely to be used (taking into account reasonable steps to re-identify) falls outside the scope of the law. In practice, anonymization is a high standard to meet.
DPDPA
Does not define anonymized personal data.
Exemptions for research
GDPR
Permits a number of exemptions for scientific or historical research, archiving in the public interest, and statistical purposes, including:
• Further processing for such purposes may be considered "compatible."
• EU or member state law may permit controllers to process sensitive data for such purposes.
• EU or member state law may provide derogations from certain individual rights.
For the research exemptions to apply, controllers must implement appropriate safeguards, which may be specified by law, such as pseudonymization.
DPDPA
Does not apply its provisions to the processing of personal data for research, archiving or statistical purposes, if such processing is:
• Not used to make a decision about a data principal.
• Carried out in accordance with the standards prescribed by the government.
Rulemaking authority
GDPR
Gives rulemaking authority to national DPAs and the EU Data Protection Board to issue nonbinding guidance clarifying the application of its provisions.
Some limited areas are left to national law, such as clarifying the conditions for processing criminal-record data or adopting additional derogations from certain provisions.
DPDPA
Permits the Central Government to promulgate rules or regulations that clarify its requirements or specify additional requirements.
Application to public authorities
GDPR
Applies to public entities, subject to narrow exemptions:
• Law enforcement and other "competent authorities" are subject to a separate, but similar framework when they process personal data for law enforcement purposes.
• EU institutions are subject to a separate but similar framework.
• Activities that fall outside the scope of EU law, such as national security and intelligence services, are subject only to national law.
DPDPA
Generally applies to public agencies, as well as private parties.
However, the Central Government has the broad authority to exempt any government agency from any or all provisions in the interest of sovereignty, security, public order, integrity of the state and friendly relations with foreign states, or for preventing incitement of identifiable offenses.
Data protection principles
Instead of listing out data protection principles, the DPDPA internalizes principles of lawfulness, purpose limitation, storage limitation, integrity and confidentiality, and accountability through its various provisions.
However, the principle of purpose limitation only applies when consent or voluntary use is the basis for processing personal data. Similarly, the requirement of data minimization (collecting only as much information as is necessary for a specified purpose) only applies where consent is the basis for processing personal data.
Notably, the DPDPA does not impose a general obligation to comply with the principle of fairness in processing personal data, as required under the GDPR.
Lawful bases
The DPDPA excludes contractual necessity and legitimate interest as grounds for processing personal data. Consent remains the primary basis for processing, except for certain legitimate uses, where obtaining consent may not be possible. Such situations include complying with legal obligations, performance of state functions, complying with judicial orders, responding to medical emergencies, and maintaining public safety and order.
The act recognizes processing for broadly defined employment purposes as an independent basis. It also envisions the use of personal data voluntarily provided by a data principal for a specified purpose, where the data principal does not object to such use. Voluntary use as a basis is possibly inspired by the deemed consent ground under Singapore's PDPA, where a notice and consent mechanism may not be practical in transactional settings.
However, the voluntary use basis is much narrower than the legitimate interest ground for processing, which is flexible and can be relied on beyond specified purposes to cover the broader commercial interests of the data controller, as long as the individual can reasonably expect such processing.
Classification of data fiduciaries
Unlike the GDPR, which requires all entities to carry out data protection impact assessments under specific circumstances, for instance when high-risk processing is involved, the DPDPA only imposes this requirement on specific data fiduciaries classified as "significant data fiduciaries." The government may classify data fiduciaries as significant considering the volume and extent of personal data processed and risks posed to data principals, electoral democracy, national security and public order.
The GDPR, by default, requires all public bodies and entities carrying out large-scale processing of sensitive data and systematic monitoring of individuals as their core activity to appoint a data protection officer. The DPDPA, meanwhile, imposes the requirement to appoint an India-based DPO only on data fiduciaries that are classified as significant through rules — likely to include global businesses collecting significant volumes of personal data. While the GDPR requires the DPO to act independently, the DPDPA requires the DPO to be responsible to the board of directors or similar governing body of the significant data fiduciary. The act allows the government to notify additional obligations on significant data fiduciaries, the nature of which remains unclear.
Scope of rights
While the GDPR and CCPA allow individuals to exercise a broader array of rights, under the DPDPA, the rights available to data principals are limited to the rights of access, correction, completion, nomination (such as of a representative to exercise rights in case of death or incapacity), erasure, consent withdrawal and grievance redressal. Further, rights to access, correction, completion, and erasure can only be exercised where consent or voluntary use is the basis for processing personal data.
While the act does not explicitly provide for a right to be forgotten, it is possible the withdrawal of consent, where consent is the basis for processing, would require the data fiduciary to delete the personal data collected. The requirement to provide a notice to data principals only applies when consent is the basis for processing personal data.
Crucially, the right to data portability and the right against solely automated decision-making are excluded. However, the act does require personal data used to make a decision about a data principal to be accurate, complete and consistent — which may make it difficult for data fiduciaries to implement solely automated decision-making processes that could result in inaccurate or discriminatory results.
Duties of a data principal
Unlike most data laws, the act imposes duties on data principals, against raising frivolous complaints, impersonating another person and suppressing material information in identifying oneself, such as during age-verification measures. Additionally, the act requires data principals to comply with applicable laws.
International data transfers
Unlike the GDPR, which generally restricts data transfers unless a country is deemed adequate, the DPDPA generally allows data transfers, unless the government restricts transfers to specific countries. While the nature of these restrictions remains unclear, they could mean a strict ban on transfers to blacklisted countries or softer obligations akin to adequacy-like arrangements, such as binding corporate rules or standard contractual clauses, for specific countries. Additionally, sector-specific restrictions on data transfers applicable to regulated entities (banking and finance, insurance, etc.) may apply as relevant.
Exemptions
The act allows the government to exempt classes of data fiduciaries from its scope, considering the nature and volume of personal data processed, including startups. This addresses the long-standing criticism of the GDPR for imposing excessive regulatory costs on small businesses.
The act also exempts processing pursuant to research, archival or statistical purposes, when carried out in accordance with standards prescribed by the government.
Additionally, except for data security requirements, the act exempts data processing carried out under specific conditions, such as:
• To ascertain the assets and liabilities of persons who may have defaulted on payment due on a loan or advance taken from a financial institution, enabling financial institutions and fintech businesses to conduct their business.
• Where processing is necessary in the context of mergers and acquisitions approved by a competent authority in certain circumstances.
• In the context of outsourcing, where the data relates only to foreign residents and is processed by an Indian data processor on behalf of a foreign data fiduciary, allowing India to retain its standing as an outsourcing hub.
Powers of the board
Notably, the Data Protection Board of India, the regulatory body to be formed under the act, has powers including the ability to carry out inquiries and direct urgent or remedial measures.
However, unlike national supervisory authorities under the GDPR, the board does not have the power to initiate a proceeding on its own. Similarly, unlike EU supervisory authorities, the board cannot issue recommendations or codes of conduct, and such prescriptive powers are retained by the government. While the board is required to act independently, unlike the structural and functional independence with which EU supervisory authorities operate, the government exercises considerable control over its composition, powers and functions. This could have been India's opportunity to further strengthen its adequacy status under the GDPR.
Perhaps again inspired by Singapore's PDPA, the act allows the board to accept a voluntary undertaking to address any alleged noncompliance by a data fiduciary and to bar associated legal proceedings against that data fiduciary. Such a provision for voluntary undertakings is absent from most global data laws.
Significantly, the board can recommend the government exercise blocking powers against noncompliant data fiduciaries, restricting access to the data fiduciary's online goods or services, which could lead to a virtual sales stop.
Enforcement and sanctions
While the GDPR allows member states to impose criminal penalties for certain noncompliance with data protection law, the act does not impose any criminal penalties. The sanctions are monetary penalties which, unlike the turnover-based penalties under the GDPR, are capped at a fixed amount that may extend to INR 250 crore (approximately USD 30 million) in some cases.
The DPDPA only provides for the imposition of penalties for noncompliance that is "significant" in nature. In determining the monetary penalty for a significant noncompliance, the relevant factors are not the turnover of the business but the nature, gravity and duration of the breach, the type and nature of personal data affected, whether the breach is repetitive, and the mitigation measures undertaken by the data fiduciary.
Notably, composite penalties may be imposed under the act for more than one instance of noncompliance. For example, penalties for failing to undertake reasonable security safeguards to prevent a personal data breach could add up to the penalty for being noncompliant with child-related processing obligations.
Notably, the act does not provide for a right to compensation to data principals in case of a noncompliance with the act.
Contrary to global data laws, the act only applies monetary penalties in case of significant breaches, but the threshold of what constitutes a "significant" breach remains unclear.
Key takeaways
Structural resonance: The structure of the DPDPA is comparable to the GDPR in terms of definitions, grounds, exceptions, rights and obligations. However, compared to global laws, the scope of each of these is limited, perhaps reflecting that this is India's first step toward an omnibus data protection law.
Ease of compliance: As a continuing theme, the act seeks to ease compliance for businesses in India's emerging digital economy, so that India retains its competitive advantage among preferred offshore locations globally.
An evolving law for emerging challenges: Flexibility in introducing regulatory requirements through swiftly exercisable rulemaking powers (the ability to impose additional obligations on significant data fiduciaries, the manner of reporting data breaches, the accountability framework for consent managers, the manner of providing notice and the restrictions on international data transfers) gives the act an evolving character. It can reshape itself and adapt expeditiously to the novel challenges posed by India's rapidly transforming digital economy through situation-specific and need-based regulation.
Proportionate regulation: The act's elasticity gives India the regulatory flexibility to ensure proportionate regulation from the perspective of doing business, with graded obligations for startups compared to significant data fiduciaries, providing India's startup economy with a competitive advantage in the global tech landscape.
The IAPP Resource Center additionally hosts an "India" topic page, which updates regularly with the IAPP's latest news and resources.
Top 10 operational impacts of India's DPDPA