We are GDPR compliant. Does that mean we’re DPDPA compliant?

Not necessarily.

While India’s new data privacy law shares similarities with the GDPR, it’s the differences that often catch organizations off guard.

Here's the gist.

DPDPA (India)

GDPR (EU)

Data coverage

DPDPA (India)

Applies to digital personal data collected in digital form or in non-digital form that has been digitised subsequently

GDPR (EU)

Covers both digital and offline personal data and imposes stricter protections on special categories such as health and racial data

Basis for data processing

DPDPA (India)

Places a significant emphasis on consent for most processing activities

GDPR (EU)

Processing can rely on six lawful bases, not consent alone

Legal use

DPDPA (India)

Allows processing without consent for specific, defined, legitimate uses

GDPR (EU)

Allows legitimate interest as a lawful basis, provided it does not override individual rights

Individual rights

DPDPA (India)

Focuses on core control rights such as access, correction, erasure, grievance redressal, and nomination

GDPR (EU)

Provides expanded rights, including objections, restrictions, profiling controls, and automation safeguards

Data portability

DPDPA (India)

No right to receive or transfer data between service providers

GDPR (EU)

Grants the right to obtain personal data in a machine-readable format and transfer it

Automated decision-making

DPDPA (India)

No explicit restrictions or safeguards defined in the act, unlike the GDPR

GDPR (EU)

Explicit rights related to automated decisions and profiling, including human intervention

Consent manager

DPDPA (India)

Introduces consent managers, enabling individuals to manage and withdraw consent across multiple platforms through a single interface

GDPR (EU)

No equivalent consent manager framework

Nomination

DPDPA (India)

Allows individuals to nominate a representative, including for exercising rights after death

GDPR (EU)

No explicit concept of nomination; post-death data rights are not explicitly addressed, leaving member states free to legislate in this area

Children's rights

DPDPA (India)

Children's data is subject to enhanced protection, requiring verifiable parental consent and banning tracking or targeted advertising

GDPR (EU)

Applies parental consent only in specific online contexts, with age thresholds varying by country

Response timelines

DPDPA (India)

Organizations must respond to grievances within a reasonable timeframe, which cannot exceed 90 days

GDPR (EU)

Organizations must respond to data subject requests within 30 days