Practical reference tools built from primary texts. Use them, print them, share them.
Checklist
A structured checklist covering consent, data principal rights, data fiduciary obligations, breach response, and cross-border transfer requirements under the Digital Personal Data Protection Act 2023.
Comparison Table
Side-by-side comparison of 16 key dimensions across GDPR and India's DPDPA 2023 — consent standards, data subject rights, breach timelines, cross-border rules, and penalty exposure.
1. Consent and Notice
2. Data Principal Rights
3. Data Fiduciary Obligations
4. Data Breach Response
5. Cross-Border Transfers
Prepared by Adv. Sanket Shah · Law stated as of April 2026 · For reference only, not legal advice
| Dimension | GDPR (EU) | DPDPA 2023 (India) |
|---|---|---|
| Scope | Personal data of data subjects in the EU/EEA; applies to EU-established controllers and processors wherever the processing takes place, and to non-EU organisations that offer goods or services to, or monitor the behaviour of, data subjects in the EU | Digital personal data processed in India (collected digitally, or collected offline and later digitised), and processing outside India in connection with offering goods or services to data principals in India; purely personal or domestic processing and data made public by the data principal are excluded |
| Legal bases for processing | 6 bases: consent, contract, legal obligation, vital interests, public task, legitimate interests | 2 primary bases: consent; "certain legitimate uses" (data voluntarily provided for a specified purpose, State benefits and functions, legal compliance, medical and public-health emergencies, employment); research, archiving and statistical purposes are exempted from the Act rather than listed as a legitimate use |
| Consent standard | Freely given, specific, informed and unambiguous indication by statement or clear affirmative action; withdrawal must be as easy as giving consent | Free, specific, informed, unconditional and unambiguous, given by a clear affirmative action; may be withdrawn at any time as easily as it was given; a notice stating the purposes, how to exercise rights and how to complain to the Board must accompany or precede the consent request |
| Children's data | Parental consent required for information society services offered directly to a child below 16 (member states may lower to 13) | Verifiable parental consent required below 18; no tracking or behavioural monitoring of children and no targeted advertising directed at children |
| Data subject rights | Access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making including profiling | Access to information about processing, correction and erasure, grievance redressal, and the right to nominate a person to exercise rights in the event of death or incapacity; no portability right yet |
| Data portability | Yes | No (not yet) |
| DPO requirement | Mandatory for public authorities and for controllers/processors whose core activities involve large-scale regular and systematic monitoring or large-scale special-category processing | Significant Data Fiduciaries must appoint a DPO based in India, who represents the SDF under the Act and is the point of contact for grievance redressal |
| Data breach notification | To the supervisory authority within 72 hours of becoming aware (unless the breach is unlikely to result in a risk); to data subjects without undue delay if the breach is likely to result in high risk | To the Data Protection Board and each affected data principal, in the form and manner prescribed by rules (timeline to be prescribed by the rules) |
| Cross-border transfers | Adequacy decision, SCCs, BCRs, or derogations | Permitted except to countries/territories restricted by Central Government notification; any other Indian law imposing a higher degree of protection or a stricter transfer restriction (e.g. sectoral localisation mandates) continues to apply |
| Data localisation | No general requirement | Possible for SDFs (to be prescribed) |
| DPIA / risk assessment | Mandatory for high-risk processing | Required for SDFs; general obligation to implement reasonable safeguards |
| Supervisory authority | National DPA in each member state; one-stop-shop for cross-border cases | Data Protection Board of India (DPB), a single central body that adjudicates non-compliance, directs remedial measures and imposes penalties; no one-stop-shop concept |
| Max penalty (financial) | Higher of €20M or 4% of global annual turnover | Up to INR 250 crore per instance (highest tier, for failure to take reasonable security safeguards); up to INR 200 crore for failure to notify a breach and for breach of child data obligations |
| Processor obligations | Direct obligations under GDPR; mandatory written DPA with controller | Data processors bound by contract with fiduciary; no direct statutory obligations on processors |
| Sensitive data category | Special categories: health, race, religion, biometric, genetic, political, sexual orientation, etc. | No separate sensitive data category in the Act; rules may prescribe additional obligations |
| Rules / implementing legislation | Regulation, directly applicable in all member states; member state derogations where permitted | DPDP Rules (draft published for public consultation in Jan 2025); final rules not yet notified as of Apr 2026 |