DPDPA vs GDPR — What Actually Changed

Digital personal data only (Section 2(n)). Paper/manual records are excluded.

All personal data — digital, paper, automated, and manual filing systems (Art. 2).

Binary model — Consent (Section 6) or Deemed Consent/Legitimate Uses (Section 7). No separate "legitimate interest" basis.

Six lawful bases including legitimate interest, contractual necessity, vital interest (Art. 6).

Free, specific, informed, unambiguous, with Section 5 notice. Must be as easy to withdraw as to give (Section 6(4)). Consent Managers registered under Rule 3-4.

Free, specific, informed, unambiguous (Art. 7). No formal "Consent Manager" concept.

Under 18 requires verifiable parental consent. Tracking, behavioural monitoring, and targeted advertising directed at children prohibited (Section 9). Rule 12 exemptions for prescribed categories.

Under 16 (or 13 in some member states). Parental consent required. No blanket advertising prohibition (Art. 8).

Permissive-with-exception model — transfers allowed except to notified restricted territories (Section 16 "negative list"). Sectoral regulators (RBI, IRDAI, SEBI) impose additional localisation.

Restrictive-with-exception — transfers prohibited unless adequacy decision, SCCs, BCRs, or derogation (Art. 44-50).

No mandatory DPO for all fiduciaries. Significant Data Fiduciaries must appoint a DPO in India (Section 10, Rule 11). Contact person required otherwise.

Mandatory DPO for public authorities, large-scale special category processing, and systematic monitoring (Art. 37-39).

Fixed-slab penalties in Schedule — up to ₹250 crore for specified contraventions. Board-determined quantum.

Up to €20 million or 4% of global annual turnover, whichever is higher (Art. 83).

Data Protection Board of India — quasi-judicial body, digital-by-design, not a regulator in the supervisory sense.

Supervisory Authorities in each member state + European Data Protection Board for cross-border cases.

Not included in DPDPA. Data Principals have correction and erasure rights (Section 12) but cannot demand data in portable format.

Explicit right to receive data in structured, commonly used, machine-readable format (Art. 20).

No explicit right to object to processing or restrict processing. Withdrawal of consent is the primary mechanism.

Right to object (Art. 21) and right to restriction (Art. 18) provide granular control beyond consent withdrawal.

Mandatory notification to Data Protection Board under Section 8(6). Form and manner prescribed by Rule 7. No statutory 72-hour deadline — timeline per rules.

Notification to supervisory authority within 72 hours (Art. 33). Data subject notification if high risk (Art. 34).

Required only for Significant Data Fiduciaries under Rule 14. Not a universal obligation.

Required when processing is likely to result in high risk (Art. 35). Applies to all controllers meeting threshold.

Applies to processing of digital personal data within India, and processing outside India if offering goods/services to data principals in India (Section 3).

Applies to processing by EU establishments and monitoring/offering to EU data subjects (Art. 3).

Central Government can exempt any government instrumentality from all or any DPDPA provisions in the interest of sovereignty, security, or public order (Section 17).

National security exemptions exist but are narrower. Member states cannot blanket-exempt government bodies.

SDFs required to complete Algorithmic Risk Assessment and Data Protection Impact Assessment under Rules 14-15.

Right not to be subject to solely automated decision-making (Art. 22). DPIA for automated profiling.