DPDP Act vs GDPR
Comprehensive comparison between India's Digital Personal Data Protection Act 2023 and the EU General Data Protection Regulation. Essential guidance for organizations operating in both jurisdictions.
The DPDP Act allows penalties up to ₹250 crore per instance; the GDPR up to €20 million or 4% of global turnover — and the lawful-basis models differ fundamentally.
DPDP Act 2023 · EU GDPR · Last reviewed June 2026
Direct Answer
How does the DPDP Act differ from the GDPR?
India’s DPDP Act 2023 and the EU’s GDPR share the same goal — protecting personal data — but differ in important ways: the DPDP Act is consent-centric with no general legitimate-interest basis, covers only digital personal data, treats anyone under 18 as a child, and uses a negative-list model for cross-border transfers. The GDPR offers six lawful bases, covers all personal data, sets a lower children’s-age threshold, and grants broader rights such as data portability and the right to object.
At a Glance
The Two Laws at a Glance
DPDP Act 2023
- Applies to digital personal data in India
- 44 sections across 9 chapters
- Penalties up to ₹250 Crores
- Enforced by the Data Protection Board of India
GDPR
- Applies to all personal data in the EU
- 99 articles across 11 chapters
- Penalties up to €20M or 4% global turnover
- Enforced by national supervisory authorities
Side by Side
Detailed Comparison
Territorial Scope
- DPDP Act: Applies to processing of digital personal data within India and outside India if related to offering goods/services to Data Principals in India
- GDPR: Applies to processing in EU and outside EU if offering goods/services to or monitoring behavior of EU data subjects
Personal Data Definition
- DPDP Act: Data about an individual who is identifiable by or in relation to such data (only digital personal data)
- GDPR: Any information relating to an identified or identifiable natural person (includes offline data)
Consent Requirements
- DPDP Act: Must be free, specific, informed, unconditional, and unambiguous with clear affirmative action
- GDPR: Must be freely given, specific, informed, and unambiguous indication of wishes
Lawful Basis for Processing
- DPDP Act: Consent or legitimate uses under Section 7 (limited grounds)
- GDPR: Six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests
Data Principal / Subject Rights
- DPDP Act: Right to access, correction, erasure, grievance redressal, nomination
- GDPR: Right to access, rectification, erasure, restriction, portability, object, automated decision-making
Children's Data
- DPDP Act: Under 18 years - verifiable parental consent required, no tracking/profiling
- GDPR: Under 16 years (or 13-16 per member state) - parental consent for information society services
Data Protection Officer
- DPDP Act: Mandatory only for Significant Data Fiduciaries (SDFs)
- GDPR: Mandatory for public authorities, large-scale monitoring, or special category data processing
Data Protection Impact Assessment
- DPDP Act: Required for Significant Data Fiduciaries
- GDPR: Required for high-risk processing activities
Cross-Border Transfer
- DPDP Act: Allowed to countries notified by Central Government (restricted countries list)
- GDPR: Allowed to adequate countries or with appropriate safeguards (SCCs, BCRs)
Breach Notification
- DPDP Act: To Data Protection Board and affected Data Principals (timeline in rules)
- GDPR: 72 hours to supervisory authority, without undue delay to data subjects if high risk
Maximum Penalties
- DPDP Act: Up to ₹250 Crores (~€27 million) for serious violations
- GDPR: Up to €20 million or 4% of global annual turnover, whichever is higher
Regulatory Authority
- DPDP Act: Data Protection Board of India
- GDPR: Supervisory authorities in each EU member state + European Data Protection Board
Compliance Deltas
Key Differences & Impact
Scope of Data
- DPDP Act: Only digital personal data
- GDPR: All personal data (digital and offline)
- Impact: DPDP does not cover paper records or offline data processing
Lawful Basis
- DPDP Act: Primarily consent-based with limited legitimate uses
- GDPR: Six lawful bases including legitimate interests
- Impact: DPDP requires consent more frequently than GDPR
Data Portability
- DPDP Act: Not explicitly provided
- GDPR: Explicit right to data portability
- Impact: GDPR provides stronger data portability rights
Right to Object
- DPDP Act: Not explicitly provided
- GDPR: Explicit right to object to processing
- Impact: GDPR provides additional rights for data subjects
Automated Decision-Making
- DPDP Act: Not explicitly addressed
- GDPR: Right not to be subject to solely automated decisions
- Impact: GDPR provides specific protections for automated profiling
Dual Compliance
Practical Guidance for Dual Compliance
Leverage GDPR for DPDP
- GDPR compliance provides a strong foundation for DPDP
- Existing consent mechanisms can be adapted for DPDP
- GDPR's stricter requirements often satisfy DPDP
- Data mapping and ROPA can be reused with modifications
Watch Out For
- DPDP requires consent more frequently than GDPR
- Different age thresholds for children (18 vs 16)
- DPDP only covers digital data, GDPR covers all data
- Different breach notification timelines and procedures
Frequently Asked Questions
Common questions on how the DPDP Act and the GDPR differ and how to comply with both.
What is the main difference between the DPDP Act and the GDPR?
The biggest difference is the lawful basis for processing. The GDPR offers six bases — including legitimate interests — whereas the DPDP Act 2023 is consent-centric, relying on consent plus a short list of legitimate uses with no general legitimate-interest ground. As a result, organizations typically need consent more often under DPDP. The DPDP Act also covers only digital personal data, while the GDPR covers all personal data, including paper records.
Does GDPR compliance make me DPDP compliant?
Not automatically, but it is a strong head start. A mature GDPR program gives you data mapping, consent mechanics, breach processes, and a rights framework you can adapt. You still need to close DPDP-specific gaps: re-base processing on consent where you relied on legitimate interest, adopt the under-18 children’s-data rules, integrate Consent Managers, and meet Significant Data Fiduciary obligations where they apply.
How do DPDP and GDPR penalties compare?
The DPDP Act allows penalties of up to ₹250 crore per instance (roughly €27 million) for the most serious defaults, such as inadequate security safeguards. The GDPR allows up to €20 million or 4% of global annual turnover, whichever is higher. GDPR fines are turnover-linked, so for large multinationals the GDPR ceiling can be substantially higher.
What rights does the GDPR grant that the DPDP Act does not?
The GDPR includes a right to data portability, a right to object to processing, a right to restriction, and rights concerning solely automated decision-making — none of which appear explicitly in the DPDP Act. DPDP focuses on access, correction and erasure, grievance redressal, and nomination, making its rights set narrower than the GDPR’s.
What is the age of consent for children under each law?
The DPDP Act treats anyone under 18 as a child and requires verifiable parental consent, with a prohibition on tracking, behavioural monitoring, and targeted advertising to children. The GDPR sets the threshold at 16 for information-society services, allowing member states to lower it to as young as 13. The DPDP Act’s higher age threshold is a key compliance delta for India.