DPDP Act vs GDPR

Applies to processing of digital personal data within India and outside India if related to offering goods/services to Data Principals in India

Applies to processing in EU and outside EU if offering goods/services to or monitoring behavior of EU data subjects

Data about an individual who is identifiable by or in relation to such data (only digital personal data)

Any information relating to an identified or identifiable natural person (includes offline data)

Must be free, specific, informed, unconditional, and unambiguous with clear affirmative action

Must be freely given, specific, informed, and unambiguous indication of wishes

Consent or legitimate uses under Section 7 (limited grounds)

Six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests

Right to access, correction, erasure, grievance redressal, nomination

Right to access, rectification, erasure, restriction, portability, object, automated decision-making

Under 18 years - verifiable parental consent required, no tracking/profiling

Under 16 years (or 13-16 per member state) - parental consent for information society services

Mandatory only for Significant Data Fiduciaries (SDFs)

Mandatory for public authorities, large-scale monitoring, or special category data processing

Required for Significant Data Fiduciaries

Required for high-risk processing activities

Allowed to countries notified by Central Government (restricted countries list)

Allowed to adequate countries or with appropriate safeguards (SCCs, BCRs)

To Data Protection Board and affected Data Principals (timeline in rules)

72 hours to supervisory authority, without undue delay to data subjects if high risk

Up to ₹250 Crores (~€27 million) for serious violations

Up to €20 million or 4% of global annual turnover, whichever is higher

Data Protection Board of India

Supervisory authorities in each EU member state + European Data Protection Board