What Are the DPDPA and GDPR

DPDPA:

The Digital Personal Data Protection Act (DPDPA) is a data protection law introduced in India. Enacted in 2023, it governs the processing of digital personal data, sets out the rights and obligations relating to individuals’ data, and establishes compliance requirements for businesses and other entities that handle personal information. The Act aims to protect personal data, ensure accountability in data processing, and give data principals (the individuals whose data is being processed) more control over, and transparency into, how their data is used.

GDPR:

The General Data Protection Regulation (GDPR) is a comprehensive data protection and privacy law that took effect across the European Union in May 2018. It standardizes data protection rules for all EU member states and requires organizations worldwide that process the personal data of EU residents to comply. GDPR’s objectives are to strengthen individuals’ rights regarding their personal data, ensure transparency, and impose stringent obligations on businesses, including strict consent requirements, data breach notifications, appointment of Data Protection Officers (in certain cases), and potentially heavy penalties for non-compliance.

Difference Between DPDPA and GDPR

While both the DPDPA and the GDPR emphasize the protection of personal data, there are notable differences:

| Category | DPDPA | GDPR |
| --- | --- | --- |
| Scope | Applies to processing of digital personal data within India where the personal data is collected (1) in digital form, or (2) in non-digital form and subsequently digitized. | Applies to processing of personal data in the EU, wholly or partly by automated means, and to non-automated processing of personal data that forms part of a filing system or is intended to form one. |
| Legitimate Use | Allows certain “legitimate uses” without specific consent, including (1) data provided voluntarily, (2) data required for compliance with law, and (3) employment-related purposes. | Legitimate interest is one of six lawful bases for processing (consent, contract, legal obligation, vital interest, public tasks, or legitimate interest). |
| Notice Language | Every consent request must be accessible in English or any of the 22 languages listed in the Eighth Schedule to the Indian Constitution. | No requirement to provide notice in regional languages. |
| Consent Managers | Consent Managers, registered with the Data Protection Board, act on behalf of Data Principals to review, provide, manage, and withdraw consent. | No equivalent concept under the GDPR. |
| Data Breach Communication Timeline | Timeline not yet specified in the Act for notifying the Data Principal and the Data Protection Board of data breaches. | Breaches must be notified to the Supervisory Authority within 72 hours and possibly to affected Data Subjects. |
| Personal Data of Children | Consent from a parent/guardian is required for processing personal data of children under 18. | Parental consent is required for minors under age 16; EU Member States may lower this age to 13. |
| DPIA (Data Privacy Impact Assessment) | Only Significant Data Fiduciaries are required to conduct periodic DPIAs. | Data Controllers must conduct DPIAs for high-risk processing activities. |
| Nomination | Includes an additional right to nominate a person to exercise rights on behalf of the Data Principal. The Act omits the right to portability. The timeline to respond is not specified. | No right to nominate. GDPR provides the right to data portability. Organizations must respond to Data Subject requests within 30 days. |
| Cross-border Data Transfers | No mechanisms yet identified for transfers of personal data to other countries. | Specific mechanisms exist, including standard contractual clauses and binding corporate rules, for transferring data outside the EU. |
| Significant Data Fiduciary | Designation based on factors such as volume/sensitivity of data, risk to rights, sovereignty/integrity of India, electoral democracy, security of the state, and public order. | No direct equivalent. However, entities performing high-risk processing may need DPIAs, a DPO, and stricter security measures under the GDPR. |
| DPO (Data Protection Officer) | Only Significant Data Fiduciaries must appoint a DPO as a point of contact for the Data Protection Board. | A DPO is mandatory if the organization is a public authority, conducts large-scale systematic monitoring, or processes special categories of data or criminal data on a large scale. |
| Penalties | Penalties can extend up to INR 250 crores. | Penalties can be up to €20 million or 4% of the firm’s worldwide annual revenue, whichever is higher. |
| Records | No explicit obligation to maintain Records of Processing Activities (ROPA) under the Act as of now. This may be clarified in future rules. | Data Controllers and Processors must maintain ROPA. |

Comparative Compliance Strategies

Organizations operating in multiple jurisdictions must develop comprehensive compliance strategies that address the requirements of both the DPDPA and the GDPR. This involves:

  • Understanding the nuances of each regulation.
  • Implementing a unified data protection framework that meets the highest standards of both regulations.
  • Conducting regular audits to ensure ongoing compliance.