
GDPR in India vs DPDP Act — what applies to your AI in 2026

Clause-by-clause comparison of GDPR and India's DPDP Act 2023 for AI deployments. Where the two laws overlap, where they diverge, and the single-stack design pattern for dual-regime products.

By Dr. Nitnem Singh Sodhi · 8 min read

Answer
GDPR applies in India when an Indian organisation processes the personal data of EU/EEA residents, regardless of where the processing happens (GDPR Article 3 extraterritorial scope). India's own law — the Digital Personal Data Protection Act 2023 (DPDP) — applies in parallel for Indian residents. The two laws share the same skeleton (lawful basis, purpose limitation, security, breach notification, data subject rights) but differ sharply on consent mechanics, cross-border transfers, and regulatory penalties. If your AI processes both Indian and EU users, you must comply with both — and the practical bar is GDPR, not DPDP.

GDPR vs DPDP — short version
GDPR is the EU regulation that protects EU/EEA personal data globally. DPDP is the Indian Act that protects digital personal data of Indians. Both can apply simultaneously to the same AI system. GDPR is more prescriptive; DPDP is more consent-centric and lighter on data-subject rights.
TL;DR
  • If your Indian AI startup touches any EU user data, GDPR applies — DPDP does not exempt you.
  • GDPR has six lawful bases. DPDP has effectively two: consent and "legitimate use".
  • DPDP fines cap at ₹250 crore per instance. GDPR caps at 4% of global annual turnover (uncapped in absolute terms).
  • Cross-border transfer: GDPR is restrictive by default. DPDP is permissive by default (Section 16 negative-list model).
  • If you design to GDPR, you will pass DPDP. The reverse is not true.

The clause-by-clause comparison

GDPR VS DPDP, 2026 OPERATIONAL VIEW
Territorial scope
  GDPR (EU 2016/679): Anyone processing EU personal data globally (Art. 3)
  DPDP Act 2023 (India): Processing of Indian digital personal data, in India or abroad if for offering goods/services to Indians

Lawful bases
  GDPR: 6: consent, contract, legal obligation, vital interests, public task, legitimate interests (Art. 6)
  DPDP: 2: consent and 'certain legitimate uses' (Sec. 4 + Sec. 7)

Consent standard
  GDPR: Freely given, specific, informed, unambiguous; affirmative action
  DPDP: Free, specific, informed, unconditional, unambiguous; with clear affirmative action — and a request in plain language

Data subject rights
  GDPR: Access, rectification, erasure, restriction, portability, objection, automated-decision rights (Art. 15–22)
  DPDP: Access, correction, erasure, grievance redressal, nomination (Sec. 11–14). NO portability, NO right against automated decisions

Cross-border transfer
  GDPR: Restricted; needs adequacy decision, SCCs, BCRs, or derogation (Ch. V)
  DPDP: Permitted unless to a country on the Central Government negative list (Sec. 16)

Breach notification
  GDPR: Within 72 hours to supervisory authority (Art. 33)
  DPDP: To Data Protection Board, no fixed timeline in Act (rules forthcoming)

DPIA / impact assessment
  GDPR: Mandatory for high-risk processing (Art. 35)
  DPDP: Mandatory only for Significant Data Fiduciaries (Sec. 10)

Penalty ceiling
  GDPR: €20M or 4% of global annual turnover, whichever higher (Art. 83)
  DPDP: ₹250 crore per instance (Schedule, Sec. 33)

Regulator
  GDPR: National DPAs + EDPB
  DPDP: Data Protection Board of India (DPBI)

Children's data
  GDPR: Under 16 (member states can lower to 13) needs parental consent
  DPDP: Under 18 — strict parental consent + no behavioural tracking or targeted advertising

Where Indian AI teams get tripped up

1. Assuming DPDP is "GDPR Lite"

It is — except where it isn't. DPDP's children's-data rule (under 18, no behavioural tracking, no targeted ads) is stricter than GDPR. An Indian AI product that targets college students with personalised recommendations is far easier to defend under GDPR than under DPDP.

2. Treating "legitimate interests" as a free pass

GDPR Article 6(1)(f) requires a three-part balancing test — purpose, necessity, and the data subject's rights. DPDP does not have a true "legitimate interests" basis; Section 7 lists a closed set of "certain legitimate uses" (employment, state functions, medical emergency, etc.). You cannot use Section 7 the way EU controllers use Article 6(1)(f).

3. Cross-border transfer assumptions in both directions

Indian AI startups often assume "DPDP is permissive, so we can train on global data". True for Indian personal data going outbound — but if that pipeline ingests EU data, GDPR Chapter V applies the moment EU data lands. Conversely, EU-based teams using Indian data sub-processors should not assume DPDP's permissive transfer regime works in reverse.

4. Automated-decision rights

DPDP has no equivalent of GDPR Article 22 (right not to be subject to solely-automated decisions). An Indian credit-scoring AI that would be legally constrained under GDPR can run more freely under DPDP — but RBI's Responsible AI Framework 2024 imposes parallel constraints in the financial-services sector specifically.

The single-stack design pattern

For any AI product serving both Indian and EU users (which is most India-built SaaS in 2026), the working pattern is: design to GDPR, document for DPDP.

  • Pick consent as the lawful basis universally — it works under both.
  • Implement portability and automated-decision objection even though DPDP doesn't require it. It's the cheapest way to future-proof, and the draft DIA is likely to add similar rights.
  • Treat 72-hour breach notification as universal policy.
  • Adopt the EU's high-risk DPIA template — it satisfies DPDP's Significant Data Fiduciary obligation.
  • Layer in ISO 27701 (privacy information management) — it operationalises both regimes.

What changes if your AI is a foundation model fine-tune

Both regimes get interesting when training data is the question. GDPR's recital 26 plus the EDPB 2024 opinion on AI models has effectively made unconsented scraping of EU personal data for training indefensible. DPDP's Section 17(2)(b) exempts "publicly available" personal data — which on a plain reading is permissive for training, but Indian commentators expect rules to narrow this. Conservative recommendation: do not assume Section 17(2)(b) covers your training corpus long-term.

Frequently asked

Does GDPR apply to Indian companies?
Yes, when an Indian organisation processes personal data of EU/EEA residents — regardless of where the processing happens. Article 3 of the GDPR gives it extraterritorial scope.
Is DPDP a copy of GDPR?
No. DPDP shares the same skeleton (lawful basis, purpose limitation, security, breach notification, data subject rights) but is significantly lighter — only consent and a closed list of 'certain legitimate uses' as lawful bases, no portability, no automated-decision rights, permissive cross-border transfer by default.
What is the maximum fine under DPDP vs GDPR?
DPDP caps at ₹250 crore per instance under its Schedule. GDPR caps at €20 million or 4% of global annual turnover, whichever is higher — uncapped in absolute terms.
If I comply with GDPR, am I automatically DPDP compliant?
Largely yes for the data-protection skeleton, but not for DPDP's stricter children's-data rule (under 18, no behavioural tracking), and not automatically for India-specific obligations such as breach notification timelines, once the DPDP rules that set them are notified.
Which lawful basis works for AI under both regimes?
Consent is the only lawful basis that works cleanly under both GDPR and DPDP. Build to consent universally; the design overhead is worth the regulatory simplicity.
Next step

One audit. GDPR and DPDP both, side by side.

Our audit maps your AI to GDPR Articles 5–32 and DPDP Sections 4–17 in a single PDF — designed for procurement teams that ask for both.

Bharat NeuroTech offers self-serve AI audits across 12 global and Indian standards from ₹799, with Dr. Sodhi personally signing engagements under ISO/IEC 42001, 27001 and 27701.
