Part 2 of 6

GDPR Compliance for Indian Corporates

Understand when the EU General Data Protection Regulation applies to Indian companies, lawful bases for processing, data subject rights, and a comprehensive comparison between GDPR and DPDPA 2023.

Duration: ~100 minutes Sections: 4 Quiz: 12 Questions

2.1 When GDPR Applies to Indian Companies

The GDPR has extraterritorial reach under Article 3. Indian companies can fall under GDPR scope even without any physical presence in the EU. Understanding this applicability is critical for compliance planning.

Article 3(1): Establishment in the Union

Establishment Criterion
GDPR applies to processing of personal data in the context of activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

For Indian companies, this applies if:

  • EU subsidiary: Indian parent company has a subsidiary in EU
  • Branch office: Indian company operates a branch in EU member state
  • Representative office: Any form of stable presence in EU

Article 3(2): Targeting Criterion

Extraterritorial Application

GDPR applies to Indian companies (without EU establishment) if they process personal data of individuals in the EU when offering goods/services to them OR monitoring their behavior within the EU.

Offering Goods or Services [Article 3(2)(a)]

Factors indicating intent to offer goods/services to EU residents:

  • Language: Website available in EU languages (German, French, etc.)
  • Currency: Prices displayed in Euros or EU member currencies
  • Marketing: Advertising campaigns targeted at EU audiences
  • Domain: Use of EU country-specific domains (.de, .fr, .nl)
  • Shipping: Delivery options to EU countries
  • References: Mentioning EU customers or users

Critical Distinction

Mere accessibility of a website from the EU is NOT sufficient to trigger GDPR. There must be evidence of intent to target EU individuals. An Indian e-commerce site in English with INR prices that happens to be accessible from the EU is likely NOT covered.

Monitoring Behavior [Article 3(2)(b)]

Processing involving monitoring of data subjects' behavior within the EU:

  • Tracking cookies: Analyzing browsing behavior of EU visitors
  • Profiling: Creating profiles of EU individuals for targeted advertising
  • Behavioral analytics: Processing location data, preferences, activities
  • Health monitoring: Wearable devices tracking EU users' health data

Practical Scenarios for Indian Companies

Scenario                                 | GDPR Applicable? | Reasoning
-----------------------------------------|------------------|-------------------------------------------
Indian IT company with office in Ireland | Yes              | Establishment in EU (Article 3(1))
Indian SaaS serving EU enterprises       | Yes              | Offering services to EU (Article 3(2)(a))
Indian hotel booking EU tourists         | Maybe            | Depends on whether actively targeting EU
Indian pharma with EU clinical trials    | Yes              | Processing EU patient data
Indian BPO processing EU customer data   | Yes (processor)  | Processing on behalf of EU controller
Indian news site accessible from EU      | No               | Mere accessibility insufficient

2.2 Lawful Bases for Processing

Under Article 6, every processing activity must have a valid lawful basis. Unlike DPDPA's consent-centric approach, GDPR provides six equally valid bases. Choosing the right basis is crucial and should be documented before processing begins.

The Six Lawful Bases [Article 6(1)]

1. Consent [Article 6(1)(a)]
Data subject has given consent to processing for one or more specific purposes. Must be freely given, specific, informed, and unambiguous. Can be withdrawn at any time.
2. Contract [Article 6(1)(b)]
Processing necessary for performance of a contract with the data subject OR to take pre-contractual steps at their request. Common for employment, sales, service contracts.
3. Legal Obligation [Article 6(1)(c)]
Processing necessary for compliance with a legal obligation to which the controller is subject. Must be EU or member state law (not third country law like Indian law).
4. Vital Interests [Article 6(1)(d)]
Processing necessary to protect vital interests (life or death) of data subject or another person. Narrow application - medical emergencies, disaster situations.
5. Public Task [Article 6(1)(e)]
Processing necessary for performance of task in public interest or exercise of official authority. Primarily for public authorities. Limited relevance for Indian private sector.
6. Legitimate Interests [Article 6(1)(f)]
Processing necessary for legitimate interests of controller or third party, unless overridden by data subject's rights. Requires balancing test. NOT available to public authorities.

Legitimate Interest Assessment (LIA)

Three-Part Test

1. Purpose Test: Identify the legitimate interest being pursued
2. Necessity Test: Is processing actually necessary for that purpose?
3. Balancing Test: Do data subject rights override the interest?

Special Categories of Data [Article 9]

Processing of sensitive data is prohibited unless specific exemptions apply:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (for identification purposes)
  • Health data
  • Sex life or sexual orientation

Explicit Consent Required

Processing special category data requires explicit consent OR another Article 9(2) exemption. Standard consent under Article 6(1)(a) is insufficient. Indian companies processing EU health data (e.g., in pharma trials) must ensure explicit consent mechanisms.

2.3 Data Subject Rights

GDPR grants comprehensive rights to data subjects. Indian companies subject to GDPR must implement processes to handle Data Subject Access Requests (DSARs) within strict timelines.

Overview of Rights

Right                     | Article | Response Time | Key Requirements
--------------------------|---------|---------------|-------------------------------------------------------
Right to be Informed      | 13-14   | At collection | Privacy notice with mandatory information
Right of Access           | 15      | 1 month       | Copy of data + supplementary information
Right to Rectification    | 16      | 1 month       | Correct inaccurate data without delay
Right to Erasure          | 17      | 1 month       | Delete data in specified circumstances
Right to Restriction      | 18      | 1 month       | Limit processing in certain cases
Right to Data Portability | 20      | 1 month       | Receive data in machine-readable format
Right to Object           | 21      | Without delay | Object to processing based on LI/public task
Automated Decision-Making | 22      | Variable      | Right not to be subject to solely automated decisions

Handling DSARs: Best Practices

  1. Verify identity: Confirm the requester is the data subject (avoid a data breach by disclosure to the wrong person)
  2. Log the request: Document the receipt date to track the 1-month deadline
  3. Locate all data: Search across all systems including backups, emails, third-party processors
  4. Apply exemptions: Identify if any exemptions apply (e.g., third-party data, legal privilege)
  5. Respond comprehensively: Provide data and supplementary information per Article 15

Compliance Tip

The 1-month deadline can be extended by 2 months for complex requests, but you must inform the data subject within the first month. Document reasons for any extension.

Right to Erasure (Right to be Forgotten)

Data subjects can request erasure when:

  • Data no longer necessary for original purpose
  • Consent withdrawn and no other legal basis exists
  • Data subject objects and no overriding legitimate grounds
  • Data processed unlawfully
  • Legal obligation to erase
  • Data collected in relation to offer of information society services to a child

Erasure Exceptions

Right to erasure does not apply if processing is necessary for: exercising freedom of expression, legal compliance, public health, archiving/research purposes, or legal claims. Document your basis if refusing erasure.

2.4 GDPR vs DPDPA Comparison

For Indian companies operating under both regimes, understanding the differences is crucial for developing a harmonized compliance framework. While both laws share core principles, significant variations exist.

Aspect                 | GDPR                                                        | DPDPA 2023
-----------------------|-------------------------------------------------------------|------------------------------------------
Scope                  | All personal data (digital and non-digital)                 | Digital personal data only
Territorial Reach      | EU + targeting/monitoring EU individuals                    | India + offering goods/services to India
Lawful Bases           | 6 equal bases including legitimate interest                 | Consent + limited legitimate uses
Sensitive Data         | Special category with enhanced protections                  | No separate category (yet)
Data Subject Duties    | None                                                        | Yes - duties with Rs. 10,000 penalty
DPO Requirement        | Conditional (large scale, sensitive data, public authority) | Only for Significant Data Fiduciaries
Breach Notification    | 72 hours to supervisory authority                           | Timeline to be prescribed
Cross-Border Transfers | Adequacy/SCCs/BCRs required                                 | Allowed unless country restricted
Maximum Penalty        | 20 million EUR or 4% global turnover                        | Rs. 250 Crore (fixed amounts)
Consent Manager        | No equivalent                                               | Registered consent management platforms
Right to Portability   | Yes                                                         | Not explicitly provided
Right to Object        | Yes (to LI/public task processing)                          | Not explicitly provided
Automated Decisions    | Right to human intervention (Article 22)                    | Not addressed

Key Differences Explained

Legitimate Interest

  • GDPR: Full legitimate interest basis with balancing test
  • DPDPA: No general legitimate interest; only specific "legitimate uses" in Section 7
  • Impact: Many GDPR-compliant activities may require consent under DPDPA

Cross-Border Transfers

  • GDPR: Requires adequacy decision, SCCs, BCRs, or derogations
  • DPDPA: Allowed by default; only restricted countries blocked
  • Impact: Easier India-to-world transfers; harder world-to-India without India adequacy

Penalty Structure

  • GDPR: Percentage-based (up to 4% global turnover)
  • DPDPA: Fixed maximum amounts (up to Rs. 250 Cr)
  • Impact: GDPR potentially more punitive for large multinationals

Enforcement Body

  • GDPR: National supervisory authorities (DPAs) in each EU member state
  • DPDPA: Single Data Protection Board of India
  • Impact: GDPR may face multiple regulators; DPDPA has centralized enforcement

Harmonization Strategy

For Indian companies subject to both: (1) Map all processing activities, (2) Apply the stricter requirement for each element, (3) Maintain separate documentation for each jurisdiction, (4) Implement GDPR-standard DSR processes (which will exceed DPDPA requirements), (5) Consider GDPR-compliant cross-border transfer mechanisms proactively.

Key Takeaways

  • GDPR applies to Indian companies targeting EU individuals or monitoring their behavior, even without EU presence
  • Six lawful bases exist under GDPR - legitimate interest is powerful but requires documented balancing test
  • Special category data needs explicit consent or specific Article 9(2) exemption
  • DSARs must be responded to within 1 month (extendable to 3 months for complex requests)
  • DPDPA is consent-centric while GDPR allows more flexible bases including legitimate interest
  • Cross-border transfers easier under DPDPA but may need GDPR mechanisms for data coming from EU

Part 2 Assessment Quiz

Test Your Knowledge

12 questions covering GDPR compliance for Indian corporates
