DPDP vs GDPR
What is shared, where they diverge, and where one privacy programme can serve both. Written for Indian startups serving both Indian and EU users — not a legal abstract, an operational map.
Last reviewed by checkDPDP editorial
Eighteen dimensions where the two regimes either align, overlap with rough edges, or genuinely diverge. The Practical column tells you what to do, not just what the law says.
| Dimension | DPDP Act 2023 (India) | GDPR (EU) | Practical implication |
|---|---|---|---|
| Year & geography | India · Act assented 11 Aug 2023 · Rules notified 13–14 Nov 2025 | European Union · in force 25 May 2018 | GDPR is the mature regime; DPDP is the operational launch of an Indian-adapted version. |
| Extraterritorial reach | Applies to processing of personal data of people in India, even by Fiduciaries outside India | Applies to processing of personal data of people in the EU/EEA, even by controllers outside | Both laws reach you wherever you are, if you target users in their territory. |
| Role names | Data Fiduciary / Data Processor / Data Principal / Consent Manager | Data Controller / Data Processor / Data Subject | Same architecture, different vocabulary. Consent Manager is a DPDP-only role. |
| Legal bases for processing | Consent (Section 6) or a narrow list of "legitimate uses" (Section 7) | Six bases (consent, contract, legal obligation, vital interests, public interest, legitimate interests) | No general legitimate-interest ground in DPDP — Indian-user data needs consent for most non-essential processing. |
| Cross-border transfers | Permissive default with a "negative list" of restricted countries (Section 16) | Restrictive default unlocked by adequacy decisions, SCCs or BCRs (Chapter V) | AWS us-east-1 is fine for Indian-user data today; the same flow for EU-user data needs SCCs. |
| Children threshold | Under 18 — verifiable parental consent required (Section 9) | Under 16 by default; Member States can lower to 13 | A 17-year-old in Bengaluru is a child; the same 17-year-old in Berlin is an adult. |
| Targeted ads to children | Banned outright — Section 9, no consent exception | Permitted with verifiable parental consent below the age threshold | Indian edtech, gaming and social products must ad-gate by verified age status. |
| Consent UX | Free, specific, informed, unconditional, unambiguous, clear affirmative action; withdrawal as easy as giving (Section 6(4)) | Same five qualifiers + freely given (Article 4(11), Article 7) | DPDP statutorily codifies the "as easy to withdraw" rule — EU enforces it via case law and DPA guidance. |
| Breach notification clock | Early intimation on awareness + detailed report to the Board within 72 hours (Rules) | Notify supervisory authority within 72 hours of becoming aware (Article 33) | Both clocks start when your team becomes aware — a pre-written playbook is mandatory under either regime. |
| Notification to affected individuals | Required — must include nature of breach, data categories, steps taken, contact (Section 8(6)) | Required when high risk to rights and freedoms (Article 34) | DPDP notification to Data Principals is mandatory; GDPR is risk-conditional. |
| Penalty ceiling | Fixed bands: ₹250 cr (Section 8(5)), ₹200 cr (breach / children), ₹150 cr (SDF), ₹50 cr (other) | €20m or 4% of global annual turnover, whichever is higher (Article 83(5)) | DPDP is not turnover-linked. A small Indian startup's ceiling is fixed; the GDPR ceiling scales with revenue. |
| Mitigation factors | Section 33(2) — gravity, repetition, deliberate vs negligent, mitigation, cooperation (6 factors) | Article 83(2) — similar 11-factor framework | Documented compliance evidence reduces penalty under both regimes; same evidence pack works for both. |
| DPO requirement | Only for Significant Data Fiduciaries (Section 10); must be India-resident, senior, reporting to Board | Required for large-scale monitoring or large-scale special-category processing (Article 37) | Indian SDF DPO cannot be a foreign-resident "global privacy lead" — must be India-resident. |
| Right to erasure | Section 12 — erasure when purpose is met, consent withdrawn, or no longer needed | Article 17 — right to be forgotten with explicit grounds | Same operational artefact: a working /rights intake page that routes deletions to your Grievance Officer. |
| Right to data portability | Not explicit in the Act | Yes — Article 20 (structured, commonly used format) | EU-user data needs a portability flow; Indian-user data does not (yet). |
| Right to object | Not explicit; withdrawal of consent is the closest mechanism | Yes — Article 21 | A unified rights flow that handles both is the cleanest dual-regime implementation. |
| Records of Processing (RoPA) | Not mandated, but Section 33(2) mitigation effectively requires one | Mandated by Article 30 above the small-org threshold | Maintain one RoPA. It satisfies GDPR and proves due diligence for DPDP. |
| Regulator | Data Protection Board of India (constituted; enforcement phased to 13 May 2027) | National DPAs coordinated by the EDPB | India has one central Board; the EU has 30+ DPAs. Cross-border enforcement is simpler under DPDP. |
Section references are to the DPDP Act, 2023 and the Rules notified by MeitY on 13–14 November 2025. Article references are to the General Data Protection Regulation (EU) 2016/679.
The artefacts a dual-regime Indian startup can build once and reuse across both laws.
- **Records of Processing (RoPA):** Mandated by GDPR Article 30 above the small-org threshold; counts as Section 33(2) mitigation evidence under DPDP. Build one document, satisfy both.
- **Data Processing Addendum:** Both regimes require a signed Data Processing Addendum on file for every external service that touches user data. One contract template citing both DPDP Section 8 and GDPR Article 28 works.
- **Breach-response runbook:** The 72-hour clock is the binding constraint under both regimes. One pre-written incident-response runbook with named roles serves both — use the DPDP timer (it's the shorter one).
- **Rights intake page:** A single /rights page with one form covering access, correction, erasure, nomination and grievance satisfies DPDP Sections 11–14 and GDPR Articles 12–22 simultaneously.
- **Security baseline:** The seven HTTP security headers + HTTPS + HSTS + 2FA + encrypted backups + patching cadence pass both Section 8(5) reasonable safeguards and GDPR Article 32.
- **Cookie banner:** Equal-weight Accept and Reject, default non-essential OFF, persistent 'Manage cookies' link, no dark patterns. The DPDP bar is higher than the EU median implementation, so the DPDP-compliant banner also passes GDPR.
Two places where one flow cannot serve both regimes — engineering work that branches by user region.
- **Children threshold:** DPDP fixes the child threshold at 18 with no lowering allowed. GDPR sets it at 16, lowered to 13 in some Member States. A 17-year-old in Bengaluru is a child under DPDP; the same 17-year-old in Berlin is an adult under most Member-State implementations. You cannot run one consent flow — you need region-routed verification logic with different age gates.
- **Cross-border transfers:** DPDP's permissive default means Indian-user data ships freely to AWS us-east-1, GCP europe-west, Cloudflare global. GDPR locks EU-user data inside the EEA by default and requires SCCs or an adequacy decision to unlock destinations. Build region-aware data routing once, document the rationale in your DPIA, then forget about it.
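Added example (not checkDPDP's code): a single region-routed policy layer in Python that covers both divergences above, the age gate and the transfer decision. The age thresholds follow the table; the country sets (an EEA subset, Belgium's 13-year override, the UK adequacy decision, an empty DPDP restricted list) are constructed for the example and must be checked against the current official lists before use.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Thresholds from the comparison above. The country sets are constructed for this
# example: EEA is a subset, the BE override, GB adequacy and the empty DPDP
# restricted list are assumptions to verify against current official lists.
DPDP_CHILD_AGE = 18
GDPR_DEFAULT_CHILD_AGE = 16
GDPR_CHILD_AGE_OVERRIDE = {"BE": 13}          # Member States may lower 16 to 13
EEA = {"DE", "FR", "IE", "NL", "BE"}
GDPR_ADEQUATE = {"GB"}                        # Chapter V adequacy decisions
DPDP_RESTRICTED = set()                       # Section 16 negative list: nothing notified yet

@dataclass(frozen=True)
class ConsentPolicy:
    regime: str
    is_child: bool
    parental_consent_required: bool
    targeted_ads_allowed: bool

def regime_for(user_country: str) -> str:
    """Route by the user's territory: DPDP for India, GDPR for the EEA."""
    if user_country == "IN":
        return "DPDP"
    if user_country in EEA:
        return "GDPR"
    raise ValueError(f"no regime configured for {user_country}")

def age_on(birth: date, today: date) -> int:
    """Completed years, correcting for a birthday not yet reached this year."""
    return (today.year - birth.year) - ((today.month, today.day) < (birth.month, birth.day))

def consent_policy(user_country: str, birth: date, today: date,
                   parental_consent_verified: bool = False) -> ConsentPolicy:
    regime = regime_for(user_country)
    if regime == "DPDP":
        threshold = DPDP_CHILD_AGE                 # fixed at 18, no lowering allowed
    else:
        threshold = GDPR_CHILD_AGE_OVERRIDE.get(user_country, GDPR_DEFAULT_CHILD_AGE)
    if age_on(birth, today) >= threshold:
        return ConsentPolicy(regime, False, False, True)
    if regime == "DPDP":                           # Section 9: no consent exception for ads
        return ConsentPolicy(regime, True, True, False)
    return ConsentPolicy(regime, True, True, parental_consent_verified)

def transfer_decision(user_country: str, destination: str, scc_on_file: bool = False) -> tuple[bool, str]:
    """DPDP: permissive default minus a negative list. GDPR: EEA, adequacy, or SCCs."""
    if regime_for(user_country) == "DPDP":
        blocked = destination in DPDP_RESTRICTED
        return (not blocked, "DPDP s.16: restricted destination" if blocked else "DPDP s.16: permissive default")
    if destination in EEA:
        return (True, "GDPR: intra-EEA, no transfer mechanism needed")
    if destination in GDPR_ADEQUATE:
        return (True, "GDPR Ch.V: adequacy decision")
    return (scc_on_file, "GDPR Ch.V: SCCs on file" if scc_on_file else "GDPR Ch.V: blocked until SCCs/BCRs in place")
```

Feed it the same user record twice with a different country code and the two regimes' answers to "is this a child?" and "may this row leave the region?" fall out of one code path, which is what keeps the DPIA rationale short.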
What dual-regime Indian startups ask us most often.
Roughly 60% of the way. A GDPR programme gives you the architecture (consent, rights, breach playbook, DPA contracts) but four DPDP-specific gaps remain: Section 6(4) statutory withdrawal symmetry, Section 9 children-data rules at the 18-year threshold, the absence of a general legitimate-interest carve-out, and the India-resident Grievance Officer publication. Close those and you cross the line.
Yes, with region-routed copy and category logic. Default non-essential to OFF, give Accept and Reject equal visual weight, expose a persistent 'Manage cookies' link, and route the consent state through a Consent Mode that honours both DPDP Section 6 and GDPR Article 7. The age gate is the place where region-specific branching is unavoidable — DPDP fixes the child threshold at 18, GDPR at 13–16 depending on the Member State.
Not explicitly. The DPDP Act does not include a stand-alone portability right; it covers access (Section 11) and correction/erasure (Section 12). For dual-regime startups, build a portability flow once to satisfy GDPR Article 20 — it adds zero overhead under DPDP and may be picked up later by amendments to the Rules.
Different math. GDPR fines scale with global annual turnover (up to 4%), so a large multinational's exposure is uncapped in absolute terms. DPDP fines are fixed bands per category of default: ₹250 crore for Section 8(5) security failures is the headline ceiling. For a small Indian startup, DPDP exposure is bounded; for a multinational with significant EU revenue, GDPR remains the larger exposure even though the headline DPDP number is bigger.
Possibly not. DPDP only requires a DPO once you are designated as a Significant Data Fiduciary under Section 10 — and even then, the DPO must be India-resident, senior, and reporting to the Board of Directors. Your existing GDPR DPO can advise but cannot fill the DPDP role unless they are India-resident and senior. Plan for a separate India-resident appointment if you expect SDF designation.
Yes, today. Section 16 of the DPDP Act takes a permissive default — transfers are allowed unless the Central Government notifies the destination as restricted. The US is not on any restricted list and is unlikely to be added in the near term. Sector regulators (RBI, IRDAI) may still impose stricter localisation for specific data categories (payment data, insurance data), so check the sector overlay before relying solely on Section 16.
The fastest way to find your DPDP gaps is to scan your live site. The deepest reading is the full DPDP Act guide and the dual-regime blog post.