GDPR · EU & UK · Updated June 2026

Complete guide to GDPR for Indian organisations

General Data Protection Regulation — EU Regulation 2016/679. What it covers, when it reaches Indian businesses, the six lawful bases, individual rights, DPIAs, international transfers, breach notification, and how DPDP 2023 compares. A practical manual for Indian SaaS, BPO, and IT-services teams processing EU residents' data.

  • Maximum fine: 4% of worldwide annual turnover or €20M, whichever is higher.
  • Breach notification: 72 hours from awareness to the supervisory authority.
  • Lawful processing: six Article 6 bases.
  • EEA transfers: SCCs or an adequacy decision required.

01 What GDPR is

GDPR is the EU regulation governing the processing of personal data of individuals in the EU and EEA; the test is where the data subject is, not citizenship or residence. It applies directly in all EU member states (a regulation is self-executing; a directive would need national transposition) and has been carried over into UK law as the UK GDPR after Brexit. It replaced the 1995 Data Protection Directive, entered into force in May 2016, and has applied since 25 May 2018. Enforcement is by national supervisory authorities (DPAs) with meaningful teeth: fines up to €20M or 4% of worldwide annual turnover of the preceding financial year, whichever is higher (Art.83(5)); a lower tier of €10M or 2% applies to breaches of controller and processor obligations such as Arts.25–39 (Art.83(4)).

GDPR is not just about fines. It is a customer-trust framework. Many enterprise procurement teams now require evidence of GDPR-compliant controls before signing — especially in fintech, health, and SaaS — making it a commercial necessity for Indian vendors serving EU customers.

02 Does GDPR apply to me?

GDPR applies on an extra-territorial basis under Article 3. An Indian organisation is subject to GDPR if:

  • Establishment criterion (Art.3(1)) — you have an establishment in the EU/EEA and the processing takes place in the context of its activities. The bar is low: a stable arrangement such as an office or subsidiary qualifies, and the CJEU (Weltimmo, C-230/14) accepted even a single representative acting on a company's behalf in a member state.
  • Targeting criterion (Art.3(2)) — you offer goods or services to individuals in the EU/EEA, paid or free, or you monitor their behaviour there (tracking, profiling, analytics).
Practical Indian-business test: a website that merely happens to be reachable from the EU is not enough, but EUR pricing, delivery to EU addresses, marketing aimed at a member state, or a BPO contract to process EU residents' records on behalf of a European client all bring you in scope. "We're based in India" is not a valid exemption.

03 Controller vs Processor

  • Controller — determines the purposes and means of processing personal data. Bears primary compliance responsibility. If you collect data from EU users for your own product, you are a controller.
  • Processor — processes data only on behalf of and under the instructions of a controller. Indian BPO, SaaS sub-processors, and IT-services vendors acting for a European controller are processors. Controllers must use only compliant processors; processors may not sub-process without controller authorisation.
  • Joint Controllers — two or more controllers jointly determine purposes and means. Each bears responsibility; a joint controller arrangement document is required (Article 26).
  • Sub-processor — a processor engaged by another processor. Your cloud provider, analytics tool, or support platform is typically a sub-processor. Art.28(2) requires the controller's prior specific or general written authorisation; under a general authorisation you must inform the controller of any intended addition or replacement and give it the chance to object, and the same contractual obligations must flow down to the sub-processor (Art.28(4)).

04 Six lawful bases for processing

Every processing activity needs a lawful basis from Article 6. For special-category data (health, biometric, genetic, sexual orientation, religious belief, etc.), Article 9 prohibits processing unless one of its own conditions (explicit consent, employment law, substantial public interest, and so on) is also met, on top of the Article 6 basis.

  • Consent — freely given, specific, informed, unambiguous, and withdrawable at any time as easily as it was given (Art.7). Hard to rely on in B2B contexts, where an imbalance of power or a bundled contract undermines "freely given".
  • Contract — processing necessary to perform a contract with the data subject, or to take pre-contractual steps at their request.
  • Legal obligation — processing necessary to comply with EU or member-state law. An obligation under Indian law (tax, company, or labour law) does not qualify under Art.6(1)(c); processing you must do for Indian compliance reasons usually rests on legitimate interests instead.
  • Vital interests — processing necessary to protect life. Narrow; last resort.
  • Public task — processing in the public interest or exercise of official authority. Mainly for government.
  • Legitimate interests — processing necessary for your (or a third party's) legitimate interests, unless overridden by data subject's interests and rights. Requires a balancing test; widely used by B2B SaaS for fraud prevention, security, analytics.

05 Individual rights

  • Right of access (Art.15) — confirmation of processing, a copy of the data, and supplementary information (purposes, recipients, retention period, source). Response within one month of receipt (Art.12(3)), extendable by two further months for complex or numerous requests if the data subject is told within the first month; normally free of charge.
  • Right to rectification (Art.16) — correct inaccurate or complete incomplete personal data.
  • Right to erasure "right to be forgotten" (Art.17) — erasure when no longer necessary, consent withdrawn, no overriding legitimate ground.
  • Right to restriction (Art.18) — restrict processing during a dispute or when processing is unlawful but erasure not desired.
  • Right to portability (Art.20) — receive data in structured, commonly used, machine-readable format; transmit to another controller.
  • Right to object (Art.21) — object to processing based on legitimate interests or public task; absolute right to object to direct marketing.
  • Rights re automated decision-making (Art.22) — not to be subject to solely automated decisions with legal or similarly significant effects.

Processors must assist controllers in fulfilling these rights (Art.28). Build intake mechanisms early — retrofitting is expensive.

06 DPIA — when and how

A Data Protection Impact Assessment (Article 35) is mandatory when processing is "likely to result in a high risk" to individuals. Article 35(3) names three cases that always require one, and supervisory authorities publish further lists:

  • Systematic and extensive evaluation of individuals based on automated processing, including profiling, that produces legal or similarly significant effects.
  • Large-scale processing of special-category data or criminal-conviction data.
  • Systematic monitoring of a publicly accessible area on a large scale (CCTV over public space is the textbook case; large-scale online tracking is usually caught instead by the EDPB's nine risk criteria, where meeting two or more normally means a DPIA is needed).
  • Activities on your lead supervisory authority's published "DPIA required" list (Art.35(4)).

A DPIA must describe: the processing and its purposes; an assessment of necessity and proportionality; the risks to individuals; and the measures to address them. Where residual risk remains high and cannot be mitigated, you must consult the supervisory authority before processing begins (Art.36).

07 Data Processing Agreement

Article 28 requires a binding contract between controller and processor. Mandatory elements:

  • Subject matter, duration, nature, and purpose of processing.
  • Type of data and categories of data subjects.
  • Processor shall process only on documented controller instructions.
  • Confidentiality obligations on authorised persons.
  • Security measures (Art.32 — appropriate technical and organisational measures).
  • Sub-processor authorisation and requirements.
  • Assistance to controller for rights requests, security incidents, DPIAs, notifications.
  • Deletion or return on contract termination.
  • Audit access.

Indian processors routinely sign DPAs presented by European customers. Review them carefully — many default to EU law / local arbitration and commit to Art.32 security standards that require documented controls.

08 International transfers — data leaving the EEA

Personal data can only leave the EEA if adequate protection exists (Chapter V):

  • Adequacy decision — the European Commission has determined that the destination country provides adequate protection. India does not yet have an adequacy decision.
  • Standard Contractual Clauses (SCCs) — the primary mechanism for India. The 2021 SCCs (Commission Implementing Decision (EU) 2021/914) are the current standard, with four modules (controller-to-controller, controller-to-processor, processor-to-processor, processor-to-controller); pick the module matching each flow. The clause text must be used unchanged: you complete the annexes and may add clauses only if they do not contradict the SCCs. For transfers out of the UK the EU SCCs alone are not valid; use the ICO's International Data Transfer Agreement (IDTA) or its UK Addendum to the EU SCCs.
  • Binding Corporate Rules (BCRs) — for intra-group transfers within a multinational. Requires supervisory authority approval; complex and expensive.
  • Codes of Conduct / Certifications — approved industry codes; limited use so far.
  • Derogations (Art.49) — explicit consent, performance of contract, public interest, legal claims, vital interests, important public register. Last resort; narrow.

Most Indian SaaS and BPO operating under European contracts use SCCs. Since Schrems II, SCCs must be paired with a Transfer Impact Assessment (TIA), following the EDPB's Recommendations 01/2020: document the exporter's and importer's assessment of Indian law, in particular government access and interception powers under the IT Act and its rules, and the DPDP Act, against the EU standard, and record any supplementary measures you adopt (for example encryption with keys held only in the EEA, or pseudonymisation before transfer).

09 Breach notification

  • Controller → supervisory authority: within 72 hours of becoming aware (Art.33(1)); required unless the breach is unlikely to result in a risk to individuals.
  • Controller → affected individuals: without undue delay (Art.34); required where the breach is likely to result in a high risk to them.
  • Processor → its controller: without undue delay after becoming aware (Art.33(2)); the DPA should fix a number, typically 24–48 hours. All breaches are reported upward; the controller decides whether onward notification is needed.

Notification to the authority is not optional once the threshold is met, and it cannot be deferred until the investigation is complete: Article 33(4) expressly allows the information to be provided in phases, so notify with what is known at 72 hours and supplement later. A late notification must be accompanied by the reasons for the delay (Art.33(1)). The clock starts when the controller becomes "aware", which the EDPB guidance reads as having a reasonable degree of certainty that a breach has occurred; a short initial check to confirm that an alert is a real breach is allowed, but the clock is not paused for full forensics and it runs through weekends and holidays. Awareness is attributed to the organisation, so the clock is not reset by how long an employee's report takes to reach the security team. A processor's own duty to tell its controller starts when the processor becomes aware.
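The two statutory clocks on this page behave differently at the edges: the 72-hour breach window runs in hours and never pauses, while the one-month window for rights requests (section 05) is a calendar month, so a request received on 31 January is due on 28 February, and a due date on a weekend or public holiday rolls to the next working day. The Python below is an added example, not code from this guide. It assumes the ICO's reading of "one month" (same calendar date next month, clamped to month end, rolled forward past weekends and a caller-supplied holiday list); confirm the practice of your lead supervisory authority before relying on it. All dates in it are constructed samples chosen to hit those edge cases.

```python
"""Deadline helpers for GDPR Art.33 (breach notification) and Art.12(3)
(response to data subject requests).

Added example, not code from the guide. Assumptions (labelled):
  - Art.33: 72 hours run continuously from the moment the controller has a
    reasonable degree of certainty a breach occurred; no weekend/holiday pause.
  - Art.12(3): one calendar month from the day of receipt, computed the way
    the ICO describes it: the same calendar date next month, the last day of
    that month if that date does not exist, rolled forward to the next working
    day if it lands on a Saturday, Sunday or a listed public holiday. Three
    months when the extension is invoked.
"""
from __future__ import annotations

import calendar
from datetime import date, datetime, timedelta

ART33_WINDOW = timedelta(hours=72)


def breach_due(aware_iso: str) -> str:
    """Supervisory-authority deadline (ISO-8601): awareness + 72 hours.

    aware_iso must carry a UTC offset ("2025-03-14T09:30:00+00:00"); a naive
    timestamp is rejected so the deadline cannot drift by a timezone.
    """
    aware_at = datetime.fromisoformat(aware_iso)
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return (aware_at + ART33_WINDOW).isoformat()


def breach_notification_late(aware_iso: str, notified_iso: str) -> bool:
    """True when notification lands after the 72-hour window, in which case
    Art.33(1) requires it to be accompanied by the reasons for the delay."""
    due = datetime.fromisoformat(breach_due(aware_iso))
    return datetime.fromisoformat(notified_iso) > due


def _add_months(start: date, months: int) -> date:
    """Same calendar date `months` later, clamped to the target month's last day."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def _next_working_day(d: date, holidays: frozenset[date]) -> date:
    """Roll forward past Saturdays, Sundays and listed public holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_due(received_iso: str, *, extended: bool = False,
             holidays: tuple[str, ...] = ()) -> str:
    """Response deadline (ISO date) for a rights request received on received_iso.

    extended=True applies the Art.12(3) extension of two further months, which
    is only available for complex or numerous requests and which the data
    subject must be told about within the original month.
    """
    received = date.fromisoformat(received_iso)
    hol = frozenset(date.fromisoformat(h) for h in holidays)
    due = _add_months(received, 3 if extended else 1)
    return _next_working_day(due, hol).isoformat()


if __name__ == "__main__":
    # Constructed sample dates chosen to hit the edge cases.
    print(breach_due("2025-03-14T09:30:00+00:00"))   # Friday morning -> Monday morning
    print(dsar_due("2025-01-31"))                     # 31 Jan -> 28 Feb (no 31 Feb)
    print(dsar_due("2025-09-04"))                     # 4 Oct is a Saturday -> Mon 6 Oct
    print(dsar_due("2025-11-25", holidays=("2025-12-25", "2025-12-26")))  # -> 29 Dec
    print(dsar_due("2025-01-31", extended=True))      # -> 30 Apr
```

Wire `dsar_due` into the intake ticket at creation time and `breach_due` into the incident record at the moment the incident commander records "confirmed breach", not at first alert; both values should be visible to whoever owns the response so the deadline is never recomputed by hand.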

10 EU Representative

Article 27 requires a controller or processor that is subject to GDPR but has no establishment in the EU to designate, in writing, a representative established in one of the member states where the data subjects it processes are located; that one representative serves as the single point of contact for all of them. The duty is waived (Art.27(2)) only where processing is occasional, involves no large-scale special-category or criminal-offence data, and is unlikely to result in a risk to individuals. The UK GDPR carries the same obligation separately, so an Indian company serving both markets needs an EU representative and a UK representative.

The representative is a contact point for supervisory authorities and data subjects. It does not assume your liability, but Recital 80 makes it a target for enforcement proceedings in the event of your non-compliance. Designation must be in writing (usually a service contract) and disclosed in your Privacy Notice. Services like DataRep, VeraSafe, and Bird & Bird's Rep Service offer this for approximately ₹1–3 lakh per year. If you have a single significant EU customer, a DPA with them may incorporate an agreed representative.

11 GDPR vs DPDP Act 2023

India's Digital Personal Data Protection Act 2023 (DPDP) broadly follows GDPR's structure. Key differences relevant to Indian organisations handling both EU and Indian data:

  • Basis of processing: DPDP allows only consent or the enumerated "legitimate uses" (s.7), a narrower set than GDPR's six bases with no general legitimate-interests balancing test.
  • Rights: both have access, correction, and erasure rights. DPDP has no portability right and no right against solely automated decisions; it adds a right to nominate another person to exercise your rights on death or incapacity (s.14).
  • Cross-border transfers: DPDP (s.16) permits transfers to any country except those the central government restricts by notification, a blacklist model; GDPR is the reverse, prohibiting transfers out of the EEA unless a Chapter V mechanism applies.
  • DPO: GDPR requires a DPO for public authorities and where core activities involve large-scale monitoring or special-category data (Art.37). DPDP requires a DPO based in India only for Significant Data Fiduciaries, a class the central government notifies under s.10; every other data fiduciary must publish the contact details of someone able to answer data principals' questions.
  • Breach notification: DPDP (s.8(6)) requires intimation to the Data Protection Board and each affected data principal in the form and within the time the rules prescribe; the Act itself fixes no 72-hour window.
  • Penalties: GDPR €20M / 4% global turnover; DPDP up to ₹250 crore for failing to take reasonable security safeguards and up to ₹200 crore for failing to notify a breach, per instance. Directionally comparable for mid-size enterprises.

If you've built GDPR compliance, DPDP will require relatively few additions — the major gap is building the consent record-keeping and data principal rights infrastructure for Indian-origin personal data.

12 Common mistakes

  • Assuming GDPR doesn't apply because you're India-based.
  • Treating consent as the default lawful basis — it's often the least suitable for B2B.
  • No records of processing activities (RoPA) under Art.30. The exemption for organisations with fewer than 250 employees falls away if processing is likely to result in a risk, is not occasional, or involves special-category or criminal-offence data (Art.30(5)); in practice almost every processor handling EU client data must keep one.
  • DPA with European customer not executed — or signed but never reviewed.
  • No EU Representative designated despite clear applicability.
  • SCCs missing, or still on the pre-2021 clauses. Schrems II invalidated Privacy Shield, not the old SCCs, but it created the TIA duty; the Commission then replaced the old clauses, which have not been valid for any contract since 27 December 2022.
  • Breach notification deferred pending full forensic investigation — 72 hours doesn't wait for that.
  • Privacy notice missing lawful basis, data retention periods, or transfer safeguards.
  • Sub-processors onboarded without controller authorisation or SCCs in place.

13 90-day roadmap

  • Days 1–15. Scoping — does GDPR apply? If yes, what data flows are in scope? Identify all personal data you collect, process, or receive relating to EU residents.
  • Days 15–30. Records of Processing Activities (RoPA) — document every processing activity, purpose, lawful basis, retention period, recipients.
  • Days 30–45. DPAs — inventory all processors and sub-processors; execute Art.28 DPAs with each. Update Privacy Notice to reflect current practices.
  • Days 45–60. Transfer safeguards — identify all data flows from EEA to India; implement 2021 SCCs + Transfer Impact Assessments. Designate EU Representative if required.
  • Days 60–75. Rights request process — intake mechanism for access/erasure/portability requests; documented procedure with a one-month response deadline (a calendar month, not 30 days) and a tracked path for the Art.12(3) extension.
  • Days 75–85. Breach response — document detection, internal escalation, and 72-hour supervisor notification procedure. Tabletop exercise.
  • Days 85–90. DPIA for high-risk activities; data minimisation review; workforce training on GDPR obligations; DPO assessment (needed?).
If you remember nothing else: two of the most common triggers for GDPR enforcement against vendors are missed breach notifications and ignored data subject access requests. Build those two workflows first; everything else can follow.

From "are we even in scope?" to GDPR-defensible

A 30-minute consultation. We scope your applicability, map your EU data flows, and give you a 90-day plan covering SCCs, DPA review, rights requests, and breach notification.