
GDPR Compliance Guide for Indian Companies

The General Data Protection Regulation has extra-territorial scope. Indian companies processing personal data of individuals in the EU must comply, regardless of where the company is based. Here is the practical GDPR compliance guide for Indian businesses.

Published 23 May 2026. 9 min read. Codesecure Compliance Practice.

Key Takeaways

  • GDPR applies extra-territorially: Indian companies processing EU personal data must comply even with no EU presence.
  • Lawful basis: six options including consent, contract, legal obligation, vital interests, public task, legitimate interests.
  • Data subject rights: access, rectification, erasure (right to be forgotten), restriction, portability, objection.
  • Breach notification within 72 hours to the supervisory authority. Data subject notification where high risk to rights and freedoms.
  • Fines up to 4 percent of global annual turnover or EUR 20 million, whichever is higher. The 4 percent ceiling has been applied at material scale in EU enforcement.

GDPR Scope for Indian Companies

Article 3(2) of GDPR establishes extra-territorial scope. GDPR applies to processing of personal data of individuals in the EU by a controller or processor not established in the EU, where the processing relates to (a) offering goods or services to individuals in the EU, or (b) monitoring the behaviour of individuals in the EU.

Practical implications for Indian companies: any Indian SaaS, e-commerce, IT services, BPO, KPO, marketing analytics or consumer service that has EU customers or users is in scope. Having no physical EU office does not exempt a company; on the contrary, it triggers the Article 27 representative requirement.

Lawful Basis for Processing

Article 6 sets out six lawful bases for processing personal data. The Data Controller must identify and document the lawful basis for each processing activity:

  • Consent: freely given, specific, informed, unambiguous. Higher bar than DPDP and many local laws.
  • Contract: processing necessary to perform a contract with the data subject.
  • Legal obligation: processing required by EU or member state law.
  • Vital interests: processing necessary to protect life.
  • Public task: processing in exercise of official authority.
  • Legitimate interests: processing necessary for legitimate interests pursued by the Controller, balanced against data subject rights and interests. Requires a documented balancing test.

Most Indian B2C processing relies on consent or contract. Most B2B processing relies on contract or legitimate interests. The choice affects which rights apply (the right to be forgotten and portability both vary with the lawful basis).


Data Subject Rights

GDPR data subject rights are broader than DPDP and must be operationalised:

  • Access: provide a copy of the personal data being processed plus information about the processing.
  • Rectification: correct inaccurate personal data.
  • Erasure: delete personal data where the lawful basis no longer applies (right to be forgotten, subject to exceptions).
  • Restriction: limit processing during a dispute.
  • Portability: receive personal data in a structured, machine-readable format for transfer to another controller (applies for the consent or contract basis).
  • Objection: object to processing based on legitimate interests or for direct marketing.

Response timeline: one month from request, extendable to three months for complex requests. Free of charge unless manifestly unfounded. Indian companies serving EU customers must build response capability into product or process.

Breach Notification (72 Hours)

Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in risk to rights and freedoms of natural persons). The notification must include the nature of the breach, categories and approximate number of data subjects, likely consequences, measures taken.

Article 34 requires notification to data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms.

The 72-hour window is short. Indian companies subject to GDPR must have an IR plan that can produce a structured notification quickly. The clock starts from awareness, not from when the breach occurred, so slow detection compresses the time left to respond.

International Data Transfers

Data transfer from the EU to a third country (including India) requires a legal mechanism. India is not on the European Commission's adequacy list, so transfers to India require Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or explicit consent.

SCCs are the dominant mechanism. The 2021 revised SCCs are the current version. Indian Data Processors handling EU data on behalf of EU Data Controllers typically sign SCCs as Module 2 (Controller to Processor) or Module 3 (Processor to Processor). Transfer Impact Assessment (TIA) is increasingly expected since Schrems II to demonstrate that local law in India does not undermine SCC protections.


Article 27 Representative

Indian Data Controllers and Processors with no EU establishment must appoint an EU representative under Article 27. The representative acts as the contact point for supervisory authorities and data subjects within the EU.

Several specialised firms offer Article 27 representative services for non-EU companies (typically based in Ireland, Germany, Netherlands or Luxembourg). Cost is modest (EUR 500 to 5000 per year depending on data volume and risk profile).

DPO Requirements and Fines

A Data Protection Officer is required where the controller or processor is a public authority, where core activities require regular and systematic monitoring of data subjects on a large scale, or where core activities involve large-scale processing of special categories of data. The DPO can be in-house or outsourced and must be independent, reporting to the highest management level.

Fines are tiered. Lower tier: up to EUR 10 million or 2 percent of global annual turnover (records, security, breach notification, DPO appointment). Higher tier: up to EUR 20 million or 4 percent of global annual turnover (basic processing principles, consent, data subject rights, transfers, supervisory authority orders). Within each tier, whichever of the fixed amount or the percentage of turnover is higher applies.

EU regulators have applied multi-million-euro fines at scale. The risk for Indian companies is meaningful, especially as enforcement matures and complaints from EU data subjects against non-EU processors become more common.

GDPR vs DPDP Act: Key Differences

  • Scope: GDPR covers all personal data; DPDP covers digital personal data only.
  • Penalties: GDPR uses a percentage of turnover; DPDP uses a fixed ceiling per incident.
  • Consent: DPDP relies more heavily on consent; GDPR has six lawful bases.
  • Sensitive data: GDPR has explicit special categories with additional protections; DPDP does not yet distinguish a sensitive data category.
  • DPO: required under GDPR in specified cases; under DPDP required only for Significant Data Fiduciaries (SDFs).
  • Cross-border: GDPR is restrictive (adequacy or SCCs); DPDP is permissive (except for restricted countries).

Most Indian SaaS subject to both run unified programmes that meet GDPR (the stricter standard for most controls) and document DPDP-specific overlays. Codesecure delivers integrated GDPR plus DPDP programmes.


Frequently Asked Questions

Do we need GDPR compliance if we only have a few EU customers?

Yes. GDPR applies regardless of customer count. The volume affects practical risk and audit attention but not the legal obligation.

Is Indian DPDP compliance sufficient for GDPR?

No. GDPR is stricter on most points (consent, data subject rights, cross-border transfers, supervisory authority engagement, breach notification timing). DPDP alone does not satisfy GDPR. A unified programme that meets GDPR also meets DPDP.

Do we need an EU representative?

If you process EU personal data and have no EU establishment, yes. Outsource to a specialist firm; cost is modest. Most Indian companies have not done this and are in low-grade non-compliance.

What about Schrems II and TIA?

Transfer Impact Assessment is now expected to accompany SCCs for non-EU transfers. The TIA documents legal protections in the destination country and supplementary measures (encryption, access controls) that reduce risk.

Are there GDPR fines against Indian companies?

Direct enforcement against non-EU companies has been limited so far but increasing. Indirect enforcement (EU customer terminates the contract, EU partner refuses to share data) is already common at material scale.

Can Codesecure help with GDPR compliance?

Yes. Codesecure delivers GDPR gap assessment, programme design, DPO support, SCC implementation, breach response, and integrated GDPR plus DPDP programmes for Indian businesses serving EU customers.


Codesecure Compliance Practice

ISO 27001 LA / CISSP / CISA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers compliance programmes covering ISO 27001, SOC 2, PCI DSS, DPDP, HIPAA, GDPR, RBI, SEBI, IRDAI and NIST CSF for Indian businesses. Named ISO 27001 Lead Auditor, CISSP and CISA consultants. 150+ engagements across India, Singapore, UAE and the Middle East.
