India DPDP Act vs GDPR: What EU Buyers Are Asking Indian IT Companies

India's Digital Personal Data Protection Act (DPDP) 2023 is being operationalised through implementing rules and the Data Protection Board of India. EU buyers of Indian IT services are responding with specific questions about DPDP implications for GDPR-compliant data transfers.

The key questions EU buyers are asking:

Q1: Does DPDP provide equivalent data protection to GDPR? A: DPDP and GDPR share core principles (purpose limitation, data minimisation, storage limitation, accuracy) but differ in enforcement, data subject rights scope, and cross-border transfer mechanisms. EU Commission has not yet granted India an adequacy decision. Standard Contractual Clauses remain required for EU-to-India personal data transfers.

Q2: Does DPDP affect our Standard Contractual Clauses? A: SCCs between EU data controllers and Indian data processors remain legally valid and required for GDPR compliance. DPDP does not replace SCCs — it creates additional obligations on Indian data processors that layer on top of SCC commitments.

Q3: Does DPDP require data localisation that would prevent EU data being processed in India? A: DPDP's data localisation provisions apply to specific "significant data fiduciaries" to be specified by the government. Most Indian IT service providers will not be classified as significant data fiduciaries and will not face blanket data localisation requirements.

What Indian IT companies should communicate to EU buyers: DPDP compliance demonstrates India's commitment to data protection. SCCs remain in place for GDPR compliance. India is engaging with EU Commission on adequacy decision discussions. Provide EU buyers with a legal opinion on DPDP-GDPR interaction from EU privacy counsel for major client relationships.