GDPR applies to any organisation processing personal data of EU residents regardless of where the organisation is located. An Indian software company in Bengaluru processing EU customer data for its German client is subject to GDPR. Fines for serious violations: up to EUR 20 million or 4% of global annual turnover — whichever is higher.
The 6 essential GDPR obligations for Indian IT companies:
1. Data Processing Agreement (DPA). When processing EU personal data on behalf of an EU client (as a data processor), a DPA must be in place specifying what data is processed, purposes, security measures, sub-processing arrangements, and obligations of both parties. EU clients will not engage Indian IT vendors without a signed DPA.
2. Standard Contractual Clauses (SCCs). Data transfers from EU to India require SCCs — standard contractual terms approved by the EU Commission. Include Module 2 SCCs (Controller-to-Processor) in all India-EU contracts.
3. Data Protection Officer. Indian IT companies processing EU personal data at large scale should appoint a DPO who monitors compliance, conducts Data Protection Impact Assessments, and serves as the contact point for EU supervisory authorities.
4. Records of Processing Activities. Maintain a record of all personal data processing: what data, what purpose, where stored, who has access, retention period. Mandatory for organisations with 250+ employees.
5. Data breach notification. Notify the EU client within 24 hours (a contractual requirement) and the relevant supervisory authority within 72 hours if the breach poses a risk to individuals. Have a breach response plan ready.
6. Technical security measures. Implement encryption at rest and in transit, role-based access controls, multi-factor authentication, regular penetration testing, and security awareness training. Document these measures for client audits.