Complete 2026 overview of GDPR for Indian businesses: scope, lawful bases, data subject rights, penalties, and alignment with the DPDP Act.
General Data Protection Regulation: A 2026 Compliance Guide for Indian Businesses
The General Data Protection Regulation (GDPR) has been enforceable since 25 May 2018. In 2026, it applies to every Indian business that processes personal data of individuals in the European Union; your registered address in Bengaluru or Mumbai changes nothing. If your SaaS platform has a German subscriber, your BPO handles EU employee payroll, or your website accepts Euro payments from Amsterdam, you are in scope. The 72-hour breach notification clock, eight data subject rights, and fines reaching €20 million or 4% of global annual turnover are live obligations today, and regulators are now actively pursuing non-EU exporters.
Who GDPR Applies To, Including Indian Businesses
GDPR's reach flows from Article 3, which contains two independent jurisdictional hooks.
The establishment principle catches any controller or processor with an "establishment" in the EU: a branch, subsidiary, or even a single employee based in an EU Member State. If your Indian company has a business development manager working from Frankfurt, you have an EU establishment.
The targeting principle catches organisations outside the EU that either offer goods or services to EU data subjects or monitor their behaviour. Indicators of offering include: EU-language interfaces, Euro-denominated pricing, .eu domain names, EU-specific marketing campaigns, or accepting payment methods predominantly used in the EU. Monitoring includes behavioural analytics, ad-conversion tracking, and user-session profiling.
The following Indian business categories are in scope under the targeting principle, even without any EU office:
- IT services and BPO firms processing HR, payroll, or customer data on behalf of EU clients
- SaaS companies with EU subscribers, including free-tier users
- E-commerce platforms shipping to, or accepting payments from, the EU
- Healthcare organisations handling EU patient data, clinical trial records, or genomic data
- Recruiters and staffing platforms attracting EU job-seekers
- Freelancers providing consulting, design, or legal services to EU clients
- Mobile app developers whose apps are downloadable in EU app stores and used by EU residents
One immediate obligation for companies caught by the targeting principle: Article 27 requires you to appoint, in writing, a representative located in an EU Member State, a named person or entity who can be contacted by supervisory authorities and data subjects. This representative is not a DPO substitute; it is an independent requirement. Failure to appoint one is itself a compliance breach.
The Six Lawful Bases: Choosing Before You Start
Article 6 lists six lawful bases for processing personal data. You must identify and document the applicable basis before processing begins, not retroactively. Switching bases mid-process is prohibited (Recital 40). Processing without a documented lawful basis is per se unlawful.
- Consent (Article 6(1)(a)): Freely given, specific, informed, and unambiguous. Pre-ticked boxes, implied consent, and consent bundled into general T&Cs are all invalid. You must be able to demonstrate when and how consent was obtained (timestamped records with the version of the notice shown).
- Contract (Article 6(1)(b)): Processing necessary to perform a contract with the data subject, or to take pre-contractual steps at their request. Classic example: storing a customer's delivery address to fulfil an order.
- Legal obligation (Article 6(1)(c)): Required by EU or Member State law. Example: PAYE reporting obligations under employment law.
- Vital interests (Article 6(1)(d)): Protecting life in an emergency. Narrow, rarely applicable to commercial activity.
- Public task (Article 6(1)(e)): Applicable primarily to public authorities and bodies exercising official powers. Private businesses cannot generally rely on this.
- Legitimate interests (Article 6(1)(f)): The most flexible commercial basis, but it requires a documented three-part test: (a) identify a genuine legitimate interest; (b) show the processing is necessary for it; and (c) perform a balancing test: do your interests override the data subject's rights and freedoms? If data subjects would not reasonably expect the processing, or if it causes disproportionate harm, this basis fails. Keep the balancing test on file.
Practical selector: For marketing to existing customers, legitimate interests is usually defensible with a documented balancing test. For marketing to new prospects, consent is safer. For HR data, a mix of contract (performance) and legal obligation applies. For website analytics and behavioural tracking, consent is typically required because the processing involves monitoring individuals who have not yet entered a contractual relationship with you.
Data Subject Rights and the Response Deadlines You Must Meet
GDPR Articles 12–22 grant eight rights to individuals (called "data subjects"). As a controller, you need a mechanism to receive, verify the identity of, and respond to each type of request.
| Right | Response window | Your key obligation |
|---|---|---|
| Right to be informed | At point of collection | Privacy notice covering all Article 13/14 items |
| Right of access (Subject Access Request) | 1 month (extendable to 3) | Provide copy of data, purposes, recipients, retention periods |
| Right to rectification | 1 month | Correct inaccurate or complete incomplete data |
| Right to erasure ("right to be forgotten") | 1 month | Delete unless a retention ground applies (legal obligation, legal claims, etc.) |
| Right to restrict processing | Without undue delay | Pause processing while a dispute is resolved |
| Right to data portability | 1 month | Provide data in a machine-readable format (JSON, CSV, or XML) |
| Right to object | Without undue delay | Stop processing unless compelling legitimate grounds override the objection |
| Rights re: automated decisions | 1 month | Provide human review for decisions producing significant legal or similar effects |
The one-month response clock starts on the day you receive the request, not the day you verify the person's identity. You may extend by two further months for complex or numerous requests, but you must notify the data subject of the extension within the first month, stating the reason.
Access is free unless the request is "manifestly unfounded or excessive." Charging a blanket administrative fee upfront is a breach. Charging with documented justification for a second copy within a short period may be defensible, but should be the exception, not the rule.
Your Core GDPR Compliance Obligations
Record of Processing Activities (Article 30)
Maintain a written ROPA documenting: your identity and contact details; the purposes of each processing activity; categories of data subjects and personal data; recipients and sub-processors; transfers to third countries and the transfer mechanism used; retention periods; and a description of technical and organisational security measures.
Organisations with fewer than 250 employees are nominally exempt, unless processing is non-occasional, involves special categories (health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation), or poses a risk to individuals' rights and freedoms. Almost all commercial EU data processing by an Indian business is "non-occasional." Maintain the ROPA regardless of headcount. It is your first line of evidence in a regulatory audit.
Data Protection Impact Assessments (Article 35)
A DPIA is mandatory before commencing any processing "likely to result in a high risk" to individuals. Mandatory triggers include: large-scale processing of Article 9 special categories; systematic monitoring of public areas; processing children's data at scale; profiling with significant legal effects; deploying new technology (AI, biometrics, IoT). Document the risks, their likelihood and severity, the mitigations applied, and the residual risk. If high residual risk remains after mitigation, you must consult the supervisory authority under Article 36 before going live.
Data Protection Officer (Article 37)
A DPO is mandatory if you are: a public authority; engaged in large-scale, regular, and systematic monitoring of individuals as a core activity; or engaged in large-scale processing of special categories as a core activity. The DPO must report to the highest level of management, have no conflict of interest, and be provided with adequate resources. For most Indian IT and SaaS companies processing EU data under processor contracts, a DPO is not technically mandatory, but EU clients expect one in RFP questionnaires and vendor due-diligence reviews.
Data Processing Agreements (Article 28)
Every engagement of a "processor" (a cloud host, payroll vendor, email marketing tool, sub-contractor BPO, or analytics platform) requires a written, signed DPA before processing begins. The DPA must specify: subject matter and duration, nature and purpose of processing, types of personal data and categories of data subjects, and the obligations and rights of the controller. AWS, Azure, Google Cloud, and Salesforce publish standard DPAs. Accept them only after verifying they cover your actual data categories. Processors of special category data frequently require an addendum.
Breach Notification (Article 33)
Report personal data breaches to the relevant supervisory authority within 72 hours of becoming aware. This is 72 calendar hours; weekends and public holidays are not excluded. A partial notification filed on time is better than a complete notification filed late: Article 33(4) expressly permits phased notification where full information is not yet available. Where the breach is likely to result in high risk to individuals, you must also notify affected data subjects "without undue delay" under Article 34.
Cross-Border Data Transfers: The Post-Schrems II Reality for Indian Companies
Chapter V of GDPR prohibits transferring EU personal data to a third country unless an adequate level of protection is guaranteed. As of May 2026, India has no adequacy decision from the European Commission. Every transfer of EU personal data to an Indian entity therefore requires a valid transfer mechanism.
Standard Contractual Clauses (SCCs) are the practical default. The European Commission replaced the old SCCs with updated clauses on 4 June 2021 (Decision 2021/914). Four modules apply depending on the role each party plays:
- Module 1: Controller → Controller (e.g., two independent companies sharing customer data)
- Module 2: Controller → Processor (most common for Indian IT companies: your EU client is controller; you are processor)
- Module 3: Processor → Processor (sub-processing chains in BPO or cloud arrangements)
- Module 4: Processor → Controller (less common; data flows back to the EU importer as controller)
Contracts referencing the pre-2021 SCCs are now out of date. If your DPA still cites Commission Decision 2004/915/EC or 2010/87/EU, replace them immediately.
Transfer Impact Assessment (TIA): Post the Schrems II ruling (CJEU, 16 July 2020), SCCs alone are insufficient. You must assess whether Indian law impairs the protections the SCCs provide. Document: the nature and volume of data being transferred; the relevant provisions of Indian surveillance and intercept law (e.g., Section 69 of the IT Act, 2000); and whether supplementary technical measures (end-to-end encryption, pseudonymisation, access controls keyed only to the EU client) are necessary. Keep this assessment on file.
Binding Corporate Rules (BCRs) are an option for multinationals transferring data intra-group, but BCR approval requires supervisory authority sign-off, typically a multi-year process, rarely practical for mid-sized Indian businesses.
Worked Example: An Indian SaaS Company's GDPR and DPDP Exposure
Scenario: Techforge Analytics Pvt. Ltd., a Bengaluru-based B2B SaaS company, provides marketing-attribution software. EU customers contribute 40% of its ₹180 crore (~€20 million) annual global revenue. Techforge processes names, email addresses, and IP logs of EU website visitors on behalf of its EU clients (Techforge is a processor) and also processes Indian visitors' data on its own marketing site (Techforge is a controller for that).
Incident: A database misconfiguration on 15 January 2026 at 9:00 AM IST exposes records of 45,000 EU data subjects. The security team discovers and contains the breach by 17 January 2026. Techforge formally notifies the competent supervisory authority on 23 January 2026.
GDPR breach notification window:
| Event | Date and time |
|---|---|
| Breach discovered | 15 Jan 2026, 9:00 AM IST |
| 72-calendar-hour deadline | 18 Jan 2026, 9:00 AM IST |
| Actual notification filed | 23 Jan 2026 |
| Days beyond deadline | 5 days |
GDPR fine exposure: Late notification is a Tier 1 violation under Article 83(4). Maximum = greater of €10 million or 2% of global annual turnover. At €20 million global turnover: max(€10M, 2% × €20M) = max(€10M, €400K) = €10 million (~₹90 crore at ₹90/€). The actual regulatory fine would be reduced for cooperation and absence of prior violations, but the ceiling is real.
DPDP Act 2023 exposure: Indian residents' data was also in the breached database. Failure to notify the Data Protection Board promptly under Section 8(6): up to ₹200 crore per instance (DPDP Act Schedule, Item 2).
Combined worst-case exposure: ₹90 crore (GDPR) + ₹200 crore (DPDP) = ₹290 crore.
A 72-hour breach response protocol that Techforge should have had:
- T = 0: Breach flagged. Data protection lead notified immediately via a pre-agreed escalation chain (not just a ticket in the help-desk queue).
- T + 4 hours: Triage team establishes scope: categories of data, number of EU data subjects affected, whether special categories are involved.
- T + 12 hours: Technical containment complete: misconfiguration patched, access revoked, logs preserved.
- T + 24 hours: Draft initial notification to supervisory authority, even if information is incomplete. GDPR Article 33(4) permits phased notification; an early partial filing stops the clock.
- T + 48 hours: Legal review of notification draft. Decision on whether to notify data subjects directly under Article 34 (required when high risk to individuals is likely).
- T + 71 hours: Notification submitted. Internal breach register updated with all details.
The cost of designing this protocol in advance: a two-day internal workshop and a template notification form. The cost of not having it: as demonstrated above.
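The Techforge timeline and fine arithmetic above, carried through in code as an added example (not the page's or any regulator's tooling): a timezone-aware 72-calendar-hour clock, the protocol milestones as absolute timestamps, calendar days late, and the Article 83 ceiling. The IST offset, the ₹90/€ rate and the DPDP ₹200 crore figure are taken from the scenario; the date-level lateness count and the use of Article 83(5) for the upper tier are assumptions.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed walkthrough of the Techforge scenario; not the page's own tooling.
IST = timezone(timedelta(hours=5, minutes=30))
NOTIFY_WINDOW = timedelta(hours=72)     # Art. 33(1): calendar hours, no weekend carve-out
CRORE = 10_000_000                      # 1 crore = 10^7 rupees
# Art. 83(4) lower tier and Art. 83(5) upper tier: (fixed ceiling in EUR, share of turnover)
FINE_TIERS = {1: (10_000_000, 0.02), 2: (20_000_000, 0.04)}
# The response protocol from the text, as hour offsets from awareness (T = 0)
PROTOCOL = [
    (0, "breach flagged; data protection lead escalated"),
    (4, "triage: data categories, EU data subjects affected, special categories?"),
    (12, "containment complete: misconfiguration fixed, access revoked, logs preserved"),
    (24, "draft initial notification, partial if needed (Art. 33(4))"),
    (48, "legal review; decide on Art. 34 notification to data subjects"),
    (71, "notification submitted; breach register updated"),
]


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest filing time: 72 calendar hours after awareness (timezone-aware input)."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return aware_at + NOTIFY_WINDOW


def protocol_schedule(aware_at: datetime) -> list[tuple[datetime, str]]:
    """Absolute timestamps for each milestone of the 72-hour protocol."""
    return [(aware_at + timedelta(hours=h), step) for h, step in PROTOCOL]


def days_late(aware_at: datetime, filed_on: date) -> int:
    """Calendar days between the deadline date (in IST) and the filing date; 0 if on time."""
    deadline_date = notification_deadline(aware_at).astimezone(IST).date()
    return max(0, (filed_on - deadline_date).days)


def fine_ceiling_eur(tier: int, global_turnover_eur: float) -> float:
    """Art. 83 ceiling: the greater of the fixed amount and the turnover percentage."""
    fixed, share = FINE_TIERS[tier]
    return max(fixed, share * global_turnover_eur)


def eur_to_crore(amount_eur: float, inr_per_eur: float = 90.0) -> float:
    """Convert euros to rupee crore at the scenario's assumed rate."""
    return amount_eur * inr_per_eur / CRORE


def techforge_case() -> dict:
    """Scenario numbers: awareness 15 Jan 2026 09:00 IST, filing on 23 Jan 2026."""
    aware_at = datetime(2026, 1, 15, 9, 0, tzinfo=IST)
    filed_on = date(2026, 1, 23)
    deadline = notification_deadline(aware_at)
    gdpr_crore = eur_to_crore(fine_ceiling_eur(1, 20_000_000))  # late notification: lower tier
    dpdp_crore = 200.0                                          # DPDP Schedule Item 2 ceiling
    return {
        "deadline": deadline,
        "deadline_is_weekend": deadline.weekday() >= 5,   # the clock does not pause for Sunday
        "days_late": days_late(aware_at, filed_on),
        "gdpr_ceiling_crore": gdpr_crore,
        "combined_crore": gdpr_crore + dpdp_crore,
        "schedule": protocol_schedule(aware_at),
    }


if __name__ == "__main__":
    for key, value in techforge_case().items():
        print(key, value)
```

The 72-hour deadline in this scenario lands on a Sunday, which is exactly why a "business days" approval cycle is the wrong mental model.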
GDPR vs India's DPDP Act 2023: Differences That Matter in Practice
India's Digital Personal Data Protection Act, 2023 (DPDP) received Presidential assent on 11 August 2023. Substantive Rules remain pending as of May 2026, but the parent Act is law. Indian businesses serving both EU and Indian users cannot treat the two regimes as identical.
| Feature | GDPR | DPDP Act 2023 |
|---|---|---|
| Territorial scope | EU residents' data processed anywhere | Indian Data Principals' data processed anywhere |
| Lawful bases | 6 (open-ended legitimate interests possible) | Consent + 7 closed Legitimate Uses (Section 7) |
| Data subject rights | 8 rights | 4 rights + right to nominate (no portability) |
| Maximum fine | €20M or 4% of global annual turnover | ₹250 crore per instance (Schedule, Item 1) |
| Breach notification | 72 calendar hours to supervisory authority | "Promptly" to Data Protection Board (timeline via Rules) |
| Cross-border transfers | Adequacy / SCCs / BCRs | Negative-list framework (countries notified by Govt.; Rules pending) |
| Children's data | Parental consent for under-16 | Verifiable parental consent; no behavioural tracking (Section 9) |
| Sensitive/special categories | Article 9 with additional processing conditions | No separate sensitive-data regime in the Act |
| DPO equivalent | DPO mandatory in specific cases | No mandatory DPO; Consent Manager concept instead |
The most operationally significant difference: GDPR's legitimate interests basis (Article 6(1)(f)) is flexible: you write the balancing test, document it, and rely on it for many commercial-processing activities. DPDP's Legitimate Uses under Section 7 are a closed list (employment obligations, medical emergencies, certain public-interest functions, etc.). If you rely on legitimate interests under GDPR for processing Indian users' data, say for fraud detection or direct marketing, there may be no matching DPDP basis. That activity requires either explicit consent under DPDP or a redesign of purpose and processing scope.
A unified compliance programme is still achievable, and preferable to two parallel siloed programmes. Design consent UX to meet GDPR's stricter standard (it satisfies DPDP by default), maintain one ROPA with jurisdiction-tagged data flows, run DPIAs for high-risk projects (they double as the assessments expected under DPDP), and train staff once with module-level customisation for the two regimes.
Common Mistakes Indian Businesses Make, and How to Fix Them
Mistake 1: Believing GDPR Does Not Apply to an India-Registered Entity
The fix: Read Article 3(2). If you intentionally target EU users (accepting Euros, displaying EU languages, operating a .eu TLD) you are in scope. Even failing to geo-block EU users when you have substantial EU traffic can constitute implicit targeting. Conduct a scope assessment annually.
Mistake 2: Cookie Walls and "Scrolling Equals Consent"
The fix: Consent must be an unambiguous, affirmative act. A cookie wall (blocking access to content unless a user accepts all cookies) is invalid consent per EDPB Guidelines 05/2020. A user scrolling or continuing to browse has not actively consented. Build a banner that presents accept and reject with equal visual prominence and equal click effort. Store a consent record per user (timestamp, choice, notice version shown).
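One way to keep the per-user consent record this fix calls for, as an added example that is not the page's own code: an append-only ledger that stores timestamp, choice and notice version, refuses to record a "grant" backed only by scrolling, a pre-ticked box or a cookie wall, and answers whether consent stood at a given moment (a later withdrawal overrides an earlier grant). The action names, user ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed illustration of per-user consent records; not the page's own code.
AFFIRMATIVE_ACTIONS = {"click_accept", "toggle_on"}   # unambiguous, affirmative acts
# Anything else ("scroll", "pre_ticked_box", "cookie_wall_accept", ...) cannot ground a grant.


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str            # specific purpose, e.g. "analytics_cookies", "email_marketing"
    granted: bool           # True = consent given, False = refused or withdrawn
    action: str             # how the choice was expressed
    notice_version: str     # version of the notice shown at that moment
    at: datetime            # timezone-aware timestamp


class ConsentLedger:
    """Append-only record that can later demonstrate when and how consent was obtained."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if ev.granted and ev.action not in AFFIRMATIVE_ACTIONS:
            # A grant with no affirmative act behind it is not consent; do not store it as one
            raise ValueError(f"{ev.action!r} is not an affirmative act; not recorded as consent")
        self._events.append(ev)

    def latest(self, user_id: str, purpose: str, when: datetime) -> Optional[ConsentEvent]:
        """Most recent event for this user and purpose at or before `when`."""
        matches = [e for e in self._events
                   if e.user_id == user_id and e.purpose == purpose and e.at <= when]
        return max(matches, key=lambda e: e.at) if matches else None

    def has_consent(self, user_id: str, purpose: str, when: datetime) -> bool:
        ev = self.latest(user_id, purpose, when)
        return ev is not None and ev.granted   # a later withdrawal overrides an earlier grant

    def evidence(self, user_id: str, purpose: str) -> list[dict]:
        """The timestamped history you would show a supervisory authority."""
        return [{"at": e.at.isoformat(), "granted": e.granted, "action": e.action,
                 "notice_version": e.notice_version}
                for e in sorted(self._events, key=lambda e: e.at)
                if e.user_id == user_id and e.purpose == purpose]


def demo() -> dict:
    """Constructed history: user accepts under notice v3.2, withdraws 30 days later."""
    t0 = datetime(2026, 3, 1, 10, 0, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("u-1001", "analytics_cookies", True, "click_accept", "v3.2", t0))
    ledger.record(ConsentEvent("u-1001", "analytics_cookies", False, "click_withdraw", "v3.2",
                               t0 + timedelta(days=30)))
    rejected = []
    for action in ("scroll", "pre_ticked_box", "cookie_wall_accept"):
        try:
            ledger.record(ConsentEvent("u-1002", "analytics_cookies", True, action, "v3.2", t0))
        except ValueError:
            rejected.append(action)
    return {
        "consent_on_day_one": ledger.has_consent("u-1001", "analytics_cookies", t0),
        "consent_after_withdrawal": ledger.has_consent("u-1001", "analytics_cookies",
                                                       t0 + timedelta(days=31)),
        "consent_other_purpose": ledger.has_consent("u-1001", "email_marketing", t0),
        "rejected_actions": rejected,
        "evidence": ledger.evidence("u-1001", "analytics_cookies"),
    }
```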
Mistake 3: Outdated Standard Contractual Clauses
The fix: The 2021 SCCs (Commission Implementing Decision 2021/914) were mandatory for all new contracts from 27 September 2021 and for all legacy contracts by 27 December 2022. If your DPA cites the 2004 or 2010 SCCs, it is legally deficient. Audit every DPA you have signed as either controller or processor. Replace old SCCs with the correct 2021 module.
Mistake 4: No Written DPAs with Cloud Providers
The fix: You almost certainly use AWS, Azure, Google Cloud, Salesforce, Mailchimp, or a similar platform. Each of these is a "processor" under GDPR. Article 28 requires a signed DPA before data is shared. Download the current version of their DPA and ensure it covers the specific data categories you are processing. Health data or children's data often requires a separate addendum.
Mistake 5: No Breach Response Drill
The fix: The 72-hour window is shorter than most organisations' internal approval cycles. A real breach is a bad time to discover that your legal team needs five business days to review a notification draft. Run a tabletop exercise: simulate a breach discovery, time the response, and identify the bottleneck (technical triage, DPA notification obligations to your EU clients, or supervisory authority communication). Fix the bottleneck before a real breach occurs.
Mistake 6: Ignoring the ROPA Exemption Misunderstanding
The fix: The Article 30 exemption for sub-250-employee organisations does not apply if processing is non-occasional, involves special categories, or poses a risk to data subjects' rights. Almost every Indian company commercially processing EU data fails the "non-occasional" test. Maintain a ROPA regardless of headcount. An up-to-date ROPA also dramatically accelerates your DPDP Rules compliance once the Rules are notified.
Mistake 7: Not Appointing an EU Representative
The fix: Article 27 requires in-scope companies without an EU establishment to appoint a representative in an EU Member State in writing. This person or entity receives communications from supervisory authorities and data subjects. Several specialist services provide EU representative services for a modest annual fee, far less than the cost of a regulatory contact going unanswered because no representative existed.
Key Takeaways
- GDPR applies to you if any EU resident's personal data flows through your systems; incorporation in India is irrelevant. The targeting principle in Article 3(2) is the key test.
- Document your lawful basis before processing starts. Article 6 does not allow retroactive selection. Record the basis in your ROPA against each processing activity.
- The 72-hour breach notification window is calendar hours, not business hours. A protocol that has been tested in a drill is the only reliable defence against a late notification fine.
- India has no EU adequacy decision. Every transfer of EU personal data to India requires the 2021 SCCs (correct module) plus a Transfer Impact Assessment on file.
- DPDP Act 2023 and GDPR share architecture but differ critically on lawful bases. GDPR's open-ended legitimate interests has no direct DPDP equivalent; check every legitimate-interests processing activity against DPDP's closed Legitimate Uses list.
- The four non-negotiable foundations for an Indian business subject to GDPR are: an up-to-date ROPA, signed Article 28 DPAs (with 2021 SCCs embedded), a tested 72-hour breach response plan, and compliant consent mechanisms covering both cookie consent and data subject request workflows.
- In a combined GDPR + DPDP worst-case breach, fine exposure can exceed ₹290 crore for a mid-sized company. First-year compliance (data mapping, DPA reviews, breach-response training, updated SCCs) typically costs a fraction of a single regulatory enforcement action.