GDPR vs India DPDP for SaaS teams

GDPR and India's DPDP Act are not one-to-one copies. GDPR is broader and built around multiple lawful bases, detailed processor rules, and EU-focused extraterritorial reach. India's DPDP Act is focused on digital personal data, uses consent plus certain legitimate uses, and has its own fiduciary, rights, and Board structure.

Best fit

Cross-border SaaS teams comparing EU and India privacy obligations

Last updated: 2026-03-14

Scope is the first big difference

GDPR Article 3 reaches non-EU organisations when they offer goods or services to people in the Union or monitor behaviour there. The DPDP Act applies to digital personal data processed in India and also to processing outside India when it is connected with offering goods or services to people in India.

That means a SaaS team selling into the EU still has to run a GDPR analysis even if it is already thinking about DPDP obligations at home.

Processing grounds are not identical

GDPR Article 6 allows several lawful bases, including consent, contract, legal obligation, vital interests, public task, and legitimate interests. DPDP section 4 instead frames processing around consent or certain legitimate uses listed in section 7.

DPDP also puts strong emphasis on notice quality, clear consent language, and ease of withdrawal. The result is that a SaaS team cannot assume a DPDP consent flow is a full substitute for a GDPR lawful-basis analysis.

Children, governance, and internal accountability also differ

GDPR Article 8 sets the default age for a child's consent in information society services at 16, while allowing Member States to lower it to 13. DPDP defines a child as anyone under 18 and restricts tracking, behavioural monitoring, and targeted advertising directed at children.

DPDP also creates extra obligations for Significant Data Fiduciaries, including a Data Protection Officer based in India, periodic data protection impact assessments, and audits. GDPR uses its own accountability tools such as RoPAs, processor contracts, and risk-based obligations throughout the Regulation.

Product context

Review the annual plan for EU-facing documentation and procurement workflows. See annual pricing for the GDPR-focused pack.

Sources

Official GDPR text on EUR-Lex

Official GDPR text, especially Articles 3, 6, 8, 28, and 30.

Digital Personal Data Protection Act, 2023

Official MeitY-hosted text of the Digital Personal Data Protection Act, 2023.

Next step

Use the guide as the baseline, then generate your own pack when you are ready to replace examples with your actual company, product, and vendor details.