A Comparative Guide To The GDPR And The PDPB


The Personal Data Protection Bill, 2018 (“PDPB”) is a draft law submitted in July 2018 by a committee of experts on data protection constituted by the Indian Government. The PDPB is conceptually similar to the European Union’s General Data Protection Regulation (“GDPR”). The table below provides an easy-to-read and digestible comparison of the key provisions of both, the GDPR and the PDPB, and highlights certain differences in approach.

REGULATORY AUTHORITY The European Data Protection Board Data Protection Authority
ACTORS Controller Data Fiduciary
Processor Data Processor
Data Subject Data Principal
MATERIAL APPLICABILITY The GDPR applies to partial or whole processing of personal data either by automated means; or processing other than by automated means (for example, by manual means), where the personal data are contained, or are intended to be contained, in a filing system. The PDPB applies to the processing of personal data, which is defined as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such person, or any combination of such features, or any combination of such features with any other information.
processing in
the context of
an establishment of
a controller
or processor in
the European Union;
The PDPB applies:
to processing of personal data
that is collected, disclosed, shared, or
otherwise processed by
within India;

  processing of data subjects within the European Union where the processing is regarding either the offering of goods and services or for monitoring behavior; or processing by a controller outside the European Union but where the law of a member country applies through public international law. to processing by the state or any entity that is incorporated or created under Indian law; or if the processing of personal data is in connection with either any business or any profiling activity of data principals within Indian territory.
EXCEPTIONS TO APPLICABILITY Both, the GDPR and PDPB carve out certain exemptions. The scope of these carve-outs vary:
Manual Processing by Small Entities N/A Manual processing by small entities (that have a turnover of less than INR 25,00,000, do not collect data of more than 100 data principals, and do not allow disclosures to third-parties) are allowed limited exemptions under the PDPB.
Security and with respect to Criminal
Exempted While exempted under the PDPB, processing must still comply with fair and reasonable processing principles and should adopt security safeguards.
allows member countries to carve out exceptions.
Regardless of exceptions, the PDPB requires compliance with fair and reasonable processing principles and security safeguards.
The GDPR allows member countries to carve out exceptions. Regardless of exceptions, the PDPB requires compliance with fair and reasonable processing principles and security safeguards.

    Further, it requires compliance with provisions relating to the transfer of personal data outside India.
Personal or Domestic Use
Exempted Regardless of exceptions, the PDPB requires compliance with fair and reasonable processing principles and security safeguards.
Scientific Research, Historical, Archiving or Statistical
There are certain exemptions allowed with respect to the rights of data principals. However, the GDPR requires compliance with safeguards such as technical and organizational measures. The PDPB allows this exception, subject to processing being fair and reasonable, ensuring security safeguards, and undertaking data protection impact assessments.
Interest Purposes
The rights of a data principal may be restricted by the law of a member country under the GDPR. Under the PDPB, the exemption applies with respect to the processing of personal data in the interests of the security of the state.
PSEUDONYMISATION AND ANONYMISATION The GDPR does not apply to anonymized data. Pseudonymisation of data is encouraged to be employed where processing is done: by virtue of the law of a member country; or when implementing privacy by design; or when implementing appropriate technical and organizational measures. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct with regards to pseudonymization. The PDPB does not apply to anonymized data.De-identification of data is included in the mandatory security safeguards that must be implemented by data fiduciaries and processors. The DPA may issue a code of conduct on methods of de-identification. Any attempt to decrypt de-identified data without the consent of the data fiduciary or data processor will attract a fine of up to INR 200,000 or imprisonment for up to 3 years or both.

DATA PROCESSING IN RELATION TO CHILDREN Processing of personal data of a child (i.e., someone below the age of 16 years) with respect to information society services is only valid if the consent to process the personal data is given or authorized by the holder of parental responsibility for the child. Processing the personal data of a child (i.e., someone below the age of 18 years) must be done in a manner that protects and advances the best interests of the child.
The controller should employ technological measures and make reasonable efforts to verify parental consent. The PDPB lays down factors on which age verification mechanisms should be based on, which include the volume of personal data processed, the proportion of such data likely to be that of children, the possibility of such processing being harmful to children, and other factors specified by the DPA.
on Certain Types
of Processing with
respect to Children
N/A Data fiduciaries who process large volumes of personal data of children or operate commercial websites or online services directed at children are notified by the DPA as guardian data fiduciaries and such fiduciaries are prohibited from profiling, tracking, or behavioral monitoring of, or targeted advertising directed at, or any other processing that is harmful to, children. This may apply to data fiduciaries offering counseling or child protection services to children.
PROCESS OF SEEKING CONSENT The data subject has the right to seek from the controller a restriction of processing due to inaccuracy, unlawfulness or non-existence of purpose. N/A

of Proof
N/A The burden of proving if the consent of a data principal has been sought, vests with the data fiduciary.
The data subject has the right to confirm that the controller has obtained personal data in addition to the right to access all information regarding such personal data. While the PDPB recognizes the right to access information from a data fiduciary, the right of confirmation of obtaining personal data is not recognized.
RIGHT TO BE FORGOTTEN The right to be forgotten includes the right of erasure. The right to be forgotten does not include the right of erasure.
AUTOMATED DECISION MAKING Data subjects have the right to object at any time to the processing of personal data, including profiling. Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling. The right to object to processing including when based solely on automated processing is not recognized.
PRIVACY BY DESIGN AND DEFAULT A requirement under the GDPR. A requirement under the PDPB.
CROSS-BORDER TRANSFERS OF DATA Cross-border data transfers must be done
in accordance with:
Cross-border data transfers must be done in accordance with standard contractual clauses approved by the DPA;

  an adequacy decision by the European Commission (the “EC”); appropriate safeguards such as a legally binding and enforceable instrument between public authorities; binding corporate rules or standard clauses adopted and approved by the EC; or approved codes of conduct or certification mechanisms.   Cross-border transfers other than in accordance with any of the above requirements are prohibited except if made by consent of the data subject, in pursuance of a contract, public interest, legal claims, vital interests, or in legitimate interest. intra-group schemes (similar to binding corporate rules) approved by the DPA; adequacy decisions made by the central government in consultation with the DPA; consent of the data principal in addition to any of the two previous two requirements; or permitted by the DPA out of necessity.     Sensitive personal data may only be transferred either by an adequacy decision or for health or emergency services for a particular person.
NOTIFICATION OF BREACH MandatoryBreaches must be reported to the supervisory authority and the data subject within 72 hours. MandatoryPresently, the PDPB does not prescribe a time period for reporting breaches to the supervisory authority and data principals. The DPA will have the authority to prescribe timelines.
DATA PROTECTION OFFICER A data protection officer should be appointed if the processing is
undertaken by a public authority or if the
core activities include regular and systematic monitoring
All data fiduciaries should appoint a data protection officer based in India. The PDPB mandates the appointment of a data protection

  of data subjects on a large scale or processing on a large scale of special categories of data and personal data relating to criminal convictions and offenses. The officer even if the core activities of an entity are not the processing of data.
SECURITY PRACTICES The GDPR prescribes the following:   maintaining security of processing including incorporation of pseudonymization and encryption of data; ability to maintain data confidentiality and integrity; data restoration; review processes; codes of conduct and certification mechanisms; and any natural person undertaking processing under the authority of the controller or the processor must do so only under specific instructions. The PDPB prescribes the following:   de-identification and encryption; the ability to protect the integrity of personal data and to prevent its misuse, unauthorized access to, modification, disclosure or destruction; and a review process of such safeguards should also be undertaken periodically.   Restoration of availability and access to data in case of a physical or technical event, codes of conduct, certification mechanisms, and the practice of a natural person acting on only specific instructions from the data fiduciary or data processor are not mandated as security safeguards, unlike the GDPR.
DATA LOCALISATION N/A At least one copy of the personal data is to be stored on a server or data center located in India. Further, data classified by the central government as critical personal data should only be processed in a server or data center located in India.

    Financial data is required to be stored in India in its entirety in accordance with the Reserve Bank of India’s requirements.
DATA AUDITS N/A Applicable
COMPLIANCE CERTIFICATION MECHANISMS Code of conduct may be prepared by associations and other bodies representing categories of controllers or processors and approved by the respective supervisory authority of the member country. Data protection certification mechanisms and corresponding data protection seals and marks are granted by designated certification bodies. The PDPB contemplates a “data trust score”, which is assigned by a data auditor on the completion of a data audit to a data fiduciary. The criteria for determining this data trust score is specified by the DPA.
GRIEVANCE REDRESSAL The individual may approach the respective DPAs of their member countries and such decisions are subject to judicial review in that country. Grievances may be raised with the data protection officer. Appeals may be made to an adjudicating officer appointed by the adjudication wing of the DPA and further appeals may be made to the Appellate Tribunal that is set up under the PDPB.

PENALTIES The maximum fine is the greater of EUR 200,000,000 or 4% of an undertaking’s worldwide turnover for the preceding financial year. Member countries may provide their own rules on criminal sanctions. The maximum penalty stipulated may extend up to INR 150,000,000 or 4% of the penalized entity’s total worldwide turnover of the preceding financial year, whichever is higher.

For any comments or queries, do reach out to us

Leave a Comment

Your email address will not be published. Required fields are marked *