The European Union's General Data Protection Regulation (GDPR) does not stop at the EU's borders: it follows the data. Any Indian enterprise that processes personal data of individuals who are in the EU, whether as a software exporter, BPO, e-commerce business, or manufacturer with European distributors, can fall directly within the GDPR's scope. With EU data protection authorities issuing fines exceeding €1.3 billion in 2023 alone, and the Indian government itself embedding GDPR-aligned principles in the DPDP Act 2023, understanding GDPR has become a board-level priority for Indian organisations.
Does GDPR Apply to Your Indian Organisation?
GDPR's extraterritorial scope under Article 3 catches organisations in two scenarios:
- Establishment principle (Art. 3(1)): If you have an establishment in the EU (an office, subsidiary, branch, or even a single employee or agent working through a stable arrangement), GDPR applies to processing carried out in the context of that establishment's activities, regardless of whether the processing itself happens in the EU or in India.
- Targeting and monitoring principle (Art. 3(2)): Even without an EU establishment, GDPR applies if you (a) offer goods or services to individuals in the EU, whether paid or free (indicators include pricing in euro, EU language options, and shipping to EU countries), or (b) monitor the behaviour of individuals in the EU (web analytics, tracking cookies, profiling). Mere accessibility of your website from the EU is not enough on its own (Recital 23); the activity has to be directed at people in the EU. Organisations caught under Art. 3(2) must also designate a representative in the EU (Art. 27) unless the narrow exemption in Art. 27(2) applies.
Practically, this means Indian IT services companies handling EU client data, Indian e-commerce businesses with European customers, Indian healthcare companies in clinical trials with EU participants, and Indian BPOs processing EU employee data are all GDPR-covered controllers or processors.
Penalties That Indian CFOs Should Know
GDPR fines come in two tiers (Art. 83), each expressed as a fixed amount or a percentage of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher. Lower-tier infringements (inadequate technical and organisational measures, no processor agreement, no records of processing) attract fines up to €10 million or 2% of turnover. Upper-tier infringements (no lawful basis, violation of data subject rights, unlawful international transfers) attract up to €20 million or 4% of turnover. Because the cap is the higher of the two figures, the fixed amount dominates for mid-sized companies: for a ₹500 Cr Indian company, 4% of turnover is ₹20 Cr, but the ceiling is still €20 million (well over ₹150 Cr at recent exchange rates), before counting reputational damage and client attrition.
GDPR vs DPDP Act 2023: Key Comparison
| Aspect | GDPR (EU) | DPDP Act 2023 (India) |
|---|---|---|
| Territorial scope | Processing in the context of an EU establishment, plus non-EU organisations offering goods or services to, or monitoring, individuals in the EU (Art. 3) | Digital personal data processed in India, plus processing outside India connected with offering goods or services to data principals in India (Sec. 3) |
| Legal basis for processing | Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests (Art. 6) | Consent, or a closed list of "legitimate uses" in Sec. 7 (e.g. voluntarily provided data, State functions, legal obligations, medical emergencies, employment) |
| Data subject rights | Information, access, rectification, erasure, restriction, portability, objection, rights in relation to automated decision-making (Arts. 13-22) | Access to information, correction and erasure, grievance redressal, nomination (Secs. 11-14) |
| Cross-border transfers | Transfers outside the EEA need an adequacy decision, SCCs, BCRs or another Chapter V mechanism; India has no adequacy decision, so SCCs are the usual route | Transfers permitted except to countries the Central Government restricts by notification (Sec. 16) |
| DPO requirement | Mandatory for public authorities and for controllers whose core activities involve large-scale regular monitoring or large-scale special-category data (Art. 37) | Mandatory only for Significant Data Fiduciaries, and the DPO must be based in India (Sec. 10); Consent Managers are a separate, registered role |
| Breach notification | Supervisory authority within 72 hours where feasible, unless the breach is unlikely to result in a risk (Art. 33); affected individuals without undue delay where the risk is high (Art. 34) | Data Protection Board and each affected Data Principal, in the form, manner and timeline prescribed by Rules (Sec. 8(6)) |
| Maximum penalty | €20M or 4% of worldwide annual turnover, whichever is higher | Up to ₹250 crore (Schedule), the highest tier, for failure to maintain reasonable security safeguards |
The Six Lawful Bases for Processing Under GDPR
Every processing activity in your organisation must be mapped to one of these six lawful bases — and the chosen basis must be documented in your Record of Processing Activities (RoPA):
- Consent (Art. 6(1)(a)): Freely given, specific, informed, unambiguous indication of agreement. Withdrawal must be as easy as giving. Cannot be the default or bundled with T&Cs.
- Contract (Art. 6(1)(b)): Processing necessary to perform a contract with the data subject, or to take steps at their request prior to entering a contract.
- Legal Obligation (Art. 6(1)(c)): Processing required to comply with a legal obligation laid down by EU or Member State law. An obligation under Indian law alone (for example a retention duty under Indian tax or company law) does not qualify under this basis; such processing normally has to be justified under legitimate interests instead.
- Vital Interests (Art. 6(1)(d)): Processing to protect someone's life — typically applies in medical emergencies.
- Public Task (Art. 6(1)(e)): Processing in the exercise of official authority or for a task in the public interest. Primarily for government bodies.
- Legitimate Interests (Art. 6(1)(f)): Processing necessary for the legitimate interests of the controller or a third party, provided these are not overridden by the data subject's interests, rights, or freedoms. Must pass the three-part legitimate interests assessment (LIA): identify the interest, show that the processing is necessary to achieve it, and balance it against the impact on the data subject. Document the LIA before processing starts.
Data Subject Rights: Obligations for Indian Organisations
Individuals in the EU whose data you process hold the rights set out in Arts. 15-22: access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making. Your DMS and data infrastructure must be able to act on each of them within one month of the request (Art. 12(3)), extendable by two further months for complex or numerous requests, and free of charge in the normal case.
Technical Safeguards Required by GDPR
Article 25 (data protection by design and by default) and Article 32 (security of processing) impose technical obligations that map directly onto DMS capabilities:
- Encryption of personal data at rest and in transit. GDPR names encryption as an example measure (Art. 32(1)(a)) but mandates no algorithm; AES-256 at rest and TLS 1.2 or later (preferably 1.3) in transit is the accepted baseline.
- Pseudonymisation of datasets where possible: replacing direct identifiers with tokens such that the data can no longer be attributed to a person without additional information that is kept separately and under its own access controls (Art. 4(5)). A bare, unkeyed hash of an email address does not meet this bar, because anyone can recompute it from a list of guesses.
- Ongoing confidentiality, integrity, availability, and resilience of systems
- Ability to restore access to data in a timely manner following an incident
- Regular testing, assessment, and evaluation of the effectiveness of security measures (vulnerability assessment and penetration testing, VAPT)
- Access controls — role-based, least privilege principle
- Complete audit trail of who accessed, modified, or deleted personal data
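As an added illustration (not code from the original page or from Sarthi DMS), the following Python contrasts a bare hash of an identifier, which fails as pseudonymisation because it can be reversed by guessing, with a keyed HMAC pseudonym whose key and reverse-lookup table are held separately from the exported data, as Article 4(5) expects. The record set is constructed sample data, and the key handling and class names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample export (not real people): a support-ticket dump that
# a DMS might hand to an analytics team or an offshore processor.
RECORDS: List[dict] = [
    {"ticket": 101, "email": "Anna.Muller@example.de", "issue": "invoice error"},
    {"ticket": 102, "email": "p.dubois@example.fr", "issue": "login failure"},
    {"ticket": 103, "email": "anna.muller@example.de", "issue": "refund"},
]


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of an email address.

    This is NOT pseudonymisation in the Art. 4(5) sense: anyone can
    recompute it, so a short list of guesses re-identifies the person.
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the identifier behind an unkeyed hash by trying likely inputs."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), token):
            return candidate
    return None


class Pseudonymiser:
    """Keyed pseudonyms: token = HMAC-SHA256(key, normalised identifier).

    The key and the token-to-identifier table are the 'additional
    information' that Art. 4(5) requires to be kept separately from the
    pseudonymised data (in practice: a KMS or HSM with its own access policy).
    Key and table handling here are simplified assumptions for the example.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._lookup: Dict[str, str] = {}  # lives with the key, never with the export

    @staticmethod
    def _normalise(identifier: str) -> str:
        # Case and whitespace differences must not produce different tokens.
        return identifier.strip().lower()

    def _mac(self, identifier: str) -> str:
        return hmac.new(self._key, self._normalise(identifier).encode(), hashlib.sha256).hexdigest()

    def token(self, identifier: str) -> str:
        """Deterministic token, so the same person still links across records."""
        tok = self._mac(identifier)
        self._lookup[tok] = self._normalise(identifier)
        return tok

    def verify(self, identifier: str, token: str) -> bool:
        """Constant-time check that a token belongs to an identifier (key holder only)."""
        return hmac.compare_digest(self._mac(identifier), token)

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse a token: only possible for whoever holds the separate table."""
        return self._lookup.get(token)


def pseudonymise_records(records: List[dict], p: Pseudonymiser, field: str = "email") -> List[dict]:
    """Return a copy of the export with the identifier column replaced by tokens."""
    return [{**r, field: p.token(r[field])} for r in records]


if __name__ == "__main__":
    guesses = ["ceo@example.de", "anna.muller@example.de", "info@example.fr"]
    print("unkeyed hash recovered:", dictionary_attack(naive_hash("Anna.Muller@example.de"), guesses))

    key = secrets.token_bytes(32)  # would come from a KMS in production
    p = Pseudonymiser(key)
    export = pseudonymise_records(RECORDS, p)
    print("keyed token recovered:", dictionary_attack(export[0]["email"], guesses))
    print("tickets 101 and 103 still link:", export[0]["email"] == export[2]["email"])
    print("key holder re-identifies:", p.reidentify(export[0]["email"]))
```

The tokens stay deterministic so that analytics can still count tickets per customer, which is what makes this pseudonymisation rather than anonymisation: whoever holds the key (and the lookup table) can reverse it, so both must sit outside the repository that receives the export, with their own access log.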
Data Breach Response: The 72-Hour Clock
If a personal data breach is discovered, you have 72 hours to notify the competent EU supervisory authority (Art. 33), unless the breach is unlikely to result in a risk to individuals; a late notification must be accompanied by reasons for the delay. Where the breach is likely to result in a high risk, affected individuals must also be told without undue delay (Art. 34). The clock runs from the moment you become "aware", which authorities interpret as having a reasonable degree of certainty that a breach has occurred, not as the end of your internal investigation. Which authority is competent depends on your EU footprint: a controller with an EU establishment deals with the lead authority for that establishment (for example CNIL in France or the Irish DPC), whereas a controller with no EU establishment has no one-stop shop and may have to notify the authority in each Member State where affected individuals are located. The UK's ICO enforces the separate UK GDPR, not the EU regulation. Your DMS must have breach detection, impact assessment, and notification workflows pre-built and rehearsed, and every breach, notified or not, must be recorded internally (Art. 33(5)).
The Role of DMS in GDPR Compliance
A Document Management System is the operational hub of GDPR compliance for document-intensive organisations. Here is how Sarthi DMS addresses each key GDPR obligation:
Sarthi DMS provides AI-powered data discovery to locate personal data across all repositories, automated data mapping to populate your RoPA, and integrated data subject rights management workflows that track subject access requests (SARs) through to closure within the one-month deadline of Art. 12(3). The system also generates documented legitimate interests assessments (LIAs) and Data Protection Impact Assessments (DPIAs) from templated workflows.