If your Indian company sells to EU residents, processes their personal data, or tracks their online behaviour, GDPR applies to you — regardless of where your servers sit. The EU General Data Protection Regulation (Regulation (EU) 2016/679) has explicit extraterritorial reach under Article 3(2). Non-compliance exposes your company to enforcement by EU data protection authorities, who can impose fines proportionate to global annual turnover. This guide covers when GDPR applies to an Indian business, what it requires, how it compares to India's own DPDP Act 2023, and a practical compliance roadmap.
Does GDPR Apply to Your Indian Company?
GDPR's territorial scope is defined in Article 3. An Indian company falls under GDPR if it meets either of two triggers — even with no EU establishment.
```mermaid
graph TD
A[Indian Company Processes Data] --> B{EU establishment?}
B -- Yes --> C[GDPR applies — Article 3-1]
B -- No --> D{Offering goods or services<br/>to EU residents?}
D -- Yes --> E[GDPR applies — Article 3-2a]
D -- No --> F{Monitoring behaviour<br/>of EU residents?}
F -- Yes --> G[GDPR applies — Article 3-2b]
F -- No --> H[GDPR does not apply<br/>Document this conclusion]
style C fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style E fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
```

Trigger 1 — Offering goods or services (Article 3(2)(a)): Indicators include pricing in EUR, shipping to EU addresses, EU-language websites, accepting EU payment methods, or running ads targeted at EU Member States. A free SaaS product available to EU users also qualifies.
Trigger 2 — Monitoring behaviour (Article 3(2)(b)): If you deploy analytics, cookies, tracking pixels, or any profiling mechanism that follows EU residents' online behaviour, GDPR applies even if you never intend to sell to them directly.
Key GDPR Obligations for Indian Controllers
Once GDPR applies, you take on the role of data controller (or processor if you act on instructions from an EU controller). The core obligations are:
1. Lawful Basis for Processing
Article 6 requires a lawful basis before processing any personal data. The six bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most Indian B2C companies serving EU customers, the practical choices are:
- Consent — must be freely given, specific, informed, and unambiguous. Pre-ticked boxes are invalid.
- Contract — processing is necessary to fulfil a contract with the data subject (e.g., processing a customer's shipping address to deliver an order).
- Legitimate interests — permitted when your interest is not overridden by the individual's rights. Requires a documented Legitimate Interests Assessment (LIA).
2. Consent Standards
Where consent is your lawful basis, GDPR sets a high bar. Consent must be granular (one tick per purpose), withdrawable at any time, and as easy to withdraw as to give. Keep timestamped consent records; you must demonstrate consent was obtained lawfully if challenged.
3. Data Subject Rights
EU residents can exercise eight rights against your company. You have one calendar month to respond to most requests.
| Right | Article | What It Requires |
|---|---|---|
| Access | 15 | Provide a copy of all data held about the person |
| Rectification | 16 | Correct inaccurate or incomplete data within 1 month |
| Erasure ("Right to be Forgotten") | 17 | Delete data when no longer necessary, consent withdrawn, or objection upheld |
| Restriction of Processing | 18 | Pause processing while a dispute is resolved |
| Data Portability | 20 | Export data in machine-readable format on request |
| Object | 21 | Opt out of legitimate-interests or direct-marketing processing |
| Automated Decision-Making | 22 | Refuse decisions made solely by algorithm without human review |
| Lodge Complaint | 77 | Right to complain to a supervisory authority in their Member State |
4. Data Protection Officer
A DPO is mandatory under Article 37 if your core activities involve large-scale systematic monitoring of individuals or large-scale processing of special category data (health, biometrics, political opinions, etc.). Many Indian SaaS companies will not meet this threshold, but should document the reasoning. Where required, the DPO must be independent and expert in data protection law, and their contact details must be published.
5. Breach Notification
Article 33 requires notifying the competent EU supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in risk to individuals. If the breach is high-risk to the individuals themselves, you must also notify them directly under Article 34. Document all breaches — even low-risk ones — in an internal breach register.
6. Records of Processing Activities
Article 30 requires a written Record of Processing Activities (RoPA). This is a structured internal document listing every processing activity: purpose, categories of data subjects and data, recipients, retention periods, and transfers to third countries. Companies with fewer than 250 employees are partially exempt unless processing is high-risk, non-occasional, or involves special categories.
Cross-Border Data Transfers to India
India does not currently hold an EU adequacy decision (as of mid-2026). This means transferring EU personal data to India requires a transfer mechanism under Chapter V of GDPR:
- Standard Contractual Clauses (SCCs): The most practical mechanism. The European Commission updated SCCs in June 2021. You must use the current 2021 version and conduct a Transfer Impact Assessment (TIA) to evaluate Indian legal protections against EU standards.
- Binding Corporate Rules (BCRs): For multinational groups — expensive and time-consuming to obtain.
- Derogations under Article 49: Limited exceptions (explicit consent for specific transfer, contract performance, vital interests). Not suitable for routine commercial transfers.
GDPR vs DPDP Act 2023 — Key Differences
India's Digital Personal Data Protection Act 2023 (DPDP) shares GDPR's spirit but differs in important ways. If you are building a compliance programme for both, understanding the gaps saves significant rework. Visit our DPDP compliance guide for the India-specific framework.
```mermaid
xychart-beta
title "GDPR vs DPDP — Obligation Strength Score (1-5)"
x-axis ["Consent Rules", "Data Subject Rights", "DPO Mandate", "Breach Notification", "Cross-Border Rules", "Penalty Regime"]
y-axis "Score" 1 --> 5
bar [5, 5, 4, 5, 5, 5]
bar [4, 3, 2, 3, 3, 4]
```

Bar 1 = GDPR | Bar 2 = DPDP Act 2023 (based on enacted text; Rules pending as of mid-2026)
| Dimension | GDPR | DPDP Act 2023 |
|---|---|---|
| Scope | Any processing of EU resident data | Processing of digital personal data in India or data of Indian residents |
| Lawful Bases | Six bases including legitimate interests | Consent + legitimate uses (narrower list, no general "legitimate interests") |
| Data Subject Rights | Eight distinct rights | Five rights (access, correction, erasure, grievance, nominate) |
| DPO | Mandatory in specific high-risk cases | Significant Data Fiduciaries must appoint DPO |
| Breach Notification | 72 hours to supervisory authority | To Data Protection Board — timeline in Rules (not yet finalised) |
| Children's Data | Parental consent below 16 (or lower if Member State allows) | Parental consent below 18; no processing for targeted advertising |
| Adequacy / Transfer | SCCs, BCRs, adequacy decisions | Blacklist model — Central Government will notify restricted countries |
| Penalty Structure | Up to 4% of global annual turnover | Among the highest penalties in Indian law — very significant for SMBs (MeitY, DPDP Act 2023) |
| Extraterritorial Reach | Explicit (Article 3) | Yes — processing data of Indian residents abroad is covered |
Practical GDPR Compliance Path for an Indian Company
A realistic six-step programme for a small to mid-size Indian B2B or B2C company:
Step 1 — Scope Assessment (Week 1–2) Map every data flow involving EU residents. Answer three questions: Which EU countries do we serve? What personal data do we collect? On what legal basis? Document this before anything else.
Step 2 — Legal Basis and Consent Infrastructure (Week 2–4) Update your privacy notice to GDPR standard (Articles 13/14 requirements). Implement a compliant consent management platform (CMP) for cookies and marketing. Draft your legitimate interests assessments where applicable.
Step 3 — Records of Processing and DPO Decision (Week 3–5) Build your RoPA. Determine whether a DPO is required. If not required, designate a privacy point-of-contact internally. Appoint an EU Representative (Article 27) — a legal entity or individual resident in an EU Member State who can be contacted by supervisory authorities.
Step 4 — Data Subject Rights Workflow (Week 4–6) Build a verifiable intake process for DSARs (Data Subject Access Requests). Define a 30-day response SLA. Train your customer support and engineering teams on erasure and portability procedures.
Step 5 — Transfer Mechanism (Week 5–7) Execute updated 2021 SCCs with all EU-based customers and sub-processors. Complete Transfer Impact Assessments for data flowing to India. Maintain copies in your contract repository.
Step 6 — Incident Response Integration (Ongoing) Integrate GDPR's 72-hour breach notification requirement into your existing incident response plan. If you do not yet have a formal IR plan, a free VAPT scan is a practical first step to identify the vulnerabilities most likely to cause a breach.
Bachao.AI and GDPR-Adjacent Security
Regulatory compliance and security posture are inseparable under GDPR. Article 32 requires implementing "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk, including a process for regularly testing and evaluating the effectiveness of those measures (Article 32(1)(d)). Bachao.AI, built by Dhisattva AI Pvt Ltd, automates vulnerability assessments that directly map to Article 32 obligations — identifying misconfigurations, exposed endpoints, and data-leakage vectors before a regulator or adversary does. Penetration testing evidence supporting these Article 32 obligations is also increasingly requested during due diligence and by enterprise EU customers as a procurement requirement.
Frequently Asked Questions
Does GDPR apply to a small Indian startup with a handful of EU users?
What is an EU Representative and do we actually need one?
Are Standard Contractual Clauses sufficient for transferring EU data to India?
How does GDPR's breach notification requirement differ from DPDP's?
What counts as "monitoring behaviour" under Article 3(2)(b)?
Can we use DPDP compliance as a substitute for GDPR compliance?
Sources: Regulation (EU) 2016/679 (GDPR) full text at eur-lex.europa.eu; European Data Protection Board Guidelines 3/2018 on Territorial Scope at edpb.europa.eu; Digital Personal Data Protection Act 2023 (India) at meity.gov.in; European Commission Standard Contractual Clauses (June 2021) at ec.europa.eu.