DPDPA vs GDPR – Comparative Analysis of Understanding the Lawfulness of Processing

In the complex world of data protection and privacy laws, understanding the principles that govern the lawfulness of processing personal data is crucial for compliance and ethical management of information. This blog provides a detailed comparison between the European Union’s General Data Protection Regulation (GDPR) and India’s Data Protection and Digital Personal Data Protection Act (DPDPA), focusing on their general principles, legal bases for processing personal data, conditions related to consent, legitimate interests, and the processing of sensitive data. Whether you’re a business leader, data protection officer, or just someone keen on privacy laws, this comparison sheds light on how these two major regulations approach the critical aspects of data processing lawfulness, offering insights into the global landscape of data protection.

General Principles:

GDPR Principles:

The GDPR, in Article 5, outlines seven key principles:
Lawfulness, Fairness, and Transparency: Processing must be lawful, fair, and transparent to the data subject.
Purpose Limitation: Data must be collected for specified, explicit, and legitimate purposes.
Data Minimization: Only data that is necessary for the purposes specified should be collected.
Accuracy: Data must be accurate and kept up to date.
Storage Limitation: Data should be retained only for as long as necessary for the specified purpose.
Integrity and Confidentiality: Data should be processed in a manner that ensures security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability: Data controllers are responsible for and must be able to demonstrate compliance with the other six principles.

DPDPA Principles:

The DPDPA lays down the following principles:

Lawfulness: Personal data must be processed for a lawful purpose.
Fairness: Consent should be freely given, informed, and specific.
Data Minimization: Collect only necessary data for a specified purpose.
Storage Limitation: Retain data only as long as needed, unless mandated by law.
Purpose Limitation: Process data only for specified purposes.
Integrity: Ensure completeness, accuracy, and consistency of processed data.
Confidentiality: Protect personal data with security measures.
Accountability: Comply with DPDPA provisions, conduct audits, and impact assessments when required.

Legal Basis for Processing Data:

GDPR:
Includes six lawful bases for processing personal data, subject to additions by member states:
• Consent.
• Performance of a contract.
• Legal obligation.
• Legitimate interests.
• Life protection and vital interests.
• Public interest.

DPDPA:
• Use of voluntarily provided data by the data principal for a specified purpose, where the data principal has not objected to such use.
• Performance of a state function.
• Performance of legal obligation, or in the interests of the sovereignty and integrity of India.
• To fulfil any legal obligation.
• To comply with a judicial order.
• To respond to medical emergencies involving a threat to an individual’s life.
• During a threat to public health.
• For undertaking measures to ensure public safety or provide assistance during a disaster or public order breakdown.
• For employment purposes, or to safeguard the employer from loss or liability such as corporate espionage, to maintain confidentiality of proprietary information or to provide any service or benefit sought by an employee.

GDPR Requirements for Valid Consent:
Freely Given: Consent must be voluntary, with no coercion or pressure exerted on individuals.
Specific and Informed: Consent should be given for a specific purpose, and individuals must be fully informed about the data processing activities.
Unambiguous Affirmative Action: Consent must be obtained through a clear and affirmative action, leaving no room for ambiguity.
Non-Conditional Provision of Services: Generally, the provision of a service should not be made conditional upon obtaining consent for processing that is not necessary for the service.
Distinct from Other Terms: A request for consent must be clearly distinguishable from any other terms and conditions, ensuring that individuals can grant or withhold consent separately.
Separate Consent for Different Purposes: Consent for separate processing purposes should be obtained separately to maintain clarity and specificity.
Right to Withdraw Without Detriment: Individuals have the right to withdraw their consent at any time “without detriment,” and the process for withdrawal should be as straightforward as giving consent.

DPDPA Requirements for Valid Consent:
Freely Given: Similar to the GDPR, consent must be given voluntarily, without any form of coercion.
Specific and Informed: Consent should be granted with a clear understanding of the purpose and scope of data processing.
Unconditional: The provision of a service cannot be made conditional on individuals providing consent for the collection of unnecessary data.
Unambiguous: Consent must be expressed clearly and unequivocally.
Ease of Withdrawal: Individuals should be able to withdraw their consent with a level of ease comparable to the process of giving consent.
Clear and Plain Language: Consent requests must be presented in language that is clear and easy to understand.
Multilingual Accessibility: Consent requests should be accessible in both English and all the official languages specified in the Indian Constitution.

Legal Basis for Processing Data:

Under the GDPR, there are six lawful bases for processing personal data, with the possibility of additional bases established by individual member states:
Consent: Data processing is lawful when the data subject has given clear and informed consent.
Performance of a contract: Processing is allowed when it is necessary for the performance of a contract with the data subject.
Legal obligation: Data can be processed when there is a legal obligation to do so.
Legitimate interests: Processing may be based on the legitimate interests pursued by the data controller, provided that it does not override the rights and interests of the data subject.
Life protection and vital interests: Personal data can be processed to protect someone’s life and vital interests.
Public interest: Processing for reasons of public interest or official authority is permitted.

The DPDPA in India provides an expanded list of legitimate grounds for processing personal data, which encompasses:
Voluntarily provided data for specified purposes: Data processing is permitted if the data principal provides data voluntarily for a specific purpose and does not object to its use.
Performance of a state function: Data processing can occur when it is necessary for the functioning of government or state authorities.
Legal obligation and sovereignty: Processing is allowed to meet legal obligations or to safeguard the sovereignty and integrity of India.
Compliance with judicial orders: Data can be processed to comply with judicial orders issued by the courts.
Response to medical emergencies: Personal data processing is permitted during medical emergencies that pose a threat to an individual’s life.
Threat to public health: Data can be processed during situations posing a threat to public health.
Public safety and disaster response: Processing is lawful when it pertains to ensuring public safety or providing assistance during a disaster or public order breakdown.
Employment purposes: Personal data can be processed for employment-related purposes, including safeguarding the employer from loss or liability, maintaining the confidentiality of proprietary information, and providing benefits or services to employees.

Conditions for processing sensitive data:

GDPR:
Explicit consent.
Compliance with employment and social security obligations.
Protection of life and vital interests.
Legitimate activities by not-for-profit bodies with specific aims.
Legal claims establishment, exercise, or defense.
Data made public by the individual.
Substantial public interest as defined by law.
Preventive or occupational medicine, diagnosis, and care.
Public interest in health.
Archiving, scientific, or historical research.

DPDPA:
DPDPA in India treats all personal data uniformly and does not create special categories of personal data. Therefore, the grounds for processing all personal data, including sensitive data, remain the same, with the conditions and requirements applicable to all data types.
