Skip to main content

Legal Capsule: General Data Protection Regulation: Impact on India-based businesses by Economic Laws Practice

By
General Data Protection Regulation (“GDPR”), approved and adopted by European Parliament in April 2016, is a ‘rights based’ data protection model which allows the users to have greater rights over his/her data.  This came into force on May 25, 2018 GDPR and is today an important topic for most businesses, given the extra-territorial reach of these regulations. This article explores some of the key facets of GDPR and highlights pertinent points.


  • Applicability:Primarily, GDPR lays down rules in relation to protection of natural persons with regard to their personal data. The GDPR is applicable not only to organisations located within the European Union (“EU”), but also applies to organisations located outside of the EU if they ‘process’ personal data of EU subjects as a ‘controller’ or a ‘processor’, and where the processing activity relates to (a) offering of goods or services (including for free) to data subjects in EU; or (b) monitoring theirbehaviour if the behaviour takes place within EU.
  • Processing of personal data:‘Processing’ in the context of GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data Protection Principles: GDPR lays down specific data protection principles for processing of personal data. Each ‘controller’ and ‘processor’ needs to ensure that the personal data is (a) processed lawfully, fairly and in a transparent manner, (b) collected for a specific, explicit and legitimate purpose, (c) adequate, relevant and necessary in relation to the purposes for which it is collected, and (d) accurate and is kept up to date. There is not only a requirement to comply with the prescribed principles but the ‘controller’ should be able to demonstrate the compliance.
  • Obligation to comply with GDPR: The obligation to comply with the above principles is not only on the entity collecting personal data of EU subjects but also the entity which stores, transmits, alters, uses such personal data on behalf of the data controller.
  • Lawful data processing under GDPR: Data processing will be considered lawful under GDPR if the data subject has given consent to the processing of personal data for one or more specific purposes. But mere consent of the data subject is not sufficient. The controller shall be able to demonstrate that the data subject has provided the consent. The request for consent by the controller shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.[2] The data subject shall also have the right to withdraw his/her consent at any time, and it shall be as easy to withdraw consent as it is to give consent.
  • Sensitive personal data: Information which is considered specifically sensitive such as racial or ethnic origin or physical or mental health condition etc. cannot be obtained, stored, transmitted, processed, unless explicit consent for processing of such personal data has been provided by the data subject for one or more specified purposes.

Thinking Ahead to Minimize Exposure And Liabiities


Key takeaways for India-based organisations


The world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR, according to consultants Ernst & Young.[3] In light of the significant compliance cost and burden, companies need to start thinking about the impact on their business model and pricing strategies.

GDPR provides the data subjects greater access to ascertain the manner in which their data is processed. Each controller is now required to maintain a record of processing activities under its responsibility and there are stringent conditions prescribed for notification of the personal data breaches. Given the strict compliance norms and the quantum of penalty involved, it has become imperative for organizations to have dedicated teams for ensuring ongoing GDPR compliance.

GDPR’s extra-territorial application could potentially have a significant impact on Indian organisations, making it critical for companies to analyseand assess whether GDPR is applicable to them. The sectors which are most likely to be affected are IT and ITeS services, business process outsourcing (BPO) units, e-commerce companies catering to customers in EU etc. 


 Venture Intelligence is India's longest serving provider of data and analysis on Private Company Financials, Transactions (private equity, venture capital and M&A) & their Valuations in India.

Popular posts from this blog

PE-VC investments decline 8% to $6.2 B in Q1'24

By
Press Release: Private Equity - Venture Capital (PE-VC) firms invested over $6.2 Billion (across 205 deals) in Indian companies during the first three months of 2024, shows data from  Venture Intelligence , a research service focused on private company financials, transactions, and their valuations. (Note: These figures include Venture Capital type investments, but exclude PE investments in Real Estate). The investment amount represents a 8% fall over the $6.7 Billion (across 242 deals) invested in the same period during 2023 and also down by 6% when compared to the immediate previous quarter (which witnessed $6.6 Billion being invested across 200 deals). Deal volumes in Q1'24 also declined 15% compared to Q1'23 and were up by 3% compared to the immediate previous quarter.  Q1’24 witnessed 8 mega deals ($100 M+ rounds) worth $3.5 Billion, compared to 17 such investments (worth $3.6 Billion) in Q1’23 and 15 such deals (worth $4.1 Billion) in the immediate previous quarter.  Th
Read more

PE-VC investments in Q2'23 decline 33% to $9.9 Billion

By
Private Equity-Venture Capital (PE-VC) investments in India during the quarter ended June 2023 (Q2'23), at $9.85 Billion across 182 deals, registered a 33% decrease compared to the same period in 2022 (which saw $14.6 Billion being invested across 371 deals). The investment amount however rose 74% compared to the immediate previous quarter (which saw $5.7 Billion being invested across 181 deals), shows data from  Venture Intelligence , a research service focused on private company financials, transactions, and their valuations. The PE-VC investment figures for the first 6 months of 2023 - at $15.5 Billion (across 363 deals) - was 50% lower compared to the same period in 2022 (which saw $31 Billion being invested across 800 deals). Q2’23 witnessed 19 mega deals ($100 M+
Read more

Chiratae, Speciale and Stride Ventures win APEX'24 Venture Capital Awards

By
Chiratae Ventures, Speciale Invest and Stride Ventures were awarded as among the leading Venture Capital investors in India for 2023 as part of Venture Intelligence APEX‘24 Private Equity & Venture Capital awards event in Mumbai.  The Venture Intelligence “Awards for Private Equity Excellence” (APEX) is dedicated to celebrating the best that the Indian Private Equity & Venture Capital industry has to offer. The APEX Awardees are selected based on both Self Nomination by the participating PE-VC firms and "crowd sourced" voting from the Limited Partner, PE-VC and advisory communities. (The main criteria are Return Track Record, New Fund Raises & Follow-on Funding Rounds for Portfolio Companies) VC Investor of the Year Chiratae Ventures received the Venture Capital Investor of the Year 2023 Award on the back of 10 part exits totaling $178 million via Secondary Sales during the year. Its exits included those from retail unicorn Lenskart, SaaS Startup Pixis and baby pr
Read more

Blackstone, MO Alts and InvAscent win APEX'24 Private Equity Awards

By
Press Release Blackstone, MO Alternates (formerly Motilal Oswal PE) and InvAscent were awarded as among the leading Private Equity and Growth Capital investors in India for 2023 as part of Venture Intelligence APEX‘24 Private Equity & Venture Capital awards event in Mumbai.  The Venture Intelligence “Awards for Private Equity Excellence” (APEX) is dedicated to celebrating the best that the Indian Private Equity & Venture Capital industry has to offer. The APEX Awardees are selected based on both Self Nomination by the participating PE-VC firms and "crowd sourced" voting from the Limited Partner, PE-VC and advisory communities. (The main criteria are Return Track Record, New Fund Raises & Follow-on Funding Rounds for Portfolio Companies) PE Investor of the Year Blackstone received the Private Equity Investor of the Year 2023 Award on the back of strong complete exits during the year: from Sona Comstar and IBS Software. Ganesh Mani and Amit Dalmia, Senior Managing D
Read more

Avendus tops League Table for Transaction Advisors to PE deals in Q1'23

By
Aeka Advisors and Ambit claim the No.2 & 3 slot Avendus topped the Venture Intelligence League Table for Transaction Advisor to Private Equity Transactions for Q1 2023 advising 5 deals worth $808 million. Aeka Advisors stood second having advised 3 deals worth $228 million. Ambit followed with 4 deals worth $160 million. Ernst & Young ($114 million across 4 deals) and o3 Capital ($80 million across 2 deals) completed the top five for Q1 2023. Avendus acted as advisor to ADIA’s $500 million investment in omnichannel eyewear retailer Lenskart . Aeka Advisors acted as advisor to Kreditbee’s $160 million fundraise from Advent International, Mitsubishi UFJ Financial Group (MUFG) and existing investors. Ambit advised the $104 million fundraise of Freshtohome from Mount Judi Ventures, Iron Pillar, Amazon and others. The  Venture Intelligence League Tables , the first such initiative exclusively tracking transactions involving India-based companies, are based on the value of PE
Read more