Skip to main content

Legal Capsule: General Data Protection Regulation: Impact on India-based businesses by Economic Laws Practice

By
General Data Protection Regulation (“GDPR”), approved and adopted by European Parliament in April 2016, is a ‘rights based’ data protection model which allows the users to have greater rights over his/her data.  This came into force on May 25, 2018 GDPR and is today an important topic for most businesses, given the extra-territorial reach of these regulations. This article explores some of the key facets of GDPR and highlights pertinent points.


  • Applicability:Primarily, GDPR lays down rules in relation to protection of natural persons with regard to their personal data. The GDPR is applicable not only to organisations located within the European Union (“EU”), but also applies to organisations located outside of the EU if they ‘process’ personal data of EU subjects as a ‘controller’ or a ‘processor’, and where the processing activity relates to (a) offering of goods or services (including for free) to data subjects in EU; or (b) monitoring theirbehaviour if the behaviour takes place within EU.
  • Processing of personal data:‘Processing’ in the context of GDPR means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data Protection Principles: GDPR lays down specific data protection principles for processing of personal data. Each ‘controller’ and ‘processor’ needs to ensure that the personal data is (a) processed lawfully, fairly and in a transparent manner, (b) collected for a specific, explicit and legitimate purpose, (c) adequate, relevant and necessary in relation to the purposes for which it is collected, and (d) accurate and is kept up to date. There is not only a requirement to comply with the prescribed principles but the ‘controller’ should be able to demonstrate the compliance.
  • Obligation to comply with GDPR: The obligation to comply with the above principles is not only on the entity collecting personal data of EU subjects but also the entity which stores, transmits, alters, uses such personal data on behalf of the data controller.
  • Lawful data processing under GDPR: Data processing will be considered lawful under GDPR if the data subject has given consent to the processing of personal data for one or more specific purposes. But mere consent of the data subject is not sufficient. The controller shall be able to demonstrate that the data subject has provided the consent. The request for consent by the controller shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.[2] The data subject shall also have the right to withdraw his/her consent at any time, and it shall be as easy to withdraw consent as it is to give consent.
  • Sensitive personal data: Information which is considered specifically sensitive such as racial or ethnic origin or physical or mental health condition etc. cannot be obtained, stored, transmitted, processed, unless explicit consent for processing of such personal data has been provided by the data subject for one or more specified purposes.

Thinking Ahead to Minimize Exposure And Liabiities


Key takeaways for India-based organisations


The world’s 500 biggest corporations are on track to spend a total of $7.8 billion to comply with GDPR, according to consultants Ernst & Young.[3] In light of the significant compliance cost and burden, companies need to start thinking about the impact on their business model and pricing strategies.

GDPR provides the data subjects greater access to ascertain the manner in which their data is processed. Each controller is now required to maintain a record of processing activities under its responsibility and there are stringent conditions prescribed for notification of the personal data breaches. Given the strict compliance norms and the quantum of penalty involved, it has become imperative for organizations to have dedicated teams for ensuring ongoing GDPR compliance.

GDPR’s extra-territorial application could potentially have a significant impact on Indian organisations, making it critical for companies to analyseand assess whether GDPR is applicable to them. The sectors which are most likely to be affected are IT and ITeS services, business process outsourcing (BPO) units, e-commerce companies catering to customers in EU etc. 


 Venture Intelligence is India's longest serving provider of data and analysis on Private Company Financials, Transactions (private equity, venture capital and M&A) & their Valuations in India.

Popular posts from this blog

PE-VC investments decline 8% to $6.2 B in Q1'24

By
Press Release: Private Equity - Venture Capital (PE-VC) firms invested over $6.2 Billion (across 205 deals) in Indian companies during the first three months of 2024, shows data from  Venture Intelligence , a research service focused on private company financials, transactions, and their valuations. (Note: These figures include Venture Capital type investments, but exclude PE investments in Real Estate). The investment amount represents a 8% fall over the $6.7 Billion (across 242 deals) invested in the same period during 2023 and also down by 6% when compared to the immediate previous quarter (which witnessed $6.6 Billion being invested across 200 deals). Deal volumes in Q1'24 also declined 15% compared to Q1'23 and were up by 3% compared to the immediate previous quarter.  Q1’24 witnessed 8 mega deals ($100 M+ rounds) worth $3.5 Billion, compared to 17 such investments (worth $3.6 Billion) in Q1’23 and 15 such deals (worth $4.1 Billion) in the immediate previous quarter....
Read more

Avendus tops League Table for Transaction Advisors to PE deals in H1'24

By
Citi and Ambit claim the No.2&3 slots Avendus topped the Venture Intelligence League Table for Transaction Advisor to Private Equity Transactions in H1’2024 advising 12 deals worth $2.4 Billion. Citi stood second, having advised 1 deal worth $2 Billion. Ambit followed with 7 deals worth $797 million. Kotak Mahindra Capital ($735 million across 2 deals) and Ernst & Young ($657 million across 7 deals) completed the top five for H1’ 2024. The  Venture Intelligence League Tables , the first such initiative exclusively tracking transactions involving India-based companies, are based on the value of PE and M&A transactions advised by Financial and Legal Advisory firms. Among the larger deals in the latest quarter, Citi, KPMG , Ernst & Young advised $2 Billion acquisition of the Indian business of American Tower Corporation by Brookfield . Avendus, Ernst & Young, JM Financial, Barclays and KPMG advised $ 554 million acquisition of Shriram Housing Finance by Warb...
Read more

AZB tops League Table for Legal Advisors to PE deals in H1’24

By
Trilegal and Khaitan & Co. claim the No.2 & No.3 slots AZB & Partners (AZB) topped the Venture Intelligence League Table for Legal Advisor to Private Equity Transactions in H1 2024 advising 41 deals worth $5.4 Billion. It was followed by Trilegal ($5.1 Billion across 54 deals) and Khaitan & Co. (4.8 Billion across 46 deals) in the second and third spot respectively. Cyril Amarchand Mangaldas (CAM) ($2.9 Billion across 34 deals) and Talwar Thakore & Associates ($2.4 Billion across 9 deals) completed the top five. Among the larger Private Equity deals during H1’2024, Khaitan & Co., Talwar Thakore & Associates, S&R Associates ,and Trilegal a dvised the $2 Billion acquisition of the Indian business of American Tower Corporation by Brookfield which was the largest PE-VC investment in 2024 . AZB advised the $900 Million acquisition of Altimetrik by TPG Capital and the $840 Million acquisition of Healthium Medtech by KKR . Resolut Partners , Khaitan & ...
Read more

Citi tops League Table for Transaction Advisors to M&A deals in H1'24

By
  Ernst & Young and Avendus claim the No.2 & No.3 slots Citi , which advised the  $2 Billion acquisition of the Indian business of American Tower Corporation by Brookfield,  topped the Venture Intelligence League Table for Transaction Advisors to M&A Deals   during H1 2024. Ernst & Young stood second advising 8 deals worth $1.5 billion. Avendus followed with 7 deals worth $1.2 billion. KPMG ($1.1 billion across 5 deals) and JM Financial ($900 million across 4 deals) completed the top five. The  Venture Intelligence League Tables , the first such initiative exclusively tracking transactions involving India-based companies, are based on the value of PE and M&A transactions advised by Financial and Legal Advisory firms. Among the other larger M&A deals in H1 2024 (other than the  ATC-Brookfield deal) , Ernst & Young, KPMG and Deloitte advised $1.1 Billion acquisition in PNC Infratech 12 Road Projects by Highways Infrastructure Tr...
Read more

AZB & Partners tops League Table for Legal Advisors to M&A deals in H1’24

By
Khaitan & Co. and J Sagar Associates claim the No.2 & No.3 slots AZB & Partners topped the Venture Intelligence League Table for Legal Advisor to M&A Transactions during H1 2024 advising 37 deals worth $14.8 Billion. It was followed by Khaitan & Co. ($12.8 Billion across 32 deals) and J Sagar Associates (JSA) ($9.8 Billion across 13 deals). Cyril Amarchand Mangaldas (CAM) ($6.2 Billion across 38 deals) and Trilegal ($4.8 Billion across 20 deals) completed the top five. Among the largest M&A deals during H1 2024, AZB, JSA and Khaitan & Co. advised $8.5 Billion acquisition of Disney Hotstar by Reliance Jio . S&R Associates , Talwar Thakore & Associates (TTA), Khaitan & Co. and Trilegal advised the $2 Billion buyout deal   of  ATC India by Canadian infrastructure investor Brookfield Asset Management . CAM advised the $1.3 Billion in the acquisition of a  further  stake in Ambuja Cement  by Adani Enterprises . Among fo...
Read more