GDPR and India's DPDP Act: Email Marketing Compliance for Indian Businesses | DexcyJet Blog

GDPR and India's DPDP Act: Email Marketing Compliance for Indian Businesses

A side-by-side guide to GDPR email marketing compliance and India's DPDP Act for Indian businesses — what each law requires, where they overlap, and what you must do before your next campaign.

Rohan Mehta

Co-founder · January 26, 2026 · 7 min read

GDPR and DPDP Act compliance for email marketing is no longer a niche concern for large enterprises with international reach. Any Indian business running email campaigns, whether to domestic subscribers under India’s DPDP Act or to EU/UK subscribers under the GDPR, needs to understand both frameworks and what they demand from its email infrastructure.

This guide puts both laws side by side, explains what each requires specifically for email marketing, identifies where they overlap and where they diverge, and gives you a concrete checklist to work through.

India’s Digital Personal Data Protection Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s first comprehensive data protection law. It received assent and was published in the Gazette in August 2023, and its provisions are being brought into force in phases by notification together with the DPDP Rules, so check which obligations are actually in force before relying on a specific deadline. MeitY (Ministry of Electronics and Information Technology) administers the Act; the Data Protection Board of India, established under the Act, is the adjudicating body that receives breach notifications and imposes penalties.

Key definitions

  • Data Principal: The individual whose personal data is being processed. Your email subscriber.
  • Data Fiduciary: The entity that determines the purpose and means of processing. Your business.
  • Data Processor: An entity that processes data on behalf of a Data Fiduciary. DexcyJet, when processing your subscriber data.
  • Consent Manager: An entity registered with the Data Protection Board through which Data Principals can give, manage, review and withdraw consent across multiple Data Fiduciaries.

What DPDP Act requires for email marketing

1. Valid consent before collection

Under Section 6, consent must be:

  • Free (not bundled as a condition of service, unless necessary for the service)
  • Specific (the subscriber must know they’re consenting to marketing email specifically)
  • Informed (the purpose must be clearly communicated before consent is given)
  • Unconditional (no “you must agree or you get no service” for optional marketing)
  • Unambiguous, with a clear affirmative action (pre-ticked checkboxes, silence or continued use of a service do not count)

2. Consent Notice

Before or at the time of requesting consent, you must give the Data Principal a Consent Notice (Section 5). The Data Principal must be able to read it in English or in any of the languages listed in the Eighth Schedule to the Constitution, so a regional-language version is the subscriber’s option, not merely yours. The notice must specify:

  • The personal data being collected (email address, name, preferences)
  • The purpose of processing (email marketing campaigns)
  • How the Data Principal can exercise their rights, including withdrawing consent and raising a grievance with you
  • How the Data Principal can make a complaint to the Data Protection Board

3. Right to withdraw consent

Data Principals can withdraw consent at any time, and the Act requires that withdrawing be as easy as giving consent, with processing stopped within a reasonable time. For email marketing that means the unsubscribe mechanism must take effect immediately: a subscriber who clicks unsubscribe must be dropped from marketing lists before the next send. Batch-processing unsubscribes the following week is not defensible, and continued sends after withdrawal are themselves processing without consent.

4. Data Fiduciary’s obligations

  • Maintain data only for the stated purpose and duration
  • Implement appropriate security safeguards
  • Notify the Data Protection Board and each affected Data Principal in the event of a personal data breach, in the form and time the Rules prescribe
  • Respond to Data Principal access and deletion requests

What’s different about DPDP Act vs GDPR

The DPDP Act is in some ways simpler and in some ways less prescriptive than GDPR. Key differences:

  • No right to data portability (unlike GDPR Article 20)
  • No general legitimate-interests basis: processing rests on consent or on the narrow “certain legitimate uses” in Section 7 (for example, data a person volunteers for a specified purpose). Marketing that an EU business would run on legitimate interests will, in practice, need consent under the DPDP Act.
  • Every Data Fiduciary must publish the contact details of a person who can answer questions about its processing and must provide a grievance-redressal channel; a Data Protection Officer is required only for Significant Data Fiduciaries designated by the government (similar in spirit to a DPO, but not identical).
  • Cross-border transfers: The Act uses a restriction (negative-list) model. Personal data may be transferred to any country unless the Central Government notifies a restriction for that country. There is no adequacy-decision mechanism as under the GDPR, but sectoral rules (for example, RBI localisation requirements for payment data) still apply on top of the Act.
  • Penalties: The Schedule to the Act caps penalties at ₹250 crore per instance for failure to take reasonable security safeguards, with lower caps for other breaches (₹200 crore for failing to notify a breach). The ₹500 crore figure that circulates online comes from an earlier draft bill, not the enacted Act.

GDPR: What It Means for Indian Businesses

The General Data Protection Regulation (EU 2016/679) applies to organisations established in the EU and, under Article 3(2), to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, regardless of where the organisation is established. The UK retained its own copy (the UK GDPR) after leaving the EU; the obligations are near-identical but it is a separate law with its own regulator (the ICO). An Indian B2B SaaS company with EU customers, or an edtech platform with EU-based learners, is subject to the GDPR.

Lawful bases for email marketing under GDPR

GDPR provides six lawful bases for processing. For marketing email, the relevant ones are:

  • Consent (Article 6(1)(a)): Required for anyone who is not already your customer. The standard (Article 4(11)) matches the DPDP Act: freely given, specific, informed, unambiguous, by a clear affirmative action. Consent collected by a list vendor for unnamed “partners” rarely meets the specificity test, so acquired lists are usually unusable.
  • Legitimate interests (Article 6(1)(f)): Available for existing customers you are marketing related products or services to, subject to a documented balancing test against the subscriber’s interests. It cannot be used for cold email to new contacts.

Note that the GDPR is not the only rule in play. The ePrivacy Directive (Article 13), implemented nationally (for example PECR in the UK), governs electronic direct marketing specifically: it requires prior consent, with a “soft opt-in” exception for existing customers who gave their address in the course of a sale, are marketed similar products, and were offered an opt-out at collection and in every message. Your legitimate-interests analysis under the GDPR has to fit inside that exception.

GDPR requirements specific to email marketing

Consent records: Article 7(1) requires you to be able to demonstrate that consent was given. Record, at minimum, the timestamp, the specific form or mechanism used, and the exact consent text (or a version identifier and hash of it) shown at the time. Most platforms also store the IP address of the opt-in request; that is useful evidence but is itself personal data, so give it a retention period rather than keeping it indefinitely.

Right to object: Under Article 21, subscribers can object to marketing processing at any time. The right is absolute — you cannot override it.

Right to erasure (Article 17): A subscriber can request deletion of their personal data. For email marketing, this means deleting their profile, engagement history and consent records and removing them from every active list. You may retain a minimal suppression entry so the address is never re-mailed if it turns up again in an import or CRM sync; that retention serves the subscriber’s own objection and is generally treated as lawful. Store the suppression entry as a keyed hash of the normalised address rather than the plaintext address, so the suppression list reveals nothing if it leaks.

Data Processing Agreement (DPA): When you use DexcyJet as your email platform, DexcyJet is a Data Processor under GDPR. A DPA must be in place. DexcyJet’s standard DPA is available under Terms of Service / Legal. It covers:

  • Processing only on documented instructions
  • Confidentiality obligations
  • Technical and organisational security measures
  • Sub-processor disclosure and approval
  • Assistance with Data Subject rights
  • Deletion or return of data on contract termination

Data transfers: Sending EU subscriber data to servers outside the EU requires a legal transfer mechanism. DexcyJet processes data in Indian data centres. For EU customers using DexcyJet, the transfer mechanism is the Standard Contractual Clauses (SCCs) incorporated into the DPA; since the Schrems II judgment, exporters are also expected to document a transfer impact assessment of the destination country. For UK subscribers the equivalent instrument is the ICO’s International Data Transfer Agreement or the UK Addendum to the EU SCCs.

Side-by-Side Comparison

Consent standard
  GDPR (EU/UK): Freely given, specific, informed, unambiguous, by clear affirmative action (Art. 4(11))
  DPDP Act (India): Free, specific, informed, unconditional, unambiguous, by clear affirmative action (s. 6)
Consent records
  GDPR (EU/UK): Must be maintained and demonstrable (Art. 7(1))
  DPDP Act (India): Must be maintained; the Data Fiduciary bears the burden of proving notice and consent
Right to withdraw
  GDPR (EU/UK): Any time, as easy as giving consent, free
  DPDP Act (India): Any time, as easy as giving consent, free
Right to erasure
  GDPR (EU/UK): Yes, with exceptions (Art. 17)
  DPDP Act (India): Yes, unless retention is required by law (s. 12)
Data portability
  GDPR (EU/UK): Yes (Art. 20)
  DPDP Act (India): Not provided
Legitimate interests
  GDPR (EU/UK): Yes, subject to a balancing test (Art. 6(1)(f)), constrained by ePrivacy rules for marketing email
  DPDP Act (India): No general equivalent; only the narrow “certain legitimate uses” in s. 7
DPO / contact requirement
  GDPR (EU/UK): DPO for certain organisations (Art. 37)
  DPDP Act (India): DPO only for Significant Data Fiduciaries; every Data Fiduciary must publish a contact person and a grievance channel
Breach notification
  GDPR (EU/UK): Supervisory authority without undue delay and, where feasible, within 72 hours; affected individuals if the risk is high
  DPDP Act (India): Data Protection Board and each affected Data Principal, in the form and time prescribed by the Rules
Cross-border transfers
  GDPR (EU/UK): Adequacy decision, SCCs (plus transfer impact assessment) or BCRs
  DPDP Act (India): Permitted to any country unless restricted by government notification
Penalties
  GDPR (EU/UK): Up to €20M or 4% of global annual turnover, whichever is higher
  DPDP Act (India): Up to ₹250 crore per instance (Schedule to the Act)

A Practical Compliance Checklist

Before building your list:

  • [ ] Draft a Consent Notice covering the data collected, the purpose, how to withdraw consent and raise a grievance, and how to complain to the Data Protection Board; make it available in English and in the Eighth Schedule languages your subscribers are likely to choose
  • [ ] Implement double opt-in to generate verifiable consent events
  • [ ] Record consent timestamp, form ID, IP address, and consent text version for each subscriber

For your email system:

  • [ ] Ensure every campaign email contains a working unsubscribe link, and send the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058) so Gmail, Yahoo and other mailbox providers can offer their own one-click unsubscribe; those providers now require this of bulk senders
  • [ ] Configure unsubscribe processing to take effect immediately, before the next send. The 10-business-day figure you will see elsewhere is the CAN-SPAM outer limit for US recipients, not a target under GDPR or the DPDP Act (DexcyJet applies unsubscribes in real time)
  • [ ] Maintain a suppression list separate from your active list
  • [ ] Execute a DPA with DexcyJet (available on request at privacy@dexcyjet.com)

For ongoing operations:

  • [ ] Publish the name and contact details of the person who answers DPDP Act queries and handles grievances (commonly called a Grievance Officer); appoint a Data Protection Officer if you are designated a Significant Data Fiduciary, or if GDPR Article 37 applies to you
  • [ ] Define and document retention periods for subscriber data
  • [ ] Build a process to respond to access and deletion requests within the statutory timeframe (one month under GDPR Article 12(3), extendable in complex cases; the period prescribed by the DPDP Rules in India)
  • [ ] Configure breach detection and notification procedures
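The consent-record, double-opt-in, suppression-list and erasure items above fit together in one data model, and getting that model right is most of the engineering work. The following is an added example, not DexcyJet’s code or API, of a minimal consent ledger: it issues single-use double-opt-in tokens, stores the evidence GDPR Article 7 and DPDP Section 6 ask for (timestamp, form, IP, the hash and version of the notice text shown), applies unsubscribes immediately, and honours erasure by deleting the profile while keeping only a keyed hash on the suppression list. The class and method names, the 48-hour token lifetime and the sample addresses are assumptions made for this illustration.

```python
"""Consent ledger for email marketing (added example; not DexcyJet's code).

Keeps four stores a real system would hold in a database:
  pending     opt-in requests waiting for the double-opt-in click
  events      per-address audit trail proving consent / withdrawal
  active      addresses campaigns may target
  suppressed  keyed hashes of addresses that must never be mailed
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 h


def normalise(email: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


class ConsentLedger:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key      # secret: suppression hashes are unlinkable without it
        self._clock = clock         # injectable for testing expiry
        self.pending = {}           # token -> opt-in request awaiting confirmation
        self.events = {}            # email -> list of consent/withdrawal events
        self.active = set()
        self.suppressed = set()     # hex digests only, never raw addresses

    def _suppression_key(self, email: str) -> str:
        # HMAC rather than plain SHA-256: a leaked list cannot be brute-forced
        # against a dictionary of addresses without the server key.
        return hmac.new(self._key, normalise(email).encode(), hashlib.sha256).hexdigest()

    def request_opt_in(self, email, form_id, ip, notice_version, notice_text):
        """Step 1 of double opt-in: record what was shown and issue a token."""
        token = secrets.token_urlsafe(32)  # single-use, unguessable, stored server-side
        self.pending[token] = {
            "email": normalise(email),
            "form_id": form_id,
            "ip": ip,
            "notice_version": notice_version,
            # Hash of the exact consent text shown; proves wording, not just a version label
            "notice_sha256": hashlib.sha256(notice_text.encode()).hexdigest(),
            "requested_at": self._clock(),
        }
        return token

    def confirm(self, token, confirm_ip):
        """Step 2: the click in the confirmation mail turns the request into consent."""
        req = self.pending.pop(token, None)  # pop => a token can only be used once
        if req is None or self._clock() - req["requested_at"] > TOKEN_TTL_SECONDS:
            return False
        req.update(action="consent_given", confirmed_at=self._clock(), confirm_ip=confirm_ip)
        self.events.setdefault(req["email"], []).append(req)
        self.active.add(req["email"])
        # A fresh, confirmed consent is the only thing that lifts a suppression.
        self.suppressed.discard(self._suppression_key(req["email"]))
        return True

    def unsubscribe(self, email):
        """Withdrawal: effective immediately, and the withdrawal itself is evidence."""
        email = normalise(email)
        self.active.discard(email)
        self.suppressed.add(self._suppression_key(email))
        self.events.setdefault(email, []).append(
            {"action": "consent_withdrawn", "at": self._clock()})
        return email not in self.active

    def erase(self, email):
        """Art. 17 / s. 12 erasure: drop everything identifying, keep only the hash."""
        email = normalise(email)
        self.active.discard(email)
        self.events.pop(email, None)
        self.suppressed.add(self._suppression_key(email))
        return email not in self.events and email not in self.active

    def can_send(self, email):
        """The one check every send path must make."""
        email = normalise(email)
        return email in self.active and self._suppression_key(email) not in self.suppressed

    def consent_proof(self, email):
        """What you hand to a regulator or the subscriber: the full event trail."""
        return list(self.events.get(normalise(email), []))
```

Two design points worth carrying into a real system: every code path that writes to the active list (imports, CRM syncs, re-activation) must consult the suppression set, and only a confirmed double opt-in should be allowed to clear an entry from it; and `erase()` must also be wired to whatever other stores hold the address (bounce logs, analytics, support tickets), since the ledger here only knows about its own four tables.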

DexcyJet stores consent events, handles unsubscribes in real time, maintains suppression lists, and provides data export/deletion APIs to support your GDPR and DPDP Act processes. See the features page for details, or sign up to start building a compliant list.

Try DexcyJet: Built with GDPR and DPDP Act compliance posture from day one — consent records, real-time unsubscribe processing, and a Data Processing Agreement included. Start free.


Related posts

More on topics from this article.

compliance

CAN-SPAM Act for Indian Businesses: What You Need to Know

CAN-SPAM Act compliance for Indian businesses sending email to US recipients — the 8 requirements, what counts as a commercial message, penalties, and how it differs from GDPR and DPDP Act.

Priya Iyer Feb 23, 2026 · 7 min
deliverability gdpr

Double Opt-In vs Single Opt-In: Which Should You Use?

A direct comparison of double opt-in vs single opt-in for email marketing — covering list quality, deliverability, GDPR, India's DPDP Act, and when each makes sense.

Megha Sharma Jan 12, 2026 · 6 min