Why the India IT exporter needs a dual checklist, not two
An India IT services firm exporting to the EU sits at the intersection of two privacy regimes. Where it monitors EU-based employees or contractors, GDPR applies directly. Where it processes EU customers' end-customer data as a processor, the customer DPA folds GDPR Article 28 obligations into the India file even though the monitored workforce is India-based. And the DPDP Act 2023 governs the India employees regardless. Three pathways, two regimes, one operation.
Running a GDPR checklist and a DPDP checklist as separate documents is the trap. The two regimes diverge on a small number of specific points — breach-notification SLA, cross-border transfer mechanism, and the automated-decision right — and a separate-file approach lets those divergences become clause conflicts. A 24-hour customer-DPA breach SLA in one file and a 72-hour statutory SLA in another is a conflict the DPO discovers during an incident, which is the worst time to discover it. The dual checklist reconciles the divergences up front. Verify with counsel.
Cluster 1 — Lawful basis, roles, and proportionality (Items 1-5)
The first cluster establishes the legal footing for monitoring across both regimes. Five items.
Lawful basis or consent documented per data category and regime.
Document the GDPR lawful basis (usually legitimate interest with a balancing test, occasionally consent) for EU-linked employee monitoring, and the DPDP consent or fiduciary basis for India employees. The bases differ by regime; document each rather than assuming one covers both.
Evidence. Lawful-basis register per data category; legitimate-interest balancing test where used.
Proportionality test for every monitoring purpose.
GDPR Article 88 and the EDPB guidance require monitoring to be the least intrusive means of achieving a legitimate purpose. Document, per monitoring purpose, the less-intrusive alternatives considered and why they were rejected. Continuous screenshot capture rarely survives this test where deliverable-level signal achieves the same purpose.
Evidence. Proportionality assessment per purpose; rejected-alternatives log.
Controller / processor and fiduciary / processor designation reconciled.
Map the GDPR controller/processor roles and the DPDP fiduciary/processor roles for each data flow, and reconcile them. The India exporter is typically a GDPR processor for customer data and a DPDP fiduciary for its own employees; document both so the obligations attach to the right flow.
Evidence. Role-mapping matrix per data flow with reconciliation notes.
Data Protection Impact Assessment for the monitoring system.
Workplace monitoring with systematic evaluation triggers a GDPR Article 35 DPIA. The DPIA documents purpose, necessity, proportionality, risks, and mitigations. The same DPIA serves the DPDP DPIA expectation for a Significant Data Fiduciary if designated. One DPIA, both regimes.
Evidence. Current DPIA with sign-off date and review cadence.
DPO named and contactable for both regimes.
Name the Data Protection Officer with contact details published to employees and customers. The single DPO can carry both the GDPR Article 37 role and the DPDP DPO expectation; document the appointment against both.
Evidence. DPO appointment letter, published contact, dual-regime scope statement.
Cluster 2 — Transparency, minimisation, automated decisions (Items 6-12)
The second cluster covers the employee-facing obligations and the automated-decision rules. Seven items.
Employee transparency notice in the language the employee reads.
The monitoring transparency notice must reach the employee in clear language. For EU-linked employees this is a GDPR Article 13/14 obligation; for India employees a DPDP Section 5 notice. Provide both in the relevant languages with the same substantive content.
Evidence. Transparency notices per jurisdiction and language; acknowledgement log.
Data minimisation record showing what is deliberately not captured.
Data minimisation is provable only by documenting what is captured and what is deliberately not. A monitoring architecture that captures screenshots and keystrokes when deliverable-level signal suffices fails minimisation. Document the minimisation decisions, not just the capture scope.
Evidence. Capture-scope register with not-captured rationale.
Automated-decision posture documented for any productivity scoring.
Where an AI productivity score drives an increment, a PIP, or a termination, GDPR Article 22 is engaged. Document the human-in-the-loop architecture, the right to meaningful information about the logic, and the contest pathway. A score without a per-decision explanation cannot satisfy the meaningful-information requirement.
Evidence. Article 22 posture memo; human-intervention workflow; sample explanation output.
Per-decision explainability trail available from the vendor.
The vendor whose AI output influences employment decisions must produce a per-decision why-trail — rule-trace, attribution, counterfactual — not a dashboard aggregate. A vendor that cannot produce a per-decision explanation puts the Article 22 contest right out of reach. Make explainability a procurement gate.
Evidence. Vendor explainability sample; procurement-gate confirmation.
No special-category or sensitivity inference without separate basis.
Emotion, stress, health, and similar inferences are GDPR special-category data and DPDP sensitivity-adjacent. Default-on sentiment or stress scoring needs a separate explicit basis. Disable by default; require an explicit opt-in with audit logging where genuinely needed.
Evidence. Sensitivity-inference disablement default; opt-in audit log if used.
Data-subject rights pathway with one-month SLA.
Access, rectification, erasure, and objection rights need a documented pathway with the GDPR one-month SLA and the DPDP equivalent. The vendor must support the data-extraction and correction mechanics. Test with a quarterly synthetic request.
Evidence. Rights-pathway URL; sample synthetic request and response.
Idle inference uses multi-signal fusion, not raw keystroke.
Idle inference from raw keystroke or mouse counts proxies an attention signal that strains both GDPR proportionality and DPDP purpose limitation. Document an idle architecture that uses application context, deliverable proximity, and calendar overlay rather than screenshot frequency or keystroke counts.
Evidence. Idle-inference architecture diagram; signal-source disclosure.
Cluster 3 — Breach, cross-border, penalty, review (Items 13-20)
The third cluster covers incident response, transfer mechanics, penalty modelling, and the review cadence. Eight items.
Reconciled breach-notification SLA across regimes and customer DPAs.
GDPR is 72 hours to the supervisory authority; DPDP is 72 hours to the Data Protection Board; some EU customer DPAs commit to 24 hours to the customer. Architect a single incident-detection trigger that fans out to all obligations with timestamped logs. The reconciliation is the point of the dual checklist.
Evidence. Multi-track breach playbook; sample timestamped trigger fan-out.
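An added example, not from the original page, of the fan-out this item describes: one detection timestamp drives every track's deadline, each outbound notification is logged against it, and contract SLAs tighter than the statutory floor are surfaced as clause conflicts. The obligation register is constructed and the customer DPA names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed obligation register. The two statutory tracks carry the 72-hour
# figures from the checklist item; the customer DPA entries are hypothetical.
OBLIGATIONS = [
    {"track": "GDPR Art. 33 - lead supervisory authority", "hours": 72, "source": "statute"},
    {"track": "DPDP - Data Protection Board", "hours": 72, "source": "statute"},
    {"track": "Customer DPA - ExampleBank EU (hypothetical)", "hours": 24, "source": "contract"},
    {"track": "Customer DPA - ExampleRetail EU (hypothetical)", "hours": 48, "source": "contract"},
]


def parse_ts(text):
    """Parse an ISO-8601 timestamp; every clock in the playbook must be tz-aware (use UTC)."""
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    return ts


def fan_out(detected_at, obligations=OBLIGATIONS):
    """One detection timestamp -> one deadline row per obligation, tightest deadline first."""
    rows = [{**ob, "detected_at": detected_at,
             "deadline": detected_at + timedelta(hours=ob["hours"]),
             "notified_at": None} for ob in obligations]
    return sorted(rows, key=lambda r: r["deadline"])  # stable sort: register order kept on ties


def record_notification(rows, track, sent_at):
    """Log the outbound notification timestamp and whether it landed inside the deadline."""
    for row in rows:
        if row["track"] == track:
            row["notified_at"] = sent_at
            row["on_time"] = sent_at <= row["deadline"]
            return row
    raise KeyError(f"unknown notification track: {track}")


def overdue(rows, now):
    """Tracks whose deadline has passed with no notification logged."""
    return [r["track"] for r in rows if r["notified_at"] is None and now > r["deadline"]]


def clause_conflicts(obligations=OBLIGATIONS, statutory_hours=72):
    """Contract SLAs tighter than the statutory floor: the entries the clause-conflict
    log must hold so they are found before an incident, not during it."""
    return [o["track"] for o in obligations
            if o["source"] == "contract" and o["hours"] < statutory_hours]
```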
Named breach contacts and supervisory-authority map.
Name an internal breach contact (the DPO) and a customer-facing contact, and maintain a map of which EU supervisory authority is lead for each customer relationship. No single-point dependency; document the on-call rotation.
Evidence. Breach contact card; lead supervisory-authority map; on-call rotation.
Cross-border transfer mechanism documented both directions.
EU data to India needs a GDPR Chapter V mechanism — Standard Contractual Clauses with a transfer impact assessment. India employee data to EU-hosted tooling needs documentation against the DPDP Section 16 posture once the Rules are notified. Document both directions. Verify with counsel as the DPDP Rules are pending.
Evidence. SCC register; transfer impact assessment; cross-border flow map.
Employee data residency pinned to minimise transfer exposure.
The cleanest architecture pins India employee data to an India region and keeps EU customer data flows on documented SCCs, minimising both transfer obligations. A vendor that can pin India residency in writing reduces the cross-border surface; require it in the data-processing addendum.
Evidence. Residency commitment in DPA; region-pinning confirmation.
Monitoring vendor scored against both free assessments.
Score the monitoring or productivity vendor against the EU AI Act Vendor Scorecard and the DPDP Vendor Risk Assessment Worksheet for an independent verdict band on both regimes. The score is free; the PDF is email-gated only at download. Re-score on vendor or feature changes.
Evidence. Latest scorecard bands; date of last assessment; action log.
Penalty exposure modelled under both ceilings.
GDPR Article 83 caps administrative fines at up to EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher; DPDP Section 33 caps at INR 250 crore. Model both bands per failure class and plan against the higher, which for an exporter is usually the GDPR turnover basis. Both are ceilings, not expected values; verify with counsel.
Evidence. Exposure band per regime and failure class; date of last model run.
EU customer DPAs folded into the compliance file with conflict log.
Fold the EU customer DPAs into the compliance file with a clause-conflict reconciliation log so the exporter does not commit to incompatible SLAs across files. The conflict log is where the dual checklist earns its keep.
Evidence. Customer DPA register; clause-conflict reconciliation log.
Dual checklist re-run quarterly with delta log.
Quarterly re-run by the DPO with a delta log capturing regime changes, customer DPA changes, and product feature changes. Annual full re-attestation against the 20 points. The EU AI Act high-risk obligations phasing in during 2026 make the quarterly cadence necessary rather than optional. Verify with counsel.
Evidence. Quarterly delta log; annual attestation; remediation tracker.
Penalty modelling for the dual-regime DPO
The exporter's penalty exposure is the higher of the two regime ceilings applied to the realistic failure-class band. Three modelling rules.
One. The GDPR turnover-percentage basis usually dominates. Four percent of worldwide annual turnover can exceed the DPDP INR 250 crore ceiling for a mid-to-large exporter, so plan against the GDPR figure as the upper bound.
Two. Model by failure class. Consent and proportionality failures sit in a different band from breach-notification failures. Aggregate modelling understates the worst case.
Three. Re-model on customer-mix and regulatory change. A new EU financial-services customer raises the band; the EU AI Act high-risk obligations phasing in during 2026 add an obligation layer. All figures are ceilings or modelled bands, not expected enforcement values; verify with counsel.
The mistake to avoid is treating GDPR and DPDP as a single undifferentiated obligation. The two regimes converge on principles but diverge on breach SLA, transfer mechanism, and the automated-decision right. A DPO who collapses them into one generic checklist misses the reconciliation points that surface during an incident. Run them as one document, but keep the divergences explicit.
How this checklist fits the exporter compliance lifecycle
The dual checklist pairs with three other artefacts to cover the exporter's full compliance decision.
| Artefact | Use moment | Output |
|---|---|---|
| This dual checklist (20 points) | Quarterly DPO/CISO self-assessment | Pass/Gap/Critical per item with delta log |
| EU AI Act Vendor Scorecard | Score the vendor on EU AI Act readiness | Readiness band against high-risk obligations |
| DPDP Vendor Risk Assessment Worksheet | Score the vendor on DPDP readiness | Audit-Ready / Process-Led / Tool-Led / Risk-Acceptance band |
| GDPR + DPDP Dual Fine Exposure Estimator | Size your own dual fine exposure across both regimes | Indicative Low / Moderate / High / Severe band per regime |
| Explainable AI & GDPR Article 22 | Reference for the automated-decision gate | Explainability requirement detail |
Together the four cover dual self-assessment, EU AI Act vendor scoring, DPDP vendor scoring, and the explainability deep-dive. Run them in that order and the exporter's compliance file holds up to both a supervisory-authority enquiry and a Data Protection Board inquiry. Verify with counsel.
Score the vendor on GDPR and DPDP together
Two free interactive tools for the dual-regime DPO. Both email-gated only at PDF download.
Frequently asked questions
Does GDPR apply to an India IT exporter monitoring its own employees?
It can, through two routes. If the India IT exporter monitors EU-based employees or contractors, GDPR applies directly to that employee personal data. And where the India operation processes EU customers' end-customer data as a processor, the customer DPA folds GDPR Article 28 obligations into the India compliance file even though the monitored employees are India-based. Either route brings GDPR Article 88 employee-data principles and Article 22 automated-decision rules into scope alongside the DPDP Act 2023. Run a dual-regime checklist rather than two separate ones. Verify with counsel.
What is GDPR Article 88 and why does it matter for employee monitoring?
GDPR Article 88 lets member states set specific rules for processing employee personal data in the employment context, and the EDPB Guidelines 05/2020 and Opinion 2/2017 set the proportionality and transparency floor for workplace monitoring. For an India IT exporter, Article 88 matters because it raises monitoring of EU-linked employees above the generic GDPR lawful-basis test to a proportionality-and-necessity test — the monitoring must be the least intrusive means of achieving a legitimate purpose, with transparency to the employee. A monitoring architecture that fails proportionality fails Article 88 even with a documented lawful basis. Verify with counsel.
How do GDPR and DPDP differ on employee monitoring for an India exporter?
They converge more than they diverge, which is why a dual checklist works. Both require purpose limitation, data minimisation, and a lawful basis or consent. GDPR adds the Article 88 proportionality test and the Article 22 right not to be subject to solely automated decisions with legal or similarly significant effect; DPDP adds the fiduciary or processor designation and the 72-hour breach notification to the Data Protection Board. The main reconciliation points are breach-notification SLA — GDPR 72 hours to the supervisory authority, DPDP 72 hours to the Board, customer DPA sometimes 24 hours — and cross-border transfer. Run one checklist that reconciles both. Verify with counsel.
What is the penalty exposure under GDPR and DPDP for an India IT exporter?
GDPR Article 83 sets administrative fine ceilings at up to EUR 20 million or 4 percent of total worldwide annual turnover, whichever is higher, for the most serious classes. DPDP Section 33 sets statutory ceilings at INR 250 crore for the most serious classes. Both are ceilings, not expected enforcement values; the realistic band depends on failure class, data principal count, and breach-response timeliness. For an India IT exporter the GDPR exposure usually dominates because the turnover-percentage basis can exceed the DPDP rupee ceiling. Model both bands and use the higher as the planning figure. Verify with counsel.
Does GDPR Article 22 cover AI productivity scoring of employees?
Where an AI productivity score drives a decision with legal or similarly significant effect on the employee — an increment, a performance improvement plan, a termination — Article 22 is engaged and the employee has a right to meaningful information about the logic, to human intervention, and to contest the decision. A productivity AI that surfaces a score without a per-decision explanation cannot satisfy the meaningful-information requirement. The India IT exporter should require a per-decision explainability trail from any monitoring or productivity vendor whose output influences employment decisions. Verify with counsel.
How should an India IT exporter handle cross-border transfer of employee data to the EU?
Two directions to handle. EU employee or customer data flowing to India needs a GDPR Chapter V transfer mechanism — Standard Contractual Clauses are the common route, with a transfer impact assessment documenting the India legal environment. India employee data flowing to EU-hosted tooling needs documentation against the DPDP Section 16 cross-border posture once the Rules are notified. The cleanest architecture minimises both by pinning employee data to an India region and keeping the EU customer data flows on documented SCCs. Verify with counsel.
What evidence should the DPO keep to prove monitoring proportionality?
Four artefacts. A Data Protection Impact Assessment that documents the legitimate purpose, the less-intrusive alternatives considered and rejected, and the residual risk. The employee transparency notice in the language the employee reads. The data-minimisation record showing what is captured and what is deliberately not. And the per-decision explainability trail for any automated scoring. Together these four artefacts let the DPO answer the proportionality question a supervisory authority asks. Score the vendor's contribution to these artefacts with the DPDP Vendor Risk Assessment Worksheet. Verify with counsel.
Disclaimer. This checklist reflects GDPR as in force and the DPDP Act 2023 as enacted; the DPDP Rules notification is expected during 2026 and EU AI Act high-risk obligations phase in during 2026, both of which may change operational specifics including SLAs, transfer mechanics, and automated-decision rules. Penalty figures referenced (EUR 20 million / 4 percent turnover under GDPR Article 83; INR 250 crore under DPDP Section 33) are statutory ceilings, not expected enforcement values. Article 88, Article 22, and Chapter V references are written for India IT exporters with EU exposure and do not replace EU counsel review. Verify all items with your own legal counsel before relying on any output in a regulatory submission. Questions: hello@gstride.ai.
