Industry & Compliance

GDPR and OTP for Indian Apps Serving EU Customers

How Indian apps that serve EU customers should handle GDPR for OTP flows: lawful basis, retention, transfers, joint controllers, and DPDP Act overlap.

6 May 2026 · 8 min read

StartMessaging Team

Engineering

Indian SaaS and fintechs increasingly serve EU customers. GDPR applies whenever you offer services to people in the EU and process their personal data (Art. 3(2)), no matter where the servers live. An OTP flow is personal-data processing in its own right: the phone number, the client IP, the timestamp and the delivery status of each message all identify or relate to a person, so the flow needs to be designed with that in mind.

Overview

  • GDPR applies extraterritorially.
  • OTP is personal-data processing.
  • Processor relationships need DPAs.
  • EU-to-India transfers need SCCs or adequacy.

Lawful Basis for OTP Processing

For OTP-based authentication that a user needs in order to use the service they signed up for, “performance of a contract” (Art. 6(1)(b)) is typically the cleanest lawful basis. Where the OTP is a step-up check used for fraud prevention rather than to deliver the service, legitimate interest (Art. 6(1)(f)) is the usual basis; Recital 49 recognises network and information security as such an interest, but you must document the balancing assessment. Marketing SMS is a different processing purpose and requires consent; do not reuse a number collected for authentication for promotions.

EU-to-India Data Transfer

India is not on the EU adequacy list, so EU-origin data sent to an Indian SMS provider is a restricted transfer. You need the EU Commission’s Standard Contractual Clauses (the 2021 set, in the controller-to-processor module) or another Chapter V mechanism such as Binding Corporate Rules, and, since Schrems II, a documented transfer impact assessment covering the provider’s sub-processors and the carriers that finally deliver the message.

Retention

  • OTP records minimised to the verification window plus a minimal audit trail: the challenge itself lives only for its TTL and is deleted on success or lockout, and the audit row never contains the code.
  • Phone numbers tied to the account lifecycle: keep them while the account is live, then delete or pseudonymise them when it is closed.
  • Right to erasure (Art. 17) on request, with a documented exception where a legal obligation (for example fintech record-keeping rules) requires a specific record to be kept.
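The retention points above translate into a handful of concrete choices in the OTP store: keep only a keyed digest of the code, expire it with a short TTL, write audit rows that carry a pseudonym of the number and a truncated IP rather than the raw values, and make purge and erasure first-class operations. The following Python is an added example written for this article, not StartMessaging’s code; the 6-digit code, the 5-minute window, the 30-day audit retention, the in-memory dict and the hard-coded `SERVER_KEY` are all illustrative assumptions.

```python
"""Illustrative OTP store with data minimisation (added example, not the page's code).

Assumed, not from the article: 6-digit codes, a 300 s verification window,
30-day audit retention, an in-memory dict as the store, and a server secret
that a real deployment would load from a KMS.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300                 # verification window (assumed)
AUDIT_RETENTION_SECONDS = 30 * 86400  # minimal audit trail (assumed)
MAX_ATTEMPTS = 5                      # drop the challenge after this many wrong codes
SERVER_KEY = b"example-only-rotate-me"  # hypothetical secret; use a KMS in production


def pseudonymise_phone(phone: str) -> str:
    """Keyed hash of the E.164 number so audit rows can be correlated
    without storing the number; without SERVER_KEY it cannot be reversed."""
    return hmac.new(SERVER_KEY, phone.encode(), hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Keep only the network part (/24 for IPv4, /48 for IPv6) in audit rows."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def _code_digest(pseudonym: str, code: str) -> str:
    # Keyed digest: a 6-digit code is brute-forceable against an unkeyed hash
    # if the table leaks, so the server key is part of the input.
    return hmac.new(SERVER_KEY, f"{pseudonym}:{code}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Challenge:
    digest: str
    expires_at: float
    attempts: int = 0


@dataclass
class AuditRow:
    pseudonym: str   # never the raw phone number
    ip_prefix: str   # never the full client IP
    event: str
    at: float


class OtpStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.challenges: dict[str, Challenge] = {}
        self.audit: list[AuditRow] = []

    def _log(self, pseudonym: str, ip: str, event: str) -> None:
        self.audit.append(AuditRow(pseudonym, truncate_ip(ip), event, self.clock()))

    def issue(self, phone: str, ip: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        p = pseudonymise_phone(phone)
        self.challenges[p] = Challenge(_code_digest(p, code), self.clock() + OTP_TTL_SECONDS)
        self._log(p, ip, "otp_issued")
        return code  # handed to the SMS sender; never written to the audit log

    def verify(self, phone: str, code: str, ip: str) -> bool:
        p = pseudonymise_phone(phone)
        ch = self.challenges.get(p)
        if ch is None or self.clock() > ch.expires_at:
            self.challenges.pop(p, None)  # expired challenges leave no residue
            self._log(p, ip, "otp_expired_or_missing")
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.digest, _code_digest(p, code))
        if ok or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[p]  # single use; also dropped on lockout
        self._log(p, ip, "otp_verified" if ok else "otp_failed")
        return ok

    def purge(self) -> tuple[int, int]:
        """Scheduled job: drop expired challenges and audit rows past retention."""
        now = self.clock()
        expired = [k for k, c in self.challenges.items() if now > c.expires_at]
        for k in expired:
            del self.challenges[k]
        cutoff = now - AUDIT_RETENTION_SECONDS
        before = len(self.audit)
        self.audit = [r for r in self.audit if r.at >= cutoff]
        return len(expired), before - len(self.audit)

    def erase(self, phone: str) -> int:
        """Right-to-erasure request: remove everything keyed to this number."""
        p = pseudonymise_phone(phone)
        removed = 1 if self.challenges.pop(p, None) is not None else 0
        before = len(self.audit)
        self.audit = [r for r in self.audit if r.pseudonym != p]
        return removed + (before - len(self.audit))
```

Two design choices matter for GDPR rather than for correctness. The pseudonym is an HMAC rather than a bare SHA-256 because phone numbers have a small enough space that an unkeyed hash is effectively the number itself, and the audit row keeps an IP prefix rather than the address because the prefix is enough to spot abuse (bursts from one network) without keeping a full identifier for 30 days. `erase` is keyed by the same pseudonym, which is what makes a deletion request answerable without ever having stored the number in the audit trail.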

Controller / Processor Roles

  • You are the controller: you decide why and how the number is processed.
  • The SMS provider is a processor acting on your instructions, and the aggregators and carriers it uses are sub-processors that must be listed and bound by the same obligations.
  • The Art. 28 data processing agreement is signed before any EU data flows, not after go-live.

GDPR + DPDP Overlap

The DPDP Act 2023 broadly tracks GDPR on the basics: a lawful basis, purpose limitation, data minimisation and breach notification. Where the two diverge, for example on the age below which a child needs parental consent or on breach notification windows, you generally apply the stricter rule so that one process satisfies both regimes. See our DPDP guide.

FAQ

For Indian SaaS serving EU users, StartMessaging can sign the necessary DPA and SCC documents — talk to support during onboarding.

Ready to Send OTPs?

Integrate StartMessaging in 5 minutes. No DLT registration required.