A&Y LEGAL

DPDP Act, GDPR & Cross-Border Data Compliance

Data Privacy Case Studies.

Engagements where A&Y Legal designed and implemented privacy compliance frameworks aligned to India's DPDP Act, the EU GDPR, and sectoral regulators including the RBI and IRDAI.

Engage Counsel

If your matter resembles any of the engagements below, a 30-minute discovery call is the fastest next step.

Call +91 75977 21536
Case 01Fintech / NBFC · 2024

DPDP Act Readiness Programme for a Fintech Lender

Client: RBI-regulated digital lending platform

2M+

Records scoped

RBI

Audits cleared

DPDP+DLG

Frameworks

Challenge

A digital lender processing data of 2M+ borrowers needed end-to-end DPDP Act readiness while maintaining RBI Digital Lending Guidelines compliance.

Approach

  • ·Conducted a data-flow audit across origination, underwriting, and collections systems.
  • ·Drafted notice-and-consent architecture, DPO charter, and grievance redressal SOP.
  • ·Mapped DPDP obligations against RBI DLG to surface and resolve overlaps.

Outcome

  • ·Privacy notice and consent flows deployed across web and mobile.
  • ·Internal DPO function operationalised with quarterly reporting cadence.
  • ·Zero regulator-flagged issues during subsequent RBI audit cycle.

Counsel's Takeaway

"Privacy compliance and sectoral regulation must be architected together — never sequentially."

Call +91 75977 21536

Confidential · 30-minute discovery call

Case 02SaaS / Enterprise Tech · 2023

Cross-Border Data Transfer Architecture for a SaaS Exporter

Client: B2B SaaS company serving EU enterprises

3

EU deals closed

SCC 2021

Module used

ISO 27701

Future-ready

Challenge

An Indian SaaS company onboarding EU enterprise clients required a defensible GDPR Article 28 processing structure and Standard Contractual Clauses (SCCs) for cross-border transfers.

Approach

  • ·Drafted Data Processing Agreements aligned to EU SCCs (2021 modules).
  • ·Conducted Transfer Impact Assessments for Indian sub-processor stack.
  • ·Established sub-processor change-notification and audit-rights protocols.

Outcome

  • ·Three EU enterprise contracts closed with privacy review cleared by client counsel.
  • ·Transfer Impact Assessment template adopted as the firm's repeatable artefact.
  • ·Foundation laid for future ISO 27701 certification.

Counsel's Takeaway

"GDPR is no longer an export tax — it is a competitive credential when documented properly."

Call +91 75977 21536

Confidential · 30-minute discovery call

Explore the Practice

Read more about our Data Privacy practice

Service scope, methodology, and the philosophy that shapes how we engage.

Call +91 75977 21536

Free 30-minute discovery call · Response within 24 hours · Confidential