Sections 33-34
Penalties & Enforcement
The DPDP Act 2023 establishes a robust penalty framework with fines up to ₹250 Crores for serious violations, enforced by the Data Protection Board of India.
Penalty Schedule
Breach of Personal Data (Section 8(5))
Up to ₹250 CroresFailure to notify breach to Board and Data Principals
Up to ₹200 CroresNon-compliance with obligations for children's data (Section 9)
Up to ₹200 CroresBreach of Significant Data Fiduciary obligations (Section 10)
Up to ₹150 CroresFailure to implement reasonable security safeguards
Up to ₹250 CroresNon-compliance with Board directions
Up to ₹50 CroresBreach of Data Principal duties (Section 15)
Up to ₹10,000Data Protection Board Powers
Receive and adjudicate complaints from Data Principals
Initiate inquiries suo motu or on complaint
Issue directions to Data Fiduciaries
Impose monetary penalties as per Schedule
Refer matters to Appellate Tribunal
Seek assistance from other authorities
Mitigating Factors
Penalty amounts may be reduced based on:
Immediate corrective action taken
Self-disclosure of breach
Cooperation with Board investigation
Prior compliance track record
Implementation of preventive measures
No prior violations
Appeal to Appellate Tribunal
60 Days
Time limit to file appeal from date of Board order
TDSAT
Telecom Disputes Settlement & Appellate Tribunal is the appellate authority
Supreme Court
Further appeal lies to Supreme Court on questions of law
Related Certifications
Strengthen Your Compliance Posture
Explore complementary certifications that work together to provide comprehensive security and compliance coverage.