dpdpact.co.in

This website belongs to KavachOne Solutions Pvt. Ltd., having its corporate office located in Noida, India.
DPDP Act Penalties & Enforcement in India: Complete Guide 2025 | KavachOne
⚠️ Penalty Guide: DPDP Act 2023

DPDP Act Penalties & Enforcement in India

India's Digital Personal Data Protection Act, 2023 (DPDP Act) introduces one of the most consequential penalty frameworks in Indian regulatory history, with financial penalties of up to ₹250 crore for a single breach of the security-safeguard obligation. The Data Protection Board of India (DPB) has civil-court powers of inquiry and adjudicates penalties, and early enforcement is expected to send a clear signal to the market. Here is what organisations need to know, and do, before penalties land.

⚠️ DPDP Penalty Scale (maximum per breach, from the Schedule to the Act)
Failure to take reasonable security safeguards (§8(5))
₹250 Cr
Failure to notify the Board or affected data principals of a personal data breach (§8(6))
₹200 Cr
Breach of the additional obligations for children's data (§9)
₹200 Cr
Non-compliance by a Significant Data Fiduciary with its additional obligations (§10)
₹150 Cr
Breach of any term of a voluntary undertaking accepted by the Board (§32)
Up to the penalty applicable to the breach the original proceedings concerned
Any other breach of the Act or Rules, including processing without consent or a legitimate use and failure to honour data principal rights (§4 to §7, §11 to §14)
₹50 Cr
Breach of a data principal's own duties (§15)
₹10,000
Max Single Penalty ₹250 Crore
₹250 Cr: Maximum Single Penalty Under DPDP
DPB: Data Protection Board of India, the Enforcement Authority
72 Hrs: Window for Furnishing Breach Details to the Board (set by the DPDP Rules, not the Act; the initial intimation is due without delay)
TDSAT: Telecom Disputes Settlement and Appellate Tribunal, First Appeal Forum (60 days from receipt of the order)
Supreme Court: Further Appeal Against TDSAT Orders, on substantial questions of law
Full Penalty Schedule

Complete DPDP Act Penalty Schedule: Every Head of Penalty

The Schedule to the DPDP Act (read with section 33) sets out the maximum penalty for each head of breach. These are caps: the DPB fixes the actual amount after giving the person an opportunity of being heard, having regard to the factors in section 33(2): the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the person realised a gain or avoided a loss; the mitigation action taken and its timeliness and effectiveness; proportionality and deterrent effect; and the likely impact of the penalty on the person.

⚖️ DPDP Act: Schedule Penalty Table

Penalties are per breach. Several distinct breaches found in one inquiry can each attract a separate penalty. Amounts in Indian Rupees. The "Aggravating Factors" column is this guide's reading of how the section 33(2) factors are likely to apply; the Act itself does not list aggravators per head.

| Breach | DPDP Section | Who Is Liable | Aggravating Factors | Max Penalty |
| --- | --- | --- | --- | --- |
| Failure to take reasonable security safeguards to prevent a personal data breach (the duty expressly covers processing done by a Data Processor on the fiduciary's behalf) | §8(5) | Data Fiduciary | Sensitive data involved; large number of affected individuals; evidence of negligence; prior DPB findings | ₹250 crore |
| Failure to give notice of a personal data breach to the Board and to each affected data principal | §8(6) | Data Fiduciary | Initial intimation delayed, or details not furnished to the Board within the 72 hours the Rules allow; attempted concealment; harm to affected individuals; scale of breach | ₹200 crore |
| Breach of the additional obligations for children: processing without verifiable parental consent, tracking or behavioural monitoring of children, or advertising targeted at children | §9 | Data Fiduciary | Scale of child users; deliberate age-gate bypass; commercial exploitation of children's data; repetition | ₹200 crore |
| Non-compliance by a Significant Data Fiduciary with its additional obligations (DPO based in India, independent data auditor, periodic DPIA and audit, other prescribed measures) | §10 | Significant Data Fiduciary | No DPO appointed; no DPIA or audit conducted; refusal to engage an auditor; prescribed reports not submitted | ₹150 crore |
| Breach of any term of a voluntary undertaking accepted by the DPB | §32 | The person who gave the undertaking | Deliberate breach; repetition; undertaking given to halt proceedings | Up to the penalty applicable to the breach the original proceedings concerned |
| Breach of a data principal's own duties (for example a false or frivolous complaint, or impersonation) | §15 | Data Principal | Repetition; harm caused | ₹10,000 |
| Any other breach of the Act or Rules: processing without valid consent or a recognised legitimate use (§4 to §7); failure to honour data principal rights of access, correction, erasure, grievance redressal and nomination (§11 to §14); failure to follow a DPB direction; any other obligation not listed above | §33 read with the Schedule | Data Fiduciary, or any other person in breach | Intentional non-compliance; commercial gain; sensitive data; systematic denial of rights; no response within the grievance-response period the fiduciary must publish under the Rules | ₹50 crore |

Note on Data Processors: the Act places the security-safeguard duty on the Data Fiduciary, expressly including processing done on its behalf by a Data Processor, so a processor-caused breach is penalised at the fiduciary under §8(5) and recovered from the processor only through the contract between them. The Schedule contains no separate ₹10 crore processor head.
Data Protection Board

The Data Protection Board's 6 Enforcement Powers

The Data Protection Board of India (DPB) is the body that inquires into breaches of the DPDP Act and imposes penalties. It functions as a digital office (section 28): complaints, hearings and orders are handled through digital means. Understanding what the DPB can, and cannot, do is the first step in managing enforcement risk.

🔎
Initiate Inquiries
Section 27 lists the triggers: an intimation of a personal data breach from the fiduciary itself under §8(6); a complaint from a data principal; a reference from the Central or a State Government; or the direction of a court. A separate trigger covers complaints and references concerning Consent Managers. The Act does not give the DPB a freestanding suo motu power to open inquiries on its own motion, but note that the breach intimation you are obliged to send is itself a trigger.
📂
Summon & Examine
Under section 28 the DPB has the powers of a civil court for summoning and enforcing the attendance of any person and examining them on oath, receiving evidence on affidavit, and inspecting any data, book, document, register, books of account or other document. Inquiries follow the principles of natural justice.
🔍
Inspect Records
The inspection power extends to data, documents and records held by the person under inquiry, which in practice means consent records, breach logs, processor contracts, and DPIA and audit reports. The Act confers no search-and-seizure power over premises; what it gives is the power to require production and inspection.
✍️
Accept Voluntary Undertakings
At any stage of proceedings the DPB may accept a voluntary undertaking (section 32) committing the person to take a specified action within a specified time, to refrain from a specified action, or to publicise the undertaking. Acceptance bars proceedings on the matters the undertaking covers; breach of any term is itself a breach of the Act, penalised up to the amount applicable to the original breach.
⚖️
Impose Financial Penalties
After an inquiry, and after giving the person an opportunity of being heard, the DPB may impose a penalty up to the Schedule maximum for each breach found (section 33). It must weigh the section 33(2) factors; penalties are not set at the maximum by default.
📋
Issue Directions
On receiving a breach intimation the DPB may direct urgent remedial or mitigation measures. Following an inquiry it may direct changes to processing practices, consent mechanisms or security measures, and it may refer a complaint to mediation where it considers that suitable (section 31). Failure to follow a DPB direction is a breach of the Act and falls under the residual ₹50 crore head.
Enforcement Process

How the DPB Enforcement Process Works

From triggering event to final adjudication: the five stages of a DPDP enforcement action, as laid out in sections 27 to 29 and 33.

⚡
Stage 1
Triggering Event
Breach intimation from the fiduciary under §8(6); complaint from a data principal; reference from the Central or a State Government; direction of a court; complaint or reference concerning a Consent Manager. Media or whistleblower disclosures are not themselves statutory triggers, but they routinely lead to one of these.
🔎
Stage 2
Preliminary Assessment
On receipt of a complaint the DPB determines whether there are sufficient grounds to proceed (section 28) and may close the matter at this point. It may also refer the parties to mediation under section 31. A complaint found to be false or frivolous can cost the complainant a warning or costs.
📋
Stage 3
Inquiry
The DPB issues notice, may direct the furnishing of information, summons documents and records, inspects them, and receives evidence, in line with the principles of natural justice. The organisation has the right to respond. Proceedings are conducted digitally; the DPB functions as a digital office.
⚖️
Stage 4
Adjudication
The organisation presents its defence and the mitigating factors relevant under section 33(2); the voluntary undertaking option under section 32 remains available at any stage. The DPB issues a reasoned order imposing a penalty, issuing directions, or closing the matter. Penalties realised are credited to the Consolidated Fund of India (section 34).
🏛️
Stage 5
Appeal (If Required)
Appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days of receiving the DPB order (section 29); TDSAT may admit a late appeal on sufficient cause shown and is to endeavour to dispose of appeals within six months. A further appeal lies to the Supreme Court on the grounds available under section 18 of the TRAI Act, 1997, essentially a substantial question of law. The Act prescribes no pre-deposit of the penalty as a condition of appeal.
Penalty Factors

What Increases vs Reduces Your DPDP Penalty

The DPB does not automatically impose the maximum penalty. Section 33(2) requires it to have regard to: the nature, gravity and duration of the breach; the type and nature of the personal data affected; whether the breach is repetitive; whether the person realised a gain or avoided a loss as a result; whether the person took action to mitigate the effects of the breach, and how timely and effective that action was; whether the penalty is proportionate and effective in achieving compliance and deterrence; and the likely impact of the penalty on the person. The lists below translate those statutory factors into practical aggravators and mitigators; they are this guide's reading, not a statutory list.

↑ Aggravating Factors (increase penalty)
Intentional or deliberate non-compliance rather than accidental
Large number of data principals affected by the breach
Sensitive personal data involved (financial, health, biometric, children's)
Commercial gain derived, or loss avoided, through the unlawful processing
Repetition of the breach, or prior DPB findings or warnings
Attempted concealment or destruction of evidence
Breach details not furnished to the DPB within the 72-hour window the Rules allow
Continued breach after becoming aware of it
Non-cooperation with the DPB inquiry
Harm actually caused to individuals, whether financial, physical or reputational
↓ Mitigating Factors (reduce penalty)
Prompt breach intimation to the DPB, with full details within 72 hours
Proactive compliance programme in place before the breach
A documented security framework (for example ISO 27001:2022 certification) evidencing the "reasonable security safeguards" duty
Full, genuine cooperation with the DPB inquiry
Voluntary undertaking offered at an early stage of the inquiry
Immediate, effective remediation on discovery of the breach
Comprehensive, timestamped consent and breach records as evidence of good-faith compliance
No prior enforcement history or DPB findings
Limited harm to data principals thanks to effective incident response
Likely impact of the penalty on the organisation, for example a small organisation with limited capacity to pay
Appeal Mechanism

Appealing a DPB Penalty Order

The DPDP Act provides a two-tier appeal route against DPB orders: TDSAT, then the Supreme Court. Understanding the timeline and scope of each tier is essential for enforcement response planning.

1
🏛️ DPB Adjudication Order
The Data Protection Board issues a reasoned written order after hearing the person: finding breaches and imposing a financial penalty, issuing directions, or closing the matter. The order is served on the organisation and becomes the basis of any appeal.
Written reasoned order. Penalty quantum specified. Remediation directions may be included.
2
📑 First Appeal: TDSAT, Within 60 Days
An appeal under section 29 must be filed with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days of receiving the DPB order; TDSAT may admit a later appeal if satisfied there was sufficient cause. TDSAT can confirm, modify or set aside the order and reviews both facts and law. The Act prescribes no pre-deposit of the penalty as a condition of filing; any interim stay is a matter for TDSAT's discretion.
60-day filing deadline. Fact and law review. TDSAT may confirm, modify or set aside the DPB order. Six-month target for disposal.
3
⚖️ Second Appeal: Supreme Court, Questions of Law
An appeal against a TDSAT order (other than an interlocutory order) lies to the Supreme Court of India on the grounds available under section 18 of the TRAI Act, 1997, that is, a substantial question of law. The Supreme Court examines whether TDSAT correctly applied the DPDP Act, not whether it reached the "right" factual conclusions. Constitutional challenges, for example on the Article 21 right to privacy, are a separate track from this statutory appeal route.
Substantial questions of law only. No re-examination of facts. No further statutory appeal.
Penalty Prevention

16 Steps to Avoid DPDP Penalties

The best penalty mitigation strategy is not having a breach to defend. These 16 actions, across 4 priority areas, are the most effective shields against DPB enforcement.

🤝
Consent & Legal Basis
  • Deploy ConsentiQo for all data collection points
  • Map every processing activity to consent or a legitimate use under §7
  • Maintain a timestamped, tamper-evident consent audit log
  • Enable withdrawal of consent as easily as it was given (§6(4))
🔒
Security & ISO 27001
  • Achieve ISO 27001:2022 certification
  • Encrypt personal data at rest and in transit
  • Conduct annual penetration testing
  • Run a PII Scanner across all data stores
🚨
Breach Response
  • Breach intimation process to the DPB live, with full details within 72 hours
  • Data principal notification via ConsentiQo ready
  • Annual breach simulation completed
  • Breach register maintained continuously
📋
Documentation & Governance
  • ROPA complete and current for all processing
  • DPIAs for all high-risk activities
  • Contracts with all data processors executed
  • DSAR register with SLA tracking (a 30-day target is an internal one; the Act fixes no period, and the Rules require the fiduciary to publish its response period)
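Two of the checklist items above, the timestamped consent audit log and the continuously maintained breach register, are only worth anything in a DPB inquiry if the record can be shown not to have been altered after the fact, and if the breach timeline can be read off it against the 72-hour window. The following is an added illustrative example written for this guide; it is not part of KavachOne's products or of the original page. It assumes SHA-256 hash chaining over JSON-serialised records, UTC timestamps, and that the 72-hour window runs from the moment the detection event was logged; the event names, actors and the sample timeline are constructed.

```python
"""Hash-chained evidence log for DPDP breach and consent records (added example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS_HASH = "0" * 64
# 72-hour window for furnishing breach details to the Board (DPDP Rules).
# Assumption: counted from the logged detection time.
BOARD_NOTICE_WINDOW = timedelta(hours=72)


def _canonical(body):
    # Deterministic serialisation so the same record always hashes identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _chain_hash(prev_hash, body):
    # Each record commits to the previous record's hash, forming the chain.
    return hashlib.sha256(prev_hash.encode("ascii") + _canonical(body)).hexdigest()


class EvidenceLog:
    """Append-only log of compliance events; any edit, deletion or reorder breaks the chain."""

    def __init__(self):
        self.entries = []  # dict records, oldest first

    def append(self, kind, actor, ts, **details):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "ts": ts.astimezone(timezone.utc).isoformat(),
            "kind": kind,
            "actor": actor,
            "details": details,
        }
        record = dict(body, hash=_chain_hash(prev, body))
        self.entries.append(record)
        return record["hash"]

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad record."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body.get("seq") != i or _chain_hash(prev, body) != rec.get("hash"):
                return i
            prev = rec["hash"]
        return None

    def first(self, kind):
        return next((r for r in self.entries if r["kind"] == kind), None)


def board_notice_status(log):
    """Read the breach timeline off the log and compare it with the 72-hour window."""
    detected = log.first("breach_detected")
    furnished = log.first("board_details_furnished")
    if detected is None:
        return {"status": "no_breach_recorded"}
    t0 = datetime.fromisoformat(detected["ts"])
    deadline = t0 + BOARD_NOTICE_WINDOW
    if furnished is None:
        return {"status": "pending", "deadline": deadline.isoformat()}
    t1 = datetime.fromisoformat(furnished["ts"])
    return {
        "status": "on_time" if t1 <= deadline else "late",
        "deadline": deadline.isoformat(),
        "hours_elapsed": round((t1 - t0).total_seconds() / 3600, 1),
    }


def build_sample_log(details_after_hours=70.0):
    """Constructed sample timeline (not real events) for demonstration."""
    log = EvidenceLog()
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.append("consent_recorded", "consent-service", t0 - timedelta(days=30),
               principal="p-1001", purpose="account-servicing")
    log.append("breach_detected", "soc-oncall", t0,
               system="crm-db", records_estimated=1200)
    log.append("board_intimated", "dpo", t0 + timedelta(hours=3), channel="dpb-portal")
    log.append("remediation_started", "platform-team", t0 + timedelta(hours=3),
               action="rotated database credentials")
    log.append("board_details_furnished", "dpo", t0 + timedelta(hours=details_after_hours),
               reference="constructed-ack-id")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() is None)
    print("notice status:", board_notice_status(log))
    log.entries[1]["details"]["records_estimated"] = 12  # quietly shrink the breach
    print("first broken record after tampering:", log.verify())
```

The chain only proves that the records have not changed since they were written; to make it evidence rather than a self-certification, periodically anchor the latest hash somewhere the organisation cannot rewrite, such as a write-once store or a timestamped message to outside counsel, and keep the clock that stamps the entries synchronised, since the on-time or late verdict is only as good as the timestamps.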

Build Your Penalty Shield
with KavachOne

KavachOne's integrated DPDP compliance platform (ConsentiQo, PII Scanner, ROPA, DPIA, TPRM and Breach Response) creates the documented compliance evidence that protects organisations in DPB enforcement proceedings. ISO 27001:2022 certified with PCI DSS QSA expertise, KavachOne delivers the strongest available mitigation package.

FAQs

Common Questions: DPDP Penalties & Enforcement

Can the DPB impose multiple separate penalties on a single organisation in one inquiry?
Yes. The Schedule is structured per breach, not per inquiry. If a single inquiry reveals several distinct breaches, for example failure to take reasonable security safeguards, failure to notify the breach, and processing without consent, the DPB can impose a separate penalty under each head. The caps are cumulative: on those three heads the theoretical maximum is ₹250 crore (§8(5)) + ₹200 crore (§8(6)) + ₹50 crore (the residual head, which is where a consent failure falls) = ₹500 crore. This makes the case for a comprehensive, holistic compliance programme rather than addressing obligations piecemeal.
Does the DPB have to prove intent, or is the DPDP Act a strict liability regime?
The DPDP Act imposes civil penalties, not criminal sanctions, and does not require the DPB to prove intent (mens rea): a breach of the stated obligation is sufficient to establish liability. Intent is nonetheless highly relevant to quantum. Section 33(2) requires the DPB to consider the nature, gravity and duration of the breach, the data affected, repetition, gain realised or loss avoided, mitigation and its timeliness, proportionality, and the impact of the penalty on the person, so deliberate non-compliance will attract a significantly higher penalty than an accidental or negligent breach. Organisations can reduce their exposure by documenting good-faith compliance efforts even where a breach has occurred.
Are penalties under the DPDP Act in addition to, or instead of, penalties under sector-specific laws like SEBI or RBI regulations?
In addition to, not instead of. Section 38 provides that the Act is in addition to, and not in derogation of, any other law in force. A bank that fails to notify a customer data breach could simultaneously face a DPB penalty under the DPDP Act, RBI regulatory action under the RBI cyber security framework, and SEBI action if listed-entity disclosure requirements were also breached. Organisations under multiple regulators must manage compliance across all applicable regimes, not just achieve DPDP compliance in isolation.
Can individual officers or directors be personally liable under the DPDP Act?
The Act's penalties attach to the "person" found in breach, and "person" is defined to include individuals as well as companies, firms and the State. The 2023 Act does not, however, contain the "offences by companies" clause of the earlier 2019 Bill (liability of a director, manager, secretary or other officer with whose consent or connivance, or due to whose neglect, a breach occurred), and it creates no criminal offences. Personal exposure therefore arises only where an individual is themselves the Data Fiduciary or otherwise the person in breach; for directors of a company the exposure is indirect, through the company's penalty and their own governance duties under company law. Board-level DPDP oversight remains the right response.
How should organisations prepare for a DPB inquiry if one is initiated?
Preparation should start well before any enforcement action, not in response to a notice. The most important steps are: maintaining a comprehensive, current ROPA; keeping consent audit logs and breach records; having documented security policies (ISO 27001 certification helps evidence the "reasonable security safeguards"); retaining evidence of rights-request fulfilment; and having a DPO or designated contact who can deal with the DPB through its digital office. If a notice is received, engage specialist DPDP legal counsel immediately, preserve all records (destruction would be a serious aggravating factor), respond within the DPB's stated timeline, and seriously consider a voluntary undertaking under section 32 as a way to demonstrate good faith and bring proceedings on the covered matters to a close.