EverydayPDF Logo
DPDP Act 2023 · India

DPDP Act Penalties: What Violations Cost, Section by Section

Updated July 5, 2026·7 min read·EverydayPDF Research

The DPDP Act's penalty schedule is the sharpest teeth any Indian privacy regime has ever had. The Data Protection Board of India can impose fines of up to ₹250 crore per instance — and "per instance" means a single breach affecting many individuals can multiply exposure.

The penalty schedule at a glance

Schedule of penalties under the DPDP Act, 2023
ViolationMaximum penalty
Failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5))₹250 crore
Failure to notify the Board and affected individuals of a personal data breach₹200 crore
Breach of obligations relating to children's personal data (Section 9)₹200 crore
Breach of additional obligations of a Significant Data Fiduciary (Section 10)₹150 crore
Breach of any other provision of the Act or Rules₹50 crore
Breach of duties by a Data Principal (e.g., filing a false complaint)₹10,000

How the Board decides the actual amount

The maximums are ceilings, not defaults. Under Section 33(2), the Board considers the nature, gravity and duration of the breach, the type of personal data affected, whether the violation was repetitive, whether the entity gained from it or avoided loss, the mitigation actions taken and their timeliness, and the proportionality of the penalty.

  • A prompt, well-documented breach response materially reduces exposure.
  • Section 32 allows a voluntary undertaking — the Board can accept remedial commitments and drop proceedings, but breaching the undertaking revives them.
  • Appeals from Board orders go to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), and further to the Supreme Court.

Why security safeguards carry the biggest fine

The ₹250 crore slab attaches to the failure to maintain reasonable security safeguards — not to the breach itself. If personal data leaks because you sent it somewhere insecure, processed it through unvetted third-party tools, or skipped encryption, the failure is yours as the Data Fiduciary, regardless of which vendor actually leaked it.

A concrete example

A firm that routinely uploads client documents — bank statements, Aadhaar copies, tax filings — to a free cloud PDF tool has transferred personal data to an unvetted foreign processor with no contract and no visibility into retention. If that data surfaces in a breach, the fiduciary's inability to demonstrate reasonable safeguards is precisely what the ₹250 crore slab targets.

Remove the upload from the equation

EverydayPDF's tools run entirely in your browser — compress, merge, redact and convert without any file leaving your device. Zero transmission means zero third-party breach surface for your documents.

Try DPDP-safe redaction

Frequently asked questions

What is the maximum penalty under the DPDP Act?+

₹250 crore per instance, for failure to take reasonable security safeguards to prevent a personal data breach. Because it applies per instance, aggregate exposure from a large or repeated breach can be higher.

Who imposes penalties under the DPDP Act?+

The Data Protection Board of India, after an inquiry in which the entity is heard. The Board became operational on 13 November 2025, and penalties for substantive obligations become imposable once those obligations take effect on 13 May 2027.

Can individuals be fined under the DPDP Act?+

Yes, but modestly. A Data Principal who breaches statutory duties — for instance, by registering a false complaint or impersonating another person — can be fined up to ₹10,000.

Is there any way to reduce or avoid a penalty?+

Yes. The Board weighs mitigation actions and their timeliness under Section 33(2), and Section 32 permits voluntary undertakings — enforceable remedial commitments that can settle proceedings. Documented security measures, prompt breach notification and cooperative conduct all materially lower exposure.

Do DPDP penalties depend on company turnover like GDPR fines?+

No. GDPR fines scale with global turnover (up to 4%). DPDP penalties are absolute rupee ceilings per violation category, applied per instance — which can be proportionally harsher for smaller organisations.

Continue reading

This guide is general information about the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025, current as of July 5, 2026. It is not legal advice — consult a qualified professional for advice on your specific obligations.