DPDP Act Penalties
Complete Guide to Fines Up to Rs.250 Crore

Who’s at Risk: Every Data Fiduciary processing personal data without adequate encryption, access controls, or breach detection systems

Scenario: A fintech company stores customer Aadhaar numbers and bank details in an unencrypted database. A SQL injection attack exposes 5 million records. The company had no web application firewall, no intrusion detection system, and no encryption at rest. The Data Protection Board finds the security safeguards were not "reasonable" given the sensitivity and volume of data processed.

Who’s at Risk: Any Data Fiduciary that discovers a breach but conceals it or delays notification beyond the prescribed timeline

Scenario: An e-commerce platform discovers that a third-party vendor had unauthorised access to 2 million customer profiles for 6 months. The platform quietly patches the vulnerability but does not notify the Data Protection Board or the affected customers. A whistleblower reports the breach 3 months later. The Board imposes penalty for non-notification.

Who’s at Risk: EdTech platforms, gaming apps, social media companies, and any Data Fiduciary processing data of persons under 18

Scenario: A popular gaming app collects location data, device identifiers, and behavioural profiles of users under 14 without verifiable parental consent. The app uses this data for targeted advertising. The Board finds violations of Section 9(1) (no verifiable consent of parent/guardian) and Section 9(2) (tracking and behavioural monitoring of children).

Who’s at Risk: Large technology companies, social media platforms, and enterprises designated as SDFs by the Central Government based on volume and sensitivity of data processed

Scenario: A social media platform designated as a Significant Data Fiduciary fails to appoint a Data Protection Officer based in India, does not conduct the mandatory Data Protection Impact Assessment before launching a new AI-driven content recommendation feature, and fails to submit the periodic audit report to the Board.

Who’s at Risk: Individuals who misuse the complaint mechanism — filing false breach complaints or providing fabricated evidence to the Board

Scenario: An individual files a complaint with the Data Protection Board claiming a bank processed their data without consent. During the inquiry, it is established that the individual had explicitly consented to the processing through a signed loan agreement and knowingly filed a false complaint to pressure the bank into waiving a loan obligation.

Who’s at Risk: Any Data Fiduciary that offers a voluntary undertaking to the Board during proceedings but fails to comply with the committed actions

Scenario: A social media company facing a complaint for children's data violation offers a voluntary undertaking to implement verifiable parental consent within 90 days. The Board accepts the undertaking and defers penalty. The company fails to implement the system within the committed timeline. The Board can now impose the penalty applicable for the underlying Section 9 breach — up to Rs.200 crore.

Who’s at Risk: Any Data Fiduciary that collects data without valid consent, uses data beyond stated purpose, retains data longer than necessary, fails to establish a grievance mechanism, or transfers data to restricted countries

Scenario: A hospital collects patient health records for treatment (legitimate purpose) but shares the data with a pharmaceutical marketing company without separate consent. The hospital also retains records of discharged patients indefinitely without a retention policy, and has no grievance redressal officer. Multiple violations established under this catch-all tier.