Data Protection Board of India
Complaints, Adjudication & Penalties
The Data Protection Board of India (DPBI) is the quasi-judicial authority that adjudicates complaints under the Digital Personal Data Protection Act 2023. Unified Chambers and Associates represents data fiduciaries — banks, NBFCs, ARCs, fintech companies, and corporates — in DPBI proceedings, penalty adjudication, and appeals before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Senior Partner Advocate Subodh Bajpai, LLM, MBA (XLRI), leads every engagement personally.
Our 25 years of DRT practice — representing the same institutions before tribunals with similar procedural requirements — gives us a direct advantage in DPBI adjudication. The digital-first, evidence-driven format of Board proceedings mirrors the rigour we bring to every DRT and DRAT matter.
What Is the Data Protection Board of India?
The Data Protection Board of India is established under Section 18 of the DPDP Act 2023 as the primary adjudicatory authority for data protection disputes in India. Unlike regulators that issue rules and supervise compliance proactively, the DPBI is fundamentally a complaint-driven body. It does not initiate proceedings suo motu — it adjudicates complaints filed by data principals (individuals) against data fiduciaries (organisations processing personal data).
The Board comprises a Chairperson and Members appointed by the Central Government. It is designed to be lean and digital-first: Section 18(3) provides that the Board shall function as a digital office, conducting proceedings electronically. All complaints, written responses, document submissions, and hearings take place through the Board’s digital platform. This digital-by-default architecture means that geographical location is irrelevant — a data fiduciary in Mumbai can be represented by counsel in Delhi without the logistics of physical court appearances.
The DPBI’s powers are significant. Section 21 empowers it to conduct inquiries into alleged contraventions of the Act. Section 27 provides that orders of the Board are enforceable as decrees of a civil court under the Code of Civil Procedure 1908 — meaning non-compliance with a DPBI penalty order can lead to execution proceedings, attachment of assets, and other coercive recovery mechanisms. For financial institutions accustomed to DRT proceedings, this enforcement mechanism is familiar: a DPBI order carries the same executory weight as a DRT recovery certificate.
The Board also has the power to accept voluntary undertakings from data fiduciaries under Section 22, which allows organisations to commit to specific compliance actions in exchange for potentially reduced penalties. This is an important negotiation tool that experienced counsel can leverage during the adjudication process.
How DPBI Proceedings Work
The DPBI adjudicatory process follows a structured sequence from complaint to enforcement. Understanding this procedural flow is critical for data fiduciaries because missed deadlines or inadequate responses at any stage can result in adverse orders carrying penalties of up to Rs 250 crore.
Stage 1 — Exhaustion of Fiduciary’s Grievance Mechanism
Before approaching the DPBI, a data principal must first raise their grievance with the data fiduciary through its internal complaint mechanism. Section 19 mandates this as a precondition. Only if the fiduciary fails to respond within the prescribed timeframe, or provides an unsatisfactory response, can the data principal escalate to the Board. This means that a robust internal grievance redressal mechanism is not just a compliance requirement — it is the first line of defence against DPBI proceedings. Unified Chambers advises clients on designing these mechanisms to resolve complaints before they escalate.
Stage 2 — Complaint Filing Before the DPBI
The data principal files a complaint through the Board’s digital platform, specifying the contravention alleged, the data fiduciary responsible, and the facts supporting the complaint. The Board may, at this stage, reject the complaint if it is frivolous, vexatious, or does not disclose a contravention — a crucial preliminary filter that experienced defence counsel can invoke by highlighting procedural deficiencies in the complaint itself.
Stage 3 — Inquiry & Adjudication
If the complaint proceeds, the Board initiates an inquiry under Section 21. The data fiduciary receives a copy of the complaint and an opportunity to file a written response. The Board may call for documents, records, and explanations. Proceedings are conducted digitally, with the Board following principles of natural justice — both sides get the right to be heard. The quality of the written response, supporting evidence (consent records, privacy notices, processing logs, breach timelines), and legal argumentation at this stage directly determines the outcome.
Stage 4 — Penalty Imposition
If the Board finds a contravention established, it imposes monetary penalties as prescribed in the Schedule. The Board must consider the nature and gravity of the contravention, the type of personal data affected, the repetitive nature of the contravention, whether the fiduciary made any gain or avoided any loss, and whether the fiduciary took mitigating measures. This proportionality analysis provides significant room for experienced counsel to argue for reduced penalties — demonstrating voluntary compliance steps, cooperation with the Board, and systemic remediation measures.
Stage 5 — Appeal to TDSAT
Section 25 of the DPDP Act provides that any person aggrieved by an order of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days. TDSAT has the power to confirm, modify, or set aside the DPBI order. The appellate jurisdiction adds a critical layer of judicial review — TDSAT’s decisions are further appealable to the Supreme Court of India on questions of law. For a bank or NBFC facing a Rs 200 crore penalty for breach notification failure (Schedule Sl.2), the TDSAT appeal is not optional but essential, and having counsel who understands appellate strategy from DRAT practice (the appellate tribunal for DRT matters) is a material advantage.
Representation Before the Data Protection Board
Unified Chambers provides comprehensive legal representation for data fiduciaries at every stage of DPBI proceedings. Our approach mirrors the disciplined, evidence-driven strategy we deploy in DRT adjudication — because the procedural framework, evidentiary standards, and adversarial dynamics are fundamentally similar.
Key Provisions Governing DPBI Proceedings
The following provisions of the DPDP Act 2023 form the statutory backbone of the Board’s constitution, jurisdiction, and adjudicatory process. Every data fiduciary facing a DPBI complaint must understand these sections and the legal arguments available under each.
For a comprehensive analysis of the DPDP Act 2023 and its compliance requirements, see our DPDP Compliance Guide. For sector-specific analysis, see DPDP for Banks and DPDP for NBFCs.
Data Protection Board — Key Questions Answered
What is the Data Protection Board of India (DPBI)?
The Data Protection Board of India (DPBI) is the adjudicatory authority established under Section 18 of the Digital Personal Data Protection Act 2023. It is a quasi-judicial body empowered to receive complaints from data principals, conduct inquiries against data fiduciaries, and impose monetary penalties up to Rs 250 crore per contravention. The Board is constituted by the Central Government and functions as a digital office — meaning all proceedings, filings, and hearings are conducted online by default. DPBI orders carry the force of a civil court decree under the Code of Civil Procedure 1908.
Who can file a complaint before the DPBI?
Under Section 19 of the DPDP Act, any data principal (an individual whose personal data is being processed) can file a complaint before the Data Protection Board. However, the complaint must first be made to the data fiduciary itself through its established grievance redressal mechanism. Only if the data fiduciary fails to respond within the prescribed period, or if the response is unsatisfactory, can the data principal escalate the complaint to the DPBI. The complaint must relate to a contravention of any provision of the Act or rules made thereunder.
What penalties can the Data Protection Board impose?
The DPBI can impose penalties as prescribed in the Schedule to the DPDP Act: up to Rs 250 crore for breach of security safeguards (Sl.1, Section 8(5)); up to Rs 200 crore for failure to notify the Board and affected data principals of a breach (Sl.2, Section 8(6)); up to Rs 200 crore for violations relating to children's data (Sl.3, Section 9); up to Rs 150 crore for breach of additional obligations of Significant Data Fiduciaries (Sl.4, Section 10); up to Rs 10,000 for Data Principal duties breach (Sl.5, Section 15); variable penalty for breach of voluntary undertaking (Sl.6, Section 32); and up to Rs 50 crore for breach of any other provision (Sl.7). Penalties are per contravention and can be imposed cumulatively for multiple violations arising from the same incident.
Where do appeals from DPBI orders go?
Appeals against orders of the Data Protection Board of India lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 25 of the DPDP Act. The appeal must be filed within 60 days of the DPBI order, although TDSAT has discretion to condone delay if sufficient cause is shown. TDSAT is an established appellate body already handling telecom and broadcasting disputes, and its orders are further appealable to the Supreme Court of India on questions of law. Having experienced counsel who can navigate both the DPBI proceedings and the TDSAT appellate process is critical for effective legal representation.
Are DPBI proceedings conducted online?
Yes. The DPDP Act expressly provides that the Data Protection Board shall function as a digital office under Section 18(3). All complaints, responses, inquiries, and hearings are conducted through digital means. This digital-by-default model means that written submissions, document uploads, and video-conference hearings replace traditional in-person court appearances. However, the legal rigour required is identical to a physical tribunal — procedural compliance, evidence standards, and legal argumentation remain critical. Unified Chambers prepares all digital filings and submissions to the same standard as our DRT practice.
How does Unified Chambers defend data fiduciaries before the DPBI?
Unified Chambers provides end-to-end defence for data fiduciaries before the Data Protection Board: (a) analysing the complaint to identify the alleged contravention and applicable penalty tier; (b) preparing the written response with supporting documentation — privacy notices, consent records, data processing logs, and breach notification timelines; (c) representing the fiduciary during inquiry proceedings, including cross-examination of complainant's claims; (d) arguing for penalty mitigation based on compliance measures taken, cooperation with the Board, and proportionality principles; and (e) if the DPBI order is adverse, filing and arguing the appeal before TDSAT within the 60-day limitation period. Our familiarity with DRT adjudication — a tribunal system with similar procedural requirements — translates directly to DPBI practice.
Facing a DPBI Complaint? We Defend Data Fiduciaries.
WhatsApp Advocate Subodh Bajpai directly. Describe the complaint, the contravention alleged, and your current compliance posture. Senior Partner response within one business day. Minimum engagement: Rs 50 lakhs.