DPDPA Penalties: Every Fine in the Act, Explained
Last verified: 24 June 2026 against the DPDPA Schedule. Re-verified whenever the Act or Rules change (the Schedule can be amended under S.42).
India's Digital Personal Data Protection Act, 2023 (DPDPA) sets seven penalty ceilings. The highest is up to ₹250 crore for failing to take reasonable security safeguards to prevent a personal data breach (Section 8(5)); failing to notify the Data Protection Board and affected individuals of a breach carries up to ₹200 crore (Section 8(6)). Penalties are imposed by the Data Protection Board of India under Section 33(1), per the Act's Schedule, after an inquiry — the figures are statutory maximums ("may extend to"), not fixed fines. Most day-to-day obligations — notice (S.5), consent (S.6), erasure (S.12), grievance redressal (S.13) — have no dedicated penalty line and fall under the residuary ceiling of up to ₹50 crore.
The full DPDPA penalty Schedule
Section 33(1) directs the Board to impose monetary penalties "as specified in the Schedule". The Schedule has exactly seven entries:
| Sl. | Provision breached | Section | Penalty ceiling |
|---|---|---|---|
| 1 | Failure to take reasonable security safeguards to prevent a personal data breach | S.8(5) | up to ₹250 crore |
| 2 | Failure to notify the Board and affected Data Principals of a breach | S.8(6) | up to ₹200 crore |
| 3 | Breach of additional obligations relating to children | S.9 | up to ₹200 crore |
| 4 | Breach of additional obligations of a Significant Data Fiduciary | S.10 | up to ₹150 crore |
| 5 | Breach of duties of the Data Principal | S.15 | up to ₹10,000 |
| 6 | Breach of a voluntary undertaking accepted by the Board | S.32 | up to the cap applicable to the underlying breach |
| 7 | Breach of any other provision of the Act or the Rules (residuary) | — | up to ₹50 crore |
How the Board decides the amount
The ceilings are not tariffs. Under Section 33(2), the Board weighs the nature, gravity, sensitivity and duration of the breach, whether it is repetitive, any gain realised or loss avoided, and the mitigation the organisation undertook. Penalties are credited to the Consolidated Fund of India (Section 34) — the Act provides no compensation payable to individuals, unlike the GDPR or the earlier PDP Bill drafts.
Three common misreadings
- "Section 12 carries a fine." Section 12 (correction and erasure), Section 13 (grievance redressal) and Section 14 (right to nominate) are data-principal rights, not penalty provisions. Failing to honour them maps to the residuary entry — up to ₹50 crore — not a section-specific fine.
- "Employees can claim per-head compensation." The DPDPA has no statutory damages payable to data principals. Any figure framed as "compensation per employee" under this Act is fabricated.
- "Add up the ceilings to get your fine." A combined figure is a statutory ceiling across the entries actually engaged, not a forecast. One incident can engage entries 1 and 2 together (an unprotected breach that also goes unreported), but the amount is always Board-determined.
Where AI tool usage fits
When employees connect AI tools to company data (via OAuth grants in Microsoft 365 or Google Workspace, or unsanctioned "shadow" tools), the exposure maps to the Schedule like this:
| Compliance gap | Schedule entry | Ceiling |
|---|---|---|
| Shadow or unmanaged AI tools accessing personal data without reasonable safeguards | Entry 1 — S.8(5) | up to ₹250 crore |
| No process to notify the Board and affected employees of a breach in time | Entry 2 — S.8(6) | up to ₹200 crore |
| Children's personal data processed without S.9 safeguards | Entry 3 — S.9 | up to ₹200 crore |
| Significant Data Fiduciary duties unmet (DPIA, audit, DPO) | Entry 4 — S.10 | up to ₹150 crore |
| No S.5 notice, no valid S.6 consent, or S.11–S.13 rights not honoured | Entry 7 — residuary | up to ₹50 crore |
The children's-data (S.9) and Significant Data Fiduciary (S.10) entries apply only where those conditions are actually met — they are not default exposure for every organisation.
Which of these gaps does your organisation have today?
A free Pyroniq scan inventories every OAuth-consented AI tool in about six minutes.
Primary sources
- DPDPA Schedule (referenced by S.33(1))
- Section 33 — Penalties
- Section 12 — Right to correction and erasure
- Section 14 — Right to nominate
The figures above are statutory ceilings under the DPDPA 2023 Schedule. Actual penalties are determined by the Data Protection Board of India after inquiry. This guide is for awareness only and does not constitute legal advice.