DPDPA Penalties: Every Fine in the Act, Explained

Ashish KunalFounder — Pyroniq·

Last verified: 24 June 2026 against the DPDPA Schedule. Re-verified whenever the Act or Rules change (the Schedule can be amended under S.42).

India's Digital Personal Data Protection Act, 2023 (DPDPA) sets seven penalty ceilings. The highest is up to ₹250 crore for failing to take reasonable security safeguards to prevent a personal data breach (Section 8(5)); failing to notify the Data Protection Board and affected individuals of a breach carries up to ₹200 crore (Section 8(6)). Penalties are imposed by the Data Protection Board of India under Section 33(1), per the Act's Schedule, after an inquiry — the figures are statutory maximums ("may extend to"), not fixed fines. Most day-to-day obligations — notice (S.5), consent (S.6), erasure (S.12), grievance redressal (S.13) — have no dedicated penalty line and fall under the residuary ceiling of up to ₹50 crore.

The full DPDPA penalty Schedule

Section 33(1) directs the Board to impose monetary penalties "as specified in the Schedule". The Schedule has exactly seven entries:

Sl.Provision breachedSectionPenalty ceiling
1Failure to take reasonable security safeguards to prevent a personal data breachS.8(5)up to ₹250 crore
2Failure to notify the Board and affected Data Principals of a breachS.8(6)up to ₹200 crore
3Breach of additional obligations relating to childrenS.9up to ₹200 crore
4Breach of additional obligations of a Significant Data FiduciaryS.10up to ₹150 crore
5Breach of duties of the Data PrincipalS.15up to ₹10,000
6Breach of a voluntary undertaking accepted by the BoardS.32up to the cap applicable to the underlying breach
7Breach of any other provision of the Act or the Rules (residuary)up to ₹50 crore

How the Board decides the amount

The ceilings are not tariffs. Under Section 33(2), the Board weighs the nature, gravity, sensitivity and duration of the breach, whether it is repetitive, any gain realised or loss avoided, and the mitigation the organisation undertook. Penalties are credited to the Consolidated Fund of India (Section 34) — the Act provides no compensation payable to individuals, unlike the GDPR or the earlier PDP Bill drafts.

Three common misreadings

  1. "Section 12 carries a fine." Section 12 (correction and erasure), Section 13 (grievance redressal) and Section 14 (right to nominate) are data-principal rights, not penalty provisions. Failing to honour them maps to the residuary entry — up to ₹50 crore — not a section-specific fine.
  2. "Employees can claim per-head compensation." The DPDPA has no statutory damages payable to data principals. Any figure framed as "compensation per employee" under this Act is fabricated.
  3. "Add up the ceilings to get your fine." A combined figure is a statutory ceiling across the entries actually engaged, not a forecast. One incident can engage entries 1 and 2 together (an unprotected breach that also goes unreported), but the amount is always Board-determined.

Where AI tool usage fits

When employees connect AI tools to company data (via OAuth grants in Microsoft 365 or Google Workspace, or unsanctioned "shadow" tools), the exposure maps to the Schedule like this:

Compliance gapSchedule entryCeiling
Shadow or unmanaged AI tools accessing personal data without reasonable safeguardsEntry 1 — S.8(5)up to ₹250 crore
No process to notify the Board and affected employees of a breach in timeEntry 2 — S.8(6)up to ₹200 crore
Children's personal data processed without S.9 safeguardsEntry 3 — S.9up to ₹200 crore
Significant Data Fiduciary duties unmet (DPIA, audit, DPO)Entry 4 — S.10up to ₹150 crore
No S.5 notice, no valid S.6 consent, or S.11–S.13 rights not honouredEntry 7 — residuaryup to ₹50 crore

The children's-data (S.9) and Significant Data Fiduciary (S.10) entries apply only where those conditions are actually met — they are not default exposure for every organisation.

Which of these gaps does your organisation have today?

A free Pyroniq scan inventories every OAuth-consented AI tool in about six minutes.

Run Free Scan →

Primary sources

The figures above are statutory ceilings under the DPDPA 2023 Schedule. Actual penalties are determined by the Data Protection Board of India after inquiry. This guide is for awareness only and does not constitute legal advice.