DPDPA penalties: Section 33 and the Schedule
DPDPA penalties explained: how the Data Protection Board imposes monetary penalties under Section 33, the amounts in the Schedule (up to 250 crore), and how to reduce your risk.
How penalties work
The Data Protection Board determines, after an inquiry, whether a person has committed a significant breach and imposes a monetary penalty up to the limits in the Schedule. In setting the amount it weighs the nature, gravity and duration of the breach, the type of data affected, repetition, gains or losses, and the mitigation taken.
The Schedule amounts
Headline figures include up to 250 crore rupees for failure to take reasonable security safeguards leading to a breach, up to 200 crore rupees for failing to meet children's obligations and breach-notification duties, and up to 50 crore rupees for other specified failures, with smaller amounts for other breaches.
Penalties apply to data fiduciaries and, where relevant, Consent Managers; data principals can also face a small penalty for false or frivolous grievances under the duties provisions.
How to reduce your risk
The largest penalties track the security-safeguards and children's duties, so the highest-leverage controls are reasonable security, pre-consent tracker blocking, a verifiable consent and notice flow, an age-gate for minors, and an incident-response plan that can notify the Board and affected people on time.
ConsentX provides the consent-side controls and tamper-evident evidence that demonstrate diligence and help mitigate exposure if the Board ever asks.
This page is a plain-English summary of the Digital Personal Data Protection Act, 2023 for general information and is not legal advice. Confirm your obligations with qualified counsel.
DPDPA Section 33 & Schedule questions
What is the maximum DPDPA penalty?
Up to 250 crore rupees, for failing to take reasonable security safeguards to prevent a personal data breach.
Who imposes DPDPA penalties?
The Data Protection Board of India, after an inquiry, with amounts set by the Schedule to the Act.
How can I reduce DPDPA penalty risk?
Focus on the most-penalised duties: reasonable security, pre-consent blocking, verifiable consent and notice, a children's age-gate, and a tested breach-response plan.