What are the maximum penalties under the DPDP Act 2023?

The DPDP Act 2023 Schedule specifies per-instance caps: up to Rs 250 crore for security safeguard failures, Rs 200 crore for breach notification failures, Rs 150 crore for children's data violations, and Rs 50 crore for other violations including consent, purpose limitation, and data principal rights.

Are DPDP Act penalties revenue-based or fixed?

DPDP Act penalties are fixed per-instance caps, not a percentage of revenue. The Data Protection Board has discretion to impose amounts below the maximum based on the nature, gravity, and duration of the violation.

Who enforces DPDP Act penalties in India?

Penalties are adjudicated by the Data Protection Board of India (DPBI), established under Section 18 of the DPDP Act 2023. The Board operates as a digital-first, complaint-driven adjudicatory body.

Free Tool

DPDP Act Penalty Calculator

Estimate your organisation's maximum penalty exposure under the Digital Personal Data Protection Act, 2023. Select your violation categories for an instant calculation.

Section 33 Schedule

DPDP Act Penalty Tiers

Rs 250 Cr

Security Safeguard Failure

Schedule, Item 1

Failure to implement reasonable security safeguards resulting in a personal data breach.

Rs 200 Cr

Breach Notification Failure

Schedule, Item 2

Failure to notify the Data Protection Board and affected data principals of a breach.

Rs 150 Cr

Children's Data Obligations

Schedule, Item 3

Non-compliance with verifiable parental consent or children's data processing safeguards.

Rs 50 Cr

Other Provisions

Schedule, Item 4

Consent obligations, purpose limitation, retention limits, data principal rights, or DPO requirements.

Penalties are per-instance maximums with a fixed-cap model. Unlike GDPR, which calculates fines as a percentage of global turnover, the DPDP Act applies the same ceiling regardless of company size. The Data Protection Board retains full discretion over the actual amount imposed.