Section 33 DPDPA Penalties: ₹250 Crore Risk for Event Planners & HR Functions
| Applies to | Corporate event planners, HR teams, and employee engagement managers handling personal data in India |
| Primary law | DPDPA 2023 · Section 33 |
| Penalty ceiling | ₹50 crore to ₹250 crore depending on violation category |
| Enforcement status | Data Protection Board accepting complaints — 2026-07 |
| Source | DPDPAReady Compliance Team |
Section 33: Understanding the DPDPA Penalty Schedule for Events & HR
The Data Protection Board of India enforces compliance through Section 33, which establishes a tiered penalty structure based on violation severity. For corporate event planners and HR functions handling attendee, employee, and speaker personal data, understanding this section is critical to avoiding fines that can reach ₹250 crore.
Section 33(1) of the DPDPA states the penalty framework:
“The Board may, after holding an inquiry in the manner prescribed, impose upon a data fiduciary or a data processor any of the following penalties: (a) a penalty of up to rupees two hundred and fifty crore for failure to put in place safeguards in terms of the provisions of Chapter III [Security Safeguards]; (b) a penalty of up to rupees two hundred crore for failure to notify the breach in terms of the provisions of Chapter VIII [Breach Notification]; (c) a penalty of up to rupees one hundred and fifty crore for breach of any other provision of this Act.”
This creates three distinct penalty pathways, each with a different ceiling:
- Security safeguard failures (Chapter III): up to ₹250 crore
- Breach notification failures (Chapter VIII): up to ₹200 crore
- Other violations (including consent failures, SDN violations, erasure refusal): up to ₹150 crore
For event companies and HR departments, understanding which violation triggered an inquiry determines both the penalty ceiling and the Board’s analytical framework.
How Events & HR Trigger Section 33 Violations
Corporate events and HR functions collect extensive personal data daily:
- Employee data: Names, email, phone, department, role, salary, bank details (for payroll), date of birth, emergency contacts, spouse and dependent names, health information (for benefits or wellness programs)
- Event attendee data: Registration names, email, phone, company name, job title, dietary preferences, accessibility needs, emergency contact
- Speaker and vendor data: Full names, email, phone, bank account numbers (for honorariums), tax identification numbers
- Recruitment data: Candidate resumes, phone numbers, educational history, reference contact information, sometimes salary history
A single data breach in these systems can expose thousands of personal records and trigger Section 33 inquiries across multiple violation pathways simultaneously.
Security Safeguard Failures (₹250 Crore Ceiling)
Chapter III of DPDPA mandates security safeguards that data fiduciaries must implement. For events and HR, these include:
- Encryption of personal data in transit (HTTPS, encrypted email) and at rest (AES-256 or equivalent)
- Access controls restricting data viewing to authorized personnel only
- Audit logs recording who accessed what data, when, and for what purpose
- Annual security audits by qualified professionals
- Incident response procedures for detecting and responding to breaches
- Data retention limits (e.g., “we delete attendee data after 24 months”)
Real-world scenario: An event management company stores 50,000 attendee records—names, email addresses, company names, job titles—in a Google Sheet. The HR manager shares this sheet with all 15 team members via a link that allows comment-only access. Unknown to the company, a Google Drive indexing error exposes the sheet publicly; search engines cache it. A data activist discovers the list and publishes it online, noting “50,000 professionals doxxed by careless event organizers.”
This represents a clear Chapter III violation—the data was not encrypted (plain text in Google Sheets), access was overly permissive (all 15 team members), and there was no audit trail. The company faces a Section 33 penalty for security safeguard failure, with a ceiling of ₹250 crore.
Breach Notification Failures (₹200 Crore Ceiling)
Section 33 has a distinct penalty ceiling for failures to notify breaches—one of the largest under the Act. This reflects DPDPA’s philosophy that notification delays compound harm.
Chapter VIII (Breach Notification) requires:
- A data fiduciary to notify a grievance officer and leadership within a reasonable timeframe of discovering a breach
- If a breach is “likely to cause any harm” to affected individuals, notification within 30 days of discovery
- If a breach is “of high risk,” notification to the Data Protection Authority
- Notification must include: date of breach, nature of data involved, number of individuals affected, likely consequences, steps being taken to remedy
Real-world scenario: An HR team discovers on June 1 that a contractor’s laptop—containing a spreadsheet with 2,000 employee personal data records (names, email, phone, salary)—was stolen. The HR team investigates internally for 60 days, hoping to recover the laptop. On August 15 (76 days after discovery), they notify employees via email: “A laptop was lost; your data might be affected.” No notification to the Data Protection Authority is sent.
This is a breach notification failure under Chapter VIII—the company notified 76 days after discovery, not within 30 days. The penalty ceiling for this failure is ₹200 crore, distinct from other violations. The Board will assess factors like gravity (salary data exposed = high), duration (60 days before internal notification = very long), and remediation (whether the company offered credit monitoring).
Other Violations (₹150 Crore Ceiling)
The third penalty category includes violations not specifically categorized as security safeguard or breach notification failures. For events and HR, common violations include:
- Lack of valid consent: Collecting employee emails or attendee phone numbers without explicit consent; scraping competitor attendee lists
- Missing privacy notices: Collecting data without providing a privacy notice explaining why, how long data will be kept, and what rights individuals have
- Refusal to grant access: An attendee requests a copy of their registration data; the event company refuses or delays response
- Significant Data Fiduciary (SDN) violations: If classified as an SDN (handling data of 1M+ individuals or sensitive categories), failing to maintain data audit trails, accountability records, or transparency reports
- Misuse of personal data: Using attendee data collected “for event registration only” to sell attendee lists to sponsors without additional consent
- Erasure refusal: An individual requests deletion; the company retains data without legal justification
These violations carry a penalty ceiling of ₹150 crore, lower than security or notification failures but still substantial.
Section 33(2): How the Board Calculates Penalties
The penalty ceiling is a starting point, not an automatic fine. Section 33(2) requires the Data Protection Board to consider multiple factors when determining the actual quantum:
“(2) In determining the quantum of penalty, the Board shall have due regard to: (a) the nature and gravity of the contravention; (b) the duration of the contravention; (c) the history of non-compliance by the data fiduciary or data processor; (d) the amount of gain made, or loss caused, by the contraventions; (e) such steps as have been taken by the data fiduciary or the data processor towards remediation and compliance.”
For event and HR teams, these factors translate as follows:
Nature and gravity of the contravention:
- Exposing attendee email addresses only = lower severity
- Exposing employee salary + bank account data = higher severity
- Number of records (100 vs. 100,000) amplifies gravity
Duration of the contravention:
- Data was unencrypted for 1 month = lower duration
- Data was unencrypted for 12 months = higher duration
- Breach remediated within 1 week = mitigating factor
History of non-compliance:
- First-time violation = Board may impose lower penalty
- Prior warning from the DPA = aggravating factor
- Second or third violation = Board may approach the ceiling
Amount of gain made or loss caused:
- Company saved ₹5 lakh by avoiding security infrastructure = aggravating
- Affected individuals suffered identity theft or financial loss = aggravating
- No financial gain or loss = neutral
Steps taken toward remediation:
- Company notified individuals within 30 days of discovery = major mitigating factor
- Company retained a cybersecurity firm for forensic analysis = mitigating
- Company encrypted all systems post-breach = mitigating
- Company offered 2 years of credit monitoring to affected individuals = strong mitigation
These factors can reduce a penalty from ₹250 crore to ₹20 crore, or eliminate it entirely in borderline cases where the company self-reported and remediated proactively.
Building a Section 33 Compliance Framework for Events & HR
To avoid Section 33 penalties, implement these foundational controls:
-
Conduct a data inventory — Document all personal data types collected, where each is stored, and how long it’s retained.
-
Publish privacy notices — Write clear, plain-language privacy notices for event registration forms and employee onboarding, including what data you collect, why, how long you keep it, and how individuals can request access or deletion.
-
Implement consent management — Separate event participation consent from marketing consent; never assume consent for one use extends to another.
-
Restrict data access — Limit who can download attendee lists or access employee records using role-based access control; disable public sharing on Google Sheets; require multi-factor authentication (MFA) for admin access.
-
Encrypt all data transmissions and exports — Use HTTPS on all web forms; send CSV exports via encrypted email or secure file-sharing platforms; encrypt data on USB drives if physical storage is used.
-
Create a written breach response plan — Define steps: detect breach, notify leadership within 24 hours, investigate within 7 days, notify individuals within 30 days if required, file DPA report if high-risk, document findings and remediation.
-
Maintain access logs and audit trails — Implement audit logging in your HR system and event platform; review logs monthly for unauthorized access; retain logs for at least 12 months.
-
Add data protection clauses to vendor contracts — Ensure your event platform, HR system, email provider, and cloud storage provider have explicit DPDPA compliance clauses.
-
Schedule annual compliance audits — Hire a DPDPA-certified consultant to review your data collection, storage, retention, and deletion practices annually; implement their recommendations.
-
Train your team on DPDPA and Section 33 risk — Conduct quarterly training for all staff with data access; make clear that casual data sharing violates Chapter III and triggers Section 33 risk.
Why Section 33 Penalties Are Higher Than Expected
The penalty ceilings under Section 33 (up to ₹250 crore) surprise most event companies and mid-market HR departments. Three factors explain this design:
Scalability of harm across industries: A single breach of event data can affect thousands of individuals who then face secondary harms—phishing emails, reputational damage to their employers, identity theft risk. The compounding harm justifies high-ceiling penalties to deter inadequate data security.
Section 33(2) allows penalty reduction below the ceiling: The Board is not obligated to impose ₹250 crore penalties for all breaches. A first-time, small-scale breach discovered and notified within 30 days might result in ₹1–10 crore. The ceiling is real risk; the actual penalty depends on facts.
Deterrence from EU GDPR precedent: India’s DPDPA penalty structure closely mirrors the EU’s GDPR fine structure, which has imposed €50+ million fines. India’s DPA is signaling that data protection is a serious financial and operational risk.
Frequently Asked Questions
Q: If I fail to encrypt an attendee database, will I automatically be fined ₹250 crore under Section 33?
No. The ₹250 crore ceiling applies to security safeguard failures under Section 33(c), but Section 33(2) requires the Board to consider mitigating factors. A first-time failure affecting 1,000 attendees that was discovered and remediated within days might result in ₹5–50 crore, not ₹250 crore. However, a repeat violation, large-scale exposure (100,000+ records), delayed remediation, or evidence that the company saved money by skipping security will push penalties toward the ceiling.
Q: My event platform (Eventbrite, Splash, etc.) got hacked. Can I be held liable for Section 33 penalties?
Your contract with the platform designates them as a “data processor” and you as the “data fiduciary.” In theory, the data processor bears responsibility for security safeguards (Chapter III). However, you remain liable if: (1) you failed to vet their security practices before engagement, (2) you failed to notify individuals within 30 days after learning of the breach, or (3) you violated Section 33 through your own actions (e.g., storing a backup on an unencrypted USB drive). Always include DPDPA compliance clauses in vendor contracts.
Q: How quickly must I notify attendees of a breach to avoid the ₹200 crore Section 33 penalty for notification failures?
DPDPA Chapter VIII and Section 33(b) require notification within 30 days if a breach is “likely to cause any harm” to individuals. Notify as quickly as possible: internal (leadership, grievance officer) within 24 hours of discovery; affected individuals within 30 days; Data Protection Authority if high-risk within 30 days. Delayed or absent notification triggers the ₹200 crore ceiling, distinct from other penalties.
Q: Does Section 33 apply to small event companies and HR teams, or only large enterprises?
Section 33 applies to all data fiduciaries and data processors—including solo entrepreneurs, small event agencies, and mid-market HR departments. There is no small-business exemption. However, Section 33(2) considers “the nature and gravity” of each breach; a breach affecting 50 people inherently carries lower gravity than one affecting 50,000, so penalties will reflect this proportionality.
Q: If I’m a Significant Data Fiduciary (SDN) for events or HR, do I face higher Section 33 penalties?
Not explicitly. Section 33 does not impose higher penalty ceilings for SDNs. However, SDN classification triggers additional obligations (data audit, transparency reports, grievance officer, audit trails), and violations of these obligations fall under the “other provisions” pathway in Section 33(c), carrying a ₹150 crore ceiling. The risk for SDNs is broader compliance requirements, not higher penalty ceilings—but those broader requirements mean more ways to violate Section 33.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →