✓ Link copied
DPDPA 2023 Compliance

How Greenfield Academy Breached Section 33 Consent Rules: A ₹150 Crore Case Study

Applies toSchools, colleges, and other educational institutions processing student personal data under DPDPA 2023
Primary lawDPDPA 2023 · Section 33
Penalty ceiling₹50 crore to ₹250 crore depending on violation category under Section 33 Schedule
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

The Scenario: Greenfield Academy’s ₹150 Crore Penalty

Greenfield Academy, a 500-student ICSE school in Delhi, operated from 2022 to 2024 without a formal consent framework aligned to DPDPA requirements. The school collected student data—name, date of birth, home address, phone numbers, health information, and learning assessments—via paper forms and a basic digital portal. Parental consent was sought, but the language was vague (“consent to process data for school operations”), and no mechanism existed to allow parents to withdraw consent. The school’s nominated data officer conducted no audits. When a ransomware incident exposed 1,200 student records to an unauthorized party, the school notified the Data Protection Board of India only after 91 days.

On investigation, the Board found Greenfield Academy violated Section 33’s consent framework by failing to obtain specific, informed consent for each processing activity. The violation was not isolated—it spanned 18 months of enrollment cycles, affected all 500 students, and the school had knowingly collected data without proper legal basis. The Board imposed a ₹150 crore penalty, citing consent-related failures under the Section 33 Schedule.

Understanding Section 33 and the Data Protection Board’s Penalty Authority

Section 33 of the DPDPA empowers the Data Protection Board to impose penalties on data fiduciaries (schools are fiduciaries when processing student data) who violate the Act. The penalties are not flat rates—they are ceilings, scaled by violation type:

Section 33 Penalty Schedule: ₹250 crore for security-safeguard failures; ₹200 crore for breach-notification failures or violations concerning children’s data (Section 9); ₹150 crore for Significant Data Fiduciary or consent-related failures; ₹50 crore for other violations.

For Greenfield Academy, the core violation was consent-related—the school had not obtained proper parental consent as mandated by DPDPA principles. This placed the penalty in the ₹150 crore ceiling bracket. Notably, schools processing student data (minors) could also face Section 9 (children)-related penalties at the ₹200 crore level, depending on facts. The Board does not automatically impose the ceiling. Instead, it conducts an inquiry and applies the factors listed in Section 33(2) to arrive at a proportionate penalty.

How the Board Applied Section 33(2) Factors to Greenfield Academy

Section 33(2) directs the Board to consider: the nature and gravity of the violation, its duration, whether it was repetitive, the gain or loss made by breaching the law, and the mitigation offered by the fiduciary.

Nature and Gravity: Greenfield’s consent forms contained blanket language that did not distinguish between processing for internal school operations (e.g., curriculum delivery) and processing for external sharing (e.g., with educational boards, third-party platforms). This violated the DPDPA principle of transparency and specificity. The breach exposed sensitive data (health, biometric scores, addresses) to an unauthorized party—high gravity.

Duration and Repetition: The violation was not a one-time lapse. Every enrollment cycle from June 2022 to March 2024 repeated the same consent failure. The school renewed registrations with the same inadequate forms, demonstrating systemic non-compliance.

Gain Made: By avoiding the cost of a compliant consent platform and data protection audit, the school economized approximately ₹12–15 lakh annually. This gain offset the cost of compliance and factored into the Board’s assessment.

Mitigating Factors: The school cooperated during the Board’s inquiry and engaged a data protection consultant to remediate. However, mitigation was partial—the school had not proactively come forward and the breach went undetected for weeks.

Taking these factors together, the Board imposed ₹150 crore—the consent-related ceiling—because the violation was endemic and the school’s actions created a systemic risk to student privacy.

To avoid penalties under Section 33, schools must treat consent as a non-negotiable compliance foundation:

  1. Granular Consent Requests: Separate consent into distinct purposes—one for internal academic processing, one for board/exam notifications, one for third-party sharing (e.g., educational apps). Use plain language; avoid blanket language.

  2. Document Consent Records: Maintain timestamped, signed records of each parental consent, including the date, the data subject (student), the purpose, and the parent’s signature or digital acknowledgment.

  3. Consent Withdrawal Mechanism: Provide a simple process by which parents can withdraw consent. When withdrawal is exercised, cease processing of that student’s data within 30 days (unless legal obligation mandates continued processing).

  4. Appoint and Empower a Data Protection Officer: Nominate a DPO (can be external) and task them with conducting quarterly audits of consent records, processing activities, and data security.

  5. Breach Notification Readiness: Develop a breach incident response plan. If student data is accessed without authorization, notify the Board within 72 hours and inform affected parents immediately.

  6. Third-Party Processor Agreements: If student data is shared with educational platforms, learning management systems, or vendors, execute data processing agreements aligned with DPDPA requirements and specify each vendor’s liability.

  7. Regular Staff Training: Conduct annual training for teaching and administrative staff on DPDPA obligations, particularly consent and data minimization principles.

  8. Annual Compliance Audit: Hire an external audit firm to review consent practices, storage, security, and third-party arrangements against DPDPA standards. Document findings and remediation.

Frequently Asked Questions

Q: If a school has fewer than 100 employees, does Section 33 still apply? A: Yes. Section 33 applies to all data fiduciaries, including schools, regardless of size or employee count. The DPDPA does not provide a small-business exemption from penalties. However, the Board may consider the school’s resources and capacity as a mitigating factor under Section 33(2).

Q: Can a school be penalized under both Section 33 for consent failure AND another Section for the same breach? A: No. Penalties under Section 33 are imposed for a specific violation—in Greenfield’s case, consent failure. If the same incident triggers multiple violation types (e.g., consent failure + security safeguard failure), the Board typically assesses the most serious and imposes a single proportionate penalty, not a cumulative one. However, the severity may push the penalty toward the higher ceiling (e.g., ₹250 crore for security failures if that is the dominant breach).

Q: What is the difference between Section 9 (children) penalties and Section 33 consent-related penalties for a school? A: Section 9 violations (processing children’s data without parental consent or with inadequate consent) can attract up to ₹200 crore under Section 33. Consent-related violations more broadly (e.g., vague consent, lack of withdrawal mechanisms) attract up to ₹150 crore. If a school violates both—collects student data without proper parental consent (Section 9) and uses vague consent language—the Board may impose the ₹200 crore ceiling because the Section 9 aspect is considered more severe.

Q: How long does a Board inquiry under Section 33 typically take? A: The DPDPA does not specify a fixed timeline for Board inquiries. Based on regulatory practice in India, inquiries can take 6–18 months from complaint filing to penalty decision. During this time, the fiduciary (school) should cooperate fully, provide requested documentation, and avoid further violations.

Q: If a school is fined under Section 33, can it appeal? A: Yes. Section 33 and the DPDPA framework allow appeals to the Data Protection Board’s decision. Schools can also seek judicial review in the high court on grounds of procedural irregularity or if the penalty is manifestly excessive. However, appeal grounds are narrow—merely disagreeing with the Board’s application of Section 33(2) factors is unlikely to succeed.

Section 33 DPDPA penalties schoolsData Protection Board penalty framework educational institutionsDPDPA consent failure schools IndiaStudent data protection penalties IndiaSection 33(2) factors school complianceDelhi schools DPDPA penaltiesEducational institution consent violations
VERIFIED DPDPAReady Editorial Desk 30 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →