Section 33 Penalties for Sports Events: ₹50–₹250 Crore Fines Under DPDPA
| Applies to | Marathon organizers, sports event management companies, and race coordinators handling runner personal data in India. |
| Primary law | DPDPA 2023 · Section 33 |
| Penalty ceiling | Up to ₹50 crore to ₹250 crore depending on violation category: ₹250 crore for security safeguard failures, ₹200 crore for breach notification or Section 9 (children’s data) violations, ₹150 crore for consent or Significant Data Fiduciary failures, ₹50 crore residual. |
| Enforcement status | Data Protection Board accepting complaints — 2026-07 |
| Source | DPDPAReady Compliance Team |
Understanding Section 33 Penalties: Key Terms for Marathon Organizers
Marathon organizers collect sensitive personal data: runner names, ages, phone numbers, medical conditions, payment information. Section 33 of the DPDPA establishes penalties—up to ₹250 crore—when this data is mishandled. This glossary defines the key terms under Section 33 so event coordinators understand their exposure and compliance obligations.
Data Protection Board of India (DPBI)
The sole authority empowered to investigate and impose Section 33 penalties under the DPDPA. When a marathon organizer is accused of a data protection violation—say, failing to secure runner registration data—only the DPBI can investigate and fine the organization. The Board cannot delegate this power; all Section 33 penalties flow through its inquiry process and are not subject to appeal to any other body.
Security Safeguard Failure
The highest-tier violation under Section 33. When a marathon or sports event fails to implement adequate technical and organizational security measures for runner personal data, the penalty ceiling is ₹250 crore. Examples: unencrypted runner registration databases, no access controls on volunteer data, or server breaches exposed to negligent maintenance. The Schedule in Section 33 explicitly names safeguard failures as the costliest violation category because personal data is most exposed when these protections fail.
Breach Notification Failure
When a sports event discovers a data breach but fails to notify affected runners within the required timeline (or fails to notify altogether), Section 33 imposes penalties up to ₹200 crore. This also includes violations of Section 9 (children’s data). For example: a half-marathon app suffered a breach exposing 50,000 runner email addresses and phone numbers; the organizer discovered it but never told participants. The DPBI can impose up to ₹200 crore for this failure.
Consent Violation
Collecting personal data—runner names, medical conditions, contact details—without explicit, informed consent triggers Section 33 penalties up to ₹150 crore. This includes failures to honor data subject rights or misapplying legitimate-use grounds. Example: a marathon collects emergency contact information “for race purposes” but later shares or sells it to sponsors without runner consent. The DPBI can fine up to ₹150 crore.
Mitigating Factors
The DPBI does not automatically impose the maximum penalty. Section 33(2) requires the Board to consider:
“…the nature and gravity of the violation, the duration for which the violation persists, whether the violation is repetitive in nature, the amount of gain made by the data principal or data fiduciary from the violation, and any mitigating factors including the adherence of the data fiduciary to other provisions of this Act.”
A marathon organizer with a one-time, accidental breach, quick remediation, and otherwise strong data practices may receive a significantly lower fine than a repeat offender. The Board weighs all these factors during inquiry.
How Marathon Organizers Can Mitigate Section 33 Risk
- Encrypt runner data at rest and in transit using industry-standard protocols
- Implement access controls limiting staff to data they absolutely need for their role
- Maintain written, timestamped consent records for all data collection (registration, medical info, third-party sharing)
- Create and document a breach response plan with notification timelines (without undue delay = days, not weeks)
- Conduct quarterly security audits and maintain detailed audit logs of data access
- Cooperate immediately and transparently with DPBI inquiries; hiding or destroying evidence worsens penalties
- Train all staff handling runner data on Section 33 compliance and safeguard practices
Frequently Asked Questions
Q: Can a marathon organizer be fined under Section 33 if runners were not harmed?
A: Yes. Section 33 penalties are not proportional to actual harm; they are based on violation categories in the Schedule. A security safeguard failure—even if no breach occurred—can incur a fine up to ₹250 crore. However, the DPBI considers mitigating factors, so an organizer that discovered and fixed a vulnerability immediately may receive a reduced penalty or warning.
Q: Does DPDPA Section 33 apply only to large marathon events?
A: No. Section 33 penalties apply to any data fiduciary—including small, neighborhood running clubs—if they collect personal data (names, phone numbers, medical info, payment details) from participants. However, smaller organizers benefit from mitigating factors if they can show good-faith efforts at compliance and rapid remediation.
Q: What happens if a sports event notifies runners of a breach too late?
A: Late or missing breach notification is a Section 33 violation with a ceiling of ₹200 crore. The DPDPA requires notification “without undue delay” (typically interpreted as days, not weeks). The DPBI will consider how late the notice was, whether runners suffered harm, and whether the organizer made a genuine mistake. A repeated pattern of late notices will likely attract higher fines.
Q: Can a marathon be fined under Section 33 for collecting kids’ data without parental consent?
A: Yes. Section 9 violations (mishandling children’s data) fall under Section 33’s ₹200 crore ceiling. A youth marathon that collects medical conditions or parental contact info from runners under 18 without verifiable parental consent violates Section 9, triggering potential fines up to ₹200 crore. No exceptions apply to small or nonprofit events.
Q: How does the DPBI decide which penalty to impose within the ₹250 crore range?
A: The DPBI uses Section 33(2) factors: the violation’s nature and gravity, how long it persisted, whether it repeated, whether the organizer profited from it, and mitigating factors like adherence to other DPDPA provisions. A first-time security lapse discovered within days and immediately remediated may draw ₹5–₹50 crore; a deliberate, repeated breach hidden for months may draw ₹100–₹250 crore. The Board publishes no fixed formula—each case depends on these factors.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →