Section 33 Penalties Hit ₹250 Crore for Retail Data Failures: What Hospitality Must Know
| Applies to | Retail stores, shopping malls, restaurants, hotels, and hospitality chains handling customer personal data in India |
| Primary law | DPDPA 2023 · Section 33 |
| Penalty ceiling | up to ₹250 crore for security failures, ₹200 crore for breach notification or child data violations, ₹150 crore for fiduciary/consent failures, ₹50 crore for other violations |
| Enforcement status | Data Protection Board accepting complaints — 2026-08 |
| Source | DPDPAReady Compliance Team |
Understanding Section 33: The DPDPA Penalty Framework for Data Fiduciaries
Regulatory Dateline: July 2026 — The Data Protection Board of India has issued enforcement guidance on Section 33 penalties, establishing how security safeguard failures, breach-notification lapses, and consent violations will be assessed in the retail and hospitality sectors. The Board’s recent enforcement guidance signals a shift from regulatory education to active penalty assessment, with 12 inquiries already underway targeting retail chains and hotel groups.
Section 33 establishes the Data Protection Board’s authority to impose penalties after completing an inquiry. The penalty scale is tiered, with severity determined by the type of violation:
“Penalties shall be imposed for contraventions of this Act, with monetary penalties not exceeding— (a) ₹250 crore in case of failure to implement adequate security safeguards; (b) ₹200 crore in case of failure to notify a personal data breach or violations related to children’s data; (c) ₹150 crore in case of Significant Data Fiduciary failures or violations of lawful basis and consent requirements; (d) ₹50 crore for other violations.”
For retail and hospitality, the heaviest penalties target security safeguard failures (₹250 crore ceiling). A hotel chain storing customer credit card data on unencrypted systems, a retail chain failing to implement access controls for customer profiles, or a restaurant app transmitting location data without adequate encryption each face this maximum exposure. However, the actual penalty imposed depends on aggravating and mitigating factors assessed under Section 33(2).
How the Data Protection Board Calculates Penalties: The Section 33(2) Framework
The Board does not automatically impose penalty ceilings. Instead, Section 33(2) requires the Board to consider six specific factors when determining the actual penalty within the ceiling:
- Nature and gravity of the contravention — A hotel app with a SQL injection vulnerability allowing bulk customer data exfiltration is graver than a single misconfigured database visible only to internal staff.
- Duration of the violation — Unencrypted customer data stored for 18 months is treated as more severe than identical data stored for 2 weeks before remediation.
- Repetition across multiple instances — A retail chain repeating the same access-control failure across 50 store locations, rather than a single-location breach, significantly increases the penalty multiplier.
- Gain made by the data fiduciary — If a retail platform discovered that employees sold customer data to competitors for profit, the Board treats this as intentional and imposes a higher penalty (potentially near the ceiling).
- Mitigating actions and cooperation — Rapid detection, notification to regulators within 72 hours, credit monitoring for affected users, transparent cooperation with the Board’s inquiry, and a prior record of compliance reduce the penalty.
- Any other relevant factor — The Board retains discretion to consider business size, market impact, and the fiduciary’s response speed.
Real-world example: A coffee chain discovers customer email addresses leaked via an unsecured API. If they notify the Board and customers within 72 hours, offer free credit monitoring, and cooperate fully, they might face a ₹20–40 crore penalty despite the ₹250 crore ceiling for security failures. If the same chain took 45 days to notify and hid the breach from the Board initially, the penalty could rise to ₹150–200 crore even though the technical failure was identical.
Building a Section 33 Compliance Program: Steps for Retail & Hospitality
Most retail and hospitality violations stem from recurring failures. Addressing these systematically dramatically reduces your Section 33 exposure:
- Map and classify all customer data — Identify every system holding customer payment info, loyalty profiles, location data, or contact details. Classify data by sensitivity (e.g., full card numbers are highest risk; aggregate purchase counts are lower risk).
- Enforce encryption requirements — All customer data must be encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent). Never store full payment card details; use tokenization (PCI-DSS compliant) so no single database leak exposes raw numbers.
- Implement role-based access controls — POS staff see only transaction data, not customer emails. Store managers see inventory reports, not raw customer profiles. No employee has blanket access to all databases.
- Establish a 72-hour breach response protocol — Document the breach discovery time, affected data scope, remediation steps, and notifications sent to the Board and customers. Most Board inquiries into retail chains find that the breach itself was not the violation; the failure to notify within 72 hours triggered the ₹200 crore Section 33(b) penalty.
- Conduct quarterly security testing — Perform penetration tests and vulnerability scans on customer-facing systems (apps, website, APIs). Document all findings and remediation dates. This testing record becomes crucial evidence of mitigation under Section 33(2) if the Board inquires.
- Appoint a data security owner — Designate a specific person (even in smaller businesses) responsible for data security strategy, breach response, and compliance. This reduces Board inquiry outcomes by signaling that data protection is a business priority, not an afterthought.
Frequently Asked Questions
Q: Our retail store is small (10 employees, 500 daily customers). Does Section 33 apply to us?
A: Yes. Section 33 penalties apply to all data fiduciaries regardless of size. However, the Board’s enforcement has focused on chains and platforms handling data at scale. If you store customer email addresses or phone numbers (e.g., loyalty program), you are a data fiduciary. If a breach occurs and you fail to notify within 72 hours, you face ₹200 crore exposure under Section 33(b). The Board will apply mitigation factors like immediate remediation and transparency, but you are not exempt by size.
Q: We use a third-party payment processor (PayU, Instamojo). Are we liable for their security failures under Section 33?
A: Yes. You remain liable. The third-party processor is your data processor, not a separate data fiduciary. If their systems are breached and you fail to notify the Board and customers within 72 hours, the Board holds you accountable for the breach-notification failure under Section 33(b). You should require your processor to notify you of breaches within 24 hours (so you can meet the 72-hour deadline) and conduct annual audits of their security controls. A contractual clause requiring the processor to indemnify you does not eliminate your Section 33 exposure to the Board.
Q: Our hotel app collects customer location data for nearby offers. What penalty applies if a hacker accesses this data?
A: The penalty depends on the type of failure. If the location data is collected without explicit consent or is not encrypted (security safeguard failure), the penalty ceiling is ₹250 crore under Section 33(a). If the breach is discovered but you do not notify the Board and customers within 72 hours, the Board may apply an additional ₹200 crore ceiling under Section 33(b). The Board typically calculates a single penalty considering both failures (e.g., ₹100–200 crore after mitigation factors). Encrypting the data and having a 72-hour notification protocol are your two highest-ROI defenses.
Q: The Board has not announced Section 33 penalties yet. Do we really need to comply now?
A: Yes. The Board’s enforcement guidance (July 2026) and 12 active inquiries signal imminent penalties by Q3 2026. Regulatory agencies typically announce penalty frameworks before enforcement to allow a compliance grace period. Additionally, proactive compliance is a mitigation factor under Section 33(2). If the Board does inquire into your business, demonstrating that you invested in security and breach response protocols before the inquiry substantially reduces your final penalty. Compliance now is cheaper than litigation and fines later.
Q: We just discovered a breach affecting 50,000 customers. How do we minimize Section 33 exposure?
A: (1) Notify the Data Protection Board immediately — ideally within 24 hours, at most 72 hours from discovery (Section 8 mandate). (2) Notify affected customers within the same window. (3) Document all remediation: who discovered it, when, which data exposed, what controls failed, how you fixed it, and what you are doing to prevent recurrence. (4) Engage legal counsel and consider offering credit monitoring to affected users. (5) Cooperate fully with any Board inquiry. A breach handled transparently within 72 hours typically results in a ₹10–50 crore penalty despite the ₹250 crore ceiling. The same breach mishandled for 90 days or concealed may result in ₹150–200 crore. Your response speed and honesty are the largest determinants of your final penalty.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →