✓ Link copied
DPDPA 2023 Compliance

Section 33 Penalties for Trade Shows: ₹50–₹250 Crore Violation Breakdown

Applies toTrade Shows & Exhibitions operating in India
Primary lawDPDPA 2023 · Section 33
Penalty ceiling₹50 crore to ₹250 crore depending on violation category
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

The Section 33 Penalty Schedule: Five Tiers Compared

Trade show and exhibition organizers handle sensitive data from thousands of attendees and exhibitors—but Section 33 of the DPDPA imposes steep penalties for mishandling. The Act’s Schedule sets five penalty tiers, from ₹50 crore to ₹250 crore, depending on violation type. This post maps each tier to real trade-show scenarios and shows how the Data Protection Board calculates penalties within each ceiling.

Penalty Tier Comparison Table

Violation CategoryDPDPA SectionPenalty CeilingTrade Show TriggerBoard Factors
Security Safeguard FailureSection 4 (via Section 33(1)(b))₹250 croreInadequate encryption, uncontrolled vendor access, no incident-response plan, data stored without protectionNature (deliberate vs. negligent), gravity (scale of exposure), duration (how long undetected), repetition (pattern of failure), gain made (misuse profit), mitigation (speed of remediation)
Breach Notification FailureSection 8 (via Section 33(1)(c))₹200 croreBreach occurs; organizer delays or fails to notify affected individuals or Board within prescribed windowTimeliness of Board disclosure, scope/volume of data breached, severity of harm to data subjects, evidence of intentional concealment
Children Safeguard FailureSection 9 (via Section 33(1)(c))₹200 croreCollection of child visitor/parent data without parental consent, age-gate bypassed, no restricted marketing appliedAge of children affected, volume of child records, duration of violation, whether organizer knowingly violated
Significant Data Fiduciary / Consent FailureSections 33(1)(d) + Section 6₹150 croreLarge-scale data collection without valid consent, misapplied “legitimate use” ground, inadequate privacy noticeConsent scope vs. actual use, transparency of notice, legitimacy defense strength, whether harm/misuse occurred
Other ContraventionsSection 33(1)(e): residual violations₹50 croreData retention beyond statutory limit, poor audit trails, inadequate anonymization, non-cooperation with BoardSystemic vs. isolated failure, evidence of intent, ease/speed of remediation

How the Board Calculates Within Each Ceiling

Section 33(2) mandates that the Board consider five specific factors when determining the penalty amount. These factors do not change the ceiling—they determine where within it the fine lands.

Example 1: Security Failure (Tier 1, ₹250 Crore Ceiling)

Scenario: Trade show organizer stores 50,000 attendee photos and emails on an unsecured server with no encryption. A third-party vendor gains access; data is exfiltrated.

Board’s Analysis Under Section 33(2):

  • Nature: Negligent (no deliberate intent; organizer simply failed to encrypt after prior audit warnings).
  • Gravity: High (50,000 records exposed, including children and families; photographs are sensitive biometric data).
  • Duration: 6 months before discovery (critical—long exposure window).
  • Repetition: First breach, but organizer had received prior audit warnings and ignored them (pattern of non-compliance).
  • Gain: Minimal (no evidence of resale or fraud; exposure was accidental).
  • Mitigation: Organizer immediately notified Board, engaged incident-response firm, overhauled encryption, offered free credit-monitoring to affected attendees.

Board Penalty: ₹165–180 crore (below the ₹250 crore ceiling because robust mitigation and lack of gain offset gravity and duration).

Example 2: Breach Notification Failure (Tier 2, ₹200 Crore Ceiling)

Scenario: Organizer discovers breach on Day 3. Notifies affected exhibitors on Day 5. Notifies the Board on Day 50 (prescribed window is 72 hours).

Board’s Analysis Under Section 33(2):

  • Nature: Deliberate delay (organizer internally acknowledged breach on Day 3 but waited 47 days to notify Board, citing “reputational assessment”).
  • Gravity: Moderate (10,000 exhibitor records; low sensitivity—business cards, phone numbers only; no children’s data).
  • Duration: 47 days of non-disclosure to Board (grave violation of Section 8 timeline).
  • Repetition: First breach, but organizer had received prior Board guidance on notification timelines.
  • Gain: Reputational concealment (organizer withheld disclosure to control negative press).
  • Mitigation: None (delay was intentional; organizer did not self-report).

Board Penalty: ₹185–200 crore (near ceiling because intentional concealment and reputational gain aggravate; lack of mitigation keeps it high).

Scenario: Organizer collects 5,000 exhibitor phone numbers “for event scheduling and logistics” but sells the list to three marketing vendors without notice. No exhibitor consented to data sale.

Board’s Analysis Under Section 33(2):

  • Nature: Deliberate misuse (organizer knew consent scope was limited to scheduling; sale violated that scope).
  • Gravity: Moderate (5,000 exhibitors; commercial harm quantifiable but not severe—unwanted marketing calls).
  • Duration: 3 years of selling data (systemic misuse).
  • Repetition: Systematic selling to third parties (not a one-time lapse).
  • Gain: ₹25 lakhs revenue from data sales over 3 years (direct pecuniary benefit).
  • Mitigation: Organizer refunded exhibitors ₹30 lakhs, deleted all records from vendors, hired data-protection officer, implemented consent audit framework.

Board Penalty: ₹105–125 crore (well below ₹150 crore ceiling; robust mitigation and remedy offset systemic nature; however, duration and gain prevent lighter penalty).


Mitigation Strategies: How to Reduce Exposure

Under Section 33(2), the Board explicitly weighs “mitigation” when calculating penalties. Trade show organizers can materially reduce exposure by:

1. Security-First Architecture

  • Encrypt attendee data at rest and in transit. Use vendor encryption attestation in Data Processing Agreements (DPAs).
  • Implement vendor audit clauses: right to audit security, incident-response protocols, and quarterly compliance reviews.
  • Document security safeguards in a Data Protection Impact Assessment (DPIA) and share findings with the Board if an inquiry arises.

2. Breach Preparedness

  • Pre-draft breach-notification templates (templates must name the Board and cite Section 8 timelines).
  • Maintain a Board contact list and Board-notification checklist to ensure 72-hour compliance.
  • Log all data incidents, even minor ones (unauthorized access attempt, misfiled data, lost USB). Logs demonstrate good-faith incident management.
  • Notify the Board first, not after notifying individuals (early Board notification is weighed favorably as mitigation).

3. Consent by Design

  • Collect explicit consent at registration for each data use (badge printing, post-event surveys, directory publication, photo/video recording, marketing).
  • Use granular checkboxes: separate consent for each purpose.
  • Do not rely on “legitimate use” as a backdoor to skip consent for secondary purposes (misapplication invites Tier 4 penalties).
  • Retain signed consent records and audit trails (Board will ask for these in an inquiry).

4. Children’s Data Safeguards

  • If your trade show attracts families (e.g., educational exhibitions, product launches), implement age verification at registration (“Is the registrant under 18?”).
  • Collect parental consent for child data via signed form or verified email.
  • Restrict profiling, behavioral marketing, and third-party sharing of child data.
  • Document age-gate and consent processes (Board appreciates evidence of Section 9 compliance).

5. Transparency & Privacy Notice

  • Display a privacy notice at all registration booths and online (QR codes linking to full notice are acceptable).
  • Specify what data you collect, how long you retain it (e.g., “We delete attendee records 90 days post-event unless you opt-in to our mailing list”), who accesses it (internal team + 2 external vendors), and how individuals can request deletion or portability.
  • Update notices annually and maintain version history (shows iterative transparency improvement).

6. Cooperation with the Board

  • If the Board issues a notice of inquiry, respond fully and promptly (non-cooperation attracts higher penalties).
  • Provide audit trails, consent records, vendor agreements, and incident logs (complete responsiveness demonstrates good faith).
  • Do not delay, redact selectively, or claim information is “privileged” unless legally justified.

7. Third-Party Data Audits

  • Commission an annual data protection audit by an accredited auditor (especially if you are a Significant Data Fiduciary—collecting data from 1 million+ people across events).
  • Audit should cover consent practices, vendor compliance, retention limits, access logs, and security posture.
  • If the audit uncovers violations, remediate immediately and notify the Board of corrective steps (self-reporting attracts lower penalties than Board discovery).

8. Vendor Risk Management

  • Sign a Data Processing Agreement (DPA) with every vendor (badge printer, email service, registration platform, video recording, analytics).
  • DPA must include: encryption requirements, sub-processor approval, incident-notification clauses, audit rights, and deletion-on-demand.
  • Audit vendor practices annually; document audit findings (if audit reveals security gaps, remediate immediately to show diligence).

Mapping Trade Show Functions to Section 33 Risk

Trade show organizers often handle data through different workflows. Here is how each function maps to Section 33 risk tiers:

Trade Show FunctionData CollectedViolation RiskSection 33 TierKey Mitigation
Registration & Badge PrintingName, email, phone, company, role, dietary preferencesConsent failure, data retention breachTier 4 (₹150 crore), Tier 5 (₹50 crore)Pre-event consent form, clear retention sunset (“We delete your data 90 days post-event”), unsubscribe mechanism
Photo & Video RecordingAttendee images, audio (sometimes children, families)Children safeguard failure, consent failureTier 2 (₹200 crore), Tier 4 (₹150 crore)Age-gate at registration, opt-in/opt-out signage at booths, parental consent for under-18 data, restrict commercial reuse
Lead Capture (Exhibitor Booth Scanners)Visitor data collected by exhibitor, shared back to organizerSecurity failure (poor vendor control), breach notification failureTier 1 (₹250 crore), Tier 2 (₹200 crore)DPA with exhibitors requiring encryption, breach-notification handoff protocol, organizer audit of exhibitor practices
Post-Event Follow-Up (Email, SMS)Attendee emails/phones for surveys, promotions, next-event invitationsConsent failure (reuse without fresh consent)Tier 4 (₹150 crore)Separate consent checkbox for marketing list; one-click unsubscribe; honor opt-outs immediately
Exhibitor Directory (Print or Digital)Exhibitor contact details, booth location, company sizeMisuse/re-sale risk (Significant Data Fiduciary violation)Tier 4 (₹150 crore)Consent for directory publication + notice of reuse restrictions; contract prohibition on exhibitor re-sale; audit directory use
Sponsorship Analytics (Heatmaps, Footfall)Anonymized movement patterns, heatmaps, re-identification riskInadequate anonymization, re-identification riskTier 4 (₹150 crore)Use true anonymization (not pseudonymization); vendor audit; delete linked identifiers once anonymization complete

The ₹50 Crore Ceiling: Residual Violations

Section 33(1)(e) catches “any other contravention of this Act”—violations that do not fit the four named tiers but still breach the Act. These fall under the ₹50 crore ceiling. For trade shows, examples include:

  • Data Retention Beyond Limit: Organizer keeps attendee lists for 5 years; Act (or your privacy notice) specifies deletion after 1 year. Violates Section 33(1)(e).
  • Right to Access Denial: Exhibitor requests copy of personal data; organizer delays 6 months or refuses. Violates data subject’s Section 8 rights; triggers Section 33(1)(e).
  • Poor Record-Keeping: No audit trail of who accessed visitor data, when, or why. Violates Act’s transparency requirements; Section 33(1)(e).
  • Selective Deletion: Visitor requests deletion; organizer deletes from primary database but retains copies in backups/analytics without disclosure. Section 33(1)(e).
  • Non-Cooperation with Board: Board requests incident logs; organizer provides partial/redacted logs or misses deadline. Section 33(1)(e) + possible obstruction penalty.

The ₹50 crore ceiling means isolated lapses (e.g., one late data-access response) invite lower penalties. However, systematic non-compliance (e.g., ignoring deletion requests every year, never deleting old attendee records) may see penalties at or near the ₹50 crore ceiling, or escalation to a higher-tier violation if combined with security/consent failures.

Verbatim from Section 33(2): “The Board shall, while imposing a penalty under sub-section (1), take into account the nature and gravity of the contravention, the period over which the contravention persisted, whether it is a repeated contravention, the amount of gain made, and any mitigation.”

This clause is your roadmap: every factor cuts both ways. A trade show organizer with a first-time breach, swift remediation, zero financial gain, and robust post-incident controls can argue the Board should impose penalties well below the ceiling. Conversely, a repeat offender with intentional misuse and financial gain faces penalties at or near the ceiling.


Frequently Asked Questions

Q: If my trade show collects 100,000 visitor names and emails without explicit consent, which Section 33 tier applies, and what penalty should I expect?

A: This is a Section 6 consent failure, falling under Tier 4 (₹150 crore ceiling). The actual penalty depends on Section 33(2) factors: nature (negligence vs. deliberate), gravity (100,000 is substantial), duration (how long before compliance), repetition (first-time or pattern), gain (whether data was sold/misused), and mitigation (whether you retroactively obtain consent or offer deletion). A first-time negligent organizer who immediately implements consent and offers deletion might face ₹20–50 crore. A repeat offender who sold the data faces ₹100–150 crore. Always frame remediation in your response to the Board (hire auditor, implement consent framework, compensate affected individuals).

Q: We discovered a data breach 3 days ago and notified exhibitors the next day. Why would the Board still impose a high penalty if we acted fast?

A: Speed of notification to exhibitors is good, but Section 8 requires notification to the Board within 72 hours of becoming aware of the breach. If you notified exhibitors on Day 4 but notified the Board on Day 50, you violated Section 8, triggering Tier 2 (₹200 crore ceiling). The Board factors whether you concealed the breach to manage reputation. Early Board notification—ideally within 48 hours—demonstrates transparency and substantially reduces penalties. If you notify the Board first, exhibitors second, the Board views this favorably as mitigation and may impose penalties at or well below the ceiling.

Q: Our trade show is B2B only—business professionals only. Do we need to worry about Section 9 (children) violations and the ₹200 crore penalty?

A: Yes, unless you actively exclude everyone under 18. If a professional brings their child to a booth, or if an employee signs up using a family email, you have child data—even unintentionally. Even B2B shows should implement age verification at registration (“Is the registrant under 18?”). If you cannot exclude children entirely, apply Section 9 safeguards: no profiling, no behavioral marketing, no third-party sharing of child data. Unintentional inclusion of one child record invites lower penalties. Intentional violations (knowingly collecting child data without parental consent) carry the ₹200 crore ceiling. Systematic failures to age-verify will aggravate penalties significantly.

Q: We outsource registration and badge printing to a vendor who recently lost attendee data in a breach. Are we liable for Section 33 penalties?

A: Yes. You are the Data Fiduciary for trade show data; the vendor is the Data Processor. Section 33(1)(b) holds you liable for inadequate safeguards—failure to use a vendor with security clauses, no encryption requirement, no incident-response protocol. The penalty ceiling is ₹250 crore for security failures. Mitigation: Require the vendor to sign a Data Processing Agreement (DPA) with encryption mandates, annual audit rights, and breach-notification clauses. If the vendor breaches and you discover it first, notify the Board immediately—early self-reporting significantly reduces penalties. Document your vendor audit practices (audits show due diligence to the Board). If you are already in an inquiry, hire a data auditor to review vendor practices and present audit findings to the Board as evidence of your governance.

Q: The Board issued a notice of inquiry into alleged consent violations related to our last event. How can we minimize the Section 33 penalty before the Board issues its order?

A: Section 33(2) explicitly weighs mitigation. Before the Board issues a final penalty order, take these steps:

  1. Respond promptly and fully to the inquiry. Provide all consent records, privacy notices, data-processing agreements, and incident logs. Obstruction or delays invite higher penalties.
  2. Implement retroactive remediation: If you failed to obtain consent, launch a retroactive opt-in campaign (“Confirm your consent to receive emails from us”). Offer data deletion to non-responders.
  3. Commission a third-party audit by an accredited data protection auditor. Audit all prior events and consent practices. Submit the audit report to the Board in your response, highlighting both violations found and corrective steps taken.
  4. Systemic improvements: Document new policies, mandatory staff training, consent tools, and vendor agreements you have implemented since the violation. Provide evidence to the Board.
  5. Financial remediation: If data was misused (e.g., sold to marketers), offer compensation or credit to affected attendees. Compensation is not mandatory but weighs strongly as mitigation.
  6. Engage data-protection counsel with experience in Board proceedings. Counsel can frame your mitigation case effectively.

A trade show organizer who demonstrates good-faith remediation, systemic reform, and responsiveness to the Board can see penalties reduced significantly from the ceiling. For example, a consent violation with a ₹150 crore ceiling might be reduced to ₹40–70 crore if you show comprehensive remediation and intent to comply going forward.

Q: Section 33 mentions “Significant Data Fiduciary” obligations as a separate Tier 3 violation. How do I know if my trade show qualifies as a Significant Data Fiduciary?

A: Significant Data Fiduciary status depends on scale and sensitivity. While the DPDPA does not define precise thresholds, trade shows handling data from 1 million+ individuals across multiple events, or processing children’s or sensitive biometric data (photos, health information), likely qualify. If you qualify as a Significant Data Fiduciary, you face higher compliance burdens (independent audit, Board notification, privacy impact assessments) and Tier 3 penalties (₹150 crore ceiling) for systemic failures. Even if you do not meet the threshold today, document your data volumes annually. If you exceed the threshold, proactively notify the Board and implement Significant Data Fiduciary safeguards (audits, governance framework, Board cooperation). Proactive notification and compliance investment demonstrate mitigation and reduce penalties if violations later occur.

Section 33 DPDPA penalties trade showstrade show exhibitor data breach penalties IndiaDPDPA violation fine amounts exhibitionsData Protection Board India penalty categoriesSection 33 penalty mitigation trade showsexhibition visitor data compliance violationsDPDPA security safeguard failure penalties
VERIFIED DPDPAReady Editorial Desk 2 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →