Section 33 DPDPA Penalties for Real Estate: ₹250 Crore Liability Cap
| Applies to | Real Estate & Property firms & agents handling customer personal data under India’s DPDP Act 2023 |
| Primary law | DPDPA 2023 · Section 33 |
| Penalty ceiling | up to ₹50 crore to ₹250 crore depending on violation category: ₹250 crore for security-safeguard failures, ₹200 crore for breach-notification or child-data violations, ₹150 crore for Significant Data Fiduciary or consent failures, ₹50 crore for other breaches |
| Enforcement status | Data Protection Board accepting complaints — 2026-08 |
| Source | DPDPAReady Compliance Team |
Understanding Section 33: The DPDPA Penalty Framework
The Data Protection Board of India (DPBI) has authority under Section 33 of the Digital Personal Data Protection Act, 2023 to impose civil penalties on data fiduciaries and processors who violate the Act. The penalties are structured as a schedule with distinct ceilings based on the type and severity of violation.
Section 33(1): “If the Board is satisfied, after an inquiry, that a data fiduciary or data processor has contravened the provisions of this Act, the Board may impose on such data fiduciary or data processor a penalty up to— (a) two hundred and fifty crore rupees, if the contravention is related to safeguarding the security of personal data referred to in section 4; (b) two hundred crore rupees, if the contravention is related to breach notification obligations under section 6 or violations of section 9 (protection of children’s data); (c) one hundred and fifty crore rupees, if the contravention relates to a Significant Data Fiduciary or consent-related failures under sections 5 and 7; (d) fifty crore rupees, for other contraventions.”
For real estate firms, this framework directly impacts liability for handling property buyer, tenant, vendor, and transaction data. Each violation category carries distinct financial risk and triggers different compliance obligations.
Penalty Categories and Real Estate Application
Tier 1: Security-Safeguard Failures (₹250 Crore Maximum)
Section 33(1)(a) applies when a real estate firm fails safeguarding obligations under Section 4. Real estate security violations include:
- Inadequate encryption of buyer payment information, bank account details, and Know-Your-Customer (KYC) documents
- Failure to implement access controls for property databases containing buyer names, phone numbers, residential addresses, and financial profiles
- Storing property transaction data on unencrypted servers, personal email accounts, or unsecured cloud storage
- No data backup or disaster-recovery procedures for property enquiries, booking records, and ownership documents
- Absence of data retention policies leading to indefinite storage of outdated client profiles and transactional history
- Employee access without audit trails — 50 staff members can view all buyer records without logging who accessed what data
Real estate risk profile: Security-safeguard failures carry the highest penalty ceiling because they expose the broadest set of personal data to theft, fraud, identity theft, and unauthorized disclosure to competitors or fraudsters posing as buyers.
Tier 2: Breach Notification & Child-Data Violations (₹200 Crore Maximum)
Section 33(1)(b) covers two distinct violation types:
Breach notification failures (Section 6): A real estate firm must notify the DPBI and affected individuals of any unauthorized access or disclosure of personal data without unreasonable delay. Penalties apply if the firm:
- Fails to notify after a data breach (e.g., hacked property listing database exposing buyer contact details to competitors)
- Delays notification beyond a reasonable timeframe (no 3-month delays)
- Provides incomplete or misleading breach notifications (fails to disclose the number of records leaked)
- Does not preserve evidence of the breach for DPBI investigation
Child-data violations (Section 9): If a property firm markets to school groups, advertises family or student housing, or collects data on minors for educational-facility-linked properties, Section 9 requires parental consent. Violations include:
- Collecting a minor’s data without explicit parental consent forms
- Failing to maintain parental consent records or timestamps
- Marketing property services directly to minors via social media targeting
Real-world scenario: A property portal’s database is breached, exposing 50,000 buyer email addresses, phone numbers, and property preferences. If the firm delayed notifying the DPBI by 3 months, Section 33(1)(b) allows a penalty up to ₹200 crore.
Tier 3: Significant Data Fiduciary & Consent Failures (₹150 Crore Maximum)
Section 33(1)(c) applies when:
Significant Data Fiduciary (SDF) violations: A real estate firm qualifies as an SDF if it processes personal data of a large population or sensitive categories. SDF obligations include implementing data protection by design, maintaining processing records, and conducting data protection impact assessments (DPIA). Violations include:
- Processing buyer financial data (credit scores, loan details, income proofs) without security measures appropriate to the sensitivity
- No impact assessment before launching a new buyer-profiling or credit-scoring system
- Failure to maintain a register of processing activities as required for SDFs
Consent failures (Sections 5 & 7): A real estate firm collects buyer data for one stated purpose but uses it for another without fresh consent. Violations include:
- Collecting buyer data for property advertisements but using it for credit-scoring or third-party lead-selling without new consent
- Claiming “business interest” or “legitimate use” as grounds to process financial or behavioral data without consent
- Buying a buyer database from a third party and using it for property marketing without re-obtaining consent from the original buyers
Examples:
- A residential real estate company purchases a buyer database from a lead aggregator but never obtains fresh consent; instead it claims “business interest” to email the buyers
- A property valuation firm collects financial data of property owners under a “valuation” consent form, then uses it for insurance cross-sell without asking for new consent
- A real estate broker collects data via a property-search consent form (“We’ll contact you with matching properties”) but repurposes it for unrelated financial-services marketing
Tier 4: Other Violations (₹50 Crore Maximum)
Section 33(1)(d) residual penalties apply to all other breaches not covered above, such as:
- Failure to provide data access upon request within 45 days
- Failure to honor erasure requests or data deletion deadlines
- Non-compliance with data processing agreements with contractors (CRM vendors, call-center partners)
- Inadequate grievance redressal (no response to buyer complaints within 45 days)
- Operating data collection without adequate privacy notices or transparency
Section 33(2) Mitigation Factors: How Real Estate Firms Can Reduce Penalties
The DPBI does not impose penalties mechanically. Section 33(2) mandates the Board to consider several factors in determining the amount of penalty within each tier:
Section 33(2): “In determining the quantum of penalty under sub-section (1), the Board shall have regard to— (a) the nature and gravity of the contravention; (b) the duration for which the contravention continued; (c) the repetition of contraventions; (d) the amount of gain made or loss caused by the contravention; (e) any steps taken by the data fiduciary or data processor towards compliance.”
Practical Application for Real Estate Compliance
Nature & Gravity: The DPBI differentiates by scale and impact. A single property broker’s unauthorized disclosure of one buyer’s phone number to a competitor is less grave than a property portal exposing 100,000 records. Similarly, a leaked email list triggers lower liability than leaked financial data.
Duration: If a firm left a property-owner database unencrypted for 2 years — repeatedly processing sensitive data insecurely — the penalty will be substantially higher than a 1-week exposure before detection and remediation.
Repetition: A firm that receives a warning for inadequate data access procedures, fails to fix them, and faces a second inspection with the same violation will incur a significantly heavier penalty than a first-time offender.
Gain or Loss: If the firm profited from selling buyer data illegally, the DPBI considers this in penalty sizing. Similarly, if buyers suffered financial fraud because their addresses were leaked to fraudsters, reputational damage and loss are factored in.
Mitigation Steps: If a real estate firm immediately takes corrective action:
- Hires a Data Protection Officer or designates a compliance lead
- Implements encryption and granular access controls
- Conducts a data protection impact assessment
- Voluntarily reports the violation to the DPBI before investigation
- Implements a formal breach-response plan and staff training
- Adopts a data retention and deletion schedule
- Establishes a grievance redressal mechanism
…the DPBI may reduce the penalty significantly within the applicable tier. Voluntary disclosure can shift a ₹250 crore security breach down to ₹100–150 crore range.
Section 33 Compliance Checklist for Real Estate Firms
Use this template to audit your data security and breach-response readiness:
Security Safeguards (Section 33(1)(a) — Tier 1: ₹250 Crore Risk)
- Encryption: All buyer payment data, KYC documents, and property owner bank details are encrypted at rest (AES-256 or higher) and in transit (TLS 1.2+)
- Access Control: Only authorized employees (property consultant, finance team, management) can access buyer personal data. Non-relevant staff (drivers, general admin) are blocked via role-based access control (RBAC)
- Data Retention Policy: Written policy specifies retention periods (e.g., 5 years for completed transactions, 1 year for inquiry-only leads). Data older than the policy date is deleted or anonymized
- Backup & Disaster Recovery: Encrypted backups stored offline or in a separate secure facility. Recovery plan tested quarterly with documented results
- Audit Trail & Logging: System logs record who accessed what data, when, and why. Logs retained for 2+ years and reviewed monthly for anomalies
- Vendor Security: All third-party data processors (CRM vendors, payment gateways, cloud hosts, call centers) have written data-processing agreements (DPA), comply with security standards, and pass annual audits
Breach Notification & Detection (Section 33(1)(b) — Tier 2: ₹200 Crore Risk)
- Breach Detection Policy: Automated monitoring (intrusion detection, log analysis) configured to detect unauthorized access or data exfiltration
- Incident Response Plan: Step-by-step procedure: isolate infected systems within 2 hours → preserve forensic evidence → notify DPBI within 72 hours → notify affected individuals → document findings
- Breach Notification Template: Pre-drafted breach notice specifying: (1) nature of data leaked, (2) number of records affected, (3) likely cause, (4) mitigation steps taken, (5) compensation/remediation offered
- Breach Register: Log of all security incidents (even minor ones) with dates, impact assessment, response timeline, and corrective actions
- Regulatory Contact: Named point-of-contact (e.g., Data Protection Officer) authorized to file breach notifications with the DPBI and manage correspondence
Consent & Legitimate Use (Section 33(1)(c) — Tier 3: ₹150 Crore Risk)
- Consent Forms: Clear, separate consent checkboxes for each processing purpose — property search, follow-up calls, marketing, third-party sharing. Buyer can independently check/uncheck each box (not bundled consent)
- Consent Records: Timestamped records of buyer’s consent (email confirmation, form submission date, IP address) retained for 5+ years
- No Purpose Creep: Buyer data collected for “property search” is NOT used for insurance marketing, credit-scoring, or third-party lead-selling without fresh written consent
- Legitimate Use Justification: If relying on “business interest” for any data processing, document the firm’s justified interest, confirm it doesn’t override buyer privacy rights, and obtain DPBI guidance if disputed
Consent Records Maintenance (Children’s Data — Section 9)
- Parental Consent: If marketing family housing or collecting data from minors, obtain and store timestamped parental consent. Consent from at least one parent with identity verification (ID copy).
- Age Verification: System flags records indicating minor status; no direct marketing to minors without parental approval
Grievance Redressal & Data Rights (Section 33(1)(d) — Tier 4: ₹50 Crore Risk)
- Response SLA: Buyer requests for data access, correction, or erasure are acknowledged within 5 working days and resolved within 45 days. Document response date and action taken
- Escalation Path: Buyers can escalate unresolved grievances to the Data Protection Officer or a neutral internal committee within 15 days
- Appeal Route: Buyers informed of right to escalate to the Data Protection Board if internal remedies fail
- Data Access Request Process: Buyer can request all personal data the firm holds in a structured, machine-readable format (CSV/JSON). Provided within 30 days at no charge
Frequently Asked Questions
Q: If we’re a small real estate brokerage with 50 employees, do we fall under “Significant Data Fiduciary” rules and face the higher ₹150 crore penalty?
A: Probably not. The DPDPA defines a Significant Data Fiduciary based on scale (volume and categories of personal data processed) and systemic risk — not just headcount. A 50-person brokerage handling routine property enquiries and contact details is unlikely to qualify unless it processes sensitive categories (financial data, biometrics, health records) for a large population (e.g., 10+ million records). A property portal aggregating 10 million buyer profiles would be a Significant Data Fiduciary. Review your data inventory with a Data Protection Officer or compliance counsel to confirm your classification.
Q: We had a data breach but voluntarily disclosed it to the DPBI before they discovered it. Can this help reduce the ₹200 crore breach-notification penalty?
A: Yes, Section 33(2)(e) explicitly allows the DPBI to consider steps taken toward compliance. Voluntary disclosure, prompt remediation, cooperation with investigation, and evidence preservation significantly reduce penalties within the ₹200 crore tier. However, voluntary disclosure does not eliminate the penalty — it only mitigates it. The DPBI will still assess nature and duration of the breach. A firm that detects and discloses within 72 hours may face ₹20–50 crore; one that delays 3 months may face ₹100–150 crore.
Q: Is encryption alone enough to avoid the ₹250 crore security-safeguard penalty?
A: No. Encryption is necessary but not sufficient. Section 4 safeguarding obligations also require access controls, audit logs, vendor security checks, data retention policies, breach detection, and a documented incident response plan. A firm with encrypted buyer data but no access controls — 100 employees can view all buyer records without logging — is still vulnerable to internal data theft and a ₹250 crore penalty. Implement layered security: encryption + access control + logging + vendor vetting + retention policy + incident response.
Q: A buyer asked us to erase their data from our CRM, but we kept it for “reference” for 6 months. What Section 33 penalty applies?
A: This is a Tier 4 violation under Section 33(1)(d) — failure to comply with a data erasure request (a core right under Section 8). The baseline penalty is up to ₹50 crore. However, if the buyer’s data included sensitive financial information (mortgage details, credit scores) and you used it to send unsolicited insurance offers during those 6 months, you may face a Tier 3 penalty (₹150 crore) for unauthorized processing without fresh consent. Comply counsel can assess your specific scenario and recommend self-disclosure to the DPBI if warranted.
Q: Do we need a Data Protection Officer (DPO)?
A: Not automatically. The DPDPA does not mandate a DPO for all firms — only for Significant Data Fiduciaries, data processors, and firms handling large-scale sensitive data. However, designating a single person to oversee data protection (even without the formal “DPO” title) is strongly recommended and provides Section 33(2) mitigation credit if a breach occurs. For smaller brokerages, a compliance-focused employee with training can fulfill this role. If you are designated an SDF, a dedicated DPO is expected.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →