Section 33 of the DPDPA 2023: Penalties for Non-Compliance
Section 33 of the Digital Personal Data Protection Act, 2023 empowers the Data Protection Board of India to impose monetary penalties of up to ₹250 crore on any Data Fiduciary, Data Processor, or Significant Data Fiduciary that fails to comply with the Act, with the exact amount fixed by reference to the Schedule and the factors listed in sub-section (2). It is the single most important enforcement clause in India's data protection regime and applies uniformly across every sector that handles digital personal data.
Key facts
| Statute | Digital Personal Data Protection Act, 2023 |
|---|---|
| Section | 33 (read with the Schedule) |
| Maximum penalty | ₹250 crore per instance |
| Imposing authority | Data Protection Board of India |
| Effective | Phased rollout 2025-2026 (Draft Rules Jan 2025) |
| Applies to | All Data Fiduciaries, Significant Data Fiduciaries and Data Processors |
What Section 33 says
Section 33 sits at the heart of DPDPA enforcement. After an inquiry under Section 28, the Data Protection Board fixes a penalty by reference to the Schedule, which sets a separate ceiling for each category of default: up to ₹250 crore for failure to maintain reasonable security safeguards under Section 8(5), up to ₹200 crore for failure to notify a breach under Section 8(6) or for breach of the Section 9 children's data duties, up to ₹150 crore for Significant Data Fiduciary defaults under Section 10, and up to ₹50 crore for any other contravention. Sub-section (2) requires the Board to consider the gravity and duration of the breach, the type of personal data involved, whether it is a repeat contravention, any gain realised or loss avoided, and the mitigation steps taken. Penalties are fixed per breach event, not per data principal.
What it means in practice
- The Data Protection Board, not a civil court, decides penalties under a fast-track administrative process
- Ceilings are per breach event, so a single ransomware incident exposing lakhs of records can attract one ₹250 crore fine rather than per-record damages
- Mitigation, voluntary breach notification, and cooperation with the Board are explicit factors that reduce quantum
- Penalties stack on top of reputational and contractual fallout; sectoral laws like the IT Act still apply in parallel
- The Schedule, not Section 33 itself, fixes the upper limits for each category of default
Who Section 33 applies to
- Wedding and event photographers storing client galleries and KYC documents
- Event management and marathon organisers collecting bib registrations, medical declarations and bib-tagged photos
- Schools, preschools and edtech platforms handling children's data under Section 9
- Corporate HR teams and staffing firms processing employee biometrics, payroll and background checks
- Hospitals, diagnostic chains and clinics handling patient health records
- Hotels, resorts and hospitality groups storing guest ID and CCTV footage
- Retail and D2C brands running loyalty programmes and CCTV-based analytics
- Media houses, OTT platforms and ad agencies operating subscriber and audience databases
- Photo studios offering passport, school and corporate photography
- Banks, NBFCs, insurers and fintechs already regulated by RBI but now dual-regulated under DPDPA
Common violations
Unsecured cloud gallery at a wedding studio
A wedding photographer hosts client galleries on a public link without password protection or expiry; a leak can trigger the Schedule's ₹250 crore ceiling for failure to maintain reasonable security under Section 8(5).
School publishing student photos without verifiable parental consent
A school uploads minors' photographs to social media or a vendor app without verifiable parental consent, attracting the Schedule's ₹200 crore ceiling for breach of Section 9 children's data duties.
Marathon organiser leaking medical declarations
A marathon's registration partner exposes runners' health declarations and emergency contacts on an unsecured S3 bucket, inviting the ₹250 crore safeguards ceiling plus ₹200 crore for failure to notify the Board.
Hospital chain delaying breach notification
A diagnostic chain detects a patient-records exfiltration but delays informing the Data Protection Board and affected principals, triggering the ₹200 crore Schedule ceiling under Section 8(6).
Hotel group retaining guest IDs indefinitely
A hospitality brand keeps scanned guest IDs years past lawful purpose, breaching storage limitation duties and exposing itself to the residual ₹50 crore Schedule ceiling.
HR vendor processing biometrics without lawful basis
A corporate HR outsourcing partner runs facial-recognition attendance without consent or notice, attracting penalties for processing without lawful basis under Sections 4 and 8.
Penalty for breach
Up to ₹250 crore per breach for security failures, ₹200 crore for breach-notification or children's-data failures, ₹150 crore for Significant Data Fiduciary defaults, ₹50 crore residual ceiling for other contraventions, and ₹10,000 on Data Principals for false or frivolous complaints.
Frequently asked questions
Is the ₹250 crore penalty per data principal or per incident?
Per breach event. The Data Protection Board fixes one penalty for the contravention, irrespective of how many data principals were affected, though scale is a factor in quantum under Section 33(2).
Can a wedding photographer realistically face a ₹250 crore fine?
The ₹250 crore figure is a ceiling, not a floor. For a sole photographer the Board will calibrate by gravity, gain, and ability to pay, but the same statutory ceiling legally applies as it does to a Fortune 500 company.
What happens if a school leaks student photographs?
It is a Section 9 children's data breach. The Schedule attaches a ceiling of ₹200 crore, and the Board will also consider whether verifiable parental consent and age-gating were in place.
Do hotels need to notify the Data Protection Board of every CCTV leak?
Yes. Section 8(6) requires intimation of any personal data breach to the Board and to affected principals. Failure to do so independently attracts up to ₹200 crore under the Schedule.
Are Data Processors like cloud vendors directly liable under Section 33?
Yes. While the Data Fiduciary remains primarily accountable, processors can be penalised directly where their acts or omissions cause the breach, particularly under contractual and security obligations.
Can the Board waive or reduce penalties for voluntary disclosure?
Section 33(2) explicitly requires the Board to consider mitigation steps. Prompt self-reporting, cooperation, and remediation are well-recognised factors that reduce quantum.
Are penalties under Section 33 tax-deductible business expenses?
No. Statutory penalties for legal contravention are not allowable as business expenditure under Section 37 of the Income-tax Act, 1961.
Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.