DPDPA Penalty Calculator
Estimate your maximum ₹ exposure under the Schedule to India's Digital Personal Data Protection Act 2023 (Section 33). Pick the violation type and the number of affected Data Principals — we'll return the statutory ceiling plus an adjudication-factor breakdown.
How it works
- Pick the violation — the Schedule to DPDPA 2023 sets a statutory ceiling for each category (₹250cr / ₹200cr / ₹150cr / ₹50cr).
- Scale by affected count — Section 33(2) requires the Board to consider the gravity, including the number of Data Principals impacted.
- Adjust for mitigation — Section 33(2)(d) lets the Board reduce a penalty where the Fiduciary has acted to mitigate or where this is a first incident.
- Read the ceiling — the figure is a planning number, not a guarantee. Actual penalty is for the Data Protection Board to determine.
What the Schedule actually says
| Statute | DPDPA 2023, Schedule (under Section 33) |
|---|---|
| Penalty ceiling — security | ₹250 crore |
| Penalty ceiling — breach notification | ₹200 crore |
| Penalty ceiling — children's data (Section 9) | ₹200 crore |
| Penalty ceiling — Significant Data Fiduciary duties | ₹150 crore |
| Penalty ceiling — other | ₹50 crore |
| Adjudicator | Data Protection Board of India |
| Appeal forum | Telecom Disputes Settlement and Appellate Tribunal (Section 29) |
Frequently asked questions
How accurate is this calculator?
The calculator returns the maximum statutory ceiling per Schedule entry to the DPDPA 2023. Actual penalties depend on Data Protection Board adjudication factors under Section 33(2): nature, gravity, duration, repetition, gain made, and whether mitigating action was taken. Use the ceiling as your worst-case planning figure.
Does this replace legal advice?
No. This calculator is for educational planning. For an actual exposure assessment for your business, book a free DPDPAReady audit — our team will map your specific workflow against each section and quantify realistic exposure.
How are penalties imposed?
Under Section 33, the Data Protection Board can impose a monetary penalty after an inquiry. Section 33(2) lists the factors the Board considers. Penalties can be appealed under Section 29 to the Telecom Disputes Settlement and Appellate Tribunal.
What is the maximum total exposure?
A single workflow can trigger multiple Schedule items simultaneously — e.g. a children's data breach in a school management system can attract both the ₹200 crore Section 9 ceiling and the ₹250 crore security ceiling. Cumulative exposure for one incident can reach ₹450 crore or more.
Do small businesses get a lower ceiling?
No. The DPDPA Schedule sets a fixed maximum applicable to all Data Fiduciaries irrespective of size. However, the Board may consider proportionality, intent, and remediation under Section 33(2) when fixing the actual penalty.
Want a real exposure assessment?
Free 48-hour audit — we map your exact workflow against every Section and quantify realistic penalty exposure.
Get your free audit →Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.