DPDPA Penalty Calculator
Up to ₹250 Crores. Per contravention. Cumulative.
Penalties under DPDPA 2023 are not capped per organisation — they are calculated per contravention, with the Schedule prescribing six distinct categories. The Data Protection Board considers seven factors when fixing penalty quantum. This guide maps the entire penalty architecture.
Contravention categories (Schedule, DPDPA 2023)
Factors weighted by the Board (Section 33(1))
Highest single contravention (Para 1, Schedule)
On cumulative penalty exposure (Per organisation)
The penalty is not capped per organisation. It is capped per contravention.
Section 33 of DPDPA 2023 empowers the Data Protection Board of India to impose monetary penalties for contraventions specified in the Schedule. The Schedule prescribes six categories of contravention with distinct penalty ceilings.
Crucially, the Act does not aggregate or cap penalties at the organisation level. A single breach event can attract multiple categories of contravention simultaneously — inadequate security safeguards (Para 1), failure to notify (Para 2), and breach of other provisions (Para 6). Each is a separate penalty.
When the Board determines penalty quantum, it weighs seven statutory factors. Two organisations with identical contraventions can face materially different penalties depending on volume, sensitivity, mitigation, and compliance history.
Penalty architecture, in descending order of exposure
The Schedule to DPDPA 2023 prescribes six categories of contravention, each with its own ceiling. The bars below visualise relative exposure on a log scale — the difference between Para 1 and Para 5 is six orders of magnitude.
Failure to take reasonable security safeguards to prevent personal data breach (Para 1, Schedule)
Failure to notify the Data Protection Board and affected Data Principals of a breach (Para 2, Schedule)
Non-compliance with obligations relating to children’s data (Para 4, Schedule)
Non-fulfilment of additional obligations by Significant Data Fiduciaries (Para 3, Schedule)
Breach of any other provision of the Act or Rules (residual catch-all) (Para 6, Schedule)
Non-compliance with provisions relating to duties of Data Principal (Para 5, Schedule)
The seven factors that move the penalty needle
When the Data Protection Board fixes penalty quantum within the prescribed ceiling, it considers these statutory factors. Understanding how each factor is weighted is foundational to risk modelling.
Volume of personal data processed
Scale of processing is the first factor under Section 33(1)(a). Larger volumes attract higher penalties for the same contravention.
Sensitivity of data and impact
Financial, health, and biometric data attract heightened scrutiny. Section 33(1)(b) considers nature, gravity, and duration of contravention.
Repetitive or continuing nature
A single failure that persists across multiple data subjects compounds quickly. The Board considers whether the contravention was a one-time lapse or systemic.
Realised gain or loss avoided
Section 33(1)(d) considers whether the contravention was deliberate, the realised gain, or loss avoided as a result of the contravention.
Action taken to mitigate effects
Voluntary disclosure, prompt remediation, and cooperation with the Board are mitigating factors under Section 33(1)(g).
Past compliance record
Prior contraventions, even if minor, are aggravating. A clean compliance record is materially mitigating.
The most common high-exposure patterns we see
Our practitioners encounter these patterns repeatedly across initial gap assessments. Each is quantifiable, each is fixable, and each is a leading indicator of regulatory exposure.
No formal breach notification protocol — not documented, not rehearsed
Bundled consent for multiple processing purposes via single checkbox
Processing children’s data without verifiable parental consent mechanism
No Data Protection Officer for entities likely to be classified as SDF
Inadequate technical security safeguards — no MFA, weak access controls, unencrypted at rest
No Data Processing Agreements with vendors handling personal data
No periodic Data Protection Impact Assessments where required
No mechanism for Data Principals to exercise rights of access and erasure
Request a Penalty Risk Estimate
Share the contours of your operations and our practitioners will model your maximum statutory exposure across the six contravention categories — along with the factors that would materially affect Board-level penalty determination.