Code: Section 33 – DPDP Act, 2023
(1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.
(2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:—
(a) the nature, gravity and duration of the breach;
(b) the type and nature of the personal data affected by the breach;
(c) repetitive nature of the breach;
(d) whether the person, as a result of the breach, has realised a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
(f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
(g) the likely impact of the imposition of the monetary penalty on the person.
—
Explanation of Section 33 – DPDP Act
Section 33 empowers the Data Protection Board to impose financial penalties when a significant breach of the DPDP Act occurs. After a proper inquiry, and once the accused party is heard, the Board can levy a monetary penalty, as per the Schedule attached to the Act.
The law also lists the factors the Board must consider before deciding the amount of the penalty. These include the severity of the breach, the type of data affected, whether the breach was repeated, and the actions taken to fix it.
This section ensures that penalties are fair, proportional, and effective. It also acts as a strong deterrent against future violations.
Key Highlights
- Penalties can only be imposed after a full inquiry and hearing.
- Only “significant” breaches qualify for monetary penalties under this section.
- The Board must follow guiding factors listed in the law before deciding on the penalty amount.
- The goal is to encourage compliance, deter violations, and protect personal data rights.
—
Illustration
Example 1: Data Leak Due to Negligence
A company fails to secure its server, exposing sensitive personal data of thousands of users. The Board conducts an inquiry and finds the breach to be significant. Since the company took no timely action to fix the issue and had previously violated the Act, the Board imposes a monetary penalty.
Example 2: Repeated Violation by an App Developer
An app developer repeatedly collects user data without consent, despite warnings. The Board finds that the breach is ongoing and intentional. As a result, it imposes a larger penalty, citing the repetitive nature of the violation.
—
Common Questions and Answers on Section 33 DPDP
- What is a “significant breach” under Section 33? A significant breach refers to a serious violation of the Act or its rules—especially when it affects a large number of individuals or involves sensitive personal data.
- Can the Board impose a penalty without a hearing? No. The person or entity involved must be given a fair chance to present their side before any penalty is imposed.
- What does the “Schedule” refer to in this section? The Schedule specifies the types of violations and the maximum penalties allowed for each. It serves as a reference guide for the Board.
- How does the Board decide the amount of the penalty? The Board considers several factors, such as how serious the breach was, whether it was repeated, the kind of data involved, and how the person responded to the breach.
- Is there any relief if the person tried to fix the problem? Yes. If the person took prompt and effective steps to reduce the impact of the breach, the Board may reduce the penalty amount accordingly.
—
Conclusion
Section 33 of the Digital Personal Data Protection Act serves as a crucial enforcement tool. It ensures that serious violations are penalized appropriately, but also fairly. The section balances punishment with proportionality, giving violators a chance to be heard and encouraging responsible data practices.
By following the guiding factors listed in the law, the Board ensures consistency and transparency in imposing penalties. This strengthens the overall data protection regime in India.
For more updates and legal insights on the DPDP Act, visit ApniLaw.