Skip to Content
CKonnect
  • Home
  • CourseKonnect
    • e-learning
    • Udemy
    • learning (Old LMS)
  • Career
    • Life @CKonnect
    • All Jobs
  • Knowledge Base
    • PrivacyReads
    • Community
    • Newsletters
    • Priv ToolKit
  • Stay Tuned
    • ComplyKonnect
    • E-PrivJournals
    • Priv-Books
  • Connects
    • 1:1
  • Contact Us
CKonnect
    • Home
    • CourseKonnect
      • e-learning
      • Udemy
      • learning (Old LMS)
    • Career
      • Life @CKonnect
      • All Jobs
    • Knowledge Base
      • PrivacyReads
      • Community
      • Newsletters
      • Priv ToolKit
    • Stay Tuned
      • ComplyKonnect
      • E-PrivJournals
      • Priv-Books
    • Connects
      • 1:1
  • Contact Us

Data Protection Board of India

  • All Blogs
  • Digital Personal Data Act, 2023
  • Data Protection Board of India
  • 17 July 2026 by
    Data Protection Board of India
    CKonnect

    The Chapter V is dedicated to Data protection board of India, from section 18-26 under the DPDP Act, 2023 and Rule 17 to 21 and 5th and 6th Schedule of DPDP Rules, 2025.

    1. Statutory basis- The Board is established by the Central Government under Section 18 of the Act. It is a "body corporate," meaning it can own property, sign contracts, and sue (or be sued) in its own name.
    2. Composition and appointment

    The section 19 of DPDP Act, 2023

    Members: The Board consists of a chairperson and other Members.

    Qualification: They must be experts in fields like data governance, law, and digital economy. At least one member must be a legal expert.

    Appointment Process: The Central Government appoints them based on recommendations from a "Search-cum-Selection Committee". This committee is led by the Cabinet Secretary (for the Chairperson) or the IT Secretary (for Members).

    Term: They hold office for two years and can be re-appointed.

    1. Powers and function

    The Section 27 & 28 of the DPDP Act,2023 and rule 20 of DPDP Rules, 2025, the Board is an independent body that functions mostly as a digital office. Its core jobs are:

    • Directing Remedies: If a data breach happens, it can order the company to take urgent steps to fix it or reduce the harm.
    • Inquiring into Breaches: It investigates complaints from Data Principals regarding privacy breaches.
    • Consent Managers: It oversees Consent Managers and can investigate them if they break the rules.
    • Civil Court Powers: For investigations, the Board has the power of a Civil Court. It can summon people, demand documents, and inspect data or books.
    1. Inquiry process
      Legal concept under Section 28 of the DPDP Act, 2023 and Rule 19, DPDP rules, 2025

    Start: The process starts when the Board receives a complaint, a government reference, or a breach report.

    Screening: The Board decides if there are "sufficient grounds" (enough evidence) to proceed. If not, it closes the case.

    Inquiry: If they proceed, they conduct an inquiry following the "principles of natural justice" (fairness).

    Digital Proceedings: The Board uses "techno-legal measures" so people do not have to physically appear for hearings.

    Timeline: The inquiry must be finished within 6 months. This can be extended by another 3 months if necessary.

    Conclusion: After hearing the person concerned, the Board issues an order to either close the case or impose a penalty.

     

    1. Penalty powers
      The Section 33 & Schedule of the DPDP Act, 2023, the Board lack the jurisdiction to impose a sentence of imprisonment. It can only impose money penalties.

    Maximum Penalty: Up to 250 Crore Rupees for a data breach.

    Other Penalties: Up to 200 Crore Rupees for failing to notify the Board about a breach.

    Factors: When deciding the amount, the Board looks at how bad the breach was, if it was repetitive, and if the company gained money from it

    1. Appeal procedure

    The Section 29 of the DPDP Act and Rule 22 of DPDP Rules, 2025.

    • Where to Appeal: If you are unhappy with the Board's decision, you can appeal to the Appellate Tribunal (TDSAT).
    • Time Limit: You must file the appeal within 60 days.
    • Digital Filing: The appeal must be filed in a digital form.

     

    1. How organisations will interact with the Board
      Breach Reporting:
      Section 8(6) of the Act; Rule 7(2) of the Rules, the companies must report data breaches to the Board "without delay" and send a detailed report within 72 hours.

     Voluntary Undertaking: Under section 32 of DPDP Act, 2023, If company make a mistake, they can offer a "voluntary undertaking" (a formal promise) to fix it. If the Board accepts this, they might stop further legal action against you.

    Audits (SDFs): Rule 13(2) of the Rules, Significant Data Fiduciaries must submit audit reports to the Board.

    1. Scenarios where the Board can suspend/cancel registrations

    Rule 4(5) of the DPDP Rules, 2025, the Board has the specific power to suspend or cancel the registration of a Consent Manager.

    • Scenario: If a Consent Manager fails to meet the conditions of registration mentioned in the Rule 4 of DPDP, rules 2025.
    • Process:

      1. The Board informs the Consent Manager of the failure.
      2. It gives them a chance to be heard (explain themselves).
      3. If not satisfied, the Board can suspend or cancel the registration to protect the interests of the users.

    Blocking Websites: For other companies (Data Fiduciaries), the Board cannot "cancel" them directly, but it can advise the Central Government to block public access to their website/app if they are penalized repeatedly.

    By Naukhaiz Aftab

    in Digital Personal Data Act, 2023
    Share this post
    Our blogs
    • Where Privacy Meets Tech
    • Templates That Work: Built for Real Privacy Teams
    • The Privacy Perspective: Insights from the Real World
    • CKonnect Stories
    • e-learning from CourseKonnect
    • Privacy Team Pulse
    • Our blog
    • Digital Personal Data Act, 2023
    Data Principal Rights Requirements
    Follow us

    Privacy Notice ​​Refund Policy

     Terms & Conditions

        ​    connect@ckonnect.co.in

    How can we help?

    konnect with us

    Website Logo

    Respecting your privacy is our priority.

    Allow the use of cookies from this website on this browser?

    We use cookies to provide improved experience on this website. You can learn more about our cookies and how we use them in our Cookie Policy.

    Allow all cookiesOnly allow essential cookies