India has notified the Digital Personal Data Protection Rules, 2025, bringing into force the enforcement and penalty framework under the Digital Personal Data Protection Act, 2023.
The Rules empower the Data Protection Board of India to examine violations of the Act and impose financial penalties on entities that fail to comply with legal obligations related to personal data protection.
Serious violations — including failure to implement required security safeguards, failure to report data breaches, or violation of core compliance requirements — can attract penalties of up to ₹250 crore.
Other categories of non-compliance, such as procedural failures related to consent, data retention, and lawful processing conditions, can result in penalties of up to ₹50 crore, depending on the nature and gravity of the breach.
The penalty framework applies to all entities classified as Data Fiduciaries and Consent Managers under the law.
Penalties are determined based on the scale, impact, and severity of the violation, as assessed by the Data Protection Board.
Point-to-Point Summary
The Data Protection Board can investigate and penalise violations.
Maximum penalty for serious violations: ₹250 crore.
Maximum penalty for other violations: ₹50 crore.
Applies to Data Fiduciaries and Consent Managers.
Penalty amount depends on severity and impact.