Section 33 of The Digital Personal Data Protection Act, 2023 View Chapter 8

Penalties.

33. Penalties.

   (1)  If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.

   (2)  While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:—

    (a)  the nature, gravity and duration of the breach;

    (b)  the type and nature of the personal data affected by the breach;

    (c)  repetitive nature of the breach;

    (d)  whether the person, as a result of the breach, has realised a gain or avoided any loss;

    (e)  whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;

    (f)  whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and

    (g)  the likely impact of the imposition of the monetary penalty on the person.