India's Comprehensive Data Protection Resource  ·  DPDPA @2026  ·  From Implementation to Board Representation

Disclaimer: This content is provided for general understanding in simple language only.
For the exact legal provisions, please refer to the official DPDP Act.

🔹 Section 1(1) — Short title

Provision: This Act may be called the Digital Personal Data Protection Act, 2023.

Simple Meaning: The official name of the law.

🔹 Section 1(2) — Commencement

Provision: It comes into force on such date(s) as the Central Government may notify; different provisions may start on different dates.

Simple Meaning: The Act doesn’t start automatically for all sections—Government will “switch it on” via notifications (possibly in phases).

📌 Example 1:
Government may notify that Sections 4–10 start first, and appeals/penalties start later.

📌 Example 2:
A company must track notifications to know which duties are live.

📘 Section 2 — Definitions

This section defines the core terms used in the Act (alphabetically as clauses).

⚠️ Note: Section 2 contains many definitions (clauses). Below are the most exam/practice-critical ones in the same style.

🔹 Section 2(c) — “Board”

Provision: “Board” means the Data Protection Board of India established under Section 18.

Simple Meaning: The enforcement authority under the Act.

📌 Example:
Board investigates breaches and can impose penalties.

🔹 Section 2(g) — “Consent Manager”

Provision: A person registered with the Board who acts as a single point of contact to enable a Data Principal to give/manage/review/withdraw consent through an accessible, transparent, interoperable platform.

Simple Meaning: A regulated consent dashboard/controller for individuals.

📌 Example:
A portal where you revoke permissions granted to multiple apps.

🔹 Section 2(i) — “Data Fiduciary”

Provision: Any person who alone or with others determines the purpose and means of processing personal data.

Simple Meaning: The “decider” entity—like the controller.

📌 Example:
An e-commerce company deciding why and how customer data is processed.

🔹 Section 2(j) — “Data Principal”

Provision: The individual to whom personal data relates; includes parent/guardian for a child; includes lawful guardian for person with disability.

Simple Meaning: The person whose data it is.

📌 Example:
If the user is a child, the parent is treated as Data Principal for exercising rights.

🔹 Section 2(k) — “Data Processor”

Provision: Any person who processes personal data on behalf of a Data Fiduciary.

Simple Meaning: Vendor/service provider doing processing for the fiduciary.

📌 Example:
Cloud hosting provider processing customer data for an Indian company.

🔹 Section 2(t) — “Personal data”

Provision: Any data about an individual who is identifiable by or in relation to such data.

Simple Meaning: Data that can identify a person (directly or indirectly).

📌 Example:
Name + phone number; or device ID that identifies a user.

🔹 Section 2(n) — “Digital personal data”

Provision: Personal data in digital form.

Simple Meaning: The Act focuses on digital personal data (including data digitised later).

🔹 Section 2(x) — “Processing”

Provision: Wholly/partly automated operations on digital personal data (collection, storage, use, sharing, erasure, etc.).

Simple Meaning: Almost anything you do with digital personal data.

📌 Example:
Collecting user email, storing it, sending promo emails, and deleting later—all are “processing”.

🔹 Section 2(u) — “Personal data breach”

Provision: Any unauthorised processing or accidental disclosure/acquisition/sharing/use/alteration/destruction/loss of access that compromises confidentiality, integrity or availability.

Simple Meaning: Any incident that exposes, corrupts, or blocks legitimate access to personal data.

📌 Example:
Ransomware encrypts a database → “loss of access” is also a breach.

🔹 Section 2(z) — “Significant Data Fiduciary”

Provision: Data Fiduciary or class notified by Government under Section 10.

Simple Meaning: Bigger/riskier entities with extra compliance duties.

📌 Example:
A large platform handling huge volumes may be notified as an SDF.

(Section 2 also defines terms such as “automated”, “digital office” and “intermediary”, among others; these support interpretation across the Act.)

📘 Section 3 — Application of Act

This section tells where the Act applies and where it does not apply.

🔹 Section 3(a) — Applies to processing within India

Provision: Applies to processing of digital personal data within India where personal data is collected in digital form or collected offline and digitised later. (DPDPA)

Simple Meaning: If data ends up digital and is processed in India, Act applies.

📌 Example:
A hospital collects paper forms and later digitises → DPDPA applies to the digital processing.

🔹 Section 3(b) — Extra-territorial reach (outside India)

Provision: Applies to processing outside India if it is connected with offering goods/services to Data Principals in India. (DPDPA)

Simple Meaning: Foreign companies targeting Indian users can come under the Act.

📌 Example:
A foreign app sells subscriptions to users in India → its processing relating to that offering is covered.

🔹 Section 3(c) — Exclusions

Provision: Does not apply to:

  1. personal data processed by an individual for personal/domestic purpose; and
  2. personal data made publicly available by the Data Principal or by someone legally required to publish it. (DPDPA)

Simple Meaning: Personal household use is excluded; publicly-available data in specified ways is excluded.

📌 Example 1:
You store friends’ numbers on your phone for personal use → Act doesn’t apply.

📌 Example 2:
A public authority publishes information under a legal duty → that publication is outside Act’s scope (for that aspect).

📘 Section 4 — Grounds for processing personal data

This section sets the legal bases for processing.

🔹 Section 4(1) — Consent or Certain Legitimate Uses

Provision: A Data Fiduciary may process personal data only for a lawful purpose after obtaining consent or for certain legitimate uses under Section 7.

Simple Meaning: You generally need consent unless Section 7 allows a legitimate use.

📌 Example 1:
Marketing emails → usually require consent.

📌 Example 2:
Processing necessary for some “legitimate use” cases under Section 7 → consent may not be required.

🔹 Section 4(2) — Purpose limitation (linked to consent/notice)

Provision: Processing must be limited to the purpose(s) for which consent is given or legitimate use exists (as structured under the Act’s notice/consent framework).

Simple Meaning: No “use it for anything” processing—purpose must be specific and lawful.

📘 Section 5 — Notice

This section requires the fiduciary to inform the Data Principal.

🔹 Section 5(1) — Notice before/at time of seeking consent

Provision: Must provide notice describing personal data to be processed, purpose, how to exercise rights, and how to complain to the Board.

Simple Meaning: Tell users what data, why, and how they can act.

📌 Example:
Before signup, app shows a notice: what it collects, why, how to withdraw consent, and grievance contact.

🔹 Section 5(2) — Legacy processing (consent already taken before Act)

Provision: If consent was taken before commencement, fiduciary must give notice as soon as reasonably practicable informing what data was processed and purpose.

Simple Meaning: Old users must also be brought into the notice framework.

📌 Example:
Existing customers get an email: “We have your profile + transaction data; used for account servicing + compliance.”

🔹 Section 5(3) — Clear language + multilingual option + contact details

Provision: Consent request must be clear/plain; option to access in English or any Eighth Schedule language; must provide DPO/authorised contact details for rights.

Simple Meaning: Consent must be understandable and accessible.

📌 Example:
Consent screen available in English + Kannada/Hindi; includes DPO email.

📘 Section 6 — Consent

This section governs how consent works.

🔹 Section 6(1) — Consent must be free, specific, informed, unambiguous

Provision: Consent must meet these qualities and be through clear affirmative action.

Simple Meaning: No forced, vague, or hidden consent.

📌 Example:
Pre-ticked checkbox is risky; user should actively choose.

🔹 Section 6(2) — Limited to specified purpose

Provision: Consent relates to processing for the specified purpose mentioned in notice.

Simple Meaning: Can’t use “consent” to justify unrelated purposes later.

🔹 Section 6(3) — Withdrawal must be as easy as giving consent

Provision: Data Principal can withdraw; withdrawal process must be as easy as giving consent; processing post-withdrawal must stop unless another legal basis exists.

Simple Meaning: One-click consent should mean one-click withdrawal.

📌 Example:
If you subscribed with one tap, you should be able to revoke with one tap.

🔹 Section 6(4) — Consent can be managed granularly (where applicable)

Provision: Act supports structured consent so users can manage permissions meaningfully (as implemented via rules/platform design).

Simple Meaning: Consent shouldn’t be “all or nothing” in practice.

🔹 Section 6(5) — Consent for processing children / special cases is subject to Section 9

Provision: Where children’s data is involved, additional requirements apply.

Simple Meaning: Child data processing has stricter rules (see Section 9).

🔹 Section 6(6) — Record/Proof of consent (practically necessary)

Provision: Fiduciary must be able to demonstrate consent was obtained in compliant manner (supported by rules and enforcement).

Simple Meaning: Keep auditable logs.

🔹 Section 6(7) — Consent via Consent Manager

Provision: Consent may be given/managed/reviewed/withdrawn via Consent Manager.

Simple Meaning: Users can manage consent through a registered platform.

🔹 Section 6(8) — Consent Manager accountability

Provision: Consent Manager must be accountable to Data Principal and act in her best interests.

🔹 Section 6(9) — Consent Manager registration + conditions

Provision: Consent Manager must be registered with Board and follow prescribed conditions.

📌 Example (In-house/Outsourced):
Bank provides a registered consent dashboard (in-house) or uses a registered third party.

📘 Section 7 — Certain legitimate uses

This section allows processing without consent in certain situations.

Section 7 contains multiple clauses. These are the core buckets:

🔹 Section 7(a) — Voluntary disclosure by Data Principal

Provision: If Data Principal voluntarily provides data for a specified purpose, processing for that purpose is allowed.

Simple Meaning: If you willingly give data for a service, it can be used to provide that service.

📌 Example:
You give address for delivery → company processes it to deliver.

🔹 Section 7(b) — State functions/benefits/services

Provision: Processing by the State for providing a subsidy, benefit or service, etc., as may be notified.

Simple Meaning: Government schemes can process data for delivery of benefits.

📌 Example:
Using identity data to deliver a notified benefit.

🔹 Section 7(c) — Compliance with law / court orders

Provision: Processing necessary for compliance with law or order/judgment.

Simple Meaning: If law requires it, consent isn’t needed.

📌 Example:
Company shares information under a lawful summons/order.

🔹 Section 7(d) — Medical emergency / disaster / public health

Provision: Processing for medical emergency, public health, disasters, etc.

Simple Meaning: Emergency processing is allowed to protect life/health.

📌 Example:
Hospital accesses identity info to treat an unconscious patient.

🔹 Section 7(e) — Employment-related purposes

Provision: Processing for employment purposes (attendance, payroll, prevention of loss, etc.) as covered by this clause.

Simple Meaning: Employers can process employee data for legitimate workplace needs.

📌 Example:
Processing bank account details for salary payment.

📘 Section 8 — General obligations of Data Fiduciary

This is the “do the basics right” section: accuracy, security, breach, retention limits, grievance handling.

🔹 Section 8(1) — Comply with the Act

Provision: Fiduciary must comply with provisions of the Act and rules.

Simple Meaning: Blanket duty to follow DPDPA.

🔹 Section 8(2) — Ensure completeness/accuracy

Provision: Must make reasonable efforts to ensure personal data is complete, accurate, consistent—especially if used for decisions affecting the Data Principal.

Simple Meaning: Don’t make important decisions on wrong data.

📌 Example:
Incorrect address leading to wrongful account blocking → fiduciary should maintain data quality.

🔹 Section 8(3) — Implement reasonable security safeguards

Provision: Must implement reasonable safeguards to prevent personal data breach.

Simple Meaning: Security is mandatory, not optional.

📌 Example:
Encryption, access controls, audits.

🔹 Section 8(4) — Data Processor responsibility

Provision: Fiduciary remains responsible for processing done by its processors.

Simple Meaning: You can outsource processing, not accountability.

📌 Example:
Cloud vendor leaks data → fiduciary is still answerable.

🔹 Section 8(5) — Notify personal data breach

Provision: On breach, fiduciary must notify the Board and affected Data Principals in prescribed manner.

Simple Meaning: Tell regulator and users when breach happens.

🔹 Section 8(6) — Reasonable grievance redressal

Provision: Must have effective grievance mechanism.

Simple Meaning: Users need a real complaint channel.

🔹 Section 8(7) — Stop processing if purpose is achieved / consent withdrawn

Provision: Must cease processing once purpose is met and retention not necessary; also handle withdrawal appropriately.

Simple Meaning: Don’t keep data forever.

🔹 Section 8(8) — Erase personal data (retention limitation)

Provision: Erase data when specified purpose is no longer served and retention not required by law.

Simple Meaning: Delete when no longer needed (unless law requires keeping it).

🔹 Section 8(9) — Publish business contact info of DPO/authorized person

Provision: Provide contact for communications regarding rights.

Simple Meaning: Users should know whom to contact.

📘 Section 9 — Processing of personal data of children

This section adds special protections for children.

🔹 Section 9(1) — Verifiable parental consent

Provision: Before processing child’s data, fiduciary must obtain verifiable consent of parent/lawful guardian, in prescribed manner.

Simple Meaning: Child’s data needs parent/guardian consent.

🔹 Section 9(2) — No detrimental processing

Provision: Must not undertake processing likely to cause detrimental effect on well-being of child.

Simple Meaning: Don’t process child data in harmful ways.

🔹 Section 9(3) — Ban on tracking/behavioural monitoring and targeted ads to children

Provision: Fiduciary shall not engage in tracking/behavioural monitoring or targeted advertising directed at children.

Simple Meaning: No profiling kids for ads.

🔹 Section 9(4) — Government may relax for certain classes

Provision: Government may notify exceptions/relaxations for specific fiduciaries/classes and age thresholds/conditions as prescribed.

Simple Meaning: Some verified/low-risk cases may get rule-based flexibility.

📌 Example:
An education platform might get conditional relaxation if notified and compliant with safeguards.

📘 Section 10 — Additional obligations of Significant Data Fiduciary (SDF)

This section adds governance duties for high-impact fiduciaries.

🔹 Section 10(1) — Government notifies SDFs

Provision: Government may notify any fiduciary/class as SDF based on factors like volume/sensitivity/risk to rights etc.

Simple Meaning: Big/risky players get extra obligations.

🔹 Section 10(2) — Extra compliance duties

Provision: SDF must:

✅ 10(2)(a) appoint a Data Protection Officer (DPO)

✅ 10(2)(b) appoint an independent data auditor

✅ 10(2)(c) undertake periodic Data Protection Impact Assessment (DPIA)

✅ 10(2)(d) undertake periodic audit

✅ 10(2)(e) other measures as may be prescribed

Simple Meaning: SDF must build an internal privacy governance system.

📌 Example:
A large social media platform must have DPO + audits + DPIA.

📘 Section 11 — Right to access information about personal data

🔹 Section 11(1) — What the Data Principal can ask

Provision: Data Principal can obtain from fiduciary:

  • summary of personal data being processed, and
  • processing activities and other prescribed info.

Simple Meaning: You can ask: “What data do you have about me and what are you doing with it?”

📌 Example:
User requests account data summary + categories of processing.

📘 Section 12 — Right to correction and erasure

🔹 Section 12(1) — Correction/updation

Provision: Data Principal can request correction/completion/updating of personal data.

Simple Meaning: Fix wrong data.

🔹 Section 12(2) — Erasure

Provision: Data Principal can request erasure of personal data that is no longer necessary for the purpose, subject to conditions/lawful retention.

Simple Meaning: Delete data when it’s no longer needed (unless law requires keeping it).

📌 Example:
User closes account and asks deletion; company retains only what tax/law requires.

🔹 Section 12(3) — Manner prescribed

Provision: Requests handled in prescribed manner.

📘 Section 13 — Right of grievance redressal

🔹 Section 13(1) — First approach the Data Fiduciary

Provision: Data Principal can approach fiduciary’s grievance mechanism.

Simple Meaning: Complain to the company first.

🔹 Section 13(2) — Then approach the Board (if unresolved)

Provision: If not satisfied within prescribed time, Data Principal may complain to the Board.

Simple Meaning: Escalation path exists.

📌 Example:
Company ignores correction request → user escalates to Board.

📘 Section 14 — Right to nominate

🔹 Section 14(1) — Nominee for exercising rights

Provision: Data Principal may nominate another individual to exercise rights in case of death/incapacity.

Simple Meaning: Like a “data nominee” for your rights.

📌 Example:
After death, nominee requests account closure and data handling actions.

📘 Section 15 — Duties of Data Principal

This section prevents misuse of rights.

🔹 Section 15(a) — Don’t impersonate

Simple Meaning: No pretending to be someone else to exercise rights.

🔹 Section 15(b) — Don’t suppress material information

Simple Meaning: Don’t hide key facts while requesting services/benefits.

🔹 Section 15(c) — Don’t file false/frivolous complaints

Simple Meaning: No misuse of complaint mechanism.

🔹 Section 15(d) — Provide authentic information

Simple Meaning: When exercising rights, give correct info.

📌 Why Section 15 is Important:
  • Stops harassment of companies/Board
  • Keeps the ecosystem trustworthy
  • Connects to penalties (Schedule includes penalty for breach of duties)

📌 Example:
A person files repeated fake breach complaints → may face cost/penalty consequences as applicable.

📘 Section 16 — Processing of Personal Data Outside India

This section deals with transfer of personal data outside India.

🔹 Section 16(1) — Restriction by Government Notification

Provision:
The Central Government may notify certain countries/territories where transfer of personal data for processing will be restricted.

Simple Meaning:
Data can go outside India, but not to places the Government restricts.

Why Section 16 is Important:

  • Prevents risky cross-border transfers
  • Helps national security and data sovereignty
  • Enables Government control in sensitive scenarios

📌 Example 1:
A company wants to store Indian users’ data in Country X → if Country X is restricted, transfer is not allowed.

📌 Example 2:
A startup uses an overseas analytics vendor → must ensure vendor country is not on restricted list.

🔹 Section 16(2) — Other Laws Still Apply

Provision:
Nothing in Section 16 overrides other Indian laws that provide higher protection or stricter conditions on transfers.

Simple Meaning:
Even if DPDPA allows transfer, RBI / health / sector rules may still restrict it further.

📌 Example 1:
RBI rules require stricter control over banking data → those rules still apply.

📌 Example 2:
A healthcare dataset transfer may be governed by additional health rules → DPDPA doesn’t cancel them.

📘 Section 17 — Exemptions

This section provides exceptions where some or all provisions of the Act will not apply.

🔹 Section 17(1) — Partial Exemptions for Specific Purposes

Provision:
Certain parts of the Act (Chapter II except 8(1) & 8(5), Chapter III, and Section 16) do not apply when processing is necessary for the listed purposes.

Simple Meaning:
For some legitimate purposes, the law relaxes compliance.

✅ Section 17(1)(a) — Enforcing Legal Rights or Claims

📌 Meaning: Data can be processed to enforce legal rights.

Example: Using customer records to recover unpaid dues in a lawsuit.

✅ Section 17(1)(b) — Courts/Tribunals/Regulators

📌 Meaning: Courts/tribunals and similar bodies can process data for their functions.

Example: Tribunal examines evidence with personal data.

✅ Section 17(1)(c) — Law Enforcement

📌 Meaning: Processing for prevention/detection/investigation/prosecution of offences.

Example: Police use call data records during a cybercrime investigation.

✅ Section 17(1)(d) — Foreign Data Principals (Outside India)

📌 Meaning: If Data Principal is not in India and processing is under foreign contract, exemptions apply.

Example: Indian BPO processes data of US customers for a US company.

✅ Section 17(1)(e) — Corporate Restructuring

📌 Meaning: Processing needed for merger/demerger/amalgamation etc.

Example: Customer database is transferred during merger approved by authority.

✅ Section 17(1)(f) — Loan Default / Financial Recovery

📌 Meaning: Processing to ascertain financial information of defaulters (subject to disclosure laws).

Example: Bank checks assets/liabilities of loan defaulter to recover money.

🔹 Section 17(2) — Full Exemptions (Act Does Not Apply)

Provision:
DPDPA does not apply to processing in certain cases.

✅ Section 17(2)(a) — Notified State Instrumentalities

📌 Meaning: Certain State bodies may be exempted for sovereignty, security, public order etc.

Example: National security agency processing intelligence data.

✅ Section 17(2)(b) — Research/Archiving/Statistics

📌 Meaning: Allowed if not used to make decisions about specific individuals.

Example: University uses anonymised dataset for statistical research.

🔹 Section 17(3) — Government Can Notify Relaxations for Certain Fiduciaries

Provision:
Government can exempt notified Data Fiduciaries (including startups) from certain sections like 5, 8(3), 8(7), 10, 11.

Simple Meaning:
Government can give compliance relaxations to some classes of companies.

📌 Example:
Early-stage startup may get relaxation from some notice/DP obligations (if notified).

🔹 Section 17(4) — Special Relaxation for State Processing

Provision:
Certain provisions like 8(7) and parts of Section 12 may not apply to State processing in some cases.

Simple Meaning:
Government processing has special carve-outs in certain situations.

🔹 Section 17(5) — Time-Limited “Transition Exemption” Power

Provision:
For 5 years from commencement, Government may notify temporary exemptions for classes of fiduciaries.

Simple Meaning:
For the initial rollout period, Government can ease implementation.

📘 Section 18 — Establishment of Data Protection Board of India

This section creates DPBI.

🔹 Section 18(1) — Constitution of the Board

Provision: Government establishes the Board by notification.

Simple Meaning: Government officially sets up DPBI.

🔹 Section 18(2) — Body Corporate

Provision: Board is a legal entity with powers like contracting, owning property, suing/being sued.

Simple Meaning: Board can operate like an independent authority.

🔹 Section 18(3) — Headquarters

Provision: HQ decided by Government notification.

Why Section 18 is Important:

  • Enforcement body for complaints and breaches
  • Makes compliance real through orders and penalties

📌 Example 1:
A company ignores breach reporting → Board can take action.

📌 Example 2:
A platform refuses deletion request → Board can intervene through proceedings.

📘 Section 19 — Composition and Qualifications

🔹 Section 19(1) — Chairperson + Members

Government decides number of Members.

🔹 Section 19(2) — Appointment Process

Appointments as prescribed by Government.

🔹 Section 19(3) — Expertise Requirement

Members must have integrity + knowledge/experience; at least one must be law expert.

📌 Example:
Board includes experts from tech, governance, cybersecurity + law.

📘 Section 20 — Salary, Allowances and Term

🔹 Section 20(1) — Terms of Service

Conditions of service are as prescribed and cannot be varied to a Member’s disadvantage.

🔹 Section 20(2) — Tenure

Term is two years; eligible for reappointment.

📘 Section 21 — Disqualifications (and Hearing Before Removal)

🔹 Section 21(1) — Who is Disqualified

A person who is insolvent, has been convicted, is incapable, has a conflict of interest, has abused the position, etc.

🔹 Section 21(2) — Opportunity of Being Heard

No removal without giving an opportunity of being heard.

📌 Example:
A Member with strong conflict of interest can be removed, but only after due hearing.

📘 Section 22 — Resignation, Vacancies and Post-Tenure Restriction

🔹 Section 22(1) — Resignation Rules

Resignation takes effect on Government acceptance, on expiry of 3 months, when a successor joins, or when the term ends.

🔹 Section 22(2) — Filling Vacancies

Vacancy filled by fresh appointment.

🔹 Section 22(3) — Cooling-Off / Employment Restriction

Cannot accept employment for 1 year without Government approval; must disclose any later employment with a fiduciary that was under Board proceedings.

📌 Example:
Member cannot immediately join a company that was under investigation.

📘 Section 23 — Proceedings of the Board

🔹 Section 23(1) — Meetings + Digital Means + Authentication

Procedure and order authentication as prescribed.

🔹 Section 23(2) — Proceedings Not Invalid Due to Technical Issues

Vacancy/defect doesn’t invalidate decisions unless merits affected.

🔹 Section 23(3) — Senior-most Member acts as Chair

The senior-most Member presides when the Chairperson is unavailable.

📘 Section 24 — Officers and Employees

Board can appoint staff with Govt approval; terms prescribed.

📘 Section 25 — Public Servant Status

Chairperson, Members, officers treated as public servants under IPC.

📘 Section 26 — Powers of Chairperson

Chairperson has administrative control; can authorise scrutiny, allocate proceedings, assign Members.

📘 Section 27 — Powers and Functions of the Board

🔹 Section 27(1) — When Board Can Inquire + Penalise

Board can act upon triggers:

  • ✅ 27(1)(a) — breach intimation by fiduciary
  • ✅ 27(1)(b) — complaint/reference/court directions
  • ✅ 27(1)(c) — complaint about Consent Manager
  • ✅ 27(1)(d) — Consent Manager registration breach intimation
  • ✅ 27(1)(e) — Govt reference regarding intermediary’s duty under 37(2)

📌 Simple Meaning:
Board doesn’t randomly act — it acts when a valid trigger occurs.

📌 Example 1:
Fintech reports breach → Board starts inquiry.

📌 Example 2:
User complaint about refusal to honour consent withdrawal → Board can initiate proceedings.

🔹 Section 27(2) — Power to Issue Directions

Board can issue directions (after hearing + reasons).

📌 Example: Stop unlawful processing; implement safeguards.

🔹 Section 27(3) — Modify/Suspend/Withdraw Directions

Board can change directions on representation or Govt reference.

📘 Section 28 — Procedure to be Followed by the Board

🔹 Section 28(1) — Independent + Digital Office

Board works independently; as far as practicable uses digital systems.

🔹 Section 28(2) — Action on Receipt

Board acts upon complaint/intimation/reference etc.

🔹 Section 28(3) — Prima Facie Screening

Board checks if sufficient grounds exist.

🔹 Section 28(4) — Close if No Case

Can close with written reasons.

🔹 Section 28(5) — Inquiry if Grounds Exist

Board may inquire into affairs of person.

🔹 Section 28(6) — Natural Justice

Must follow fairness; record reasons.

🔹 Section 28(7) — Civil Court Powers

Summon, require documents, affidavit evidence, inspection, etc.

🔹 Section 28(8) — No Seizure/Disruption of Daily Business

Cannot block access or take custody of equipment in a way that disrupts day-to-day operations.

🔹 Section 28(9) — Can Seek Assistance

Can demand support from govt/police; they must assist.

🔹 Section 28(10) — Interim Orders

Can issue interim orders with reasons (after hearing).

🔹 Section 28(11) — Final Outcome

Close proceedings or proceed to penalties (Section 33).

🔹 Section 28(12) — Frivolous/False Complaints

Can warn or impose costs.

✅ Why Section 28 is Important:
Ensures fairness + due process + proportionate action.

📌 Example 1:
Minor delay with mitigation → lighter action.

📌 Example 2:
Repeated deliberate breaches → strict inquiry and penalties.

📘 Section 29 — Appeal to Appellate Tribunal (TDSAT)

🔹 Section 29(1) — Right to Appeal

Aggrieved person can appeal Board’s order/direction.

🔹 Section 29(2) — Time Limit + Form + Fee

Within 60 days; form and fee as prescribed.

🔹 Section 29(3) — Delay Condonation

Tribunal may allow late filing for sufficient cause.

🔹 Section 29(4) — Tribunal’s Powers

Confirm/modify/set aside Board order.

🔹 Section 29(5) — Copies to Parties + Board

Tribunal sends copies of its order to the parties and the Board.

🔹 Section 29(6) — Endeavour Disposal Within 6 Months

The goal is speedy disposal of appeals.

🔹 Section 29(7) — Reasons if Delayed

Must record reasons if disposal exceeds 6 months.

🔹 Section 29(8) — Procedure as Prescribed

Procedure as per rules / tribunal framework.

🔹 Section 29(9) — Further Appeal Framework

Further appeal handled under TRAI Act mechanism.

🔹 Section 29(10) — Digital Office

Appeal system also digital as far as possible.

📌 Example 1:
Company fined heavily → appeals to TDSAT.

📌 Example 2:
Tribunal modifies order → compliance adjusted accordingly.

📘 Section 30 — Tribunal Orders Executable as Decree

🔹 Section 30(1) — Tribunal Executes Like Civil Court

Orders are executable like a civil court decree.

🔹 Section 30(2) — Can Transfer to Civil Court

Tribunal can send the order to a civil court for execution.

📌 Example:
Penalty order unpaid → execution proceedings to recover amount.

📘 Section 31 — Alternate Dispute Resolution (ADR)

Provision: Board may direct parties to attempt mediation.

✅ Simple Meaning:
Instead of long litigation, parties can settle faster.

📌 Example 1:
Company agrees to improve security + compensate users → matter settles.

📌 Example 2:
Startup commits compliance improvements → mediation resolves without prolonged hearings.

📘 Section 32 — Voluntary Undertaking

🔹 Section 32(1) — Board May Accept Undertaking

Can accept an undertaking at any stage.

🔹 Section 32(2) — Contents of Undertaking

May include actions to do, actions not to do, timelines, and even public disclosure.

🔹 Section 32(3) — Variation with Consent

Can vary terms with consent.

🔹 Section 32(4) — Acceptance Bars Proceedings (Same Matter)

Once accepted, proceedings on that matter stop.

🔹 Section 32(5) — Breach of Undertaking = Breach of Act

If violated → Board can proceed under the penalty section after hearing.

📌 Example 1:
Company voluntarily undertakes to delete unlawfully retained data + update policies → proceedings halted.

📌 Example 2:
Company breaches undertaking → Board reopens and imposes penalty.

📘 Sections 33 onwards — Chapters VIII + IX + Schedule (DPDPA 2023)

Source: Official DPDPA 2023 (India Code PDF).

📘 Section 33 — Penalties

This is the core penalty provision under DPDPA.

🔹 Section 33(1) — When the Board can impose a penalty

Provision:
If the Board concludes (after inquiry) that a person’s breach of the Act or Rules is significant, it may, after giving an opportunity of being heard, impose a monetary penalty as per the Schedule.

✅ Simple Meaning:
If the violation is serious enough, the Board can fine you — but only after inquiry + hearing, and the fine must be within the Schedule limits.

✅ Why Section 33(1) is Important:

  • Makes the Act enforceable through financial consequences
  • Ensures penalties follow due process (hearing required)
  • Links penalties to a defined schedule → predictability

📌 Example 1:
A company repeatedly ignores data breach safeguards → Board can impose penalty (as per Schedule).

📌 Example 2:
A business violates any provision of the Act → penalty can be imposed if breach is “significant”.

🔹 Section 33(2) — Factors used to decide the penalty amount

Provision:
While deciding penalty amount, Board must consider:

  • ✅ 33(2)(a) Nature, gravity, duration of breach
  • ✅ 33(2)(b) Type and nature of personal data affected
  • ✅ 33(2)(c) Whether breach is repetitive
  • ✅ 33(2)(d) Whether the person gained / avoided loss due to breach
  • ✅ 33(2)(e) Whether mitigation steps were taken + how timely/effective
  • ✅ 33(2)(f) Whether penalty is proportionate and effective (for compliance + deterrence)
  • ✅ 33(2)(g) Likely impact of penalty on the person

✅ Simple Meaning:
Penalty is not random. Board uses a structured checklist to ensure fair and proportional fines.

✅ Why Section 33(2) is Important:

  • Prevents “one-size-fits-all” fines
  • Encourages companies to mitigate quickly
  • Penalises repeat offenders more harshly

📌 Example 1 (Lower):
Minor breach + quick mitigation + low impact data → smaller penalty.

📌 Example 2 (Higher):
Large breach involving sensitive personal data + repeated negligence + profit motive → higher penalty.

📘 Section 34 — Crediting sums realised by penalties

🔹 Section 34 — Where the penalty money goes

Provision:
All penalty sums realised under the Act are credited to the Consolidated Fund of India.

✅ Simple Meaning:
Penalty money goes to the Government’s main fund — not to the complainant.

✅ Why Section 34 is Important:

  • Clarifies penalties are regulatory fines, not compensation
  • Keeps collection and accounting transparent

📌 Example:
If Board fines ₹50 crore → it is deposited into Consolidated Fund of India.

📘 Section 35 — Protection of action taken in good faith

🔹 Section 35 — Good faith protection

Provision:
No suit/prosecution/legal proceedings against Central Government, Board, Chairperson, Members, officers, employees for acts done/intended in good faith under the Act/Rules.

✅ Simple Meaning:
Regulators and officers can’t be personally sued for honest actions done lawfully.

✅ Why Section 35 is Important:

  • Protects enforcement authorities from harassment litigation
  • Encourages decisive enforcement

📌 Example 1:
Board imposes a fine after due inquiry → Members can’t be personally sued if done in good faith.

⚠️ Note: “Good faith” doesn’t protect malicious/illegal actions.

📘 Section 37 — Power of Central Government to issue directions

This is a strong power related to blocking access in public interest (triggered by Board reference).

🔹 Section 37(1) — Blocking directions after Board reference (repeat penalties + public interest)

Provision (trigger conditions): Government (or authorised officer), on receiving a written reference from the Board that:

  • ✅ 37(1)(a) the Board imposed monetary penalty on a Data Fiduciary two or more times, and
  • ✅ 37(1)(b) Board advises that, in general public interest, access to information in a computer resource enabling that fiduciary to offer goods/services to Data Principals in India should be blocked,

then Government may (after hearing the fiduciary + reasons in writing) direct agencies/intermediaries to block such public access.

✅ Simple Meaning:
If a company is repeatedly penalised and Board recommends blocking in public interest, Government can order blocking access to the company’s service/resource.

📌 Example 1:
A platform repeatedly violates DPDPA and keeps getting penalised → Board references Govt → Govt orders intermediaries to block access.

📘 Section 38 — Act to have overriding effect

🔹 Section 38(1) — In addition to other laws

Provision: Act is in addition to, not in derogation of other laws.

✅ Simple Meaning:
You may have to comply with DPDPA and other laws together.

🔹 Section 38(2) — If conflict, DPDPA prevails

Provision: If conflict between DPDPA and other law, DPDPA prevails to the extent of conflict.

✅ Simple Meaning:
Where rules clash, DPDPA wins (only for the conflicting part).

📌 Example:
If another law allows disclosure but DPDPA restricts it in that context → DPDPA controls to that extent.

📘 Section 39 — Bar of jurisdiction

🔹 Section 39 — Civil courts cannot intervene

Provision:
No civil court can entertain suits for matters the Board can determine; no injunction for actions taken/to be taken under Act.

✅ Simple Meaning:
If it’s a DPDPA issue within Board’s powers, you can’t bypass and go directly to civil court.

📌 Example:
Company can’t get a civil court injunction to stop Board proceedings.

📘 Section 40 — Power to make rules

🔹 Section 40(1) — Government makes rules (with prior publication)

Provision:
Central Government may notify rules (with prior publication) not inconsistent with the Act to carry out its purposes.

✅ Simple Meaning:
Act gives framework; Government issues detailed operational rules.

🔹 Section 40(2) — Areas where rules may be made

Provision: Rules may cover (illustrative list), including:

  • Notice requirements under Section 5(1), 5(2)
  • Consent Manager accountability & registration under 6(8), 6(9)
  • Eligible government benefits under Section 7(b)
  • Breach intimation format under 8(6)
  • “Specified purpose no longer served” period under 8(8)
  • DPO business contact publication under 8(9)
  • Verifiable parental consent under 9(1)
  • Classes of fiduciaries/conditions for children’s processing under 9(4)
  • DPIA process items under 10(2)
  • Other SDF measures under 10(2)
  • Data Principal request formats under 11(1), 12(3), 13(2), 14(1)
  • Standards for research exemption under 17(2)(b)
  • Board appointment, service conditions, authentication, Board staffing
  • Board techno-legal measures and appeal procedures under 28 and 29
  • And “any other matter” to be prescribed

✅ Simple Meaning:
Most real-world compliance details will come through these Rules.

📌 Example:
Rules may specify exact format for breach reporting or Consent Manager registration process.

📘 Section 41 — Laying of rules and certain notifications (Parliament oversight)

🔹 Section 41 — Parliamentary control

Provision: Every rule and certain notifications (notably under Section 16 and Section 42) must be laid before both Houses of Parliament; Parliament can modify/annul; past actions remain valid.

✅ Simple Meaning:
Government makes rules/notifications, but Parliament can review and change/strike them.

📘 Section 42 — Power to amend Schedule

🔹 Section 42(1) — Govt can amend penalty schedule, but capped

Provision: Government may amend the Schedule by notification, but cannot increase any penalty beyond twice the amount originally specified in the Act.

🔹 Section 42(2) — Amendment becomes part of Act

Provision: Amendment takes effect as if enacted in the Act and starts from notification date.

✅ Simple Meaning:
Penalty limits can evolve, but increases are capped.

📘 Section 43 — Power to remove difficulties

🔹 Section 43(1) — Govt may remove implementation difficulties

Provision:
Government may issue orders (Official Gazette) not inconsistent with Act to remove difficulties.

🔹 Section 43(2) — Time limit

Provision:
No such order after 3 years from commencement.

🔹 Section 43(3) — Parliamentary laying

Provision:
Orders must be laid before Parliament.

✅ Simple Meaning:
Temporary “fix it” power for early implementation—time-bound and supervised.

📘 Section 44 — Amendments to certain Acts

This section modifies other laws to align with DPDPA.

🔹 Section 44(1) — TRAI Act amendment (TDSAT jurisdiction includes DPDPA)

Updates TRAI Act Section 14(c) to include Appellate Tribunal under DPDPA.

🔹 Section 44(2) — IT Act amendments

  • ✅ 44(2)(a) omits Section 43A of IT Act
  • ✅ 44(2)(b) amends IT Act Section 81 proviso to include DPDPA
  • ✅ 44(2)(c) removes clause (ob) from IT Act Section 87(2)

🔹 Section 44(3) — RTI Act amendment

Substitutes RTI Act Section 8(1)(j) with wording: “information which relates to personal information;”

✅ Simple Meaning:
DPDPA “plugs into” existing legal ecosystem by updating older laws.