The Data Protection Board of India: What It Is and What It Means for Your Business

Introduction

On November 13, 2025, India’s data protection enforcement era officially began.

That was the day the Data Protection Board of India (DPBI) was formally constituted and became operational: the regulatory authority at the heart of the DPDP Act’s enforcement machinery. From that date, India has had a functioning data protection regulator capable of investigating complaints, ordering remediation, and imposing financial penalties of up to ₹250 crore.

This is no longer a theoretical future obligation. The regulator exists, it is operational, and it has the legal tools to act.

Understanding how the DPBI works (what it can do, how it operates, who can approach it, and how to interact with it) is essential for every organisation that processes personal data in India.


What Is the Data Protection Board of India?

The Data Protection Board of India is the adjudicatory body established under Section 18 of the DPDP Act to:

  • Receive and process complaints from Data Principals (individuals) who believe their data protection rights have been violated
  • Investigate alleged violations of the DPDP Act and Rules
  • Issue directions to Data Fiduciaries and Data Processors to remedy violations
  • Impose financial penalties up to the maximum amounts specified in the Act’s Schedule
  • Take suo motu action, initiating investigations on its own, without a complaint, where it becomes aware of potential violations
  • Receive and process breach intimations: organisations must report personal data breaches to the DPBI

The DPBI is not a court. It is an administrative tribunal with quasi-judicial powers. The distinction matters for how its decisions are challenged (on appeal to TDSAT, then the higher courts), but not for whether its decisions are binding. They are.


Composition of the DPBI

The DPBI is headed by a Chairperson appointed by the Central Government, supported by such number of Members as the Government determines. The Chairperson and Members are appointed based on their expertise in law, data protection, technology, public policy, or related fields.

Key structural features:

  • The Board operates as an independent body; it is not subordinate to any ministry in its adjudicatory functions
  • Members serve fixed terms with defined removal procedures, providing security of tenure
  • The Board headquarters is in the National Capital Region (Delhi/NCR)
  • The Board’s proceedings are entirely digital-first: all submissions, hearings, and decisions are handled through a digital portal and mobile app

The digital-first model is deliberate. It makes the DPBI accessible to ordinary citizens across India, not just organisations with legal teams in metro cities. Any individual with internet access can file a complaint.


How the DPBI Operates: The Digital-First Model

One of the most distinctive features of the DPBI, and one that significantly affects how organisations should think about compliance, is its fully digital operating model. Unlike traditional courts or tribunals, the DPBI has no requirement for physical presence.

How complaints are filed:

  • Through the DPBI’s online portal (web-based)
  • Through the DPBI’s dedicated mobile app (iOS and Android)
  • No physical filing required; no court visits necessary
  • Available in English and 22 languages under the Eighth Schedule of the Constitution

What this means for organisations: the barrier to filing a data protection complaint is extraordinarily low. A visitor who checked into your office, later asks for their data to be deleted, and is ignored for 90 days can file a DPBI complaint from their phone in minutes. The accessibility of the system is designed to empower individuals, and organisations should plan their compliance accordingly.


What Can Trigger a DPBI Investigation?

The DPBI can act in three main ways:

1. Individual Complaint

A Data Principal can file a complaint if:

  • They believe their personal data was collected or processed without valid consent or legal basis
  • Their request for access, correction, or erasure was refused or ignored
  • Their grievance with the Data Fiduciary was not resolved within a reasonable time (typically 30 days before escalating to the DPBI)
  • They were not notified of a personal data breach affecting them
  • Their consent was not obtained in a free, specific, informed, unconditional, and unambiguous manner

Important: Before filing with the DPBI, a Data Principal must first attempt to resolve the grievance with the Data Fiduciary. Only if the Fiduciary fails to respond or provides an unsatisfactory response can the complaint be escalated to the DPBI. This means every Data Fiduciary must have a functional, responsive grievance mechanism, because if it does not, the DPBI is the next stop.

2. Breach Notification

When a personal data breach occurs, the Data Fiduciary is required to notify the DPBI (initial intimation without delay; full report within 72 hours). The DPBI may then investigate the breach, even if no individual has filed a complaint, to assess whether the organisation’s security safeguards were adequate and whether its response met legal requirements.

3. Suo Motu Action

The DPBI can initiate an investigation on its own initiative, without waiting for a complaint or breach notification, if it becomes aware of a potential violation. Triggers for suo motu action might include:

  • Media reports of data breaches or misuse
  • Patterns identified in complaint data suggesting systemic violations
  • Intelligence from other regulatory bodies (RBI, SEBI, TRAI, CERT-In)
  • High-profile incidents involving large volumes of data or serious harm

The Penalty Framework: What the DPBI Can Impose

When the DPBI finds a violation, it has broad discretion in determining the appropriate penalty, but it must stay within the maximums in the Act’s Schedule.

Maximum penalty by violation category:

  • Inadequate security safeguards / causing a breach: ₹250 crore
  • Failure to notify a breach (DPBI and Data Principals): ₹200 crore
  • Non-compliance with children’s data protections: ₹200 crore
  • Failure to fulfil Data Principal rights: ₹50 crore
  • Any other violation: ₹50 crore per instance

The DPBI must weigh mitigating and aggravating factors when determining penalty:

  • Nature, gravity, and duration of the violation
  • Type and volume of personal data involved
  • Number of Data Principals affected
  • Whether the violation was intentional or negligent
  • Whether the organisation took action to mitigate harm
  • Financial benefit derived from the violation (if any)
  • History of prior violations
  • Degree of cooperation with the investigation
  • Whether actual harm resulted

The practical implication of this discretion: Organisations that respond promptly to complaints, cooperate with investigations, take remedial action proactively, and demonstrate good-faith compliance effort are in a fundamentally different penalty position than those that ignore complaints, obstruct investigations, or have a history of repeated violations.


The Grievance Process: From Complaint to Decision

Understanding the journey from individual complaint to DPBI decision helps organisations anticipate and prepare for regulatory interactions.

Step 1: Grievance to Data Fiduciary
The Data Principal raises a concern with the Data Fiduciary through their published grievance mechanism. The Fiduciary has a reasonable opportunity to resolve the matter (typically 30 days).

Step 2: Escalation to DPBI
If unresolved, the Data Principal files a complaint with the DPBI through the online portal or app. The complaint includes the nature of the violation, steps already taken with the Fiduciary, and supporting evidence.

Step 3: DPBI Admission and Notice
The DPBI reviews the complaint for admissibility. If admitted, it issues a notice to the Data Fiduciary requiring a response within a specified period. The Fiduciary has the opportunity to file a detailed response, provide evidence, and present its compliance position.

Step 4: Hearing
The DPBI may conduct a hearing, entirely digital, at which both the Data Principal and the Data Fiduciary can present their case. The Board may also call for documents, data, or technical assessments.

Step 5: Decision
The DPBI issues a reasoned decision: finding of violation or no violation; if violation, the nature and severity of the penalty; directions for remediation (if applicable).

Step 6: Appeals
A party aggrieved by the DPBI’s decision can appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Further appeal lies to the High Court, and ultimately the Supreme Court.


Parallel Regulatory Frameworks: The DPBI Is Not the Only Risk

The DPBI is a critical compliance risk for data protection violations. But it operates alongside other regulatory bodies that may have jurisdiction over the same incident:

Regulator (jurisdiction): intersection with DPDP

  • CERT-In (cybersecurity incidents): a data breach triggers both a DPBI 72-hour reporting obligation and a CERT-In 6-hour reporting obligation
  • RBI (banking and financial sector): applies data governance requirements to banks and NBFCs alongside DPDP
  • SEBI (capital markets): data handling for brokers, depositories, and listed companies
  • TRAI (telecom): subscriber data protection, overlapping with DPDP for telecom operators
  • IRDA (insurance): policyholder data protection alongside DPDP
  • NCW / NCPCR (women’s and children’s rights): may intervene in cases involving privacy violations affecting women or children

For most organisations, the most immediate dual-clock risk is CERT-In (6 hours) + DPBI (72 hours) following a cybersecurity incident. Both clocks start running simultaneously.


What Happens If the DPBI Contacts Your Organisation

If your organisation receives a notice from the DPBI, whether triggered by a complaint, a breach report, or suo motu action, here is the immediate priority list:

Do not ignore it. The DPBI can proceed ex parte (in the absence of the organisation) and impose penalties without a hearing if the notice is ignored. Every notice demands a formal, timely response.

Engage qualified legal counsel. DPBI proceedings involve formal submissions and evidentiary standards. Professional representation with data protection and technology law expertise is essential from the first response.

Do not alter, delete, or obstruct. Any attempt to modify records, delete data, or obstruct the investigation worsens the organisation’s position significantly and may constitute a separate violation.

Cooperate fully and document that cooperation. Cooperation is explicitly listed as a mitigating factor in penalty determination. Document every step your organisation takes in response to the notice.

Assess and implement remediation immediately. If the complaint or breach notice identifies a specific deficiency, fix it before the hearing. Demonstrating that you have already remedied the issue, rather than waiting to be ordered to do so, materially affects the DPBI’s assessment.

Prepare a clear factual narrative. The DPBI’s decision will be based on the facts as presented. Prepare a clear, accurate, documented account of what happened, what your compliance posture was at the time, and what you have done since.


How Organisations Should Prepare for DPBI Oversight

The DPBI’s accessibility, digital-first model, and broad enforcement powers mean that every organisation should build DPBI-awareness into its compliance programme:

  • Publish a functional, responsive grievance mechanism. If individuals cannot resolve data concerns with you, the DPBI is their next step. Make the first step work.
  • Maintain a 90-day rights response SLA. The DPBI will have evidence of unresolved rights requests if complainants share their correspondence history.
  • Keep thorough documentation: consent records, privacy notices, processing logs, deletion confirmations. In any investigation, documentary evidence of compliance is your primary defence.
  • Build a breach response playbook and test it. When a breach triggers the 72-hour clock, you need to know exactly who does what, and when.
  • Train staff who interact with personal data on their obligations. A DPBI investigation may require your reception team, security team, or HR team to explain what they did and why.

The Bottom Line

The Data Protection Board of India is not a future aspiration. It is an operational, digital-first regulatory body that began taking complaints on November 13, 2025. It can investigate any organisation, at any time, triggered by a single complaint filed from a smartphone.

The DPBI’s design (accessible, digital, multi-language, and backed by penalties up to ₹250 crore) is specifically intended to make data protection enforcement a practical reality for ordinary individuals. That is exactly what it will be.

The organisations that will navigate DPBI oversight most successfully are not those with the largest legal teams. They are those with the cleanest compliance programmes: genuine consent mechanisms, responsive grievance handling, documented deletion workflows, and transparent privacy practices.

Build the compliance. Respect the regulator. Protect the people whose data you hold.


This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection professional for specific compliance guidance.

Onfra is a DPDP-aware workplace management platform designed to help Indian enterprises manage visitor, employee, and facility data responsibly, with audit trails, consent flows, and deletion mechanisms that support your DPBI compliance posture.