Data Protection Board of India — Powers, Procedure, Appeals

The Data Protection Board of India ('DPBI' or 'Board') is the adjudicatory authority established under Chapter VI (Sections 18-26) of the Digital Personal Data Protection Act, 2023 ('DPDP Act'), operationalised by Rules 17-22 of the Digital Personal Data Protection Rules, 2025 ('DPDP Rules') notified vide G.S.R. 846(E) dated 13 November 2025. It is a digital-first statutory body with civil-court powers, a six-month inquiry clock (extendable by three months at a time), and penalty authority up to Rs. 250 crore per contravention under Section 33 read with the Schedule. Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal ('TDSAT') within 60 days under Section 29 DPDP Act, and thereafter to the Supreme Court on questions of law under Section 18 of the Telecom Regulatory Authority of India Act, 1997 within 90 days.

TL;DR for founders

The DPDP Board is the authority that investigates personal data breaches, complaints from users, and DPDP non-compliance. It is a digital office — no physical appearances required. A complaint can be filed by any data principal. If the Board opens an inquiry, it must conclude within six months (extendable by three-month slices). Penalties go up to Rs. 250 crore for security failures and Rs. 200 crore for missing the 72-hour breach notification. If you disagree with a Board order, you have 60 days to appeal to TDSAT (a specialised tribunal in Delhi). You cannot sue a customer in a civil court for DPDP claims — the Board has exclusive jurisdiction. First thing to do: nominate an authorised person internally who will receive Board summons and keep a clean audit trail of every consent, breach and rights-request, because the burden of proving compliance sits on you.

Establishment and status

Section 18(1) DPDP Act establishes the Data Protection Board of India as a body corporate by the name, having perpetual succession and a common seal, with power to acquire, hold and dispose of property and to sue and be sued. Section 18(3) fixes its headquarters at a place notified by the Central Government. The Board is a statutory body and not a department of MeitY — it exercises quasi-judicial functions independently of the executive on the merits of each case, while the Central Government controls the appointment machinery under Section 19 read with Rule 17.

Commencement notifications G.S.R. 843(E) to 845(E) dated 13 November 2025 brought into force Sections 1, 2, 18-26, 27 and portions of 33-44 of the DPDP Act, together with Rules 1, 2 and 17-21 of the DPDP Rules. This means the Board's constitutional foundation — its establishment, composition, appointment method, procedure and appeal structure — is legally live as of 13 November 2025. Substantive compliance obligations on Data Fiduciaries under Sections 5 and 7-16 (read with Rules 3, 5-16, 22 and 23) commence only on 13 May 2027. The Board therefore has jurisdiction now but no large body of primary-law breaches to adjudicate until the 2027 commencement.

Composition

Section 19(1) DPDP Act provides that the Board shall consist of a Chairperson and such number of other Members as the Central Government may notify. Section 19(2) requires that a Member — including the Chairperson — be a person of ability, integrity and standing with specialised knowledge or practical experience in at least one of: data governance, administration or implementation of laws related to digital economy, technology, law, regulation, dispute resolution, information and communication technology, digital economy, administration, or finance.

Section 19(3) fixes the term at two years, with eligibility for re-appointment. Section 19(4) fixes the age limit at 65 years. Section 19(5) permits a Member to resign on three months' written notice to the Central Government; Section 19(6) requires the Member to continue till the successor assumes charge or three months whichever is earlier, for continuity.

Selection method. Rule 17 DPDP Rules operationalises the appointment architecture through two Search-cum-Selection Committees:

• For the Chairperson (Rule 17(1)) — the Cabinet Secretary as the chairperson of the selection committee, with the Secretaries of the Department of Legal Affairs and MeitY, and two experts of repute, as members.
• For other Members (Rule 17(2)) — the Secretary, MeitY as the chairperson of the selection committee, with the Secretary, Department of Legal Affairs, and two experts of repute, as members.

The Central Government, after considering the suitability of candidates recommended by the relevant committee, makes the appointment (Rule 17(3)). Rule 17(4) preserves validity of recommendations even where the committee has vacancies or composition defects.

Salary and terms. Rule 18 DPDP Rules refers to the Fifth Schedule for the salary, allowances and conditions of service of the Chairperson and Members. The Fifth Schedule aligns Chairperson pay with the Secretary-to-Government scale and Member pay with Additional-Secretary-level terms, conventional for an Indian regulatory tribunal.

Disqualifications and removal

Section 21 DPDP Act empowers the Central Government, by order, to remove from office a Member who: (a) has been adjudged as an insolvent; (b) has been convicted of an offence which in the opinion of the Central Government involves moral turpitude; (c) has become physically or mentally incapable of acting as a Member; (d) has acquired such financial or other interest as is likely to affect prejudicially her functions as a Member; or (e) has abused her position so as to render her continuance prejudicial to the public interest. Before any removal under clauses (d) or (e), the Member must be given a reasonable opportunity of being heard.

Powers and functions of the Board (Section 27)

Section 27(1) DPDP Act enumerates the Board's functions. It is directed to:

1. Determine non-compliance with the provisions of the Act and impose penalty under the Act (Section 27(1)(a)).
2. Direct urgent remedial or mitigation measures in the event of a personal data breach, and inquire into such breach (Section 27(1)(b)).
3. Receive any intimation of a personal data breach under Section 8(6).
4. Receive and inquire into complaints by an affected Data Principal.
5. Receive and inquire into references from the Central Government or a State Government.
6. Receive and inquire into references from a court.
7. Modify, suspend, withdraw or cancel the registration of a Consent Manager under Rule 4(5) read with Section 6(9).

Section 27(2) adds that the Board shall perform such other functions as the Central Government may, by rules, assign.

Procedure — digital by design (Section 28 + Rule 19, Rule 20)

Section 28(1) DPDP Act requires the Board to receive and inquire into breaches digitally. Section 28(3) provides that the Board shall, on receipt of intimation or complaint, first determine whether there are sufficient grounds to proceed with an inquiry; if it determines that there are insufficient grounds, it may close the proceedings. Section 28(4) empowers the Board, after giving an opportunity of being heard, to issue such directions as it considers just and equitable — including interim directions to control or mitigate ongoing harm. Section 28(7) vests the Board with the powers of a civil court under the Code of Civil Procedure, 1908 for: summoning and enforcing attendance of any person; examining her on oath; requiring the discovery and production of documents; receiving evidence on affidavit; and such other matters as may be prescribed.

Digital office (Rule 20). Rule 20 DPDP Rules directs that the Board shall function as a digital office — proceedings are conducted through techno-legal measures, without requiring physical presence, while preserving the summons and oath-administration powers.

Meetings and quorum (Rule 19). Rule 19(3) sets the quorum at one-third of the Board's membership. Decisions are by majority of those present and voting; Rule 19(4) gives the Chairperson (or the Member chairing in her absence) a casting vote in the event of a tie. Rule 19(5) prohibits participation or voting by a Member with an interest in the item under consideration.

Inquiry clock (Rule 19(9)). The Board's inquiry must be completed within six months from the date of receipt of the intimation, complaint, reference or direction under Section 27. Extensions are permitted only for reasons recorded in writing, for a further period not exceeding three months at a time.

Opportunity of hearing. Section 28(8) expressly applies the principles of natural justice — no penalty or direction may be imposed without a reasonable opportunity of hearing. Section 6(10) read with Section 28(6) puts the burden of proving DPDP compliance (particularly valid consent) on the Data Fiduciary.

Jurisdiction — what the Board can and cannot do

What the Board can do:

• Receive complaints from Data Principals and references from Governments and courts under Section 27(1).
• Inquire into personal data breaches intimated under Section 8(6) DPDP Act and Rule 7 DPDP Rules.
• Suspend or cancel a Consent Manager's registration under Rule 4(5) and issue consequential directions.
• Pass interim directions during an inquiry (Section 28(4)).
• Impose monetary penalties up to the Schedule caps (Section 33).
• Accept a voluntary undertaking in lieu of penalty (Section 32).

What the Board cannot do:

• Try cyber offences. Sections 66 to 67C and Section 72A IT Act offences continue to be prosecuted as criminal cases in the designated Sessions Court. Section 46 IT Act adjudication (civil contraventions up to Rs. 5 crore) runs before the adjudicating officer appointed by the Central Government, independently of the DPBI.
• Bind sectoral regulators. The Reserve Bank of India (under its Master Direction on IT Governance dated 7 November 2023, Master Direction on Digital Payment Security Controls dated 18 February 2021 and the Storage of Payment System Data Directive dated 6 April 2018), SEBI (under the CSCRF dated 20 August 2024 and the Master Circular for Mutual Funds), IRDAI (under the Information and Cyber Security Guidelines, 2023 dated 24 April 2023), and the UIDAI (under the Aadhaar (Data Security) Regulations, 2016) retain independent jurisdiction.
• Override CERT-In. Section 70B(6) IT Act read with the CERT-In Directions dated 28 April 2022 imposes a 6-hour incident reporting obligation on service providers, intermediaries, data centres, body corporates and Government organisations. A CERT-In filing does not discharge the 72-hour Section 8(6) DPDP notification, and vice versa.
• Entertain civil suits. Section 39 DPDP Act bars civil courts from entertaining any suit or proceeding in respect of any matter within the Board's competence. A Data Principal's remedial path is: Grievance Officer → DPBI → TDSAT → Supreme Court.

Filing a complaint or reference

Section 27(1)(b) DPDP Act read with Section 13(3) (right to grievance redressal) contemplates a two-step grievance path. The Data Principal must first approach the Data Fiduciary's Grievance Officer (or DPO, for Significant Data Fiduciaries) and allow the prescribed response window before escalating to the Board. Where the escalation is justified, the Data Principal may file an intimation or complaint to the Board in digital form.

The Board may, on receipt, either:

1. Determine there are insufficient grounds and close the proceedings (Section 28(3));
2. Open an inquiry and issue interim directions (Section 28(4));
3. Direct production of documents, summon witnesses and examine persons on oath (Section 28(7));
4. After hearing, pass a final order imposing penalty (Section 33), accept a voluntary undertaking (Section 32), or dismiss the complaint.

The Board may also act suo motu based on intimations received under Section 8(6), media reports, government references, or court references, subject to the sufficient-grounds threshold in Section 28(3).

Penalties — Section 33 and the Schedule

Section 33(1) DPDP Act empowers the Board to impose penalty as per the Schedule. Section 33(2) fixes the adjudication factors:

• The nature, gravity and duration of the breach.
• The type and nature of the personal data affected.
• The repetitive character of the breach.
• Gains realised or losses avoided by the person.
• Actions taken to mitigate the effect and consequences.
• Proportionality and effectiveness of the penalty.
• Such other matters as may be relevant in the facts and circumstances.

The Schedule to the DPDP Act sets eight penalty heads:

Section 32 permits the Board to accept a voluntary undertaking from the noticee, at any stage, on terms the Board considers appropriate — this is expected to be a pressure-release valve for early-stage breaches with demonstrable remediation.

Appeals — TDSAT and beyond (Section 29 + Rule 22)

Section 29(1) DPDP Act provides that any person aggrieved by an order or direction of the Board may prefer an appeal to the Appellate Tribunal within 60 days from the date of receipt of the order, extendable by the Tribunal on sufficient cause. The Appellate Tribunal is the Telecom Disputes Settlement and Appellate Tribunal constituted under the Telecom Regulatory Authority of India Act, 1997 ('TRAI Act').

Rule 22 DPDP Rules operationalises the appeal:

• Rule 22(1) — appeal filed in digital form as TDSAT may decide.
• Rule 22(2) — appeal fee of like amount as applicable under the TRAI Act, payable digitally via UPI or another RBI-authorised payment system; Tribunal Chairperson may reduce or waive.
• Rule 22(3)(a) — TDSAT is not bound by the Code of Civil Procedure, 1908 but shall be guided by principles of natural justice.
• Rule 22(3)(b) — TDSAT functions as a digital office.

Section 29(3) DPDP Act requires TDSAT to endeavour to dispose of the appeal within six months from receipt.

Further appeal. Section 29(4) DPDP Act provides that an appeal against a TDSAT order lies to the Supreme Court under Section 18 of the TRAI Act, 1997 on a question of law, within 90 days from the TDSAT order.

Writ jurisdiction preserved. Article 226 of the Constitution of India is not ousted. High Courts can entertain writ petitions against Board orders where statutory remedy is an inadequate alternative (e.g., challenge to constitutional vires of a rule, failure of natural justice, jurisdictional excess). The courts' settled discipline (Whirlpool Corporation v. Registrar of Trade Marks, (1998) 8 SCC 1) will direct appellants to exhaust the statutory remedy first, save in exceptional categories.

Interaction with other regimes

CERT-In — Section 70B IT Act. The CERT-In 6-hour incident reporting obligation under the Directions dated 28 April 2022 is independent of the 72-hour DPDP Section 8(6) breach notification. The CERT-In track covers twenty cyber-incident categories regardless of personal-data content; the DPDP track covers personal-data breaches regardless of cyber classification. A single incident with a personal-data dimension triggers both clocks simultaneously.

Section 46 IT Act adjudicating officer. Civil contraventions of the IT Act up to Rs. 5 crore remain with the adjudicating officer appointed by the Central Government. With Section 44(2) DPDP Act omitting Section 43A IT Act on 13 May 2027, the SPDI Rules 2011 lose their parent — but pre-commencement causes of action on sensitive personal data may continue under Section 43A until their limitation period lapses.

Sectoral regulators. The RBI, SEBI, IRDAI and NPCI each have parallel frameworks. An entity regulated under one or more of these continues to face that regulator's jurisdiction on the same facts. The DPBI is sectoral-neutral — it looks at DPDP compliance alone.

Section 17 exemptions. Section 17 DPDP Act removes the Board's jurisdiction from specified processing — personal-domestic use (Section 3(c)(i)); publicly made-available data (Section 3(c)(ii)-(iii)); and State-notified exemptions under Section 17(2) for sovereignty, integrity, security, friendly relations and public order. These carve-outs are structural limits on the Board's competence.

Practitioner analysis

1. Structuring a DPDP compliance-response playbook

A defensible DPDP compliance posture needs three artefacts ready for the Board: (a) a RoPA (Record of Processing Activities) linking each processing activity to a Section 6 consent basis or a Section 7 Certain Legitimate Use; (b) a Rule 6 control register listing encryption, access controls, logging, 180-day log retention, breach detection and contractual flow-down to processors; (c) a breach response kit — tabletop-tested against the 72-hour Section 8(6) clock and the 6-hour CERT-In clock. The burden of proving consent and compliance is on the Data Fiduciary under Sections 6(10) and 28(6) DPDP Act. Missing artefacts are irrebuttable evidence of breach.

2. Representing clients before the Board

Three tactical points drive representation strategy:

• Sufficient grounds threshold (Section 28(3)). An early, well-pleaded reply documenting the compliance architecture can trigger closure without an inquiry — particularly where the breach is immaterial or consent evidence is complete.
• Voluntary undertaking (Section 32). For fact patterns where liability is clear and quantifiable, a voluntary undertaking with specific remediation commitments and a compliance monitor is materially cheaper than a Schedule-cap penalty.
• Interim directions (Section 28(4)). An interim direction can compel mid-inquiry actions — data erasure, notification to data principals, operational changes — so contest interim relief vigorously when the operational cost is significant.

3. Drafting interim-relief applications

Where a Data Fiduciary is the target of an interim direction, challenge grounds are: (a) absence of reasons for the interim relief on the face of the order; (b) balance of convenience favouring the Data Fiduciary; (c) irreparable harm to ongoing service operations; (d) proportionality gap between the alleged breach and the interim measure. A reasoned written order is required by Section 28(8), and any order that fails to set out the reasoning is vulnerable on appeal.

4. Preparing for TDSAT appeals

TDSAT procedural rules (the Telecom Disputes Settlement and Appellate Tribunal (Procedure) Rules, 2005) govern the appeal; Rule 22 DPDP Rules overlays digital-office requirements. Practical pointers for appellants:

• Digital filings only — prepare the record as a unified, bookmarked PDF with exhibits cross-referenced by paragraph number.
• 60-day clock — starts from the date of receipt of the Board order. Preserve the actual receipt record (email, courier proof) from day one.
• Fee parity — Rule 22(2) pegs fee to TRAI Act. Budget for waiver applications in retail-scale grievances.
• Record preservation — TDSAT will not re-open evidence. Contemporaneous audit logs, consent artefacts and breach-response records must be in the Board record.

5. Multi-regulator incidents

When a breach simultaneously engages CERT-In (6 hours), DPBI (72 hours) and a sectoral regulator, run parallel filings on separate clocks and never substitute one for another. Consistency across filings matters — factual contradictions between the CERT-In report and the DPBI notification are the clearest path to an adverse inference.

Founder checklist

• Nominate an authorised representative for Board correspondence by 30 June 2026 — a named director or senior executive with email forwarding and escalation SLA.
• Tabletop the 72-hour clock against a realistic data-breach scenario at least twice in the 12 months before 13 May 2027, with CERT-In and sectoral filings running in parallel.
• Maintain a single breach ledger that records Board, CERT-In, sectoral and foreign-regulator timestamps — inconsistency is an adverse-inference magnet.
• Budget Rs. 25-75 lakh annually for an external privacy-counsel panel from the first SDF-designation window; the cost of a single Entry-1 proceeding dwarfs the retainer.
• Calendar the 60-day appeal clock for every Board order — lose it and TDSAT's discretion to condone is narrow.

Frequently asked questions

Can I settle with the complainant before the Data Protection Board of India takes up the matter?

Yes — but not privately. Section 32 of the Digital Personal Data Protection Act, 2023 empowers the Data Protection Board of India to accept a voluntary undertaking from a person against whom proceedings are initiated, at any stage, which may include undertakings to take or refrain from taking specified actions within a specified period. Once accepted by the Board, the proceedings are closed and no monetary penalty is imposed. Private settlement with a Data Principal does not close Board proceedings because the complaint can still be pursued as a reference to the Board under Section 27(1)(b).

Does the Data Protection Board have criminal jurisdiction?

No. Section 27 of the Digital Personal Data Protection Act, 2023 confers only civil adjudicatory powers. Cyber offences continue to be governed by Sections 66 to 67C of the Information Technology Act, 2000 (prosecuted in the designated Sessions Court) and the adjudicating-officer track under Section 46 of the IT Act for adjudicable civil contraventions up to Rs. 5 crore. The DPBI adjudicates penalties on Data Fiduciaries, Data Processors and Consent Managers for breach of the DPDP Act and Rules; it does not prosecute cyber offences.

What is the standard of proof before the Data Protection Board?

Section 28(6) of the Digital Personal Data Protection Act, 2023 places the burden on the Data Fiduciary to demonstrate compliance — most notably, Section 6(10) requires the Data Fiduciary to prove that consent given by the Data Principal was free, specific, informed, unconditional and unambiguous. Section 28(7) vests the Board with the same powers as a civil court for summoning, document production and examination under oath. The standard is the civil preponderance of probabilities, not the criminal beyond-reasonable-doubt standard.

Can I appeal a Data Protection Board order directly to a High Court?

No. Section 29(1) of the Digital Personal Data Protection Act, 2023 read with Rule 22 of the DPDP Rules, 2025 requires appeals against Board orders to be filed in digital form before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days. A further appeal on questions of law lies to the Supreme Court under Section 18 of the Telecom Regulatory Authority of India Act, 1997 within 90 days. Constitutional writ jurisdiction of High Courts under Article 226 is not ousted, but courts will ordinarily direct the appellant to exhaust the statutory remedy first.

Does a Data Protection Board order bind sectoral regulators like RBI, SEBI or IRDAI?

No. The Data Protection Board of India has jurisdiction only over Data Fiduciaries, Data Processors and Consent Managers for breach of the Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. Sectoral regulators — the Reserve Bank of India (under the RBI Act, 1934 and Payment and Settlement Systems Act, 2007), SEBI (under SEBI Act, 1992 and the Cybersecurity and Cyber Resilience Framework dated 20 August 2024), and IRDAI (under the IRDAI Act, 1999 and IRDAI Information and Cyber Security Guidelines dated 24 April 2023) — retain independent jurisdiction over regulated entities. A single incident can trigger parallel DPDP, sectoral and CERT-In proceedings, each on its own standard.

Sources

• Digital Personal Data Protection Act, 2023 — MeitY PDF
• Digital Personal Data Protection Rules, 2025 — MeitY (G.S.R. 846(E))
• India Code — Act 22 of 2023
• Telecom Regulatory Authority of India Act, 1997 — India Code
• Telecom Disputes Settlement and Appellate Tribunal — official website
• Information Technology Act, 2000 — India Code
• CERT-In Directions dated 28 April 2022
• eGazette of India — notification search

This explainer is part of Veritect's Digital, Data & AI Law vertical. Statutory citations are current as of 21 April 2026 and verified against the MeitY-hosted text of the DPDP Act, 2023 and the DPDP Rules, 2025 (G.S.R. 846(E), 13 November 2025). It is an original analysis and does not reproduce or paraphrase any third-party commentary. For the phased-rollout calendar of the DPDP Rules, see dpdp-rules-2025-phased-rollout. For the operational SOP on cross-border transfer, see cross-border-data-transfer-dpdp-sop.