(1) If the Board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the Schedule.
(2) While determining the amount of monetary penalty to be imposed under sub-section (1), the Board shall have regard to the following matters, namely:-
(a) the nature, gravity and duration of the breach;
(b) the type and nature of the personal data affected by the breach;
(c) repetitive nature of the breach;
(d) whether the person, as a result of the breach, has realised a gain or avoided any loss;
(e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
(f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and
(g) the likely impact of the imposition of the monetary penalty on the person.
Digital Personal Data Protection Act, 2023
Section 31 Alternate dispute resolution
Section 32 Voluntary undertaking
Section 34 Crediting sums realised by way of penalties to Consolidated Fund of India
Section 35 Protection of action taken in good faith
Section 36 Power to call for information
Section 37 Power of Central Government to issue directions
Section 38 Consistency with other laws
Section 39 Bar of jurisdiction
Section 40 Power to make rules
Section 41 Laying of rules and certain notifications
Section 42 Power to amend Schedule
Section 43 Power to remove difficulties
Section 44 Amendments to certain Acts