BACK TO DPDP ACT
DPDP Act 2023

Section 26

Voluntary Undertaking

THE STATUTE

Original Text

(1) Any Data Fiduciary or Data Processor who is the subject of an inquiry under this Act may, at any time before the conclusion of such inquiry, offer a voluntary undertaking to the Board with respect to any matter related to such inquiry. (2) The Board may, after considering such voluntary undertaking, accept or reject it. (3) Where such voluntary undertaking is accepted by the Board, the Board may close the proceedings and publish the voluntary undertaking, and the Data Fiduciary or Data Processor shall not be liable to any penalty in respect of the matter contained in the voluntary undertaking.

Simplified

Section 26 provides a voluntary undertaking mechanism — a structured route for Data Fiduciaries to proactively commit to remedying a contravention and avoid a formal penalty. The mechanism works as follows: at any point before an inquiry concludes, the Data Fiduciary (or Data Processor) can offer the Board a voluntary undertaking — essentially, a binding commitment to take specific corrective action to remedy whatever contravention is under investigation. The Board has discretion to accept or reject the undertaking. If accepted: the Board closes proceedings, publishes the undertaking (creating a public record of the commitment), and the Data Fiduciary is not liable to any penalty for that matter. If rejected: inquiry proceedings continue to their conclusion. Publication of accepted undertakings serves multiple purposes: it creates accountability (the Data Fiduciary's commitment is on public record), it provides regulatory transparency (others can see what remediation the Board considered adequate), and it creates a body of regulatory guidance about acceptable compliance remedies. The voluntary undertaking mechanism is an important enforcement tool that creates incentives for early proactive remediation — Data Fiduciaries who take meaningful corrective action before the conclusion of inquiry can avoid penalties entirely. This is similar to the 'consent order' or 'undertaking' mechanisms used by SEBI, the CCI, and other Indian regulators. It also reduces the Board's case load, freeing resources for more serious or complex matters.

Common Queries

Yes — if the Board accepts the undertaking. Section 26(3) provides that an accepted undertaking results in closed proceedings and no penalty for the matters covered. However, the Board has discretion to reject inadequate undertakings.
The DPDP Rules will address this. Typically in regulatory law, breach of an accepted undertaking reopens the investigation and may result in higher penalties, as the breach compounds the original contravention with a failure to honour a regulatory commitment.
Yes. Section 26(3) requires the Board to publish accepted voluntary undertakings — creating a transparent public record of what was admitted and what remediation was committed to.

Legal Context

Voluntary undertaking mechanisms appear across Indian regulatory law — SEBI uses consent orders, CCI uses commitment decisions, and the RBI accepts voluntary compliance arrangements. The DPDP Act's voluntary undertaking provision brings this regulatory flexibility to data protection enforcement.

Key Rules & Provisions

Accepted undertaking closes proceedings with no penalty — strong incentive for early remediation.

Published undertakings create a public record and regulatory guidance.

Board has discretion to accept or reject — prevents voluntary undertakings from becoming a tool to avoid accountability for serious violations.

Related Case Laws

SEBI v. Shriram Mutual Fund (2006)

(2006) 5 SCC 361
RELEVANCE

The Supreme Court upheld SEBI's consent order mechanism — where a regulated entity agrees to specified remedial measures in lieu of formal penalty proceedings — as a valid enforcement tool. Section 26's voluntary undertaking provision is the DPDP Act's equivalent mechanism, with the same rationale of enabling faster compliance without contested proceedings.