DPDP Act 2023

Section 30

Offences by Companies

THE STATUTE

Original Text

(1) Where a Data Fiduciary that is a company has committed a contravention under this Act, then, every person who at the time of such contravention was in charge of, and was responsible to the company for the conduct of its business as well as the company shall be deemed to be guilty of such contravention and shall be liable to be proceeded against accordingly:

Provided that nothing contained in this sub-section shall render any such person liable to any penalty if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

(2) Notwithstanding anything contained in sub-section (1), where a contravention under this Act has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of such contravention and shall be liable to be proceeded against and punished accordingly.

Simplified

Section 30 establishes corporate officer liability for DPDP Act contraventions — one of the most practically significant provisions for boards of directors, CEOs, CISOs, DPOs, and general counsels of companies operating as Data Fiduciaries. The provision operates on the same dual-track model as Section 85 of the IT Act.

Track 1 — Deemed liability (Section 30(1)): every person who was 'in charge of and responsible to the company for conduct of its business' at the time of a contravention is automatically deemed guilty alongside the company. This is a reverse burden: the individual must affirmatively prove either that the contravention occurred without their knowledge, or that they exercised all due diligence to prevent it. The 'due diligence' defence requires demonstrating actual concrete preventive steps — a data protection policy that exists on paper but is never implemented will not suffice.

Track 2 — Consent or connivance (Section 30(2)): even a director or officer who was not 'in charge of the business generally' is personally liable if the contravention happened with their consent, connivance, or due to their personal neglect. This catches IT heads who approved insecure data architectures, legal officers who cleared non-compliant consent flows, and DPOs who failed to flag obvious violations to the board.

For companies notified as Significant Data Fiduciaries, Section 30 creates a particularly important dynamic: the DPO (who reports to both the board and the Data Protection Board) could be personally liable if a contravention occurs through their neglect. Section 30 creates strong incentives for boards to invest in genuine data protection compliance infrastructure, not just nominal compliance programmes.

Common Queries

Yes, under Section 30(1), if they were in charge of the company's business at the time of the breach. They can avoid liability by proving the breach occurred without their knowledge and that they exercised all due diligence to prevent it.
The officer must show they took concrete, active steps to prevent the contravention — not just that a policy existed on paper. Evidence of implemented security measures, regular audits, staff training, and documented compliance reviews would support this defence.
Yes. A DPO whose neglect contributed to a contravention could be liable under Section 30(2). This is one reason why companies must ensure DPOs have real authority, adequate resources, and genuine access to decision-making — not just a nominal title.
Yes. Section 30 applies to companies that are Data Fiduciaries under the DPDP Act, which includes foreign companies processing Indian data under Section 3(2). Officers in charge of those companies at the time of contravention are equally exposed.

Legal Context

Section 30 follows the standard corporate criminal liability model used across Indian economic legislation — Companies Act, FEMA, SEBI Act, Environment Protection Act, and the IT Act Section 85. The dual-track model (deemed liability + consent/connivance) is the most common formulation. Section 30 applies it to data protection, making DPDP Act compliance a personal board-level responsibility.

Key Rules & Provisions

Officers 'in charge of the business' are automatically liable — reverse burden to prove due diligence.

Directors and named officers liable for contraventions with their consent, connivance, or attributable to their neglect.

DPOs of Significant Data Fiduciaries face particular personal exposure under Section 30.

Creates strong board-level incentives for genuine compliance investment.

Related Case Laws

Avnish Bajaj v. State (NCT of Delhi) (2005)

2005 Cri LJ 4025 (Delhi HC)

RELEVANCE

Foundational Indian case on corporate officer liability for platform contraventions — the Section 85 IT Act framework that Section 30 DPDP mirrors. Delhi HC's analysis of 'in charge and responsible' is directly relevant to Section 30 interpretation.