DPDP Rules 2025 Phase 3 (13 May 2027; DPBI inquiry powers fully operative from Phase 3) ENFORCEMENT

Rules 13–16

Data Protection Board — Complaint, Inquiry, and Appeal Procedures

Practical Note

Rules 13–16 establish the procedural architecture for DPBI enforcement. Key operational fact: the DPBI operates as a 'digital office' — all proceedings, filings, and communications are electronic. No physical attendance at the DPBI is required. The Data Fiduciary's internal grievance mechanism must be exhausted before a complaint can go to the DPBI, so it is important for businesses to build this first-line defence.

THE STATUTE

Original Text

Rule 13: A Data Principal who has a grievance regarding any act or omission of a Data Fiduciary may, after exhausting the grievance redressal mechanism of the Data Fiduciary, submit a complaint to the Board.

Rule 14: The Board shall, upon receipt of a complaint, examine it and may call for a response from the Data Fiduciary.

Rule 15: The Board may, after giving the Data Fiduciary an opportunity of being heard, impose such financial penalty as it thinks fit.

Rule 16: Any person aggrieved by an order of the Board may prefer an appeal to the Telecom Disputes Settlement and Appellate Tribunal.

Analysis & Details

Rules 13–16 establish the end-to-end enforcement procedure for the DPDP Act.

COMPLAINT PROCEDURE (Rule 13): A Data Principal must first exhaust the Data Fiduciary's internal grievance mechanism under Act Section 13. Only if unsatisfied can they approach the DPBI. This exhaustion-first requirement is an important liability filter for businesses — a robust internal grievance mechanism will deflect many potential DPBI complaints.

INQUIRY PROCEDURE (Rule 14): The DPBI is a 'digital office' — all proceedings are electronic. The DPBI will examine the complaint and may require the Data Fiduciary to submit a response. Inquiry may involve calling for records, asking for technical explanation, and conducting virtual hearings.

PENALTY IMPOSITION (Rule 15): Before imposing any penalty, the DPBI must give the Data Fiduciary an opportunity to be heard — a codification of the audi alteram partem principle from Maneka Gandhi (1978). Penalties range from ₹10,000 (minor infractions) to ₹250 crore (major violations) as specified in Act Section 33's penalty schedule.

APPEAL (Rule 16): DPBI orders are appealable to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) — an existing regulatory appellate body previously handling telecom and broadcasting disputes. The use of TDSAT (rather than a new dedicated appellate body) is a pragmatic infrastructure reuse decision. TDSAT appeals add a judicial layer above the DPBI's quasi-judicial proceedings.

GDPR Parallel

Articles 57–63 (DPA Tasks and Powers) + Articles 77–80 (Remedies and Complaints)

IT Act Impact

The DPBI replaces the Adjudicating Officers under IT Act Section 46 as the primary regulatory enforcement body for digital personal data violations. Once DPDP fully comes into force, IT Act Section 43A violations (relating to sensitive personal data) will be subsumed by the DPDP framework.

Common Queries

Step 1: File a complaint with the Data Fiduciary (company) through its internal grievance mechanism under Act Section 13.
Step 2: If unsatisfied with the response (or no response within the specified period), file a complaint with the Data Protection Board of India (DPBI) — entirely online through the DPBI's digital platform.
Step 3: If unsatisfied with the DPBI's order, appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Step 4: Further appeal to the Supreme Court.
The internal grievance step (Step 1) is mandatory before approaching the DPBI.

The maximum penalty is ₹250 crore per violation for the most serious breaches (such as failure to implement security safeguards). Other penalty tiers include: ₹200 crore for child data processing violations; ₹200 crore for breach notification failures; ₹150 crore for data erasure failures; ₹10,000 for minor violations. Penalties are imposed by the Data Protection Board of India after giving the accused an opportunity to be heard.

The DPBI operates as a 'digital office' — all proceedings, filings, notices, and orders are electronic. No physical attendance at the DPBI is required. This is a novel administrative arrangement for a regulatory body in India and reflects the government's commitment to the 'digital-first' principle in the DPDP Act.

Key Rules & Provisions

Internal grievance exhaustion mandatory before DPBI complaint — first-line defence for businesses.

DPBI operates as digital office — no physical proceedings.

Audi alteram partem before penalty — natural justice guaranteed.

Appeal to TDSAT (Telecom Disputes Settlement and Appellate Tribunal).

Further appeal from TDSAT to Supreme Court.