Data Protection Board of India
The statutory authority established under the DPDP Act 2023 to adjudicate complaints, conduct inquiries, and impose penalties for violations of the Act.
Full Definition
The Data Protection Board of India (DPBI) is established under Section 18 of the DPDP Act 2023. It is a digital-first adjudicatory body: proceedings are conducted online, complaints are filed digitally, and inquiries can be conducted virtually. The Board has the power to: receive and inquire into complaints from Data Principals, conduct suo motu inquiries into data breaches, direct Data Fiduciaries to take remedial measures, and impose financial penalties under the Schedule. It is not a traditional regulatory authority like GDPR's Supervisory Authorities — it is primarily an adjudicatory body that resolves disputes between Data Principals and Data Fiduciaries, rather than an investigative regulator that proactively monitors compliance.
In Indian Law
DPDP Act 2023, Sections 18–27. Phase 1 of the DPDP Rules (November 2025) constituted the Board. Chairperson and members are government-appointed — a point of contrast with GDPR's constitutionally independent DPAs. Appeals from Board decisions lie to the High Court. Penalties under the Schedule range from up to ₹50 crore for breach notification failures to up to ₹250 crore for inadequate security safeguards causing data breaches. Unlike GDPR's turnover-based fines, DPDP penalties are fixed caps — applicable equally regardless of company size.
Related Legal Sections
Frequently Asked Questions
How is the Data Protection Board different from GDPR's Supervisory Authorities?
The DPBI is primarily an adjudicatory body (like a tribunal) — Data Principals file complaints and the Board resolves disputes. GDPR's DPAs are independent regulatory authorities with broader investigative, advisory, and enforcement powers including the ability to conduct proactive audits and issue binding guidance. GDPR DPAs are also constitutionally independent; the DPBI is government-appointed.