
Q5 - Are SDFs subject to stricter penalties compared to ordinary Data Fiduciaries?

Answer

Yes. Under the Digital Personal Data Protection Act, 2023 (DPDPA), Significant Data Fiduciaries (SDFs) are subject to stricter penalties and compliance scrutiny than ordinary Data Fiduciaries. This is because SDFs handle larger volumes or more sensitive types of personal data, and their operations have a higher potential impact on individuals and public interest.


The DPDPA explicitly provides additional obligations for SDFs under Section 10(2), such as:

  • Appointment of a Data Protection Officer (DPO) based in India.
  • Engagement of an independent Data Auditor.
  • Conducting periodic Data Protection Impact Assessments (DPIAs) and compliance audits.

Failure to meet these obligations is classified as a specific breach category under the Schedule of the Act and carries higher penalty ceilings.


2. Comparative Penalty Structure

| Type of Breach | Relevant Section | Applicable Entity | Maximum Penalty |
| --- | --- | --- | --- |
| Breach of general provisions of the Act | Section 33(1) & Schedule (Entry 7) | Any Data Fiduciary | ₹50 crore |
| Breach of obligations relating to children's data | Section 9 | Any Data Fiduciary | ₹200 crore |
| Breach of security safeguards (data breach) | Section 8(5) | Any Data Fiduciary | ₹250 crore |
| Breach of additional obligations of SDFs | Section 10(2) | Significant Data Fiduciary | ₹150 crore |

These penalty caps are drawn from the Schedule attached to the DPDPA, which specifies penalties for each type of violation.


3. Why SDFs Are Held to a Higher Standard

The Central Government designates certain organizations as SDFs under Section 10(1) based on factors such as:

  • Volume and sensitivity of data processed.
  • Risk of harm to Data Principals.
  • Impact on sovereignty, democracy, or public order.

Because of these heightened risks, SDFs are expected to demonstrate advanced accountability and governance measures, and any breach of these duties attracts proportionally higher penalties.


4. How Penalties Are Determined

Under Section 33(2), the Data Protection Board of India considers the following while determining the fine amount:

  • Nature, gravity, and duration of the breach.
  • Type and sensitivity of personal data involved.
  • Whether the SDF acted negligently or repeatedly.
  • Steps taken to mitigate harm and cooperate during inquiry.
  • Whether the penalty is proportionate and effective for deterrence.

5. Practical Implication

Ordinary Data Fiduciaries may face compliance audits occasionally or upon complaint, but SDFs are:

  • Regularly audited,
  • Monitored for DPIA compliance, and
  • More likely to face higher penalties for lapses due to their critical role and risk exposure.

Example

A fintech company classified as a Significant Data Fiduciary fails to perform its annual independent audit and launches a new AI credit-scoring tool without a DPIA. The Data Protection Board investigates the lapse and imposes a penalty of ₹90 crore, citing breach of obligations under Section 10(2). A smaller startup processing limited customer data, by contrast, would likely face a lighter penalty or warning for similar non-compliance.


Referenced Provisions:

  • Section 10(1)–(2) – Additional obligations for Significant Data Fiduciaries.
  • Section 33(1)–(2) – Penalties and determining factors.
  • Schedule (Entries 1–7) – Specific penalty amounts and categories.
  • Sections 27–28 – Board's powers to investigate and enforce compliance.