Module 6 Quiz: Enforcement & Penalties | CDPL

Q1Part 1: DPB Structure

Under Section 18, the Data Protection Board of India is established as:

A.A department under MeitY B.A body corporate with perpetual succession C.A constitutional body D.A division of TDSAT

Explanation

Section 18(2) establishes the DPB as a "body corporate by the name aforesaid, having perpetual succession and a common seal" with power to acquire property and sue/be sued.

Q2Part 1: DPB Structure

According to Section 19(3), what is a mandatory requirement for DPB composition?

A.At least one technology expert B.Equal representation from industry and government C.At least one expert in the field of law D.Minimum of 5 Members

Explanation

Section 19(3) specifies that "at least one among them shall be an expert in the field of law" — this is the only mandatory composition requirement.

Q3Part 1: DPB Structure

What is the term of office for the Chairperson and Members under Section 20?

A.2 years, eligible for re-appointment B.3 years, not eligible for re-appointment C.5 years, eligible for one re-appointment D.Until age 65

Explanation

Section 20(2): "The Chairperson and other Members shall hold office for a term of two years and shall be eligible for re-appointment."

Q4Part 1: DPB Structure

Under Section 28(1), the Board is mandated to function as:

A.A traditional court with physical hearings only B.A regulatory agency with inspection powers C.A rule-making authority D.A digital office with digital-by-design processes

Explanation

Section 28(1) mandates the Board to "function as a digital office, with the receipt of complaints and the allocation, hearing and pronouncement of decisions in respect of the same being digital by design."

Q5Part 1: DPB Structure

What is the cooling-off period for Members before accepting employment with Data Fiduciaries?

A.6 months B.1 year C.2 years D.No cooling-off period exists

Explanation

Section 22(3): Members "shall not, for a period of one year from the date on which they cease to hold such office, except with the previous approval of the Central Government, accept any employment" with DFs against whom proceedings were initiated.

Q6Part 2: Powers & Procedures

Which is NOT a trigger for DPB action under Section 27(1)?

A.Personal data breach intimation under Section 8(6) B.Data Principal complaint about DF obligation breach C.Suo moto cognizance based on media reports D.Reference from Central Government

Explanation

Section 27(1) lists five specific triggers — intimations, complaints, references, court directions. The DPB does not have suo moto powers based on media reports; it operates on a complaint-driven model.

Q7Part 2: Powers & Procedures

Under Section 28(7), the Board has powers equivalent to a civil court under CPC in respect of:

A.Summoning witnesses, receiving evidence, inspecting documents B.Arresting defaulters and seizing property C.Issuing criminal warrants D.Granting injunctions

Explanation

Section 28(7) grants CPC powers for: (a) summoning and examining on oath, (b) receiving evidence/requiring documents, (c) inspecting data/books/documents, (d) other prescribed matters. Criminal powers like arrest are not included.

Q8Part 2: Powers & Procedures

What does Section 28(8) protect during Board inquiries?

A.Personal data of Board Members B.Trade secrets of complainants C.Government classified information D.Day-to-day business operations of the person under inquiry

Explanation

Section 28(8): "The Board or its officers shall not prevent access to any premises or take into custody any equipment or any item that may adversely affect the day-to-day functioning of a person."

Q9Part 2: Powers & Procedures

According to Rule 18(9), what is the timeline for completing DPB inquiries?

A.3 months, extendable by 1 month B.6 months, extendable by 3 months at a time C.1 year, no extensions D.No timeline specified

Explanation

Rule 18(9): Inquiry "shall be completed within a period of six months from the date of receipt... unless such period is extended by it, for reasons to be recorded in writing, for a further period not exceeding three months at a time."

Q10Part 2: Powers & Procedures

What happens if the Board finds a complaint to be false or frivolous under Section 28(12)?

A.The complaint is referred to police for criminal prosecution B.The complainant is permanently banned from filing future complaints C.The Board may issue a warning or impose costs on the complainant D.No action can be taken against complainants

Explanation

Section 28(12): "if the Board is of the opinion that the complaint is false or frivolous, it may issue a warning or impose costs on the complainant."

Q11Part 3: Penalties

What is the maximum penalty for breach of security safeguards under Section 8(5)?

A.₹250 Crore B.₹200 Crore C.₹150 Crore D.₹50 Crore

Explanation

Schedule Item 1: Breach of reasonable security safeguards obligation under Section 8(5) attracts the highest penalty — "May extend to two hundred and fifty crore rupees."

Q12Part 3: Penalties

What is the maximum penalty for breach of Data Principal duties under Section 15?

A.₹50 Crore B.₹1 Lakh C.₹1 Crore D.₹10,000

Explanation

Schedule Item 5: "Breach in observance of the duties under section 15" — penalty "May extend to ten thousand rupees." This is the lowest penalty, reflecting Data Principal responsibilities.

Q13Part 3: Penalties

Under Section 33(1), when can the Board impose penalty?

A.For any violation of DPDPA B.Only when breach is determined to be significant C.When requested by the complainant D.Automatically upon complaint filing

Explanation

Section 33(1): "If the Board determines on conclusion of an inquiry that breach of the provisions of this Act... is significant, it may... impose such monetary penalty." The "significant" threshold is mandatory.

Q14Part 3: Penalties

How many factors must the Board consider under Section 33(2) when determining penalty amount?

A.3 factors B.5 factors C.7 factors D.10 factors

Explanation

Section 33(2) lists 7 factors (a) through (g): nature/gravity/duration, type of data, repetitive nature, gain/loss avoided, mitigation actions, proportionality/deterrence, and impact on person.

Q15Part 3: Penalties

Under Section 42, the Central Government can amend Schedule penalties up to:

A.Twice the original amount B.Three times the original amount C.Any amount without limit D.Cannot amend penalty amounts

Explanation

Section 42(1): "no such notification shall have the effect of increasing any penalty specified therein to more than twice of what was specified in it when this Act was originally enacted."

Q16Part 4: Appeals

Appeals against DPB orders lie to:

A.High Court B.Telecom Disputes Settlement and Appellate Tribunal (TDSAT) C.National Consumer Disputes Redressal Commission D.Central Information Commission

Explanation

Section 29(1): "Any person aggrieved by an order or direction made by the Board under this Act may prefer an appeal before the Appellate Tribunal" — which is TDSAT as per DPDPA.

Q17Part 4: Appeals

What is the limitation period for filing appeal under Section 29(2)?

A.30 days B.45 days C.60 days D.90 days

Explanation

Section 29(2): "Every appeal under sub-section (1) shall be filed within a period of sixty days from the date of receipt of the order or direction appealed against."

Q18Part 4: Appeals

What is the effect of Board accepting a voluntary undertaking under Section 32(4)?

A.Reduced penalty is automatically imposed B.Matter is referred to mediation C.Inquiry is postponed for 6 months D.It bars penalty proceedings regarding undertaking contents

Explanation

Section 32(4): "The acceptance of the voluntary undertaking by the Board shall constitute a bar on proceedings under the provisions of this Act as regards the contents of the voluntary undertaking."

Q19Part 4: Appeals

What triggers the blocking power under Section 37?

A.Board reference after penalty in 2+ instances B.Single penalty exceeding ₹100 Crore C.Any Data Principal complaint D.Failure to pay penalty within 30 days

Explanation

Section 37(1): Requires Board reference that "(a) intimates the imposition of monetary penalty by the Board on a Data Fiduciary in two or more instances" plus advice that blocking is in public interest.

Q20Part 4: Appeals

Under Section 29(7), appeals to Supreme Court from TDSAT are limited to:

A.Any error in TDSAT order B.Substantial questions of law under Section 100 CPC C.Constitutional questions only D.Factual disputes only

Explanation

Section 29(7): Appeal to Supreme Court "on any one or more of the grounds specified in section 100 of the Code of Civil Procedure, 1908" — i.e., substantial questions of law only.

Q21Part 5: Practical Compliance

Which Section 33(2) factor relates to swift remediation actions taken by the Data Fiduciary?

A.Factor (b) - Type of data B.Factor (c) - Repetitive nature C.Factor (e) - Mitigation actions and timeliness D.Factor (g) - Impact on person

Explanation

Factor (e): "whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action." This rewards swift remediation.

Q22Part 5: Practical Compliance

Under Section 34, where do penalties collected by the Board go?

A.To the affected Data Principals as compensation B.To the Board's operational fund C.To state governments based on complainant location D.To the Consolidated Fund of India

Explanation

Section 34: "All sums realised by way of penalties imposed by the Board under this Act, shall be credited to the Consolidated Fund of India." Penalties are not compensation to victims.

Q23Part 5: Practical Compliance

What is the primary purpose of the "significant breach" threshold in Section 33(1)?

A.To provide prosecutorial discretion and prevent over-penalization B.To limit Board's jurisdiction to large companies C.To require minimum penalty amounts D.To exclude startups from penalties

Explanation

The "significant breach" requirement gives the Board discretion — minor, technical violations without real harm may not attract penalties. This prevents over-criminalization while maintaining deterrence for serious breaches.

Q24Part 5: Practical Compliance

Section 39 bars civil court jurisdiction. Does this bar High Court writ jurisdiction?

A.Yes, completely bars all court jurisdiction B.No, constitutional writ jurisdiction under Article 226 is not barred C.Only Supreme Court jurisdiction remains D.Writ jurisdiction is available only after exhausting statutory remedies

Explanation

Section 39 bars civil court jurisdiction for matters within DPB's purview, but constitutional writ jurisdiction under Articles 226 and 32 cannot be ousted by statute. However, courts typically require exhaustion of statutory remedies first.

Q25Part 5: Practical Compliance

What happens if a person breaches voluntary undertaking terms under Section 32(5)?

A.A warning is issued B.Undertaking is simply cancelled C.Breach is deemed breach of DPDPA, Board may impose full penalty D.Matter is referred to criminal courts

Explanation

Section 32(5): "such breach shall be deemed to be breach of the provisions of this Act and the Board may... proceed in accordance with the provisions of section 33." Full penalty exposure returns.

Enforcement, Penalties & Data Protection Board