Penalties for contravening certain provisions of the Act
57. (1) Where the data fiduciary contravenes any of the following provisions,
(a) obligation to take prompt and appropriate action in response to a data security breach under section 25;
(b) failure to register with the Authority under sub-section (2) of section 26,
(c) obligation to undertake a data protection impact assessment by a significant data fiduciary under section 27;
(d) obligation to conduct a data audit by a significant data fiduciary under section 29;
(e) appointment of a data protection officer by a significant data fiduciary under section 30,
it shall be liable to a penalty which may extend to five crore rupees or two per cent. of its total worldwide turnover of the preceding financial year, whichever is higher;
(2) Where a data fiduciary contravenes any of the following provisions,
(a) processing of personal data in violation of the provisions of Chapter II or Chapter III;
(b) processing of personal data of children in violation of the provisions of Chapter IV;
(c) failure to adhere to security safeguards as per section 24; or
(d) transfer of personal data outside India in violation of the provisions of Chapter VII,
it shall be liable to a penalty which may extend to fifteen crore rupees or four per cent. of its total worldwide turnover of the preceding financial year, whichever is higher.
(3) For the purposes of this section,
(a) the expression “total worldwide turnover” means the gross amount of revenue recognised in the profit and loss account or any other equivalent statement, as applicable, from the sale, supply or distribution of goods or services or on account of services rendered, or both, and where such revenue is generated within India and outside India.
(b) it is hereby clarified that total worldwide turnover in relation to a data fiduciary is the total worldwide turnover of the data fiduciary and the total worldwide turnover of any group entity of the data fiduciary where such turnover of a group entity arises as a result of the processing activities of the data fiduciary, having regard to factors, including
(i) the alignment of the overall economic interests of the data fiduciary and the group entity;
(ii) the relationship between the data fiduciary and the group entity specifically in relation to the processing activity undertaken by the data fiduciary; and
(iii) the degree of control exercised by the group entity over the data fiduciary or vice versa, as the case may be.
(c) where of any provisions referred to in this section has been contravened by the State, the maximum penalty shall not exceed five crore rupees under sub-section (1), and fifteen crore rupees under sub-section (2), respectively.