A company leaks your Aadhaar number. Your bank details. Your medical records.

There's a government body that can fine them ₹250 crore for it.

Most Indians have never heard its name.

What Is DPBI?

DPBI stands for the Data Protection Board of India. It's a government body created under the DPDP Act, 2023 — India's main data protection law — to punish companies that mishandle your personal data.

It's not a helpline. It's not a support ticket system. It's a quasi-judicial body — meaning it has real legal power to investigate, penalise, and force a company to change how it handles your data.

What DPBI Can Actually Do

DPBI can investigate a company, demand documents, run a formal inquiry, and order immediate fixes if your data is at risk.

If it finds a serious violation, it can fine that company up to ₹250 crore. Per violation.

That's not a symbolic number. That's enough to show up on a company's earnings call and worry its investors.

The Board can also accept a written promise from a company to fix its practices, in exchange for a lighter penalty. This is called a voluntary undertaking.

Where Does the Fine Money Go?

Here's the part that surprises people.

The fine doesn't come to you. It goes to the Consolidated Fund of India — the government's account.

India's data protection law doesn't give you a right to sue for damages, and it doesn't build in compensation for you personally. Every penalty DPBI hands out stays with the government.

So if DPBI fines a company ₹100 crore over your leaked data, you get the satisfaction of watching them get punished. You don't get a cheque.

What Counts as a Violation

Here's what this looks like in the real world, not legal theory.

You ask an app to delete your account and your data. It stalls or ignores you without a valid reason. That's something DPBI can examine.

A fintech app suffers a breach exposing KYC details — Aadhaar, PAN, bank information. If it delayed reporting the breach or had no real security in place, DPBI can investigate and penalise.

An app collects your data at onboarding, then quietly starts using it for marketing without asking again. That's a consent violation too.

How to Actually File a Complaint

Before you can go to DPBI, you have to raise the issue with the company itself first. Most apps bury a grievance officer's email somewhere in their privacy policy — go find it.

Only if the company ignores you, or gives you an unsatisfactory response, can you escalate to the Board.

From there, everything is digital. You file through DPBI's online portal, get a case number and timestamp, and the entire process — hearings, responses, orders — happens without a courtroom. No lawyer required.

If you disagree with the ruling, you can appeal to the Telecom Disputes Settlement and Appellate Tribunal, TDSAT, within 60 days.

One Thing to Know Right Now

DPBI is still being staffed. As of April 2026, its Chairperson and Members hadn't been appointed. MeitY only opened applications for those posts in May 2026, and there's no confirmed appointment as of this writing.

That means the law has ₹250 crore penalties written into it, and the body meant to hand them out is still being assembled. Some courts have already had to redirect data complaints elsewhere because DPBI wasn't ready to take them yet.

Keep an eye on MeitY's notifications for when that changes.

The Bottom Line

Every fintech app holding your PAN card. Every delivery app tracking your location. Every social app that "accidentally" leaked a database.

DPBI is the body built to hold all of them accountable.

Most Indians have never filed a single privacy complaint. Not because nothing's gone wrong. Because nobody told them where to go.

Now you know.