What does the DPDP Schedule actually prescribe?
The penalty architecture of the Digital Personal Data Protection Act 2023 lives in one place: the Schedule, read with Section 33. There is no flat fine and no percentage-of-turnover formula as in the GDPR. Instead, the Schedule lists breach categories with a rupee ceiling for each, applied per instance of violation after an inquiry by the Data Protection Board of India.
- Up to Rs 250 crore — failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)).
- Up to Rs 200 crore — failure to give the Board and affected Data Principals intimation of a personal data breach (Section 8(6)).
- Up to Rs 200 crore — breach of the additional obligations relating to children (Section 9) — rarely the employer scenario, but it exists.
- Up to Rs 150 crore — breach of the additional obligations of a Significant Data Fiduciary (Section 10).
- Up to Rs 50 crore — breach of any other provision of the Act or its rules: notice, consent, purpose limitation, erasure, grievance redressal and more.
For a CFO or CISO, the practical reading is this: the two biggest numbers attach not to monitoring itself but to how you secure and handle the data your monitoring produces. The figures above are statutory maximums, not automatic awards — verify with counsel.
Which monitoring failures map to which penalty tier?
The Schedule speaks in sections of the Act; your risk register speaks in tools and configurations. This table translates between the two for the most common employee-monitoring failure modes we see in India IT services, BPO and GCC environments.
| Monitoring scenario | Likely DPDP breach | Schedule ceiling |
|---|---|---|
| Unencrypted screenshot/keystroke archive exposed in a breach | Failure of reasonable security safeguards — Section 8(5) | Up to Rs 250 crore |
| Monitoring vendor breached; Board and employees never informed | Failure of breach intimation — Section 8(6) | Up to Rs 200 crore |
| Large employer notified as SDF runs monitoring with no DPIA, DPO or audit | Breach of SDF obligations — Section 10 | Up to Rs 150 crore |
| Monitoring deployed silently — no notice, no consent record | Breach of notice/consent provisions — Sections 5–6 | Up to Rs 50 crore |
| Ex-employee screenshots and logs retained years after exit | Breach of erasure/purpose limitation — Section 8(7) | Up to Rs 50 crore |
| Employee’s erasure or correction request ignored | Breach of Data Principal rights — Sections 11–13 | Up to Rs 50 crore |
Mapping is indicative: the Board characterises violations on the facts, several rows can apply to one incident, and each instance is penalised separately. Verify with counsel.
The Rs 250 crore tier: security failures in the monitoring store
Monitoring tools are data factories. A screenshot-heavy deployment across a 2,000-seat BPO can generate millions of images a month — each one personal data, many capturing customer records, passwords, medical portals or personal chats that happened to be on screen. The Schedule’s highest ceiling, Rs 250 crore, attaches to failing to protect that store with reasonable security safeguards.
The exposure scales with the capture surface. An unencrypted screenshot bucket, a shared admin login to the monitoring console, keystroke logs replicated to an unsecured analytics warehouse, or a vendor holding Indian employee data with undisclosed sub-processors are all variations of the same failure. The cheapest mitigation is architectural: collect less. A platform that scores productivity from outcome signals — calendar, repo, ticket and focus artefacts — rather than screen content has no screenshot store to breach. That is the design position gStride takes, and it converts this tier from a live exposure into a largely empty category.
Key figures for the board deck — DPDP Schedule ceilings: Rs 250 crore (security safeguards), Rs 200 crore (breach intimation), Rs 150 crore (SDF obligations), Rs 50 crore (residual, incl. notice and retention failures) — per instance, set by the Data Protection Board under Section 33. Model your own stack with the free DPDP Penalty Exposure Calculator. Verify with counsel.
The Rs 200 crore tier: breach-notification lapses
This is the tier that punishes silence. If monitoring data leaks — your own database, a vendor’s cloud bucket, an insider exfiltration — the Act requires intimation of the breach to the Data Protection Board and to each affected Data Principal. Your employees are those Data Principals. The DPDP Rules, 2025 prescribe the form and timelines of that intimation; the working assumption should be prompt notification with a fuller report to follow, on the timeline the Rules fix.
Two things make monitoring data nasty here. First, discovery is hard: screenshot archives are rarely inventoried, so teams often cannot say what leaked or whose data it contained. Second, notifying employees that their recorded screens leaked is an internal-trust event as much as a legal one. The lapse itself — not the breach — carries the Rs 200 crore ceiling, and it stacks on top of any Rs 250 crore security-failure finding from the same incident. Verify current Rules timelines with counsel.
Rs 150 crore: when the SDF tier catches large employers
The Central Government can notify classes of Data Fiduciaries as Significant Data Fiduciaries based on volume and sensitivity of data, risk to Data Principals and similar factors. Large IT services exporters, BPOs and GCC operators processing workforce data at scale are realistic candidates. SDF status brings additional duties: appointing a Data Protection Officer based in India, periodic independent data audits, and Data Protection Impact Assessments — which would squarely cover an employee monitoring programme.
Running an intrusive monitoring stack while skipping the DPIA, the DPO or the audit is a breach of Section 10 with a ceiling of Rs 150 crore. If SDF designation is plausible for your organisation, the monitoring DPIA is the artefact to commission first; our DPIA template and process guide walks through it. Verify designation status with counsel.
The Rs 50 crore residual tier: missing notice and stale data
Everything else lands in the residual tier — up to Rs 50 crore per instance — and this is where most everyday monitoring violations live. Deploying an agent without the itemised notice Sections 5–6 require. Holding no demonstrable consent or other lawful basis for each capture category. Using attendance data collected for payroll to feed a covert productivity score, in tension with purpose limitation. Ignoring an employee’s request to access, correct or erase their data. And the quiet classic: retaining ex-employee monitoring data — screenshots, keystrokes, scores — years after the person left and every employment purpose ended.
Rs 50 crore sounds like the “small” tier until you remember it applies per instance and that a silent deployment across thousands of employees is not obviously one instance. The fix is procedural and cheap relative to the exposure: itemised notices per capture category, a consent ledger, a retention schedule with automated deletion at exit plus any statutory holds. Verify with counsel.
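One way to implement the retention-schedule-with-holds fix described above, as an added example rather than code from the page or from gStride: a sweep that deletes ex-employee monitoring artefacts once their per-category period after exit has run, keeps anything under a statutory hold, and flags categories that have no rule instead of guessing. Categories, retention periods, employee ids and the inventory are constructed assumptions.

```python
from datetime import date, timedelta

# Days each capture category may be kept after an employee's exit.
# Constructed assumptions for illustration, not periods fixed by the Act or Rules.
RETENTION_DAYS_AFTER_EXIT = {
    "screenshot": 0,       # no employment purpose survives exit: delete at exit
    "keystroke_log": 0,
    "activity_score": 90,  # kept briefly for final appraisal or disputes
}

def classify(record, exits, holds, today):
    """Decide the fate of one record: ("delete" | "retain" | "review", reason).
    exits: employee -> exit date (absent for current staff);
    holds: employee -> set of categories, or {"*"}, under a statutory hold."""
    emp, cat = record["employee"], record["category"]
    if emp not in exits:
        return "retain", "employment purpose ongoing"
    held = holds.get(emp, set())
    if "*" in held or cat in held:
        return "retain", "statutory hold"
    if cat not in RETENTION_DAYS_AFTER_EXIT:
        # Unknown category: neither keep nor purge silently, flag for a human.
        return "review", f"no retention rule for category {cat!r}"
    due = exits[emp] + timedelta(days=RETENTION_DAYS_AFTER_EXIT[cat])
    if today >= due:
        return "delete", f"retention expired on {due.isoformat()}"
    return "retain", f"retention runs until {due.isoformat()}"

def retention_sweep(records, exits, holds, today):
    """Group record ids by action; the 'delete' bucket is what the job purges."""
    out = {"delete": [], "retain": [], "review": []}
    for r in records:
        action, reason = classify(r, exits, holds, today)
        out[action].append((r["id"], reason))
    return out
# Constructed sample inventory: one current employee (e100), one leaver past
# retention (e200) and one leaver under a legal hold (e300).
SAMPLE_RECORDS = [
    {"id": "s1", "employee": "e100", "category": "screenshot"},
    {"id": "s2", "employee": "e200", "category": "screenshot"},
    {"id": "a2", "employee": "e200", "category": "activity_score"},
    {"id": "k3", "employee": "e300", "category": "keystroke_log"},
    {"id": "w2", "employee": "e200", "category": "webcam"},
]
SAMPLE_EXITS = {"e200": date(2025, 1, 31), "e300": date(2022, 12, 31)}
SAMPLE_HOLDS = {"e300": {"*"}}  # constructed: e.g. a pending proceeding
TODAY = date(2025, 3, 15)

def run_sample():
    return retention_sweep(SAMPLE_RECORDS, SAMPLE_EXITS, SAMPLE_HOLDS, TODAY)
```

The "review" bucket is the important edge case: a new capture category added to the agent without a retention rule should surface in the sweep report, not accumulate quietly.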
How the Board sets the actual number
The Schedule gives ceilings; Section 33(2) gives the dial. After an inquiry, the Data Protection Board weighs the nature, gravity and duration of the breach, the type and nature of the personal data affected, whether the violation is repetitive, whether the person gained or avoided loss from it, the mitigation actions taken and their timeliness, and the proportionality and deterrent effect of the penalty. Section 32 also lets a fiduciary offer a voluntary undertaking that the Board may accept, which can bar further proceedings on those facts.
Translated into a monitoring posture: an employer that captured narrowly, encrypted what it held, noticed transparently, deleted on schedule and notified fast sits at the bottom of every range. An employer running covert screenshot capture on an unencrypted store with no retention policy sits at the top of several ranges at once. The penalty regime effectively prices your architecture — which is the strongest business case for privacy-first monitoring there is. Verify with counsel.
Frequently asked questions
What is the maximum DPDP penalty for an employee monitoring violation?
Up to Rs 250 crore per instance, which the DPDP Act 2023 Schedule attaches to a Data Fiduciary's failure to take reasonable security safeguards to prevent a personal data breach. For a monitoring programme, that is the tier an unencrypted or poorly access-controlled screenshot, keystroke or activity-log store falls into if it is breached. The Data Protection Board sets the actual amount after an inquiry. Verify with counsel.
Is there a separate DPDP fine for monitoring employees without notice?
Monitoring without the notice and consent the Act requires is not in a named Schedule tier of its own; it falls under the residual tier for breach of any other provision of the Act or its rules, capped at Rs 50 crore per instance. Several distinct failures, such as no notice, no consent record and no grievance channel, can each count separately. Verify with counsel.
What penalty applies if our monitoring database is breached?
Two tiers can stack. Failure of reasonable security safeguards carries up to Rs 250 crore, and a separate failure to notify the Data Protection Board and affected employees of the breach carries up to Rs 200 crore. A single leaked monitoring archive that is both poorly secured and quietly handled can therefore engage both. Verify with counsel.
Do we have to tell employees if their monitoring data leaks?
Yes. The DPDP Act requires a Data Fiduciary to give intimation of a personal data breach to the Data Protection Board and to each affected Data Principal, which includes employees whose screenshots, logs or scores were exposed. The DPDP Rules prescribe the timelines and content of that intimation, and skipping it sits in the Rs 200 crore tier. Verify current rules with counsel.
Does retaining ex-employee monitoring data attract a DPDP penalty?
It can. Once the employment purpose is served and no legal retention duty applies, the Act expects personal data to be erased; old screenshots and activity logs of people who left years ago are hard to justify. A breach of that obligation falls in the residual tier of up to Rs 50 crore, and stale archives also enlarge your Rs 250 crore security-failure exposure. Verify retention schedules with counsel.
Are DPDP penalties automatic at the maximum amount?
No. The Schedule figures are ceilings, not fixed fines. The Data Protection Board conducts an inquiry and weighs the factors in Section 33, including the nature, gravity and duration of the breach, the type of data affected, whether the violation is repetitive, gains or losses involved, and your mitigation efforts. Voluntary undertakings under Section 32 can also resolve proceedings. Verify with counsel.
Price your monitoring stack against the Schedule
Run your current capture surface through the free DPDP Penalty Exposure Calculator, then see what a no-screenshot, outcome-signal architecture removes from the register. Free, instant, no email to score.
Disclaimer: This article is general information, not legal advice. Penalty figures are the statutory ceilings in the DPDP Act 2023 Schedule as enacted; actual penalties are determined case-by-case by the Data Protection Board, and the DPDP Rules continue to evolve. Verify classification, timelines and exposure for your specific facts with qualified counsel before acting.
