8.17 Complaint Filing & Initial Processing
Who Can Complain?
Section 27(1)(b) identifies the parties who can initiate Board proceedings:
| Complainant Type | Basis | Typical Scenarios |
|---|---|---|
| Data Principal | Personal data breach or obligation breach | Consent violation, access denial, erasure refusal |
| Central Government | Reference to Board | Systemic violations, policy enforcement |
| State Government | Reference to Board | State-level data protection concerns |
| Courts | Direction to Board | Arising from civil/criminal proceedings |
Before approaching the DPB, a Data Principal should first exercise their rights directly with the Data Fiduciary under Section 12 (within the response period specified). The DPB is the appellate forum when the Data Fiduciary fails to adequately respond, not the first point of contact.
Digital Complaint Submission
Given the Board's "digital by design" mandate (Section 28(1)), complaints will be filed through the DPB's online portal. A well-structured complaint should include:
- Complainant Identity: Name, contact details, and identity verification (Aadhaar/other ID)
- Respondent Details: Data Fiduciary name, registration details, contact information
- Nature of Breach: Specific provision of DPDPA or Rules allegedly violated
- Factual Statement: Chronological account of events with dates
- Prior Communication: Evidence of rights exercise with Data Fiduciary
- Response/Non-response: Data Fiduciary's reply or proof of no response
- Supporting Documents: Consent records, communications, screenshots, etc.
- Relief Sought: Specific remedy requested (correction, erasure, penalty)
Initial Scrutiny: Section 26(b)
Upon receipt, officers authorized by the Chairperson scrutinize complaints to assess:
- Jurisdictional validity: Is the matter within DPDPA scope?
- Completeness: Are all required particulars provided?
- Prima facie merit: Does the complaint disclose a cognizable breach?
- Limitation: Is the complaint timely? (while DPDPA doesn't specify limitation, unreasonable delay may be considered)
- Routing decision: Assignment to appropriate bench based on complexity and subject matter
8.18 Grounds Assessment: Section 28(3)-(5)
After initial scrutiny, the Board undertakes a formal assessment of whether sufficient grounds exist to proceed with a full inquiry. This is a crucial threshold determination.
(4) In case the Board determines that there are insufficient grounds, it may, for reasons to be recorded in writing, close the proceedings.
(5) In case the Board determines that there are sufficient grounds to proceed with inquiry, it may, for reasons to be recorded in writing, inquire into the affairs of any person for ascertaining whether such person is complying with or has complied with the provisions of this Act."
"Sufficient Grounds" Standard
The Act doesn't define "sufficient grounds," but analogizing from administrative law jurisprudence:
| Factor | Consideration | Example |
|---|---|---|
| Prima facie case | Does the complaint, if taken at face value, disclose a breach? | Allegation of processing without consent, if true, violates Section 6 |
| Jurisdictional clarity | Is the matter clearly within DPDPA scope? | Digital personal data of Indian resident processed in India |
| Respondent identification | Is the Data Fiduciary identifiable and reachable? | Registered company with known address |
| Public interest | Does the matter warrant Board's limited resources? | Widespread breach affecting many Data Principals |
| Alternative remedy | Could the matter be resolved otherwise? | Simple miscommunication vs. systemic violation |
M/s Premium Granites v. State of T.N. (1994) 2 SCC 691: The Supreme Court held that at the threshold stage, authorities need not conclusively prove allegations but must find a reasonable basis for proceeding. This "reasonable basis" standard likely applies to DPB's Section 28(3) determination.
Closure for Insufficient Grounds
If the Board finds insufficient grounds under Section 28(4):
- Reasons must be recorded in writing—this is mandatory, not discretionary
- The closure order should be communicated to the complainant
- The complainant may be able to appeal to TDSAT if closure was arbitrary
- Closure doesn't bar a fresh complaint if new facts emerge
If representing a complainant whose matter was closed at the threshold stage, examine the recorded reasons carefully. Arbitrary closure without proper reasoning, or closure despite clear prima facie case, may be challengeable on grounds of failure to exercise jurisdiction or violation of natural justice (if no hearing was provided before closure).
8.19 Inquiry Conduct & Natural Justice
Once the Board determines sufficient grounds exist, the inquiry proper begins. Section 28(6) provides the guiding framework.
Components of Natural Justice
| Principle | Requirement | DPB Application |
|---|---|---|
| Audi alteram partem | Hear the other side | Notice to respondent, opportunity to file reply, hearing before adverse order |
| Nemo judex in causa sua | No one should be judge in own cause | Member recusal for conflict of interest, Rule 18(5) exclusion mechanism |
| Reasoned decision | Adequate reasons for decision | Written reasons mandatory at every stage per Section 28(6) |
| Fair procedure | Equal treatment, reasonable opportunity | Both parties can present evidence, examine witnesses, make submissions |
| Evidence disclosure | Party must know the case against them | Complainant's evidence shared with respondent, adverse material disclosed |
A.K. Kraipak v. Union of India (1969) 2 SCC 262: The Supreme Court held that even where a statute is silent, principles of natural justice must be read into the procedure. Since Section 28(6) explicitly mandates natural justice, any deviation creates clear grounds for appellate reversal.
Inquiry Process Timeline
Notice to Respondent
Data Fiduciary receives formal notice with complaint copy, specific allegations, and timeframe for response. Notice must clearly identify the DPDPA provisions allegedly violated.
Respondent's Reply
Data Fiduciary files written reply addressing each allegation, with supporting documents. May raise preliminary objections (jurisdiction, limitation, etc.) or defend on merits.
Complainant's Rejoinder
Complainant may respond to respondent's defense, address new facts raised, and counter preliminary objections.
Evidence Gathering
Board exercises civil court powers to summon witnesses, require document production, inspect records. Both parties may adduce evidence.
- Summons for witness attendance
- Document discovery orders
- Digital evidence inspection
- Expert opinion on technical matters
Hearing
Video conference hearing where parties present arguments, examine witnesses (if any), and make final submissions. Legal representation permitted.
Final Order
Board issues reasoned order either closing proceedings or proceeding to penalty determination under Section 33.
8.20 Evidence Types & Collection
Data protection inquiries present unique evidentiary challenges. Understanding the types of evidence and how to present them is crucial for effective advocacy.
Examples:
- Privacy policy versions
- Consent records with timestamps
- Data subject requests and responses
- Processing agreements
Examples:
- Access logs showing data retrieval
- Consent capture timestamps
- Data flow logs
- Breach notification records
Examples:
- DPO testimony on procedures
- IT expert on security measures
- Data Principal's account of events
- Third-party processor statements
Examples:
- Breach forensics report
- VAPT assessment results
- Third-party security audit
- Data mapping documentation
Digital Evidence Admissibility
For electronic records to be admissible, practitioners should ensure compliance with the Indian Evidence Act, 1872 (as amended) and IT Act, 2000:
| Requirement | Provision | Practical Step |
|---|---|---|
| Certification | Section 65B IEA | Section 65B certificate for computer output |
| Authenticity | Section 85A IEA | Hash values, chain of custody documentation |
| Integrity | Section 85B IEA | Timestamping, tamper-evident storage |
| Attribution | Section 88A IEA | IP logs, user authentication records |
Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) 7 SCC 1: A three-judge Supreme Court bench confirmed that Section 65B(4) certification is mandatory for electronic evidence admissibility. While DPB may take a less formal approach than courts, practitioners should still comply with Section 65B requirements to ensure evidence is given full weight.
8.21 Interim Orders: Section 28(10)
During the inquiry, urgent situations may require immediate Board action. Section 28(10) empowers the Board to issue interim orders.
Requirements for Interim Orders
Section 28(10) mandates three prerequisites:
- Necessity: Board must "consider it necessary"—discretionary but must be justifiable
- Reasoned: Reasons must be recorded in writing—enables appellate review
- Hearing: Opportunity to be heard must be given—natural justice compliance
Types of Interim Relief
| Order Type | Circumstance | Example |
|---|---|---|
| Processing Suspension | Ongoing harm from continued processing | Stop selling data to third parties pending inquiry |
| Breach Mitigation | Active data breach requiring containment | Implement specific security measures immediately |
| Data Preservation | Risk of evidence destruction | Preserve logs and records for specified period |
| Status Quo | Prevent alteration pending determination | Maintain current data access arrangements |
| Disclosure Direction | Immediate transparency needed | Notify affected Data Principals of breach |
An e-commerce platform is alleged to be sharing customer purchase data with third-party advertisers without proper consent. During the inquiry, the complainant demonstrates that the data sharing is ongoing and causing harm (targeted advertisements based on sensitive health product purchases).
Remember that Section 28(8) prohibits the Board from "prevent[ing] access to any premises or tak[ing] into custody any equipment or any item that may adversely affect the day-to-day functioning." Even interim orders cannot include dawn-raid style seizures or actions that would halt business operations entirely.
8.22 Final Determination: Section 28(11)
Upon completing the inquiry, the Board reaches its final determination. Section 28(11) provides the framework.
Two Possible Outcomes
| Outcome | Circumstance | Effect |
|---|---|---|
| Close Proceedings | No breach established, or breach not significant | No penalty; matter concludes |
| Proceed to Section 33 | Significant breach established | Penalty determination phase begins |
Reasoned Order Requirements
The final order must contain:
- Factual findings: What facts were established by evidence
- Legal analysis: Which DPDPA provisions apply and how
- Finding on breach: Whether breach is established, and if so, its nature
- Significance assessment: Whether the breach is "significant" per Section 33(1)
- Reasons for conclusion: Why the Board reached its determination
If representing the Data Fiduciary, ensure submissions clearly address the "significance" threshold. Even if a technical breach is established, argue that it wasn't "significant" considering factors like: number of Data Principals affected, nature of data involved, harm caused, mitigating actions taken. The Board must find the breach "significant" before proceeding to penalties under Section 33.
8.23 Frivolous Complaints: Section 28(12)
To deter abuse of the complaint mechanism, the Board has powers to address false or frivolous complaints.
False vs. Frivolous Complaints
| Type | Characteristic | Example |
|---|---|---|
| False | Factual allegations known to be untrue | Claiming data breach when none occurred; fabricating consent denial |
| Frivolous | Lacking legal merit or proper basis | Complaint about publicly available information; demanding erasure of legally retained records |
Board's Options
- Warning: Formal caution to complainant about misuse—appropriate for first-time offenders or less egregious cases
- Costs: Monetary penalty on complainant—compensates Board resources wasted, deters future abuse
Section 28(12) must be applied carefully to avoid chilling legitimate complaints. A complaint that ultimately fails is not automatically frivolous—genuine grievances may not succeed on evidence or law. The provision targets clearly abusive complaints, not unsuccessful ones. Practitioners should advise clients to file only well-founded complaints to avoid costs.
8.24 Key Takeaways
🎯 Essential Points to Remember
- Complaint Requirements: Digital filing with complete particulars; should show prior rights exercise with Data Fiduciary
- Grounds Assessment: Board determines "sufficient grounds" before full inquiry; closure requires recorded reasons
- Natural Justice Mandatory: Section 28(6) explicitly requires natural justice—notice, hearing, fair procedure, reasoned decision
- Evidence Types: Documentary, digital, oral, technical reports all admissible; Section 65B certification for electronic records
- Interim Orders: Available under Section 28(10) with necessity, reasons, and hearing; but cannot prevent premises access or seize equipment (Section 28(8))
- Final Determination: Two outcomes—close proceedings or proceed to penalty under Section 33
- "Significant" Threshold: Only significant breaches attract penalties; argue significance factors if representing Data Fiduciary
- Timeline: 6 months default under Rule 18(9), extendable by 3 months at a time with reasons
- Frivolous Complaints: Section 28(12) allows warning or costs—deter abuse but don't chill legitimate complaints
- Appeals Available: All Board orders appealable to TDSAT under Section 29—ensure reasoned orders for effective appeal