What are my rights if my personal data has been breached?
Updated · 6 July 2026
When is my personal data 'breached' under the DPDP Act?
Section 2(u) of the DPDPA defines 'personal data breach' as any unauthorised processing of personal data, or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
Common scenarios: a hacker accesses a company's database containing your phone, address or payment details (the recent breaches affecting Indian e-commerce, telecom, fintech and government portals); an employee insider leak where staff share your data with third parties; a lost or stolen device with your data; misdirected emails exposing one customer's data to another; mistaken publication on a public website; ransomware attacks encrypting your data; and phishing attacks tricking the Data Fiduciary into giving up access.
Both deliberate breaches and accidental ones count. The Data Fiduciary's intent isn't relevant — what matters is whether your data was exposed without authorisation.
What must the company do when they detect a breach?
Section 8(6) and the upcoming Rules impose strict obligations on the Data Fiduciary once a breach is detected.
Notify the Data Protection Board (DPB) without undue delay — of the breach, its nature, the categories of data affected, the affected persons, the consequences and the measures taken. Notify each affected Data Principal individually, in clear and plain language, explaining what happened, what data is affected, what risks you face, and what they're doing about it.
Take reasonable security safeguards under Section 8(5) to mitigate harm and prevent recurrence. Cooperate with the DPB in any inquiry. Provide mitigation — credit monitoring, password reset, or other appropriate remediation. Maintain a breach register with details for inspection.
Failure to notify is itself a separate violation attracting up to ₹200 crore penalty. Companies trying to hide breaches face the highest penalties. If you suspect your data has been breached but received no notification, send a formal request to the Data Protection Officer or grievance handler asking specifically whether you were affected by any recent breach.
How do I file a complaint with the Data Protection Board?
Filing a DPB complaint runs through five steps.
Step 1 — raise the grievance with the Data Fiduciary's Grievance Officer or Data Protection Officer (DPO) first — mandatory under Section 13. Wait the prescribed time (typically the company's SLA plus a reasonable period).
Step 2 — approach the Data Protection Board of India (DPB): once operational (notification awaited as of early 2026), file online or by post. Specify the Data Fiduciary, the alleged violation, timeline, your prior grievance with the company, and the relief sought. Attach supporting documents — communications with the Data Fiduciary, any notification received, evidence of harm.
Step 3 — inquiry: the DPB has wide powers to summon witnesses, require production of records and impose penalties. Step 4 — order: the DPB can direct the Data Fiduciary to take specific actions; impose monetary penalties (up to ₹250 crore for serious breaches); order remediation for you; and issue cease-and-desist orders.
Step 5 — appeal: Section 29 provides appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days, and thereafter to the Supreme Court. For interim relief, engage a reputable, specialised cyber / privacy lawyer.
Can I claim compensation for the breach?
The DPDP Act does not itself provide monetary compensation to affected individuals (a notable gap from the EU's GDPR) — penalties imposed go to the government, not victims. But parallel remedies exist.
Section 43A of the IT Act, 2000 (still operative for older breaches): compensation for negligent handling of 'sensitive personal data' by a body corporate. Section 66 of the IT Act: criminal action against unauthorised access. Consumer Protection Act, 2019: deficiency of service if you're a customer of the breached company — file on E-Daakhil (see our consumer complaint guide). Tort law / civil suit for damages: for negligence resulting in identifiable financial loss or distress.
Right to privacy under Article 21: a writ petition in the High Court for serious systemic breaches affecting fundamental rights, per K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. RBI Master Direction on Customer Liability, 2017: for financial breaches via banking or payment systems where you can claim zero or limited liability refund — see our UPI fraud guide.
Document all financial losses meticulously. Compensation claims are easier when consequential loss is specific — fraudulent transactions, identity theft expenses, time off work.
What practical steps should I take after a breach notification?
Move quickly after a breach notification — a time-sensitive checklist.
Change passwords for the breached account and for any other account using the same password (a major risk after breaches). Enable two-factor authentication (2FA) wherever possible — preferably app-based (Authenticator) rather than SMS-based. Freeze your credit: request CIBIL, Experian, CRIF and Equifax to alert you on any new credit enquiry (see our credit score guide). Monitor bank statements for unauthorised transactions, and set up SMS or email alerts on every transaction.
Watch out for phishing: breached data is often used to craft personalised scams targeting you — be skeptical of unexpected calls, emails or SMS. Update your security questions on critical accounts (banking, email, social media). Check 'have I been pwned'-style services for what data was exposed. Document the breach notification: keep emails, screenshots and the company's announcement.
Report to authorities if financial fraud follows — call 1930 and file at cybercrime.gov.in. Consider legal action for substantial damages. For severe identity theft incidents, engage a reputable, specialised cyber / privacy lawyer.
Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.