DPDP guide · Updated 12 May 2026

How to file with the Data Protection Board of India.

What to file, when, where, and what to expect afterwards. A practical guide as the Board's process matures through 2026.

The Data Protection Board of India (DPB), set up under Section 18 of the Digital Personal Data Protection Act, 2023, began intake of individual complaints in early 2026. As of the date of this article (May 2026) the Board's e-filing portal is operational for most categories of complaints; for those it is not yet operational, intake is via Speed Post and email to the Board secretariat.

This article walks you through the filing as it stands in 2026, with the practical detail you need rather than the textbook version.

When you can file.

You can approach the Board under Section 27 of the Act when one of the following has happened.

  1. A Data Fiduciary has failed to respond to your erasure or access request within the ninety-day window prescribed by Rule 14.
  2. A Data Fiduciary has refused your request and you believe the refusal is not legally sustainable.
  3. A Data Fiduciary has acted on your request but the action was incomplete (for example, data was removed from the public interface but is still indexed in third-party caches, and the Fiduciary has not requested those caches to update).
  4. A Data Fiduciary has experienced a personal data breach affecting your data and has not notified you within the seventy-two-hour window required by the breach-reporting rule.
  5. A Data Fiduciary has misused your data in a manner inconsistent with the consent you provided.

For (1), the rule of thumb is to wait until day ninety-five to file, allowing for a small buffer for the Fiduciary's last-minute action. For (2), file as soon as you receive the refusal. For (3), file once you have evidence of the incomplete action. For (4) and (5), file as soon as you become aware.

What to include in a filing.

A complete filing has eight components. The Board has discretion to dismiss incomplete filings, so include all eight if they apply to your case.

1. Identification of the complainant.

Name, address for service of notice, phone, and email. The Board's notices are sent to the address for service; keep it current.

2. Identification of the Data Fiduciary.

Registered name, address, and any known identifying detail (CIN if a company, registered office address, primary website). The Board uses this for service of notice to the Fiduciary.

3. The original request.

A copy of the Section 11 or Section 12 request you sent, with the date of sending and the channel used. If you sent multiple requests, include all of them in chronological order.

4. The Fiduciary's response (if any).

Any communication you received from the Fiduciary, including out-of-office auto-replies, generic acknowledgements, the refusal letter, or an explicit statement of intent to act. If the Fiduciary did not respond, state this explicitly: "No response was received."

5. The chain-of-custody evidence.

Screenshots of the exposure (the data that should not be there), with timestamps and URLs visible. Vault.in's evidence packs include SHA-256 hashes of each screenshot and the original HTML; the Board's experience to date suggests it does treat hashed evidence as more weighty than bare screenshots.

6. Statement of the violation.

A clear statement of which provision of the Act or Rules has been violated, and why. Use plain language: "The Fiduciary has failed to act within the ninety-day window required by Rule 14" is sufficient.

7. Relief sought.

What you want the Board to order. Typically: an order directing erasure within a specified timeline (we usually request fourteen days), and a finding of contravention by the Fiduciary that may attract penalty under Section 33. Keep it simple. The Board will not award damages to you personally under the DPDP Act; the penalty regime is regulatory.

8. Authorisation, if filing through a representative.

If you are filing through Vault.in or another representative, include a signed authorisation letter naming the representative and the scope of the authority.
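For component 5, one way to hash each screenshot and its original HTML into a manifest and re-check the files later, as an added example that is not Vault.in's or the Board's code. The manifest layout, the function names, and the sample URL and bytes are assumptions constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _digest(entries) -> str:
    # Canonical JSON so the same entries always give the same digest.
    blob = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return sha256_hex(blob.encode("utf-8"))

def build_manifest(items):
    """One entry per captured page, plus a digest over all entries."""
    entries = [{
        "url": it["url"],
        "captured_at": it["captured_at"],
        "screenshot_sha256": sha256_hex(it["screenshot"]),
        "html_sha256": sha256_hex(it["html"]),
    } for it in items]
    return {"entries": entries, "manifest_sha256": _digest(entries)}

def verify(manifest, items):
    """Return a list of problems; an empty list means nothing has changed."""
    problems = []
    if _digest(manifest["entries"]) != manifest["manifest_sha256"]:
        problems.append("manifest entries altered")
    by_url = {it["url"]: it for it in items}
    for e in manifest["entries"]:
        it = by_url.get(e["url"])
        if it is None:
            problems.append("missing artefact: " + e["url"])
            continue
        for kind in ("screenshot", "html"):
            if sha256_hex(it[kind]) != e[kind + "_sha256"]:
                problems.append(kind + " changed: " + e["url"])
    return problems

# Constructed sample capture (placeholder bytes, not real evidence).
SAMPLE = [{
    "url": "https://fiduciary.example/profile/123",
    "captured_at": "2026-05-12T09:30:00+05:30",
    "screenshot": b"\x89PNG constructed screenshot bytes",
    "html": b"<html><body>constructed page</body></html>",
}]

if __name__ == "__main__":
    m = build_manifest(SAMPLE)
    print(json.dumps(m, indent=2))
    print(verify(m, SAMPLE))
```

A hash only shows that a file is unchanged since it was hashed, so record the manifest digest somewhere independent of the files (for example in the filing itself or in a dated email) at capture time.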

How to submit.

For most categories of complaints, the Board's e-filing portal accepts uploads of all the above as a single PDF. The portal generates a unique reference number on submission and emails you a copy.

For categories not yet on the portal, submit by Speed Post to the Board secretariat and by email to the secretariat's official ID. The address current as of May 2026 is on the Board's official website at databoard.gov.in; we keep this updated in our internal directory.

Always retain proof of submission. Keep the Speed Post receipt; keep the email send confirmation; keep the portal-generated PDF.

What happens next.

The Board's published timelines and our observed experience to date are roughly aligned.

Within 7 working days: Acknowledgement of receipt and assignment of a case number.

Within 30 working days: Initial review. The Board may dismiss the complaint as outside its jurisdiction or as incomplete; ask for additional information; or take cognisance and issue notice to the Fiduciary.

Within 60 to 90 days from notice to the Fiduciary: The Fiduciary's response. The Board may choose to mediate, asking the Fiduciary to act within a defined timeline. In most individual erasure cases we have seen to date, mediation has produced compliance within thirty days.

If mediation fails, hearings begin: The Board sets hearing dates and either party may be represented by counsel. Hearings are typically virtual. Decisions issue within 30 days of conclusion of the hearing.

Section 33 penalty proceedings: If the Board finds the Fiduciary in contravention, separate penalty proceedings may follow. These are at the Board's discretion and not at the complainant's request.

What does not happen at the DPB.

The Board does not award you personal damages. The DPDP Act is a regulatory statute, not a tort statute. If you have suffered financial harm because of a Fiduciary's breach, you have a separate cause of action in civil court; the Board's finding can be used as evidence there but the relief flows from the civil court.

The Board does not handle criminal complaints. If your data was used for impersonation, identity theft, or fraud, file a complaint at cybercrime.gov.in or with the local cyber cell. The Board can run in parallel but is not the right primary forum.

The Board does not handle journalistic content disputes about public figures. There is a separate, narrower right-to-be-forgotten jurisprudence developing in Indian courts.

What we do for you.

When a Section 12 notice we sent on your behalf passes the ninety-day mark without compliance, Vault.in does the following automatically:

  1. Generates the DPB filing PDF, including all eight components above, drawn from our evidence pack and your record.
  2. Notifies you with a single-tap "Review and file" action.
  3. Submits via the appropriate channel for your case category, retains all submission proofs, and tracks the case through the Board's process.
  4. Updates your dashboard at each milestone (acknowledgement, notice to Fiduciary, mediation, decision).
  5. Includes the case in your monthly privacy report so you have a clean record.

The whole flow, from initial scan to DPB decision, sits inside your Vault.in account. You can export it at any time for your own records or for a future legal proceeding.

If you would like to see whether you have any active exposures that would warrant a DPB filing today, run a free scan.
