As per section 33(2) while determining the amount of monetary penalties, the Board shall consider the following factors:
- The nature, gravity and duration of the breach
- The type and nature of the personal data affected by the breach
- Repetitive nature of the breach;
- Whether the person, as a result of the breach, has realized a gain or avoided any loss;
- Whether any action was taken to mitigate the effects and consequences of the breach and timeliness and effectiveness of the such action
- Whether monetary to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions
- The likely impact of the imposition of the penalty on the person
