(1) Where the Board, on conclusion of an inquiry under this Act, determines that a person who is a party to the proceedings has breached any provision of this Act or the rules made thereunder, the Board may, after giving such person a reasonable opportunity of being heard, impose such penalty as specified in the Schedule in respect of such breach.

(2) While determining the amount of the penalty to be imposed under sub-section (1), the Board shall have due regard to the following factors, namely:—

1. the nature, gravity and duration of the breach;
2. the type and nature of the personal data affected by the breach;
3. repetitive nature of the breach;
4. whether the person has, as a result of the breach, realised a gain or avoided any loss;
5. whether the person has taken any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action;
6. whether the amount of penalty imposed is proportionate and effective, having regard to the need to ensure that it serves as an effective deterrent against the commission of such breach; and
7. the likely impact of the imposition of the penalty on the person.