Unlawful disclosure of personal data (1) Any controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purpose for which such data has been collected shall commit an offence. (2) Any processor who, without lawful excuse, discloses personal data processed by him without the prior authority of the controller on whose behalf the data are being or have been processed shall commit an offence. (3) Subject to subsection (4), any person who – (a) obtains access to personal data, or obtains any information constituting such data, without the prior authority of the controller or processor by whom the data are kept; and (b) discloses the data or information to another person, shall commit an offence. (4) Subsection (3) shall not apply to a person who is an employee or agent of a controller or processor and is acting within his mandate. (5) Any person who offers to sell personal data where such personal data has been obtained in breach of subsection (1) shall commit an offence. (6) For the purpose of subsection (5), an advertisement indicating that personal data is or may be for sale constitutes an offer to sell the personal data. Offence for which no specific penalty provided (1) Any person who commits an offence under this Act for which no specific penalty is provided or who otherwise contravenes this Act shall, on conviction, be liable to a fine not exceeding 200,000 rupees and to imprisonment for a term not exceeding 5 years (2) In addition to any penalty referred to in subsection (1), the Court may – (a) order the forfeiture of any equipment or any article used or connected in any way with the commission of an offence; (b) order or prohibit the doing of any act to stop a continuing contravention.
| 
