Compliance Infrastructure V1.0

Every frame you capture is personal data under DPDPA.

DPDPAReady is the compliant media management layer for organizations that capture, process, or publish photos and videos of identifiable individuals.

See How It Works Download Templates
Nov 2025

DPB Established

Nov 2026

Consent Rules Live

May 13, 2027

Full Enforcement

The Reality Check

You're already a Data Fiduciary. Here's the impact.

Photos with identifiable faces constitute personal data under Section 2(t) of DPDPA.

The "publicly available" exemption is not a legal safe harbor for event or office media.

Non-compliance penalties reach ₹250 crore — per violation, not per year.

Scope of Impact

Any organization that creates visual media is in scope.

Corporate Events

Every attendee photo becomes a consent obligation requiring documentation.

View Framework

Weddings & Social

Planners act as Data Fiduciaries; Photographers are Data Processors.

View Framework

Sports & Marathons

Bib-to-face AI tagging requires explicit consent and a clear audit trail.

View Framework

Schools & Education

Student photos trigger strict Section 9 verifiable verifiable consent rules.

View Framework

Retail & Hospitality

CCTV footage combined with customer media creates continuous obligations.

View Framework

Trade Shows

Badge scans plus event photography result in double data collection risks.

View Framework
The Lifecycle

From capture to compliance.

STEP 01

Consent at Collection

Deliver compliant privacy notices and secure affirmative consent before the camera rolls.

STEP 02

Tag & Process

Automatically tag every media file with consent status, purpose, and retention windows.

STEP 03

Controlled Delivery

Distribute media exclusively to consented recipients via encrypted, compliant channels.

STEP 04

Audit & Removal

Enable one-click right-to-erasure and maintain board-ready compliance audit logs.

94%

of Indian organizations capturing event or employee media have no DPDPA-compliant workflow.

The enforcement window closes May 2027.
Build your compliant media layer today.

Book an Architecture Review
Start Today

Free Compliance Resources

Template

Event Photography Privacy Notice

Framework

Capture-Stage Consent Form

Agreement

Data Processor Agreement for Vendors

Risk Assessment

Calculate your DPDPA media exposure.

50
500
Estimated Penalty Exposure Band ₹50L – ₹2Cr

Processing ~25,000 data subjects annually.

Get a Full Infrastructure Audit
Schedule Consultation

Book an Audit

Legal

Privacy Policy

Last Updated: April 2026

DPDPAReady (a product of Memorylane Digital LLP) respects your privacy. This policy outlines our obligations as a Data Fiduciary under the Digital Personal Data Protection Act (DPDPA), 2023.

1. Data Collection & Purpose

We collect standard contact details (Name, Email, Company) solely when you explicitly provide them to request resources or audits. The purpose is strictly limited to fulfilling your request and delivering related compliance updates.

2. Processing & Storage

Your data is processed securely within India. We do not sell your personal data to third parties. We utilize industry-standard encryption for data at rest and in transit.

3. Your Rights (Section 11)

  • Right to Access: You may request a summary of the personal data we hold about you.
  • Right to Correction & Erasure: You may request corrections to inaccurate data or request total erasure of your personal data from our systems.
  • Right of Grievance Redressal: You may contact our Data Protection Officer for any disputes.

To exercise any of these rights, please contact us at privacy@dpdpaready.com.

Legal

Terms & Conditions

Last Updated: April 2026

By using the DPDPAReady website and downloading our free resources, you agree to the following terms and conditions.

1. Educational & Informational Purpose

DPDPAReady provides compliance infrastructure templates and informational guidelines. We are not a law firm, and our content does not constitute legal advice. Always consult with qualified legal counsel regarding your specific DPDPA compliance requirements.

2. Use of Templates

The templates provided (Consent Forms, Notices, DPAs) are "as-is" starting points. You are granted a non-exclusive license to adapt and use these templates for your internal organizational compliance. You may not resell these templates.

3. Limitation of Liability

To the maximum extent permitted by applicable law, Memorylane Digital LLP shall not be liable for any direct, indirect, or consequential damages, including but not limited to regulatory fines, penalties, or legal fees arising from the use of our educational materials or platform.

Industry Compliance Framework

Corporate Events

Corporate conferences and town halls are high-risk zones for visual data capture because attendees often wear lanyards displaying personally identifiable information (PII) directly alongside their faces.

Key DPDPA Mandates

  • Notice at Registration: Section 5 mandates a clear, itemized notice of what media will be captured and its specific purpose *before* registration is completed.
  • Opt-Out Zoning: You must provide physical "no-photo" zones or distinct colored lanyards to allow individuals to actively exercise their right not to be processed.
  • Employee Consent: Employers cannot rely on standard "employment contract" clauses for external marketing media. Specific, granular consent is required for the promotional use of an employee's image.
Industry Compliance Framework

Weddings & Social

Under the DPDPA, private events that engage commercial vendors (planners, photographers, caterers) cross the threshold into regulated commercial data processing.

Key DPDPA Mandates

  • Data Fiduciary Status: The individual or entity paying for the service and determining the purpose of data collection acts as the Fiduciary.
  • Vendor Contracts: Photographers act as Data Processors. A valid Data Processing Agreement (DPA) must restrict them from using wedding media for their own portfolio without separate, explicit consent from the subjects.
  • Guest Notice: Physical signage at the venue entrances is highly recommended to establish implicit consent and inform guests of active commercial media capture.
Industry Compliance Framework

Sports & Marathons

Marathons and sporting events heavily rely on AI facial recognition and bib-number OCR to sort and sell participant photos, creating complex, sensitive data linkages.

Key DPDPA Mandates

  • Biometric Profiling: Using AI to map and sort photos by face constitutes advanced processing. Explicit, unbundled consent for this specific technological purpose is mandatory.
  • Public Space Exemption Limits: While marathons occur in public, the *targeted cataloging* and monetization of specific individuals removes the "publicly available" safe harbor defense.
  • Right to Erasure: Participants must have an accessible mechanism to request the deletion of all their linked media and biometrics with a single request.
Industry Compliance Framework

Schools & Education

Media containing minors falls under the strictest regulated category of the DPDPA (Section 9), requiring heightened security and verification protocols.

Key DPDPA Mandates

  • Verifiable Parental Consent: Standard paper waivers at the start of the year are no longer sufficient. Institutions must use mechanisms to actively verify the identity of the consenting parent/guardian.
  • No Behavioral Tracking: Any media used for monitoring, analyzing, or tracking a child's behavior without explicitly mandated cause is strictly prohibited.
  • Granular Approvals: Parents must have the technological option to consent to internal use (e.g., yearbooks, ID cards) while actively opting out of external use (e.g., social media marketing).
Industry Compliance Framework

Retail & Hospitality

Retail stores and hotels constantly capture media via CCTV and promotional shoots, creating a complex blend of security operations and marketing liabilities.

Key DPDPA Mandates

  • Strict Purpose Limitation: Media captured explicitly for security (CCTV) cannot be repurposed for marketing or foot-traffic behavioral analytics without fresh, explicit consent.
  • Notice Visibility: Multi-lingual signage must be prominently displayed at eye level indicating active recording, the specific purpose, and contact info for the Data Protection Officer (DPO).
  • Retention Schedules: Security footage must be systematically and securely deleted after the stated purpose expires, requiring automated retention architecture.
Industry Compliance Framework

Trade Shows & Exhibitions

Trade shows feature complex, multi-party data sharing between organizers, sponsors, and exhibitors, often linked via badge scans and booth photography.

Key DPDPA Mandates

  • Data Fiduciary Matrix: Organizers must clearly delineate what media they control as Fiduciaries versus what media individual booth exhibitors control.
  • Secondary Sharing Consent: If an organizer photographs an attendee at a sponsor's booth, sharing that photo dataset with the sponsor requires explicit, unbundled consent from the attendee.
  • Synced Withdrawal Mechanisms: Opt-out mechanisms must instantly sync across all processor nodes (exhibitors/sponsors) if an attendee revokes their media consent at the central registration desk.