DPDPA Compliance for Corporates, HR & Internal Communications Teams

Employee photos, townhall reels, LinkedIn shout-outs, CCTV feeds, and BGV files are all Personal Data. Get HR DPDPA-ready before 2026 enforcement.

HR and internal comms teams hold the largest pool of employee Personal Data in any Indian company — offsite photos, townhall recordings, LinkedIn advocacy posts, CCTV feeds, BGV files, payslips, biometric attendance, exit interviews. DPDPA 2023, enforcement live from 2026, treats each as Personal Data requiring free, specific, informed, unambiguous consent under Section 6. The old one-line clause in the employment contract is now legally void. Penalties run up to ₹250 crore per instance. This hub maps obligations, common violations, and the consent and retention workflows HR, IC, and Talent teams must operationalise before the Data Protection Board starts issuing orders.

Critical sections for Corporates, HR & Internal Comms

Section 6 — Consent must be free, specific, informed, unconditional, unambiguous (kills bundled employment-contract consent)
Section 5 — Notice obligations: itemised purpose, rights, withdrawal mechanism, DPB complaint route
Section 8(5) — Retention only as long as purpose is served (mandates exit-time deletion of employee imagery)
Section 8(7) — Breach notification to Data Protection Board and affected employees without delay
Section 8(10) — Mandatory grievance officer for every Data Fiduciary
Section 33 — Penalties up to ₹250 crore per instance for failure to safeguard personal data

Your DPDPA obligations

Standalone, granular employee consent

Replace blanket employment-contract clauses with purpose-specific consent capture: internal newsletter, external LinkedIn, recruitment marketing, alumni use. Each toggle must be independently revocable via the HRMS or a Consent Manager.

Section 6(1), Section 6(4)

Vernacular notice to every employee

Issue the DPDPA notice in English plus the employee's chosen Eighth Schedule language. Cover purpose, rights, withdrawal, grievance officer, and Data Protection Board complaint route.

Section 5(1), Section 5(3)

Exit-time data deletion SOP

Offboarding checklist must trigger removal of ex-employee imagery from website, LinkedIn carousels, intranet, Slack/Teams archives, and recruitment microsites within a defined SLA.

Section 8(5), Section 12

CCTV notice and retention policy

Display CCTV notices at all entry points, restrict access logs, cap retention at 30-90 days, and never repurpose feeds for performance monitoring without fresh consent.

Section 5, Section 7, Section 8(5)

Processor agreements with BGV, payroll, EAP, HRMS vendors

Update contracts with DPDPA-compliant Data Processor clauses: purpose limitation, breach notification within hours, sub-processor disclosure, audit rights, deletion on contract end.

Section 8(2)

Grievance Officer and breach notification readiness

Name a grievance redressal officer in HR policy with email published on intranet. Build a 72-hour breach notification runbook covering Data Protection Board and affected employees.

Section 8(7), Section 8(10)

DPIA for employee monitoring and biometric attendance

Conduct and document Data Protection Impact Assessments before deploying screen recorders, keystroke loggers, biometric attendance, or AI-based productivity tools.

Section 10 (Significant Data Fiduciary obligations)

Common violation scenarios

IT services firm published 500+ employee photos on 'Life at Company' microsite without specific consent for external publication

Up to ₹50 crore plus mandatory takedown

Section 6(1) — Consent not specific or informed

Manufacturing company retained cafeteria CCTV for 18 months and used it in an HR misconduct hearing without notice

Up to ₹150 crore aggregate

Section 8(5) — Retention beyond purpose; Section 5 — Notice failure

BGV vendor exposed 12,000 candidate Aadhaar and PAN scans via misconfigured S3 bucket; corporate had no DPA in place

Up to ₹250 crore

Section 8(2) — Processor oversight; Section 8(4) — Security safeguards

Ex-employee's photo remained on company LinkedIn carousel 8 months after exit despite written deletion request

Up to ₹50 crore plus daily compounding

Section 12 — Right to erasure; Section 6(4) — Withdrawal mechanism

Townhall with 200 employees' faces and Q&A audio uploaded to public YouTube for employer branding

Up to ₹50 crore

Section 6(1) — No specific consent for external publication

Employee monitoring software on 3,000 laptops capturing screenshots every 90 seconds without notice or DPIA

Up to ₹200 crore

Section 5 — Notice failure; Section 8(4) — Reasonable safeguards

Industry-specific risks

Consent capture checklist

  1. Standalone consent notice issued to every employee (not buried in employment contract) before capturing photos/videos at offsites, townhalls, training — Section 6(1)
  2. Notice in English plus employee's preferred Eighth Schedule language per Section 5(3)
  3. Granular opt-ins per purpose: internal newsletter, LinkedIn/external social, recruitment marketing, alumni — no bundling
  4. Documented lawful basis for CCTV in offices, cafeterias, parking (Section 7 legitimate use with entry-point notice)
  5. Consent Manager or HRMS module letting employees withdraw consent as easily as given — Section 6(4)
  6. Exit-time data deletion SOP: revoke LinkedIn posts, remove from Team page, purge Slack/Teams photo libraries within SLA
  7. BGV, payroll, EAP vendor contracts updated as Data Processor agreements under Section 8(2)
  8. DPIA completed for employee monitoring (Hubstaff, Teramind, Viva, biometric attendance)
  9. Grievance redressal officer named in HR policy with email on intranet — Section 8(10)
  10. Annual refresher training for HR, IC, TA teams on consent capture and breach reporting

Frequently asked questions

Can we keep using employee photos already on our website and LinkedIn from before DPDPA?

No grandfathering. Under Section 6, you need fresh, granular consent for continued processing. Audit your 'Our Team', 'Life at [Company]', and LinkedIn employee-advocacy posts now and either re-consent or take them down before enforcement bites.

Does CCTV in our office need employee consent?

CCTV for safety and asset protection can run under Section 7 (legitimate uses) without explicit consent, but you must display notice at entry points, restrict access logs, define retention (30-90 days), and never use feeds for performance monitoring without separate consent.

An employee resigned and wants their townhall photos removed. Are we obligated?

Yes. Section 12 gives Data Principals the right to erasure once purpose is fulfilled. Resignation ends the employment purpose. Your offboarding checklist must scrub internal photo galleries, LinkedIn tags, intranet bios, and Slack/Teams archives.

What about BGV vendors and payroll processors — are we liable for their breaches?

Yes. As Data Fiduciary you remain accountable under Section 8(2) even when a Processor (BGV firm, payroll SaaS, EAP) is at fault. Update DPAs, audit security posture, ensure breach notification flows back within hours.

Can we publish Employee of the Month or birthday wishes on social media?

Only with specific, documented consent for external channels. Internal Slack/intranet falls under employment-purpose processing, but external LinkedIn, Instagram, or X is a separate purpose requiring opt-in under Section 6(1).

What's the actual penalty exposure for HR getting this wrong?

Up to ₹250 crore per instance under Section 33 for failed safeguards, plus ₹200 crore for breach notification failures and ₹50 crore for general consent violations. The Board treats each affected employee as a separate count in aggravated cases.

Get a Corporates, HR & Internal Comms-specific compliance audit

Free 48-hour DPDPAReady audit — we map your exact workflow against every applicable Section and ship the consent forms, retention schedules, and breach playbooks you need.

Verified: DPDPAReady Editorial Desk, 20 Jun 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.