Employee Photos on LinkedIn: India's Biggest Hidden DPDPA Risk
Your HR team just posted 18 photos from the Diwali office party on LinkedIn. New joinee welcome post with a headshot. The annual team photo on the company website. The CEO’s town hall video on YouTube. The Slack channel with 300 employees sharing photos from the Bengaluru offsite.
Every identifiable face in every one of those images is personal data under the Digital Personal Data Protection Act 2023. And in every one of those scenarios, there is almost certainly no documented consent notice — because most Indian companies don’t know they need one. Section 6 of DPDPA requires explicit, informed consent before any personal data is collected and processed. A photo of someone’s face is personal data the moment it’s captured. Posting it to LinkedIn without a proper consent notice is a Section 6 violation. The penalty ceiling: ₹50 crore.
The LinkedIn HR Problem Nobody Is Talking About
Sprinto, Leegality, and every enterprise compliance platform in India are focused on IT security, data breach notifications, and cloud vendor agreements. None of them has addressed what HR teams in Indian companies do every single day: photograph employees and post them online.
Here’s what makes this particularly risky under DPDPA:
Employment contracts don’t cover this. A standard Indian employment agreement covers work obligations, confidentiality, and IP assignment. It does not constitute a DPDPA-compliant consent notice. For a consent notice to be valid under Section 6, it must specifically state: the purpose of the photography, who will see the images, how long they’ll be stored, and how the employee can withdraw consent. An employment contract written in 2019 says none of this.
“Company property” doesn’t apply. HR teams sometimes argue that office photos taken during work hours, on company premises, are “company property.” Under DPDPA, this argument fails. The law protects individuals’ faces — not the company’s right to the image. The data principal is the employee, and they hold the right to consent, regardless of where the photo was taken.
WhatsApp groups are a data processing channel. Sharing a team photo in a 300-person company WhatsApp group is processing personal data. Each recipient can screenshot, forward, or re-post it. Sharing group photos without consent notices, in a channel you don’t control, creates liability for every image that goes further.
LinkedIn specifically is a problem. When your HR team posts “Welcome to the team, Priya Sharma! 🎉” with Priya’s photo on LinkedIn, that photo is now indexed by Google, crawled by recruitment platforms, and visible to anyone permanently. The DPDPA Section 6 violation isn’t the posting itself — it’s posting without a prior consent notice that specifically listed “LinkedIn publication” as a purpose.
Building a Corporate Photography Consent Policy: Step-by-Step
Step 1: Create a standing photography consent notice for employees
This is a one-time document for all current and future employees. It must cover every situation where employee images are used:
PHOTOGRAPHY AND IMAGE CONSENT NOTICE
[Company Name] | [Date Issued]

We may capture and use photographs, video recordings, or other images of
you in the following contexts:

Purpose 1 — Internal communications: team photos, intranet profiles,
internal newsletters, internal Slack/Teams channels.

Purpose 2 — External communications: LinkedIn posts, company website,
press releases, client presentations, recruitment materials.

Purpose 3 — Events: offsite, conferences, festivals (Diwali, Holi),
team-building activities.

Data recipients: HR team, Marketing team, external social media agency
(if applicable), LinkedIn platform, website host.

Retention: Images retained for duration of employment + 2 years, then
deleted from all company-controlled systems. Social media posts will
be removed within 30 days of employment end, unless you consent to
continued use.

How to withdraw: Email [hr@company.com] specifying the image(s) and
context. We will acknowledge within 72 hours and comply within 30 days.

Consent is voluntary. Declining does not affect your employment.

Distribute this during onboarding. Collect a signed copy (physical or digital via DocuSign, Zoho Sign, or Jotform). Store it linked to the employee record in your HRMS.
Step 2: Differentiate consent by use case
Not every employee consents to the same things. Your consent notice should let employees choose:
- ☐ Internal communications only (intranet, internal newsletters, private Slack)
- ☐ External company website (About Us page, team page)
- ☐ LinkedIn and social media marketing
- ☐ Press releases and media coverage
- ☐ Recruitment materials (job ads, campus placement decks)
- ☐ Video recording (town halls, webinars, YouTube)
If an employee ticks only the first box, you cannot post their photo on LinkedIn. Using an image beyond what was consented to is a fresh Section 6 violation — not just a paperwork issue.
Step 3: Handle new joinees and contractors separately
A new joinee’s consent notice must be signed before HR takes their headshot for the company website. Before — not after. Most companies photograph new employees during Day 1 orientation and worry about paperwork later. Under DPDPA, the photo taken without a prior consent notice is already a violation.
Contractors, vendors, and interns require the same notice. They’re not employees, so their employment contract doesn’t cover them at all. If you photograph a vendor’s team at a joint event and post it on LinkedIn, you needed their consent first.
Step 4: Create a photo withdrawal process
Any employee (or former employee) can request that their images be removed from all company systems and public channels. You must:
- Acknowledge within 72 hours — send a confirmation email.
- Comply within 30 days — remove from website, LinkedIn, internal drives, printed materials where feasible.
- Document the deletion — screenshot, export log, or email confirmation from your social media manager.
- Handle the LinkedIn edge case — LinkedIn doesn’t let you delete posts from another user’s account. If a contractor’s image was posted by your marketing agency’s account, you need the agency to delete it. Set this expectation in your vendor agreement.
Step 5: Audit your current LinkedIn and website images
Before you’re compliant going forward, you need to know your current exposure. Run a quick audit:
- Go to your company LinkedIn page → scroll through the last 2 years of posts → flag every post with identifiable employee faces.
- Cross-check against your consent records. If there are no consent records (there almost certainly aren’t), every flagged post is a potential liability.
- Prioritise removal of posts featuring employees who have since left the company (most likely to complain, least likely to have valid consent on file).
- For current employees: retroactively collect consent for existing posts, or remove the posts. Both are valid — removing is faster and cleaner.
DPDPAReady’s compliance audit covers exactly this workflow: mapping your existing image library against consent records, identifying your highest-risk posts, and generating the consent notice templates your HR team needs. Most audits complete in 48 hours.
The Exposure You’re Already Carrying
A 500-person IT services company in Hyderabad:
- HR posts team photos on LinkedIn 3–4 times per month (approximately 40 identifiable employees per month)
- No standing consent notice; no records
- 2 employees who left in Q1 2026 notice their photos still on LinkedIn
- One files a complaint with the Data Protection Board citing Section 6 (no consent notice) and Section 18 (erasure request ignored after 6 weeks)
The Board’s analysis:
- Section 6 violation: processing personal data without valid consent notice for every employee in every LinkedIn post since the Act’s enforcement window opened
- Section 18 violation: failure to respond to erasure request within 72 hours
- Potential scope: not 2 complainants — the Board can review the broader practice
Penalty ceiling: ₹50 crore per violation type. Legal defence costs in India for a Data Protection Board matter: ₹15–30 lakh minimum. Reputational fallout among job seekers: measurable.
⚠ DPDPA Section 6 Penalty for Corporate Photography: Using employee or contractor images for LinkedIn, company website, or marketing materials without a documented consent notice = up to ₹50 crore fine. The Data Protection Board accepts complaints from any data principal — including former employees. There is no minimum threshold of harm required to file.
The HR risk here is also an employment relations risk. Employees who feel their images were used without consent are more likely to escalate — both to the Board and on Glassdoor.
FAQ
Does an employment contract satisfy DPDPA consent requirements for employee photos?
No. An employment contract is not a consent notice under DPDPA Section 6. The Act requires a consent notice that specifically states: the purpose of collecting the image (e.g., “LinkedIn marketing”), who will see it, how long it’s retained, and how the employee can withdraw consent. A contract written for work obligations, IP, and confidentiality does not satisfy these requirements. You need a separate photography consent notice, signed before you take the photo.
Can I post team photos from a company event on LinkedIn without individual consent under DPDPA?
No. A company offsite, Diwali party, or team-building event is not a public event — attendees have a reasonable expectation of privacy. Even if employees voluntarily attended, their presence at an event is not consent to have their face published on LinkedIn. You need a prior consent notice specifically listing “LinkedIn publication” as a permitted use. If an employee didn’t consent to LinkedIn use, you must either crop them out or not post the photo.
What happens to employee photo consent when someone leaves the company?
Consent doesn’t automatically expire when employment ends. If a former employee consented to LinkedIn marketing use during their tenure, that consent technically remains valid. However, most employees expect their photos to be removed when they leave. Best practice: include in your consent notice that “images will be removed from external channels within 30 days of employment end.” This avoids complaints and aligns with reasonable expectations. If a former employee requests erasure, you must comply regardless of the consent terms.
Do DPDPA consent requirements apply to contractor and vendor photos at company events?
Yes. Contractors, interns, and third-party vendors are data principals under DPDPA — they have the same rights as employees. If you photograph a vendor’s team at a joint event and post it on LinkedIn, you needed their consent first. Their employment with another company doesn’t transfer to you any right to use their image. Add a photography consent clause to your vendor agreements and event briefing documents.
The fix is simpler than most HR teams expect: one standing consent notice, added to the onboarding pack, with a checkbox per use case. That single document covers every LinkedIn post, website update, and offsite album — indefinitely. It takes an afternoon to draft and permanently closes the exposure.
DPDPAReady generates HR photography consent notices and full onboarding data protection packs, mapped to your specific company size and use cases — get your free audit at dpdpaready.in.