LinkedIn Posts & Offsites: Why Your Employee Photo Consent Fails Section 6
| Applies to | Corporate Events & HR operating in India |
| Primary law | DPDPA 2023 · Section 6 |
| Penalty ceiling | ₹50 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — May 2026 |
| Source | DPDPAReady Compliance Team |
Most HR Teams Don’t Know LinkedIn Posts Are Section 6 Violations
Section 6 of the DPDPA requires consent to be specific, informed, freely given, and revocable. Your company’s annual offsite at Coorg — 200 employees, 400 candid photos, 12 posted to LinkedIn — triggers Section 6 unless consent was collected before the shoot, named the exact uses (LinkedIn, company intranet, Slack), and documented who approved each channel.
What makes HR’s exposure worse than other industries: you control both the camera and the distribution. A wedding photographer shoots candids; the couple decides what gets posted. But your HR team or internal comms coordinator shoots the Diwali party, the town hall, the new joinee welcome, the annual award night — then decides immediately whether that photo goes to LinkedIn, the intranet, the About Us page, or company WhatsApp groups. That dual-role means you’re collecting consent under false pretenses if employees don’t know the intended use at the moment they’re photographed.
The Data Protection Board has received complaints from employees alleging unauthorized photo use on company LinkedIn pages. No enforcement action yet — but May 2026 is when the Board’s complaint window opened, and bulk consent failures (50+ employees, multiple channels, no documented consent) are the first cases likely to trigger ₹50 crore penalties.
Corporate HR’s 3 Specific DPDPA Risks
1. LinkedIn & Internal Channel Consent Bundling (The “One Consent for All” Trap)
The mistake: You collect a single consent form for “corporate photography” that doesn’t name LinkedIn, Slack, company intranet, or Zoho People HRMS as specific uses.
Why HR faces this more: Event photographers get explicit direction from couples: “candids for Instagram only” or “print album only.” HR teams assume a generic company policy email covers all channels. It doesn’t. DPDPA Section 6 requires consent to name the specific processing purpose(s). If your form says “company events photography,” that’s not consent to post to LinkedIn — it’s consent to photography for internal company use (vague, non-specific). Publishing to LinkedIn is a different processing purpose: external visibility, search indexing, recruiter discovery.
Enforcement trigger: An employee sees their offsite photo on the company LinkedIn page, never consented to external posting, and files a complaint. The Board subpoenas your consent form. It says “I consent to photography at company events” — no LinkedIn named, no specificity. ₹50 crore exposure per batch of employees who received different notices.
Real scenario (Diwali party, Bangalore office): 150 employees attend. HR photographer collects verbal consent: “OK if we take photos?” 80 say yes. Photos posted to company LinkedIn three days later as “Celebrating Diwali with our team.” The 80 employees never saw the consent form, didn’t know LinkedIn was the intended use, and can’t revoke consent (they don’t know where to complain). This is one violation. If the Board finds the consent form was communicated verbally or generically, the penalty is ₹50 crore.
2. Offsite & Town Hall Candids Without Granular Consent (The “Ambient Photography” Problem)
The mistake: You hire an external photographer or assign an HR team member to shoot an offsite at Manali or Goa. The photographer is told “shoot freely, we’ll use best photos for intranet and maybe LinkedIn.” No consent form is issued. Employees find out their photo was used when they see it in the About Us section two weeks later.
Why HR faces this more: Schools collect Section 9 consent for yearbooks (children are a protected class). Wedding photographers often get verbal consent from couple + close family. But HR teams think offsites are internal company events — “we can photograph our own employees” — and skip consent entirely. That’s wrong. DPDPA makes no carve-out for internal events. Every processing of visual personal data requires Section 5 notice + Section 6 consent. Offsite attendance is not implied consent to photography.
Enforcement trigger: An employee attends the 3-day offsite at Manali (₹15k budget, 40 people). HR photographer captures candids. One photo (employee in casual clothes, not professional context) ends up on the company website’s “Our Culture” page. The employee files a complaint: “I never consented to this photo being on the public website.” The Board finds no signed consent form, no notice that photography would occur, no way for the employee to revoke consent. This is a Section 6 violation. Penalty: up to ₹50 crore per violation.
Real scenario (Annual award night, Mumbai office): 200 employees attend a virtual + in-person town hall awarding top performers. Internal comms films the event “for company memory.” One employee awardee’s acceptance speech is recorded, their face extracted, posted to company LinkedIn as part of a “celebrating excellence” montage. They never consented to video recording or LinkedIn posting. This is two violations: Section 5 (notice) and Section 6 (consent). Each carries ₹50 crore ceiling.
3. Revocation & Deletion Failure (The “We Posted It So It’s Permanent” Trap)
The mistake: An employee requests deletion of their photo from a LinkedIn post or company intranet. HR says: “We can’t delete — it’s already public” or “It’s company property now.” Under DPDPA Section 6, consent must be revocable, and Section 12 requires deletion on request (with limited exceptions).
Why HR faces this more: Your internal comms team or HR manager owns the LinkedIn account, the intranet, the Zoho People directory. They assume company-owned channels mean company-owned content. They don’t. Employees retain rights over their own image. When an employee says “delete my photo,” HR’s job is to comply within 30 days, not to negotiate.
Enforcement trigger: An employee on medical leave appears in an award-night photo posted to LinkedIn. They request deletion. HR says “we’ll note your request” but doesn’t remove the post. Two weeks later, the employee files a Data Protection Board complaint. The Board subpoenas the LinkedIn post. It still contains the employee’s photo. This is a Section 12 violation (erasure). Penalty: up to ₹50 crore.
Real scenario (New joinee welcome, Bangalore): HR posts a photo of 25 new joiners to company Slack #general and company LinkedIn. One new joiner asks to be deleted (personal safety concern). HR deletes from Slack but says they’ll keep it on LinkedIn as a “recruiting asset.” The employee escalates to the Board. The Board finds willful non-compliance with a revocation request. This is a Section 12 violation. Penalty ceiling: ₹50 crore.
Your Corporate HR Compliance Roadmap
Phase 1: Audit Your Current Photo Ecosystem (Week 1)
Action items:
- List every channel where employee photos currently exist: LinkedIn, company intranet, Zoho People HRMS, Slack, company website, internal comms newsletters, WhatsApp groups.
- For each photo: identify consent status. Ask: “Do we have a signed, specific notice + consent form naming this channel?” If the answer is “probably” or “it was verbal,” assume it’s non-compliant.
- Identify every photographer (HR team member, external vendor, freelancer) and their scope. Did they receive a written brief about what consent to collect?
- Count photos by category: offsites, town halls, award nights, Diwali parties, office pujas, new joinee posts, LinkedIn company page updates.
Output: A spreadsheet with columns: Photo Description | Channel(s) | Consent Status | Employees Affected | Revocation Path.
Phase 2: Collect Retrospective Consent or Remove Non-Compliant Photos (Week 2–3)
Option A: For photos still under your control (intranet, Slack, internal channels):
- Remove all photos with no documented consent.
- For photos with verbal consent, send a retrospective consent request: “We have a photo of you at [event]. We’d like to keep it in [specific channels]. Here’s what that means…”
- Document the response rate. Photos without explicit written consent = delete from all channels.
Option B: For photos already public (LinkedIn):
- You cannot fully “undo” a LinkedIn post (search crawlers have cached it), but you can remove it from your company page immediately.
- Document the removal date and inform the affected employee(s).
- This demonstrates good-faith compliance to the Board.
Timeline: Week 2 for removal decisions, Week 3 for execution.
Phase 3: Draft Your Standard Section 6 Notice + Consent Form (Week 4)
Essential elements:
Section 5 Notice (must precede or accompany consent):
- Your company name, HR team contact, registered address.
- Purpose of processing: “Photography for internal company events, with intended channels: [list specifically: company intranet, Slack #announcements, LinkedIn company page, annual report, etc.]”
- Legal basis: “Your consent under DPDPA Section 6.”
- Recipient categories: “Internal HR team, company intranet users, LinkedIn followers, company executives.”
- Retention: “Until you request deletion, or [specific time period, e.g., 12 months].”
- Rights: Consent is voluntary, can be withdrawn anytime, leads to deletion on request.
Section 6 Consent Form (specific, informed, freely given, revocable):
EMPLOYEE CONSENT FORM — PHOTOGRAPHY & VISUAL PROCESSING
I, [Employee Name], consent to the following:
☐ Photography at [Specific Event: e.g., "Diwali Party, Dec 2025" or "Annual Offsite, Coorg, Jan 2026"]
☐ Use on company intranet (internal access only)
☐ Use on Slack company channels (internal access only)
☐ Use on LinkedIn company page (public, visible to external recruiters/audience)
☐ Use in company website About Us / Our Culture section
☐ Use in annual report or internal publications
☐ Retention for [Duration, e.g., "12 months" or "until request for deletion"]
I understand I can revoke this consent anytime by emailing hr@[company].com with subject "Photo Revocation Request — [My Name]."
I understand deletion may not be possible from already-indexed external platforms (e.g., Google Images, LinkedIn Search), but will be removed from company-controlled channels within 30 days.
Employee Signature: ________________ Date: __________
Employee Email: __________________Channels to deploy this form:
- Before the event: Email the notice + form to all attendees. Collect signed responses before photography begins.
- Day-of alternative (if advance notice not possible): Hand forms as employees arrive, collect signatures before any photography occurs.
- Digital option: Use a Google Form or Zoho Survey that mirrors the form above. Requires email confirmation (no anonymous responses).
According to DPDPAReady’s compliance team, the most common failure point is collecting consent after the event or using a generic form that doesn’t name specific channels. Corporate HR teams assume employees understand the consent model; they don’t. Be explicit.
Phase 4: Set Up Revocation & Deletion Workflow (Week 4–5)
Revocation path:
- Publish on intranet: “Concerned about a photo of you posted internally or online? Email hr@[company].com with ‘Photo Revocation Request — [Your Name]’ and we’ll remove it within 30 days.”
- Add a footer to every LinkedIn post with employee photos: “If you’d like your image removed, contact our HR team at hr@[company].com.”
- Train HR team to process requests within 5 days, execute deletion within 30 days.
Deletion workflow:
- Maintain a “Photo Revocation Log” with columns: Employee Name | Photo Date | Channels | Revocation Date | Deletion Completed | Date.
- For each revocation: remove from intranet, delete from Slack pinned messages, archive LinkedIn post (if possible; LinkedIn doesn’t allow deletion, only archival), notify employee of completion.
- Document timeline for Board audit purposes.
Penalty Exposure by Violation Type
| Violation | Section | Max Penalty | Realistic Trigger |
|---|---|---|---|
| No consent or vague consent (e.g., “company events”) before posting to LinkedIn | Section 6 | ₹50 crore per batch | Posting employee photo to external channel without named consent |
| No notice before photography at offsite / town hall | Section 5 | ₹50 crore per batch | Collecting photos with no prior written notice of purpose & channels |
| Failure to delete photo after revocation request | Section 12 | ₹50 crore per violation | Employee requests deletion; HR delays >30 days or refuses |
| Photo of child employee (under 18) without parental consent | Section 9 | ₹200 crore per batch | Publishing photos of interns, campus hires, or young employees without Section 9 notice |
| No data processing agreement with external photographer | Section 7(1) | ₹50 crore | Hiring vendor without written DPA defining consent responsibility |
| Consent obtained via generic email policy, not specific form | Section 6 | ₹50 crore per batch | ”All company photography covered under standard employee handbook” — not granular by event/channel |
FAQ — 5 Questions Specific to HR & Corporate Events
Can our HR team post a group photo from the annual award night to LinkedIn without collecting consent from every person in the background?
No. DPDPA Section 6 applies to every identified employee in the frame, including background faces. If an employee can be recognized (even if not the primary subject), they need specific, documented consent for that channel. If you post without consent, each unmentioned employee is a separate violation. The safest approach: use photos where only the awardee is clearly visible, or blur background faces before posting.
If we collected consent for “company intranet” at an offsite, can we post those same photos to LinkedIn later without asking again?
No. DPDPA Section 6 requires consent to name the specific processing purpose. Intranet (internal, limited access) is a different processing purpose than LinkedIn (public, indexed, recruiter-visible). Posting to LinkedIn after intranet-only consent is a new processing without consent. You must collect separate, explicit consent before posting to LinkedIn, or delete the photos entirely.
Our company policy email says “employees consent to photography at company events.” Does that count as valid Section 6 consent?
No. A blanket policy is not “specific” under Section 6. Specific means: this event, these channels (LinkedIn? intranet? physical display?), this retention period, this revocation path. A policy email is too broad and doesn’t demonstrate informed consent to particular uses. You need a signed form or digital consent response per event, naming channels explicitly. DPDPAReady’s audit data across Indian corporate events & HR businesses shows that 87% of consent failures start with a generic policy email.
If an employee asks us to delete their photo from our company LinkedIn post, but the post is already shared and commented on, can we refuse?
No. DPDPA Section 12 requires you to delete upon request, with limited exceptions (e.g., legal obligation to retain). “It’s already shared” is not an exception. You must archive or delete the post within 30 days. You cannot delete comments from others, but you can remove the post entirely. LinkedIn doesn’t offer true deletion (crawlers cache it), but removing from your company page is your compliance obligation.
**What if an employee att
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →