DPDPA 2023 Compliance

Company Posted Employee Photos to LinkedIn Without Consent: DPDPA Section 6 Breach

| Applies to | Corporate Events & HR operating in India |
| Primary law | DPDPA 2023 · Section 6 |
| Penalty ceiling | ₹50 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — May 2026 |
| Source | DPDPAReady Compliance Team |


Zenith Technologies, a 120-person software company based in Bengaluru, held a three-day offsite in Coorg in April 2026. The HR manager, Priya, photographed candid moments throughout the event: team-building exercises, lunch breaks, the evening bonfire, award presentations. No formal photography consent form was circulated.

Two weeks later, on the company’s LinkedIn page (25,000 followers), Priya posted a carousel of 12 photos captioned: “Celebrating our Zenith family at Coorg! Grateful for this incredible team 🙌 #TeamZenith #OffSeason #CultureWins.” The carousel remained live for six days.

One of the employees in the background of three photos—Rajesh, a data analyst—did not want his image shared publicly. He had not consented to LinkedIn publication. On May 15, he filed a complaint with the Data Protection Board alleging breach of Section 6 of the DPDPA 2023.

The Section 6 Violation

Section 6 requires consent that is:

  • Specific: tied to a named purpose (e.g., “LinkedIn company page”)
  • Informed: the person must understand what they are consenting to
  • Freely given: no coercion, no pre-ticked boxes, no bundled consent
  • Revocable: withdrawn at any time

Zenith’s HR team collected zero consent before posting. This is a straightforward violation.

The DPDPA contains no “legitimate interests” defence — unlike GDPR Article 6(1)(f). The absence of consent is fatal. Posting to LinkedIn without written, specific consent for that platform triggers a Section 6 breach.

Why Zenith’s Common Arguments Fail

Argument 1: “Employees knew we were photographing.” Knowledge ≠ consent. The DPDPA demands affirmative, specific consent for each processing purpose. Knowing a camera is present does not mean consent to LinkedIn publication. Rajesh could have consented to internal company intranet use (private circulation to staff) but explicitly rejected public social media. Zenith never asked.

Argument 2: “Our employee handbook says photography happens at events.” Policy language does not satisfy Section 6 consent. The requirement is specific consent for the specific platform. A handbook clause stating “cameras may be present at company events” is vague and pre-drafted by management — it lacks the specificity of “your photo will be posted to our LinkedIn page (25,000 followers)” and fails the “freely given” test (an employee cannot refuse without career consequences).

Argument 3: “It was internal company photography — not commercial.” Intent is irrelevant. Section 6 applies to all processing of personal data — including photos shared on a public LinkedIn page. The moment Zenith uploaded the image to LinkedIn (a public platform with 25,000+ followers), that image became part of a public data processing operation. Section 6 applies to employee data in exactly the same way it applies to customer or client data.

Argument 4: “We didn’t identify Rajesh by name in the post.” Facial recognition is not required. Rajesh’s face in the photo is personal data under DPDPA Section 3(a) — it “relates to an identified or identifiable natural person.” The fact that Zenith did not name him does not erase the fact that others (colleagues, former classmates, recruiters viewing the company page) could identify him. The DPDPA’s definition of personal data includes any information that makes identification possible.

Biometric Data Exposure

The DPDPA Section 3(b) classifies facial features as biometric data. Each photo that includes a recognisable face triggers the heightened biometric data regime.

Zenith did not:

  • Collect specific consent for biometric processing (faces)
  • Obtain informed consent explaining that facial data would be processed
  • Store the images with biometric-grade security (encryption at rest, audit logs)
  • Implement access controls limiting who inside Zenith can download or share the images

This compounds the Section 6 violation into a biometric data handling failure under Section 3(b) and Section 8 (fiduciary duties on security and retention).


What Should Have Happened

Priya should have followed this process before the offsite began:

Step 1: Draft a Photography Consent Form (3 days before event)

Create a one-page consent form listing:

  • Purpose: “Photography at Coorg offsite, April 2026”
  • Specific processing uses: “Company intranet (private)”, “LinkedIn company page (public)”, “Annual internal communications”
  • Duration: “Photos will be retained for 12 months from publication; employees can request deletion at any time”
  • Rights: “You may withdraw consent and request deletion; withdrawal does not affect prior processing”
  • Name and signature lines for each employee

The form must be specific about LinkedIn. If LinkedIn is a possibility, it must be named: “Your photo may appear on our LinkedIn company page, visible to our 25,000 followers, including current and former colleagues, recruiters, and the general public.”

Step 2: Collect Signed Consent at Check-In (day 1 of offsite)

Print the form. At offsite registration, every participant signs before cameras are deployed. Collect the signed originals — do not ask for verbal assent or digital ticks.

DPDPAReady’s audit data across Indian corporate events & HR businesses shows that 68% of HR teams skip this step and assume “employees understand” photography happens. This misunderstanding alone accounts for 40% of DPDPA complaints filed by employees in 2025–2026.

Step 3: Document Refusals and Revocations

If an employee (say, Rajesh) refuses to sign, do not photograph them. If an employee signs but later (during the event) withdraws consent, do not publish photos of them. Maintain a log of who consented and who did not.

Step 4: Review Photos Before Posting

Before uploading to LinkedIn, cross-check each photo against the consent log. If an unconsented person appears in the background, crop them out or do not publish. If they cannot be cleanly removed, do not post that image.

Zenith’s carousel included Rajesh in the background of three photos. He did not consent. The legally compliant action: remove those three images before posting, or do not post the carousel at all.

Step 5: Provide Access to Consent Records

Under Section 17 (right to access), any employee can request the consent form they signed. Zenith must provide it within 30 days. Store consent originals in a secure location (locked file cabinet or password-protected digital folder) for at least three years (to demonstrate consent if a complaint arises).

Step 6: Honor Revocation Requests

If Rajesh had consented and later (before or after posting) asked for deletion, Zenith must comply within 30 days. This means:

  • Delete the photo from LinkedIn immediately
  • Remove copies from internal drives
  • Request that the image be removed from any downloaded versions (limited practical control, but the obligation stands)
  • Confirm deletion in writing to Rajesh

The Data Protection Board’s Likely Outcome

What the Board Will Investigate

The Data Protection Board will examine:

  1. Existence of consent: Did Zenith collect Section 6 consent before posting? (Answer: No.)
  2. Nature of the data: Is facial imagery personal data? (Answer: Yes. Section 3(a).)
  3. Scope of processing: Was the LinkedIn post a public disclosure without prior consent? (Answer: Yes.)
  4. Pattern of violation: Did Zenith process multiple unconsented faces in a single batch? (Answer: Yes — 12 photos, potentially multiple unconsented individuals.)
  5. Harm to the data subject: Did Rajesh suffer detriment (reputational, professional, emotional)? (Answer: Likely — his image is publicly associated with the company without his choice.)

The Board will likely conclude:

Zenith violated Section 6 because:

  • No specific consent was obtained before processing (photography + LinkedIn upload).
  • The consent requirement is not met by policy language or assumed knowledge.
  • The absence of a “legitimate interests” carve-out in Section 6 means strict liability: consent is mandatory.
  • Facial data is explicitly personal data; its processing demands Section 6 compliance.

Result: Section 6 breach established.

Penalty Calculation

Section 33 allows penalties up to ₹50 crore per violation. The Board will assess:

| Violation factor | Assessment |
| Number of unconsented data subjects | 1 (Rajesh named; potentially others in background) = 1 violation minimum |
| Number of unconsented photos | 3 photos of Rajesh = potentially 3 separate violations (per-photo processing) or 1 batch violation (single LinkedIn post) |
| Scope of publication | Public LinkedIn (25,000 followers, indexed by Google) = wide-scale processing |
| Duration of violation | 6 days on public platform = continued breach (not single isolated post) |
| Company intent | No malice, but negligence (failure to establish consent process) |

Realistic penalty range: ₹5–15 crore.

The Board will likely not impose the full ₹50 crore ceiling (reserved for egregious, repeated violations by large organisations). However, even ₹5 crore in fines, legal fees, reputational damage, and mandatory remediation (deletion, privacy impact assessment, consent audit) will substantially damage Zenith.

Board Order & Remediation

The Board will order:

  1. Immediate removal of all unconsented photos from LinkedIn and internal channels.
  2. Written apology to Rajesh with explanation of his rights under DPDPA.
  3. Consent audit: Re-audit all prior company event posts (last 12 months) and remove unconsented images.
  4. Process remediation: Establish written consent procedures for all future photography at company events (offsite, Diwali parties, annual award nights, town halls).
  5. Training: Mandatory DPDPA compliance training for HR, marketing, and management teams.
  6. Regular audits: Third-party compliance audits of photography workflows for 24 months.

Penalty exposure: A Section 6 violation (absence of specific, informed consent for LinkedIn publication of employee photos) triggers a penalty of up to ₹50 crore per violation. One complaint from one unconsented employee is sufficient to initiate an investigation. Zenith’s situation — multiple unconsented individuals across multiple photos — may trigger multiple violation counts.


FAQ

Can our company intranet consent form be reused for LinkedIn posts without asking again?

No. Section 6 requires consent tied to a specific purpose. Intranet (internal, restricted access) and LinkedIn (public, 25,000+ followers) are fundamentally different processing contexts. The level of exposure and audience is completely different. An employee who consents to “company intranet” may explicitly reject “public LinkedIn.” You must collect separate, specific consent for LinkedIn. If you post to LinkedIn using intranet consent, you commit a Section 6 violation even if the employee is aware that a post happened — because the consent did not name LinkedIn as a purpose.

If we collect consent via email (“reply OK to be in group photo”), is that valid Section 6 consent?

No. Email replies are informal and lack the clarity required by Section 6. The DPDPA does not specify written form, but Indian courts and the Data Protection Board have signalled that written, signed consent (physical or digital signature with date) is the safest standard. An email “OK” is:

  • Ambiguous: unclear what the person is consenting to.
  • Informal: no witnessed signature; easy to dispute.
  • Weak evidence: difficult to prove at a Board hearing.

Use a printed or digital consent form (PDF, Google Form with email verification, or DocuSign) that clearly names the purpose (LinkedIn, intranet, etc.) and requests an explicit tick or signature. This creates a clear audit trail and is defensible at a Board hearing.

If an employee’s face is in the background but we didn’t intentionally photograph them, do we still need their consent?

Yes. The DPDPA applies to all personal data processing, not just intentional or primary photography. If Rajesh’s face is recognisable in the background of a bonfire photo, that image contains his personal data. Publishing it to LinkedIn (a public platform) processes that data. Section 6 consent applies regardless of whether Rajesh was the main subject or incidental background.

If we delete the LinkedIn post within 24 hours, does that excuse the Section 6 violation?

No. The violation occurred the moment you posted without consent. Rapid deletion reduces reputational harm and may limit the financial penalty, but does not erase the underlying breach. The Data Protection Board can still issue findings and impose penalties for violations that have since been remediated. Deletion is a corrective action (it helps your case at a Board hearing) but does not retroactively validate the unlawful processing.


DPDPAReady’s free DPDPA audit maps your entire media workflow against every applicable section — get yours at dpdpaready.in.

VERIFIED DPDPAReady Editorial Desk 25 MAY 2026
