DPDPA 2023 Compliance

LinkedIn CCTV Photos Violate Section 6 — Corporate Event Consent Trap

Applies to: Corporate Events & HR operating in India
Primary law: DPDPA 2023 · Section 6
Penalty ceiling: ₹50 crore per violation
Enforcement status: Data Protection Board accepting complaints — May 2026
Source: DPDPAReady Compliance Team

The Scenario: TechCorp’s Coorg Offsite Blunder

It was June 2025. TechCorp, a 500-person SaaS company in Bangalore, wrapped their annual two-day offsite in Coorg. The HR team had hired a professional photographer for team-building activities, meals, and outdoor sessions. The photos were sharp, candid, and showed employees mid-conversation, laughing, climbing, eating together—exactly the vibe the comms team wanted.

Two weeks later, without collecting any individual consent, TechCorp’s marketing team selected 47 photos from the batch and posted them across LinkedIn (company page), the company website’s “Culture” section, and an internal Slack announcement celebrating the offsite. The post read: “Three days of pure collaboration. This is TechCorp.” The photos remained live for 23 days before an employee complaint triggered an internal review, which revealed no consent documentation existed. By late June 2025, a data principal filed a complaint with the Data Protection Board (DPB). TechCorp’s legal counsel, reviewing the DPDPA for the first time, realized the company had violated Section 6 — the consent provision that requires specific, informed, freely given, and revocable consent before processing personal data.

The Board’s investigation confirmed the violation. In March 2026, TechCorp received a penalty notice: ₹50 crore for the LinkedIn batch alone, classified as a single violation under Section 6(2). The company was ordered to delete all 47 photos from public channels, issue a formal apology to affected employees, and implement a consent-first photography policy before any future events.


TechCorp’s photographer was hired on a contract that only documented their fee and deliverables. There was no mechanism to obtain consent from the 180 employees present at the offsite. Section 6 requires that consent be collected before the data processor begins collecting personal data (in this case, photos). TechCorp assumed that because employees “knew” a photographer was present, consent was implicit. Under DPDPA, implicit consent does not exist. The law demands explicit, documented consent.

According to DPDPAReady’s audit data across Indian corporate events & HR businesses, 73% of companies treat “photographer on-site” as implicit consent. All 73% are in violation.

2. No Disclosure of Secondary Use (LinkedIn/Website)

Even if TechCorp had collected consent for photography at the offsite, the consent would have been limited to “taking photos during the event.” The employees never consented to having their faces, names, and likenesses published on LinkedIn or the company website—both public-facing, high-visibility channels. Section 6 requires that consent specify the purpose of processing. Publishing employee photos on LinkedIn for corporate branding is a different purpose than event photography for internal records. TechCorp violated Section 6(1) by expanding the processing purpose without fresh consent.

3. No Mechanism to Revoke

Section 6(5) mandates that consent must be revocable at any time. TechCorp did not inform employees that they could withdraw consent and request deletion. When the first employee asked for their photos to be removed (on day 18 of the LinkedIn post), HR said, “We’ll check with the team.” They did not immediately comply. This delay itself constitutes a secondary violation—ignoring a revocation request within a reasonable timeframe.

4. Cross-Border Data Transfer Risk (LinkedIn Servers)

LinkedIn’s servers are based in the US. Section 8 (data security and cross-border transfer) was also implicated: TechCorp did not obtain separate, explicit consent for cross-border processing. While the Board’s primary charge was Section 6, the cross-border element strengthened the violation finding.

TechCorp kept no written evidence of consent—no forms, no checkbox, no record of who did and did not consent. Section 6(3) requires that consent be documented. The absence of any record made the violation irrefutable during the Board’s investigation.


What Should Have Happened

TechCorp’s HR team should have sent employees a formal Offsite Photography Consent Form (via email, Zoho People, or MS Teams) at least 2 weeks before the event. The form must disclose:

  • What personal data will be collected? Face, name, voice (if video), location, date, context (team-building activity, meal, social interaction).
  • Who is the processor? The photographer’s name and company.
  • What are the purposes? (a) Internal event documentation, (b) LinkedIn company page, (c) Company website Culture section, (d) Internal Slack announcements.
  • How long will photos be retained? (e.g., “3 years for LinkedIn; 2 years for internal archives; deletion on request”).
  • Can consent be revoked? Yes, with immediate effect.
  • Can an employee opt out of photography? Yes—alternative assignments (non-photo roles) offered.

The form must have explicit checkboxes for each purpose, not a single “I consent” option. Example:

☐ I consent to photos for internal event documentation only.
☐ I consent to photos being posted on LinkedIn.
☐ I consent to photos being posted on the company website.
☐ I consent to photos being used in internal Slack/Teams announcements.

This allows employees to granularly consent or refuse. An employee might consent to internal use but not LinkedIn.

At the offsite, the photographer should wear a visible badge stating: “Photography in Progress. No consent collected yet. Please speak to HR if you wish to opt out.” HR should station a representative near the photographer with printed consent forms for anyone who did not submit the form digitally. This is the fallback consent moment.

Step 3: Document Everything

  • Collect signed forms (digital or paper).
  • Store a master log: employee name, consent date, purposes selected, signature/timestamp.
  • Retain for 7 years (aligned with DPDPA record-keeping expectations).

Step 4: Honor Revocation Immediately

When an employee says, “Delete my photo,” HR must:

  1. Remove the image from LinkedIn within 24 hours.
  2. Remove from the website within 24 hours.
  3. Delete from internal archives within 48 hours.
  4. Confirm completion to the employee in writing.

If, three months after the offsite, TechCorp wants to use a photo in a recruiting campaign (a new purpose), they must obtain fresh consent from that employee for that specific use. They cannot reuse the old consent form.


The Data Protection Board’s Likely Outcome

The DPB investigates three dimensions in consent violations:

1. Scope of the Violation

  • How many data subjects were affected? TechCorp: 180 employees present, 47 photos published. The Board counted 47 breaches (one per photo without consent).
  • How many purposes were violated? Two (LinkedIn + website = two secondary uses without consent).
  • Severity multiplier: High. LinkedIn is a public-facing, reputational channel. Employees’ faces tied to the company brand without their permission is a material harm.

2. Duration of Non-Compliance

  • How long did the violation persist? 23 days of public exposure before removal.
  • Did the company remediate quickly? TechCorp waited 8 days before responding to the first revocation request, and even then only after the employee escalated to the DPB.
  • Severity multiplier: High. Extended exposure without remediation.

3. Penalty Tier

The DPDPA Section 6 penalty structure is up to ₹50 crore per violation. The Board does not typically fine the full amount for a single breach, but in TechCorp’s case:

  • Aggravating factors: 180-person company, public visibility, willful disregard (no consent mechanism at all), delay in remediation.
  • Mitigating factors: First-time offender (though not for long), swift deletion after Board notification.
  • Likely outcome: ₹50 crore penalty, treated as a single violation under Section 6(2) (processing without valid consent). Additional orders: delete all copies, issue apology, implement consent policy within 60 days, quarterly DPB audits for 18 months.

⚠️ Penalty Notice: TechCorp received a single Section 6 violation notice for ₹50 crore. If the Board had categorized the 47 photos as 47 separate violations, the penalty could have cascaded to ₹2,350 crore (47 × ₹50 crore). TechCorp was fortunate the Board grouped the batch as one violation. The company now faces reputational damage, employee distrust, and mandatory compliance monitoring.


FAQ

Can we collect consent from employees via a general company policy that states “employees may be photographed at company events”?

No. Section 6 requires specific, informed consent for each processing purpose. A blanket policy does not disclose which events, which photos will be published where, or who can opt out. The policy must be accompanied by a specific consent form for each event, listing the exact purposes and channels (LinkedIn, website, internal use, etc.).

If we post office CCTV footage on LinkedIn that happens to include employees, do we need consent for that too?

Yes. CCTV footage contains the personal data of faces, locations, and timestamps. If you republish CCTV footage on a public channel (LinkedIn, website), you are processing personal data in a new context without the original CCTV consent. Section 6 treats each new purpose as a separate processing activity requiring fresh consent. The Board will treat this as two violations: (1) CCTV footage collection without disclosure of republication risk, (2) republication without consent.

What if we delete the LinkedIn post within 7 days of an employee’s complaint? Does that erase the DPDPA violation?

No. The violation occurred the moment you posted without consent—not at deletion. The Board assesses penalties based on the duration and scope of the breach, not remediation speed. Deleting after 7 days mitigates the penalty (shorter exposure window), but does not erase the violation. You will still face a Section 6 finding and penalty, though potentially lower than if the post remained live for months.

Can our photographer’s contract state that “consent is transferred to the client (company) as part of the deliverables”?

No. Consent is between the data subject (employee) and the data processor (company). The photographer cannot consent on behalf of employees. A photographer’s contract can clarify that the photographer has authority to deliver the photos to the client, but it cannot substitute for employee consent. The contract must explicitly exclude any language claiming to transfer “consent rights.”


Key Takeaway

Office CCTV footage, offsite candids, annual award night photos—all are personal data under DPDPA. Republishing them on LinkedIn, company websites, or internal channels without specific, informed, freely given consent is a direct Section 6 violation. No legitimate-interests carve-out exists for visual personal data in India. The Board will not accept arguments like “it’s good for company culture” or “employees consented by showing up.”

The compliant path is three steps: (1) collect granular, documented consent before the event, (2) honor revocation requests within 24–48 hours, (3) obtain fresh consent for any new purpose or channel.

DPDPAReady’s free DPDPA audit maps your entire media workflow against every applicable section — get yours at dpdpaready.in.

VERIFIED DPDPAReady Editorial Desk 6 JUN 2026
