✓ Link copied
DPDPA 2023 Compliance

Corporate Events Need HR Photography Consent Under DPDPA Section 6

14 June 2026 · DPDPAReady Editorial · ~5 MIN READ
Applies toCorporate Events & HR operating in India
Primary lawDPDPA 2023 · Section 6
Penalty ceiling₹50 crore per violation
Enforcement statusData Protection Board accepting complaints — May 2026
SourceDPDPAReady Compliance Team

The Problem: Your Diwali Party Photos Are Unconsented Personal Data

Your HR team shoots the Diwali party at the Coorg offsite. Marketing posts 47 candid shots to the company LinkedIn page. Three days later, a finance employee files a complaint with the Data Protection Board alleging no one asked her permission before her face appeared in a company post.

Under DPDPA Section 6, every photograph of an identifiable person is personal data. Consent must be:

  • Specific — not buried in a master privacy policy
  • Informed — the person knows exactly what you’ll do with the photo
  • Freely given — no coercion, no employment-linked conditions
  • Revocable — they can withdraw consent anytime

This post gives you the exact checklist and template to collect that consent before the town hall, annual award night, or new joinee welcome photo session.

Your consent form must contain these five mandatory elements. If even one is missing, the Board will treat it as no consent at all.

1. Explicit Purpose Statement
Name each specific use: “LinkedIn company page,” “internal company intranet,” “email newsletter to all staff,” “awards night photo gallery for attendees only.” Don’t write “marketing purposes” or “company communications.” Be granular.

2. Identifiable Data Captured
State that you will collect face/biometric data. The DPDPA treats facial recognition as sensitive personal data in Section 3(36). Say: “We will photograph your face and may use facial recognition technology to match you with your job title in our HR system.”

3. Retention Period
How long will the photo stay on the company LinkedIn page? In email archives? In your HR management system (Zoho People, Workday)? Specify: “12 months on LinkedIn, permanently in our internal intranet, deleted from email after 90 days.” Without this, you’re in violation of Section 8 (data security and retention).

4. Right to Refuse and Withdraw
Make it clear: “You may refuse photography at the event without any employment impact. If a photo is already posted, you may request deletion within 30 days, and we will comply within 5 business days.” No conditions like “only if the photo looks bad” or “only if you ask before publishing.”

5. No Legitimate Interest Carve-Out
Do NOT write: “We may photograph you for legitimate business interests in team building or internal communications without consent.” The DPDPA removed the legitimate interest exception for photography. Section 6 consent is mandatory. Full stop.

6. Data Processor / Third-Party Disclosure
If your event photographer is external, say so: “ABC Photography Ltd. (our vendor) will receive untagged image files. They will not use your photos for their portfolio without separate consent.” If marketing intern gets the files, name them.

7. Data Subject Rights
Include: “You have the right to access, correct, or erase your photograph. Contact hr@company.com to exercise these rights. We will respond within 30 days.”

The Template

Use this exact form. Replace bracketed text with your details. Print or deploy via Google Form (but link the form response to actual image metadata — see the FAQ below).

EMPLOYEE PHOTOGRAPHY CONSENT

Event: [Diwali Party / Annual Awards Night / Offsite in Coorg / Town Hall / New Joinee Welcome / Annual Day / Puja]
Date: [DD/MM/YYYY]
Organized by: [Company Name]

I, [Full Name], Employee ID [XXXX], consent to the following:

  1. Photography Collection: I consent to being photographed (including facial images) during the above event by [Company Name]‘s in-house team / [Vendor Name, external photographer].

  2. Specific Uses (check all that apply):

    • ☐ Posted on company LinkedIn page (12-month retention)
    • ☐ Posted on company internal intranet / Slack / Microsoft Teams (indefinite retention)
    • ☐ Sent via email to all employees (90-day retention in email system)
    • ☐ Printed in company annual report (permanent retention)
    • ☐ Used for HR onboarding materials for new joiners (12-month retention)
    • ☐ Used in town hall presentation slides (12-month retention)
    • ☐ Shared with [other location/subsidiary, if applicable] (specify retention: _____)

  3. Facial Recognition: I understand that [Company Name] may use facial recognition technology to match my photograph with my HR system records (Zoho People / Workday) for identification and archival purposes only. This data will not be shared with third parties for behavioral analysis or surveillance.

  4. Data Processor Disclosure: The photographer ([In-house team] / [ABC Photography Ltd., external vendor]) will receive untagged image files. They will not use my photographs for their own portfolio, website, or social media without my separate written consent.

  5. Withdrawal & Deletion: I may withdraw this consent at any time by emailing hr@company.com. If my photograph is already published, I may request deletion within 30 days of publication, and [Company Name] will remove it within 5 business days.

  6. Refusal Without Impact: I understand that refusing photography will not affect my employment, benefits, or standing in the organization.

  7. Data Subject Rights: I have the right to access, correct, or request erasure of my photograph. Contact hr@company.com with requests; we will respond within 30 days.

Signature: ________________
Print Name: ________________
Date: ________________
Employee ID: ________________
Email: ________________

For HR/Event Team:
Date consent collected: ________________
Method (print / digital form / verbal + witnessed): ________________
Collected by (name): ________________
Witness (if verbal): ________________
Stored in: [HR system folder / compliance folder]

How to Deploy This

Who Signs It:
Every employee or contractor photographed at a corporate event must sign before the event begins. External attendees (vendor partners, clients) also need consent — use the same form with “Guest” replacing “Employee.”

When to Collect It:
Collect consent at event registration or in the 48 hours before the event. Do not rely on event-day sign-ups where employees feel rushed. If you’re a recurring event host (monthly town halls), collect annual standing consent in writing and store it in your HR management system.

How to Store Records:

  • Keep signed (or digitally submitted) consent forms in a dedicated HR folder inside your HR system (Zoho People, Workday, or local drive with access control).
  • Link the consent to the actual photo file. Use metadata tagging: filename 2026-06-14_diwali_party_john_doe_consent_yes.jpg or a spreadsheet with [photo filename] → [employee email] → [consent date].
  • Without this link, you cannot prove you had consent for that specific photograph if the Board audits you.

What to Do If Someone Refuses:

  • Do not photograph them, or if already photographed, delete the file immediately and document the deletion date and reason.
  • Update your consent spreadsheet: “John Doe | Refused | Deleted [date].”
  • Do not ask them to leave the event; refusal has no employment consequences.

If Someone Asks for Deletion Post-Publication:

  • Check the withdrawal date against your deletion SLA (this template promises 5 business days).
  • Remove the photo from LinkedIn, intranet, email archives, and any website or print materials.
  • Document: “Photo removed | Employee request | Date of deletion | Deleted by [person].”
  • If the photo was already distributed (e.g., printed in a 500-copy annual report), you cannot retrieve all copies, but you must remove it from all future and digital versions. Document the effort.

What Happens Without This Document

Scenario: One complaint, no consent form.

An employee reports to the Data Protection Board: “My photograph was posted on the company’s LinkedIn page without my permission.” The Board opens an investigation.

You search your records. No consent form. No metadata linking consent to the photo. The HR team says “everyone consents verbally” — but verbal is not documented, and the DPDPA requires written proof under Section 6.

The Board’s findings:

  • ✓ Violation of Section 6 (no documented consent).
  • ✓ Violation of Section 8 (no retention/deletion policy for the photo).
  • ✓ Potential violation of Section 3(36) (facial biometric data processed without safeguards).

Penalty: Up to ₹50 crore per violation. One unconsented photo batch = one violation. If 47 photos were posted without consent, that’s 47 violations × ₹50 crore = ₹2,350 crore exposure.

In practice, the Board issues a show-cause notice and may impose ₹2–10 crore for a first offense depending on severity and your remediation efforts. But there’s no ceiling once the complaint lands.

Even if you delete the photo immediately after the complaint, the Board still has grounds to fine you for the period it was published unconsented.

FAQ — HR Photography Consent Under DPDPA

Can we collect photography consent at the event itself, or must it be before?

Pre-event is safer. Collecting consent at the event (via printed form or QR code) is legally valid, but employees feel cornered—“the photographer is right here; if I refuse, it looks weird.” This weakens the “freely given” requirement under Section 6. Collect consent in the 48 hours before the event via email or in-person during a meeting. If you must collect at the event, have HR (not the photographer) approach each person privately with the form and a clear statement: “You can say no, and there’s no impact.”

If an employee signs the consent form for LinkedIn posting, can we later post to Instagram without asking again?

No. Section 6 requires consent to be specific to each use. If the form says “LinkedIn,” you can only post to LinkedIn. To post to Instagram, you need a new, separate consent from that employee. Collect multi-channel consent upfront: “LinkedIn, Instagram, company website, internal intranet” with separate checkboxes. If the employee only ticks LinkedIn, honor that.

What if we collect consent via Google Form sent through WhatsApp?

Google Form is acceptable if you do two things: (1) link the form response to the actual image file with metadata or a spreadsheet, and (2) keep the form response PDF saved in your compliance folder for 6 years (DPDPA statute of limitations). Do not rely on the form submission alone; the Board will ask for proof that you matched consent to the specific photo. If your spreadsheet shows “John Doe | Consent form ID #123 | Photo file: john_diwali_2026.jpg,” you’re compliant. If it shows “John Doe | Yes,” you’re not.

If we delete a photo from LinkedIn after an employee asks, do we also delete it from our internal HR system and email archives?

Yes. “Deletion” under Section 12 means removal from all systems where the photo is stored. If you keep the photo in your HR intranet “just in case,” and the employee’s deletion request is ignored in that system, you’re still in violation. Delete from LinkedIn, delete from internal intranet, delete from email backups (or confirm with IT that backup retention policies will auto-delete after 90 days). Document each deletion point.

Start Your Compliance Record Today

DPDPAReady’s Template Library deploys consent forms, privacy notices, and data processing agreements for corporate events and HR teams in 48 hours — start at dpdpaready.in.

HR photography compliance checklist India DPDPA 2025corporate event photography consentDPDPA Section 6 consentemployee photography rights Indiaoffsite photography compliance
VERIFIED DPDPAReady Editorial Desk 14 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →