HR Photography & Event Consent Under DPDPA: 10 Critical Questions
| Applies to | Corporate Events & HR operating in India |
| Primary law | DPDPA 2023 · Section 6 |
| Penalty ceiling | ₹50 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — May 2026 |
| Source | DPDPAReady Compliance Team |
Section 6 of India’s Digital Personal Data Protection Act is not optional for corporate HR teams—yet most treat employee and guest photography as internal administration exempt from consent rules. It isn’t. Whether your Diwali party photographer posts to LinkedIn, your offsite at Coorg produces a company YouTube video, or your annual award night goes live on MS Teams, Section 6 requires specific, informed, freely given, revocable consent before any processing. This FAQ addresses the 10 most common compliance gaps DPDPAReady’s team identifies during HR audits.
Can we collect consent for event photography at the event itself, or must it be before?
Consent must be collected before or at the point of photography—not after. If employees arrive at a Diwali party and a photographer is already shooting, you’ve already violated Section 6 unless consent was collected in advance (via email, onboarding docs, or a pre-event form). Collecting consent “after the fact” is not valid under DPDPA’s requirement for freely given, informed consent. The safest practice: send a privacy notice and consent request 3–5 days before the event, with a reminder link at check-in.
If an employee signed the employee handbook acknowledgment that includes “consent to company photography,” does that cover LinkedIn posting?
No. A blanket consent buried in a 40-page handbook is neither specific nor informed under Section 6. DPDPA requires consent for a defined processing purpose—LinkedIn posting, internal HR database, annual report, or portfolio use must each be explicitly stated and separately consentable. If the handbook says “the company may photograph you,” an employee cannot reasonably infer their photo will appear on the company’s LinkedIn page with their name tagged. Separate, visible consent for each distribution channel is required.
What if we collect consent via a Google Form sent through WhatsApp, but we don’t link the form response to the actual image files?
This creates a critical compliance gap. Section 6 requires consent to be linked to the specific personal data being processed. If your Google Form collects “I consent to LinkedIn posting” but the photographer’s camera roll contains 500 uncoded images, you cannot prove which images the form respondent actually consented to. Best practice: assign a unique identifier or QR code at the event linking each photo to the consenting individual, or collect consent after showing a contact sheet of specific images.
If an employee consents to photography for internal use (annual report), can we later post the same photos to Instagram without fresh consent?
No. Each distinct processing purpose requires fresh consent. Internal HR archive processing and public Instagram distribution are fundamentally different—the former is controlled, the latter exposes the employee to an unlimited audience. Posting to Instagram without a separate, explicit consent request is a Section 6 violation and carries penalties up to ₹50 crore per violation. One batch of unconsented photos = one violation.
Can we use a checkbox at event registration (“I agree to photography and media coverage”) to satisfy Section 6 consent?
Only if the checkbox is separate from the registration agreement, appears on a standalone page, uses plain language that names the specific processors (photographer, social media platforms, company), and is not pre-ticked. A checkbox buried in terms & conditions or pre-selected does not satisfy the “freely given” requirement. Additionally, if the checkbox lists multiple purposes (internal use + LinkedIn + portfolio use), it is not specific enough—each purpose should have its own checkbox.
If we delete a photo from LinkedIn after an employee requests deletion, do we also have to delete it from our internal HR database and email archives?
Yes. Section 6 consent is not revoked on a per-platform basis. If an employee revokes consent, you must delete the personal data across all systems where you’ve stored it—LinkedIn, the internal HR database, email archives such as Gmail, and cloud backups. Deleting only from LinkedIn while keeping the image in Zoho People HRMS or company backup drives means consent has been revoked but the data still exists under your control. This violates Section 6 and can trigger additional Section 12 (data erasure) violations with penalties up to ₹50 crore.
What if we get consent from the employee but a guest (spouse, family member) is also visible in the photo?
You need separate consent from every identifiable individual. If your annual award night photo includes an employee’s spouse in the background and that spouse’s face is clearly visible, you must collect consent from the spouse before posting that image anywhere. At corporate offsites in Coorg or Goa, this means implementing a guest consent process—either via a Google Form at check-in or a separate consent email sent to registered guests before the event. Failure to do so is a Section 6 violation for each unconsented individual.
Can we collect consent from the employee to cover all visible family members in offsite photos?
No. Consent is individual and non-transferable. An employee cannot consent on behalf of their spouse, child, or parent. Each person whose biometric data (face, gait, voice in video) appears in an image must provide their own consent. If your Manali offsite includes spouses and you post family photos to LinkedIn, you need written consent from every person visible. DPDPAReady’s audit data across Indian corporate events & HR businesses shows this gap affects 70% of companies posting candid offsite photography.
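One way to implement the consent-to-image linkage described above, as an added example (not DPDPAReady's code): each photo lists the identifier of every identifiable person in it, and a publish check requires a live, purpose-specific consent from each of them. The badge-ID scheme, field names and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Consent:
    subject_id: str            # badge/QR identifier (hypothetical scheme)
    event: str
    purpose: str               # exactly one purpose per record
    granted_on: date
    expires_on: date           # retention period stated in the notice
    revoked_on: Optional[date] = None

def covers(c, subject_id, photo, purpose, today):
    """True if record c lets subject_id appear in photo for this purpose."""
    return (c.subject_id == subject_id and c.event == photo["event"]
            and c.purpose == purpose
            and c.granted_on <= photo["shot_on"]   # collected before the shot
            and c.revoked_on is None               # not withdrawn
            and today <= c.expires_on)             # still inside retention

def blockers(photo, purpose, ledger, today):
    """Subjects in the photo who lack valid consent for this purpose."""
    if photo.get("subjects") is None:              # uncoded image: nothing provable
        return ["UNTAGGED"]
    return sorted(s for s in photo["subjects"]
                  if not any(covers(c, s, photo, purpose, today) for c in ledger))

def publishable(photos, purpose, ledger, today):
    """IDs of photos in which every identifiable subject has consented."""
    return [p["id"] for p in photos if not blockers(p, purpose, ledger, today)]

# Constructed sample data: one event, two employees, one guest.
EVENT, SHOT, END = "diwali-party", date(2025, 10, 20), date(2026, 4, 20)
LEDGER = [
    Consent("EMP-014", EVENT, "annual_report", date(2025, 10, 15), END),
    Consent("EMP-014", EVENT, "linkedin", date(2025, 10, 15), END),
    Consent("EMP-022", EVENT, "linkedin", date(2025, 10, 15), END,
            revoked_on=date(2025, 11, 2)),
    Consent("GST-003", EVENT, "annual_report", date(2025, 10, 16), END),
]
PHOTOS = [
    {"id": "IMG_0412", "event": EVENT, "shot_on": SHOT, "subjects": ["EMP-014"]},
    {"id": "IMG_0413", "event": EVENT, "shot_on": SHOT, "subjects": ["EMP-014", "GST-003"]},
    {"id": "IMG_0414", "event": EVENT, "shot_on": SHOT, "subjects": ["EMP-014", "EMP-022"]},
    {"id": "IMG_0415", "event": EVENT, "shot_on": SHOT},  # never tagged
]
```

Running `blockers` before each upload also gives the audit answer for a blocked image: it names the person whose consent is missing, revoked or expired for that channel.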
If we livestream a town hall and the recording goes to an unlisted YouTube link shared only with employees, do we still need consent?
Yes. Storage on YouTube constitutes processing, regardless of privacy setting. An “unlisted” link is not an access control; anyone with the link can access and download the video. If you plan to stream and record a town hall, you must collect consent before the livestream begins. This is particularly critical if the town hall includes new joinee introductions, where the individual is explicitly identified. Post-livestream, you must retain the video only as long as consented—typically 30–90 days—then delete, unless consent specifies archival.
What happens if our contracted event photographer posts photos to their own portfolio without consent or explicit contractual restriction?
Your company remains liable under Section 6. You are the data controller (the organization responsible for the processing), and the photographer is a processor (acting under your instructions). If you failed to contractually restrict the photographer’s use of images, or if you didn’t collect consent from subjects that clearly states the photographer’s portfolio use, you bear the Section 6 violation risk—not the photographer. A professional services agreement must explicitly state: “Images are for [Company] use only and may not be shared to the photographer’s portfolio, website, or social media without separate written consent from each subject.”
Can we use a signed photo release from an employee during onboarding as perpetual consent for all future events?
No. Consent is specific to a defined purpose and can expire. A blanket photo release saying “the company may photograph me at any time for any purpose” is vague and does not meet the specificity requirement of Section 6. Best practice: send a fresh consent request 3–5 days before each event, specifying the event name, processing purposes (internal use, LinkedIn, annual report, etc.), retention period, and recipient list. This approach respects the employee’s right to revoke consent and ensures compliance with the “informed” standard—an employee knows what they’re consenting to for a specific event.
Are we liable if a guest at a corporate event takes their own photo and posts it to Instagram without asking for our permission?
No—not under Section 6. Your liability arises only when you process personal data (collect, store, use, share). If a guest independently photographs and posts, they are the data controller, not your company. However, if your company then reposts that guest’s photo to your corporate Instagram account without fresh consent from the guest, you become a processor and violate Section 6. Additionally, if you publicly tag or identify the guest in your repost, you are processing their personal data.
If we have written consent but the employee later claims they didn’t understand what they were consenting to, are we protected?
Written consent is evidence, but not absolute protection if the consent language was ambiguous. “I consent to photography” is weaker than “I consent to photography for the company’s LinkedIn page, retained for 6 months, visible to all LinkedIn followers (approximately 50,000 users).” If an employee disputes that they understood the scope, your burden is to show the consent was informed—meaning you provided a clear, accessible privacy notice in simple language that explained exactly what processing would happen, who would see the data, and for how long. A privacy notice hidden in a PDF attachment is not sufficiently informed.
What if we collect consent via SMS or WhatsApp instead of email or a form?
SMS and WhatsApp are valid if you can prove consent was given. The constraint is audit trail. If you send a WhatsApp message saying “Do you consent to photography at tomorrow’s Diwali party for LinkedIn posting?” and the recipient replies “Yes,” you must save that exchange (screenshot + metadata showing date/time) as proof. A conversational consent via messaging is legally valid but riskier because: (1) consent can be ambiguous (“Ok” might mean acknowledgment, not consent), (2) the message may be deleted, and (3) you cannot scale this to 100+ employees. Use SMS/WhatsApp only as a reminder; primary consent should be via form or email with a clear consent statement and a checkbox or digital signature.
Your HR compliance isn’t just about policy—it’s about proof. Every photo posted, every consent collected, and every employee notified must be traceable. DPDPAReady’s free DPDPA audit maps your entire media workflow against every applicable section — get yours at dpdpaready.in.