Exhibitor Data Processor Agreements Under DPDPA: Trade Show Photography Template
| Applies to | Trade Shows & Exhibitions operating in India |
| Primary law | DPDPA 2023 · Section 8 |
| Penalty ceiling | ₹250 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — May 2026 |
| Source | DPDPAReady Compliance Team |
The Risk: Photography Without a Processor Agreement
The moment your exhibition photographer takes a candid shot of a visitor badge—complete with name, company, designation—they are processing personal data on your behalf. Under Section 8 of the DPDPA, you remain liable for their security practices, retention timelines, and deletion compliance, even if they are a freelancer or external agency. Without a written Data Processor Agreement (DPA), you cannot prove you exercised due diligence.
This template defines exactly what exhibitor photographers, PTI/ANI wire services, and event PR teams must agree to before accessing visitor or stall data at Bharat Mandapam, CIDCO, BEC, Auto Expo, India International Trade Fair, Real Estate Expo, or franchise expos. It covers data minimisation, secure storage, deletion on request, and liability caps—five elements the Data Protection Board now expects to see in audits.
What a Compliant Data Processor Agreement Must Include
- Scope of Processing: List exact personal data types (names, company names, badge photos, social handles, attendance logs). Specify purpose (event media coverage, exhibitor highlights, LinkedIn posts, promotional material). Do NOT use “and other uses as may be necessary”—vague scope triggers Board scrutiny.
- Security Obligations: State minimum standards (encrypted storage, password protection, no downloading to personal devices, no resharing with third parties). Reference Section 8(2)(c) explicitly. Require processor to notify you within 24 hours of any unauthorised access or deletion.
- Data Retention & Deletion: Define how long photos are kept (e.g., “30 days post-event for editing; deleted thereafter unless written consent for portfolio use obtained”). Require processor to delete on written request within 14 days. Specify that deleted data includes backups and archives.
- Sub-processors & Third Parties: If photographer uses a cloud storage vendor (Google Drive, Dropbox), a photo editing SaaS, or a printing service, they must name it in writing and get your approval. Ban use of unnamed subprocessors.
- Audit & Inspection Rights: You have the right to audit processor’s storage, deletion logs, and security measures. Processor must maintain a deletion register showing dates and methods. Require annual written confirmation of compliance.
- Liability & Indemnity: Processor indemnifies you for their violations of Section 5 (consent), Section 6 (notice), or Section 8 (security/retention). Cap their liability at the contract value; do not agree to unlimited liability that exceeds your own exposure.
- Term & Termination: Agreement runs for the event duration plus 60 days. Either party can terminate if the other materially breaches (e.g., unauthorised posting). Upon termination, processor must return or destroy all data within 7 days and provide written certification.
The Template
Below is a fill-in-the-blank Data Processor Agreement ready for use at your next trade show or exhibition.
DATA PROCESSOR AGREEMENT — TRADE SHOW PHOTOGRAPHY
BETWEEN:
[Event Organiser Name], a registered business entity at [Address], hereinafter referred to as “Data Fiduciary”
AND:
[Photographer/Agency Name], registered as [Sole proprietor / Partnership / Limited Company] with GST No. [___], hereinafter referred to as “Data Processor”
Dated: [___] 2026
1. DEFINITIONS
“Personal Data”: Names, company affiliations, designations, email addresses, phone numbers, photographs (including facial images), badge information, and any other visitor or exhibitor identifiers captured during [Event Name], [Dates], held at [Venue].
“Processing”: Photographing, storing, editing, uploading, sharing, or deleting Personal Data.
“DPDPA”: The Digital Personal Data Protection Act, 2023, and rules thereunder.
“Breach”: Unauthorised access, loss, alteration, or disclosure of Personal Data.
2. PURPOSE OF PROCESSING
Data Processor shall process Personal Data solely for the following purposes:
- Live event photography for event documentation
- Still imagery for post-event exhibitor highlight reels
- Press release images for trade media (PTI/ANI distribution)
- Social media content (LinkedIn, Twitter) — exhibitor accounts only, not organiser’s
- Printed event brochures and annual reports
- Other (specify): _________________________
Data Processor shall NOT use Personal Data for any other purpose, including personal portfolio building, commercial licensing, or third-party resale, without separate written consent from the Data Fiduciary.
3. SCOPE OF PERSONAL DATA
Data Processor has access to the following Personal Data only:
- Visitor badges and company information
- Exhibitor stall names and booth assignments
- Audio-visual recording (photographs and video)
- Attendee names and designations as visible in venue
Data Processor shall not attempt to extract, infer, or cross-reference Personal Data with third-party databases (e.g., LinkedIn, company registries, financial records) without explicit written instruction from the Data Fiduciary.
4. SECURITY OBLIGATIONS (DPDPA Section 8)
Data Processor shall maintain the following minimum security standards:
- Store all photographs and raw files in password-protected, encrypted cloud storage (e.g., Google Drive with two-factor authentication, Dropbox Business with encryption at rest).
- Do not download files to personal computers, phones, or USB drives without encryption. If downloaded, delete within 48 hours of use.
- Do not share access links with third parties, including the Data Fiduciary’s team members, without prior written approval.
- Do not upload to public platforms (Instagram, Facebook, Pinterest) without explicit consent from the Data Fiduciary AND the individuals in the photographs.
- Maintain audit logs showing who accessed what data, when, and from which location. Provide these logs to the Data Fiduciary upon request within 5 working days.
- Use strong passwords (minimum 16 characters, alphanumeric + symbols) and change passwords every 90 days.
- Report any suspected Breach immediately to the Data Fiduciary within 24 hours of discovery. Provide details: date, time, nature of access/loss, data affected, and remediation steps taken.
5. DATA RETENTION & DELETION (DPDPA Section 8)
Retention Period: Data Processor shall retain Personal Data for [30/45/60] days following the event date only, to permit editing, client review, and delivery.
Automatic Deletion: Upon expiry of the retention period, Data Processor shall automatically delete all Personal Data from primary storage and backups using secure erasure methods (e.g., NIST guidelines, encrypted overwrite).
Request-Based Deletion: If any individual requests deletion of their photograph, Data Processor shall delete within 14 calendar days of receipt of written request (via email or formal notice). Deletion includes all edited versions, backups, archives, and cached copies.
Deletion Certification: Data Processor shall provide written confirmation of deletion within 5 working days, signed by an authorised representative, stating the date and method of erasure.
Portfolio Use Exception: If Data Processor wishes to retain any photograph in their professional portfolio (for credibility or marketing), they must obtain separate, signed consent from each individual pictured. This consent is separate from this Agreement and does not extend to commercial licensing or third-party resale.
6. SUB-PROCESSORS & THIRD PARTIES
Data Processor may use the following approved sub-processors only:
- Cloud storage: [Google Drive / Dropbox / OneDrive — specify]
- Photo editing software: [Adobe Lightroom / Capture One — specify]
- Printing/delivery service: [___]
Any other third-party vendor must be approved in writing by the Data Fiduciary before use. Data Processor remains liable to the Data Fiduciary for sub-processor compliance with this Agreement.
Prohibited sub-processors: Facial recognition SaaS, AI-powered auto-tagging, unencrypted cloud services, and any vendor located outside India without explicit written approval.
7. AUDIT & INSPECTION RIGHTS
The Data Fiduciary reserves the right to:
- Request a detailed log of all Personal Data accessed, stored, and deleted, within 5 working days.
- Conduct announced or unannounced audits of Data Processor’s storage systems and deletion practices.
- Require written confirmation of DPDPA Section 8 compliance annually or upon reasonable suspicion of non-compliance.
Data Processor shall not obstruct or delay audit access and shall remediate any non-compliance within 7 days of notification.
8. LIABILITY & INDEMNITY
Data Processor Indemnity: Data Processor shall indemnify and hold harmless the Data Fiduciary against all losses, damages, fines, penalties, and legal costs arising from:
- Data Processor’s unauthorised processing of Personal Data
- Data Processor’s failure to comply with Sections 5, 6, or 8 of the DPDPA
- Data Processor’s Breach or negligence
- Third-party claims arising from Data Processor’s processing
Liability Cap: Data Processor’s total liability shall not exceed the contract value paid for this event or ₹5,00,000, whichever is greater. This cap does not apply to indemnification for DPDPA violations.
Data Fiduciary Liability: The Data Fiduciary remains solely liable to individuals for compliance with Sections 5 and 6 (consent and notice). The Data Fiduciary shall indemnify Data Processor against fines or claims arising from the Data Fiduciary’s own failure to obtain consent or provide notice before sharing data with Data Processor.
9. TERM & TERMINATION
Commencement: This Agreement commences on [Event Start Date] and runs through [Event End Date + 60 days].
Immediate Termination: Either party may terminate immediately if the other party materially breaches (e.g., unauthorised posting, failure to delete, unannounced use of sub-processors) and does not cure the breach within 7 days of written notice.
Obligations Upon Termination: Within 7 days of termination, Data Processor shall:
- Return all Personal Data to the Data Fiduciary in encrypted format, or
- Delete all Personal Data and provide written certification of deletion
- Cease all access to Personal Data
- Notify all sub-processors of data deletion
10. COMPLIANCE WITH DPDPA
Data Processor acknowledges and agrees that this Agreement is governed by the Digital Personal Data Protection Act, 2023, and that:
- They are acting as a Data Processor on behalf of the Data Fiduciary and have no independent right to process Personal Data for their own purposes.
- They shall comply with all applicable provisions of the DPDPA, including Sections 5 (consent), 6 (notice), 8 (security and retention), and 12 (erasure).
- They shall not use Personal Data in any manner that violates the DPDPA, including facial recognition, automated profiling, or cross-database matching without explicit prior written consent.
11. DISPUTE RESOLUTION
Any dispute arising from this Agreement shall first be subject to good-faith negotiation between the parties for 14 days. If unresolved, disputes shall be escalated to arbitration under the Indian Arbitration and Conciliation Act, 1996, with a single arbitrator based in [Jurisdiction]. Costs shall be borne equally.
12. SIGNATURES
For the Data Fiduciary:
Name: _________________________ | Signature: _________________ | Date: _________
Designation: ___________________ | Email: _________________ | Phone: _________
For the Data Processor:
Name: _________________________ | Signature: _________________ | Date: _________
Designation: ___________________ | Email: _________________ | Phone: _________
Witness (if required):
Name: _________________________ | Signature: _________________ | Date: _________
NOTE: This template must be signed before the photographer begins work. Retain a signed copy for your Section 8 compliance file.
How to Deploy This
Sign before the event begins. The Data Fiduciary (event organiser or exhibition management company) must sign Section 12 with the photographer, videographer, or PR agency before they enter the venue and begin capturing images. Unsigned processing is a violation of Section 8.
Keep evidence of signing. Retain the executed agreement (both original and scanned copy) in a dedicated compliance folder. The Data Protection Board will ask for this if an attendee files a complaint about unauthorised use or deletion failure.
Specify retention periods clearly. Fill in the exact number of days (typically 30–60 days post-event). If you need longer retention for legal or tax reasons, document this separately in writing and ensure the photographer agrees.
What if the photographer refuses to sign? Do not hire them. Unsigned processing exposes you to ₹250 crore in penalties under Section 8 alone. Explain that DPDPA now requires this—they are a mandatory Data Processor. If they refuse, escalate to your event management committee or insurance provider.
Termination checklist: If you terminate mid-event (e.g., photographer posts unauthorised content), immediately send written termination notice requiring deletion certification within 7 days. If they do not comply, file a complaint with the Data Protection Board and notify affected individuals of the Breach within 30 days per Section 11.
Sub-processor changes: If your photographer wants to use a new cloud storage vendor or editing service mid-event, require their written proposal first and approve/reject within 2 working days. Do not allow “just-in-time” sub-processor decisions.
What Happens Without This Document
Without a signed Data Processor Agreement, you lose protection under Section 8 and become directly liable for the photographer’s practices.
Scenario 1: Unauthorised Posting (Most Common) Your exhibitor photographer uploads