Wedding Photographer Data Erasure: Section 12 Compliance in 6 Key Steps
| Applies to | Wedding Photography & Studios operating in India |
| Primary law | DPDPA 2023 · Section 12 |
| Penalty ceiling | up to ₹200 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-07 |
| Source | DPDPAReady Compliance Team |
Understanding DPDPA Section 12: The Right to Correction and Erasure
Every couple you photograph—the bride, groom, family members whose names and phone numbers appear in your booking records—holds four explicit legal rights under DPDPA Section 12. They can demand you correct misspelled names, complete missing address fields, update phone numbers, or permanently erase their personal data. Refusing these requests exposes your studio to penalties up to ₹200 crore and regulatory action from the Data Protection Board.
Section 12 of the DPDPA, 2023 states:
“A data principal shall have the right to correct inaccurate personal data, complete incomplete personal data, update personal data, and erase personal data, in accordance with the provisions of this section. A data fiduciary shall comply with a request under this section, unless retention is required by any other law for the time being in force.”
For a wedding photographer, this means:
- A client cannot be forced to stay in your database against their will
- Misspelled names and outdated contact details must be corrected on request
- Data kept beyond its original purpose must be deleted on request
- You cannot charge fees for honoring these rights
- Retention of data must have a lawful basis—otherwise, erasure is mandatory
6-Step Compliance Checklist for Wedding Photography Studios
Step 1: Define and Disclose Your Data Purpose and Retention Period At the point of booking, provide written notice: “We collect your personal data to deliver wedding photography services. Your booking contact details will be retained for 3 years to comply with tax law; personal contact information will be deleted 6 months after your wedding unless you request otherwise.” This establishes the lawful basis for retention and signals to clients that data will be erased when no longer necessary.
Step 2: Implement a Data Correction Process Create a simple form (email, WhatsApp, or web portal) where clients can request corrections. When a client notifies you—“My last name is spelled Sharma, not Sharm in your records”—correct it within 14 days and send written confirmation. Document every correction in a compliance log (name, date, data changed, completion date). This demonstrates compliance under Section 12.
Step 3: Establish a Documented Erasure Request Workflow When a client requests deletion—“Please delete our photos and personal details after 6 months”—acknowledge in writing: “Erasure request received on [date] for [couple name]. We will delete all personal data and images on [future date].” Store this acknowledgment. Section 12 requires you to act on erasure requests; written acknowledgment proves you took the request seriously and act intentionally, not negligently.
Step 4: Execute Technical Data Deletion with Proof For wedding photographers, technical deletion includes:
- Removing client names, phone numbers, and email addresses from your booking management system
- Deleting client names from photo albums or online galleries (unless renewed consent is obtained)
- Purging payment information after tax retention period (6 years for GST records, but only the minimum invoice data—not contact details)
- Ensuring cloud backups (Google Drive, AWS, Dropbox, etc.) are also purged within the deletion timeline
- For on-premises storage, ensure backup files are also deleted, not just the primary database
Step 5: Respond Within 30 Days Section 12 does not mandate a specific deadline, but compliance standards expect acknowledgment within 5 days and execution within 30 days of a correction or erasure request. If you need more time (e.g., to verify the person’s identity or to isolate data across multiple systems), communicate the reason and revised timeline in writing.
Step 6: Maintain a Permanent Compliance Register Keep a record that shows:
- Date of request received (correction or erasure)
- Client name and booking reference
- Type of request (correct, complete, update, or erase)
- Data involved (e.g., “phone number,” “full wedding album,” “address”)
- Date request was fulfilled
- If refused, the lawful reason (e.g., “tax law requires retention of invoice data until 2032”)
This register is your legal defense. If a dispute arises, it demonstrates Section 12 compliance.
Section 12 vs. Studio Contracts: Which Law Wins?
A common scenario: A couple signed your booking contract stating “All wedding photos remain the studio’s property and portfolio showcase for 5 years.” Six months later, they request erasure under Section 12. Conflict.
DPDPA Section 12 overrides contractual clauses. The couple has a statutory right to erasure of their personal data. You cannot defend non-compliance by pointing to a contract term. However, the law distinguishes between personal data and creative works:
- Personal Data (must be erased on request): Bride’s name, groom’s name, phone numbers, addresses, family member names, email addresses, payment card details, booking notes
- Creative Works (may be retained, but requires anonymization or renewed consent): The photograph itself—once you’ve removed identifying personal data from metadata and tags, you can use it as portfolio content
Your studio can retain the wedding photo in your portfolio, but you must anonymize it: remove the couple’s names from captions, delete metadata linking the photo to their booking, and ensure no personal data is associated with the image. Alternatively, obtain explicit renewed consent: “May we showcase your wedding photos in our portfolio for the next 5 years? Yes / No.”
If you refuse without offering anonymization or consent renewal, you violate Section 12.
Real Wedding Photography Scenarios Under Section 12
Scenario 1: The Immediate Photo Deletion Request A bride texts: “Delete our wedding photos from your server. We no longer want them anywhere.”
- Section 12 Right: Erasure of personal data no longer necessary for the stated purpose
- Your Obligation: If you’ve already delivered the photos and fulfilled the booking, data is no longer necessary for the photography service purpose. You must delete all copies from your server, backup drives, and cloud storage within 30 days.
- Exception: If a legal hold is in place (court order, dispute) or if you’ve stored minimal anonymized portfolio data with consent, you can retain that narrowly.
- Penalty for Non-Compliance: Up to ₹200 crore if you deliberately ignore erasure requests
Scenario 2: Name Correction on Booking Form A groom’s entry shows: “Name: Arjun Kumar Singh | Bride: Priya [Last Name Blank] | Phone: 98765 43210” His wife requests: “Fix our names. We’re Arjun and Priya Sharma, not Singh.”
- Section 12 Right: Correction of inaccurate data AND completion of incomplete data
- Your Obligation: Within 14–30 days, correct Arjun’s last name to Sharma, complete Priya’s last name as Sharma. Update any related records (email list, guest list, final invoice).
- No Exemption: Even if correcting data seems inconvenient or creates minor record-keeping complications, you must do it. Section 12 requires compliance unless law forbids it.
Scenario 3: Long-Retained Payment and Contact Data A wedding occurred 9 years ago. The client requests: “I no longer have photos with you. Please delete my personal information from your system.”
- Section 12 Right: Erasure of data no longer necessary for stated purpose
- Your Potential Exemption: If GST or income tax law requires you to retain the invoice for audit purposes (typically 6 years), you can retain only the invoice line-item data (date, amount, invoice number). You must delete the client’s phone number, address, email, and personal notes unless they’re integral to the tax record.
- Your Obligation: Delete all non-essential personal data within 30 days. Provide written confirmation of what you retained and why.
Scenario 4: Update of Changed Personal Data A couple’s anniversary booking is coming up. You email their old address on file, but the email bounces. They contact you: “We moved. Please update our address to Whitefield, Bangalore.”
- Section 12 Right: Update of personal data
- Your Obligation: Correct the address within 30 days. This is a straightforward data maintenance request—you must comply. If you fail, continued use of outdated data (sending emails to invalid addresses, storing incorrect contact details) could constitute negligent data handling.
Frequently Asked Questions
Q: Can we refuse to delete wedding photos if the couple is still using our studio’s website terms of service?
A: No. Section 12 is a statutory right; your website terms of service cannot override it. If your ToS says “Clients cannot request photo deletion,” that clause is unenforceable under DPDPA. A client can demand erasure of their personal data regardless of what the website terms say. Update your ToS to comply: “Clients may request deletion of their personal information and photos by contacting us in writing. We will delete non-essential data within 30 days, retaining only data required by law.”
Q: How quickly must we respond to a data correction request from a couple?
A: Section 12 does not specify a deadline in the Act itself, but standard practice and regulatory guidance expect acknowledgment within 5 business days and completion within 30 days. Delays beyond 30 days without justified reason (e.g., needing to verify the requester’s identity) risk regulatory action. For simple corrections like name spelling, aim to complete within 7–14 days to demonstrate good faith compliance.
Q: If a couple requests erasure of their photos, can we charge a fee to process it?
A: No. Section 12 does not permit charges for exercising erasure or correction rights. Charging a fee would violate the right itself. You can only charge if the request is manifestly unfounded, excessive, or repetitive, and even then, you’re charging for the administrative cost of processing, not as a penalty or refusal mechanism. The safest approach: process corrections and erasures free of charge.
Q: Can we keep photos in a “backup” folder offline if the client requests deletion?
A: No. Erasure under Section 12 requires deletion of personal data from your systems, including backups. If you retain photos in an offline folder, external hard drive, or backup server, you’ve technically not erased the personal data. You must purge all copies—primary storage, backups, cloud archives, external drives. Document the deletion process to prove compliance.
Q: What if a client requests erasure, but we have a contract clause allowing us to keep photos for 7 years?
A: Section 12 rights override contract clauses. The client has the right to erasure of their personal data, regardless of contract terms. Your contractual right to retain photos as creative works is separate—you can argue you own the photograph as a creative asset, but you must delete the personal data associated with it (couple’s names in captions, metadata, booking notes). You cannot hide behind the contract to deny erasure. You must either (1) anonymize the photos before retaining them, or (2) delete the personal data and update your records, or (3) obtain renewed written consent to keep the photos with identifying information. Defaulting to “the contract says we can keep photos” violates Section 12.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →