Navigating India’s DPDPA 2023: A Compliance Guide for Handling Photographs of Individuals
The Digital Personal Data Protection Act, 2023 (DPDPA) and its accompanying rules have ushered in a new era of accountability for businesses handling personal data in India. Among the most overlooked, yet critical aspect, of compliance is the management of photographs. Under the DPDPA, images that identify individuals qualify as personal data, triggering strict obligations for consent, storage and deletion. Let’s break down what this means for your organisation, with practical examples to guide compliance.
When Is a Photographer a Data Fiduciary and When a Data Processor?
Under India's DPDPA 2023 and its rules, a photographer can either be a Data Fiduciary or a Data Processor, depending on how they handle personal data.
Photographer as a Data Fiduciary
A photographer is a Data Fiduciary when he/she independently decide the purpose and means of processing photographs. This includes:
- Running a professional studio and using client photos for promotions.
- Storing client photos for future sales without explicit instruction.
- Maintaining an online database of client images.
Photographer as a Data Processor
A photographer is a Data Processor when he/she processes images on behalf of a Data Fiduciary. This includes:
- Being hired for a wedding or event where all photos are given to the client.
- Editing and retouching images as per instructions from a company.
- Providing photography services where the client controls usage.
Example: If a wedding photographer stores guest photos and sells them as prints, he/she is a Data Fiduciary. If he/she merely take pictures and hands them over to the couple, he/she acts as a Data Processor.
1. When Is a Photograph Considered 'Personal Data'?
Under the DPDPA, any image that allows identification of a person qualifies as personal data. This includes:
- Group photos (e.g., team pictures at corporate events).
- Candid or accidental captures (e.g., an employee walking into the frame during a product shoot).
- Partial identifiers (e.g., a tattoo, birthmark, or unique clothing visible in the image).
Example: A company posts a photo of its employees celebrating Diwali on its website. Even if one employee’s face is partially obscured, his distinctive wrist tattoo makes him identifiable. This image falls under the DPDPA’s definition of personal data, requiring compliance.
2. Consent Is King: Documenting Permission under Section 6
The DPDPA mandates explicit, informed consent (Section 6) for:
- Collection: Taking photos (e.g., during a corporate event or employee headshots).
- Processing: Editing, cropping, or archiving images.
- Usage: Publishing photos on websites, social media, or marketing materials.
Withdrawal of Consent: Individuals can revoke consent at any time and organisations must act promptly.
3. Right to Erasure: Beyond 'Unpublishing'
Under the DPDPA, Individuals have the right to:
Withdraw consent at any time (Section 6(6)).
Request erasure of their photos (Section 12), including removal from websites, social media, or archives.
Correct/update inaccurate or incomplete data (Section 12)
- Unpublishing: Removal from websites, social media, or print materials.
- Permanent deletion: Erasing all copies from servers, backups and archives (not just moving to a recycle bin).
4. Data Fiduciary Responsibilities: Who’s Accountable?
The Data Fiduciary (your company) is legally responsible for ensuring compliance. This includes:
- Training staff on photo-handling protocols.
- Auditing third-party vendors (e.g., photographers, designers).
- Implementing technical safeguards (e.g., encryption, access controls).
5. How Photographers Can Simplify Compliance
Photographers act as Data Processors under the DPDPA. A compliant photographer can:
a) Collect Consent at the Source
Provide digital consent forms for subjects to sign before the shoot.
b) Minimise Post-Processing
Deliver photos in final formats (e.g., JPEG) to avoid unnecessary editing.
c) Organise Files for Easy Management
Use clear file names (e.g., “EmployeeID_ConsentDate.jpg”) for tracking.
d) Scrub Metadata
Remove EXIF data (e.g., GPS location, camera details) embedded in photos.
e) Stay Updated on DPDPA Changes
Advise clients on evolving compliance requirements.
6. Avoiding Costly Mistakes: Real-World Scenarios
Scenario 1: The Accidental Group Photo
A tech company posts a team photo on LinkedIn. An employee in the background, who never consented to being photographed, is recognised by a colleague. Under the DPDPA, the company must delete the photo and may face penalties for unauthorised processing.
Scenario 2: The Viral Marketing Campaign
An e-commerce brand uses customer photos from a contest in an ad campaign. One participant withdraws consent, but the brand forgets to remove their image from billboards. This constitutes a DPDPA violation.
7. Penalties for Non-compliance
The DPDPA imposes fines of up to Rs250 crore per violation for failures such as:
- Processing photos without valid consent.
- Ignoring deletion requests.
- Inadequate security measures leading to data breaches.
Best Practices Checklist
- Always obtain explicit consent in writing or digitally.
- Label and organise photos for easy tracking and deletion.
- Train employees on photo-handling protocols.
- Audit third-party vendors (photographers, printers, cloud-providers).
- Implement metadata scrubbing tools for all published images.
For marriage photographers imagine the humour: -
Big Fat Indian Wedding Meets Data Protection: Sign before You Smile!
It’s a grand wedding in Delhi—dhols are beating, aunties are grooving, and somewhere in the middle of the glittering chaos, the wedding photographer is chasing guests… with consent forms.
“Sir, please sign here before we capture your dance moves.”
Bride’s father, sweating under his sherwani, is perplexed. “Beta, why are you giving me a contract before taking the photo?”
“Uncle, under India’s DPDPA 2023, we need explicit consent before capturing personal data—aka your dazzling face!”
Guests roll their eyes as the photographer’s assistant approaches the buffet line. “Sir, before you take that paneer tikka, can you confirm consent for being in the background of the wedding video?”
One enthusiastic uncle, stuffing gulab jamuns into his mouth, mumbles, “I consent to food. Film away!”
Innovative Wedding Invitations: RSVP & Consent Clause!
To avoid last-minute confusion, the bride and groom have taken a bold step—the wedding invitation doubles as a legal contract.
Sample Invitation:
"We cordially invite you to the wedding of Meera & Rohan. By attending, you consent to being photographed, video recorded, and possibly ending up in a viral Instagram reel with hashtags #JustMarried #BigFatDPDPACompliantWedding. If you do not wish to be filmed, kindly wear a giant sticker saying ‘No Photos’ or sit in the ‘Privacy-Compliant’ section near the restroom.”
Gate Crashers & Free Loaders: The New Wedding Villains
While most guests are happy to sign the consent form, the real troublemakers are the wedding gatecrashers.
Picture this: A random uncle, who no one knows, sneaks in for some free biryani. Just as he’s about to enjoy his fourth round of dessert, he’s approached by a Consent Verification Officer (CVO) (aka, the groom’s techie cousin).
CVO: “Sir, could you please sign this consent form before appearing in the wedding footage?”
Gatecrasher Uncle, nervous: “Uh… I’m with the bride’s side.”
CVO checks the guest list. No sign of ‘Mr. Ramesh Sharma.’
“Sir, no consent, no food. Also, please step aside for a privacy audit.”
Two security guards, dressed as baraatis, swoop in and escort him out—ensuring that wedding freeloaders are not just denied food but also erased from existence (aka wedding photos).
Last Thoughts | Final Takeaway: Sign or Starve!
Photographs are more than just visuals—they are personal data requiring meticulous care under India’s DPDPA. By partnering with compliant photographers, maintaining robust consent systems, and prioritizing individuals’ rights, organisations can avoid legal risks while building trust. As the DPDPA evolves, staying proactive will be key to turning compliance into a competitive advantage.
oh.. and as the wedding concludes, the photographer sighs in relief—all guests who ate were either invited or had signed consent. Gatecrashers have been dealt with, and the bride’s father is thrilled that privacy laws have actually saved some money (fewer freeloaders = lower catering bill).
The wedding video rolls out with a disclaimer:
"No uninvited guests were harmed (or fed) in the making of this celebration."
The End, but yes do you need FREE Templates of consent forms and DOCs CLICK TO DOWNLOAD
(This article first appeared on dpdpa.com, a site maintained by Adv Dr Mali)
(Advocate (Dr) Prashant Mali is an internationally renowned Cyber & Privacy Lawyer with a Master's in Computer Science and Law, and holds a Ph.D. in Cyberwarfare & International Cyberlaw. He is a sought-after expert who has represented Fortune 500 companies, celebrities, and governmental agencies. An author of six books and numerous research papers, one of his books serves as an official textbook in prestigious academic institutions. Beyond law, he is actively involved in charitable activities and cyber education initiatives to support underprivileged communities.)
