
Photographers require DPDPA Compliance like Consent Forms, Data Deletion

Author: Advocate (Dr.) Prashant Mali


Navigating India’s DPDPA 2023: A Compliance Guide for Handling Photographs of Individuals

The Digital Personal Data Protection Act, 2023 (DPDPA) and its accompanying rules have ushered in a new era of accountability for businesses handling personal data in India. Among the most overlooked yet critical aspects of compliance is the management of photographs. Under the DPDPA, images that identify individuals qualify as personal data, triggering strict obligations for consent, storage, and deletion. Let’s break down what this means for your organization, with practical examples to guide compliance.

When is a Photographer a Data Fiduciary and When a Data Processor?

Under India's DPDPA 2023 and its rules, a photographer can either be a Data Fiduciary or a Data Processor, depending on how they handle personal data.

Photographer as a Data Fiduciary

A photographer is a Data Fiduciary when they independently decide the purpose and means of processing photographs. This includes:

  • Running a professional studio and using client photos for promotions.
  • Storing client photos for future sales without explicit instruction.
  • Maintaining an online database of client images.

Photographer as a Data Processor

A photographer is a Data Processor when they process images on behalf of a Data Fiduciary. This includes:

  • Being hired for a wedding or event where all photos are given to the client.
  • Editing and retouching images as per instructions from a company.
  • Providing photography services where the client controls usage.

Example: If a wedding photographer stores guest photos and sells them as prints, they are a Data Fiduciary. If they merely take pictures and hand them over to the couple, they act as a Data Processor.

1. When Is a Photograph Considered “Personal Data”?

Under the DPDPA, any image that allows identification of a person qualifies as personal data. This includes:

  • Group photos (e.g., team pictures at corporate events).
  • Candid or accidental captures (e.g., an employee walking into the frame during a product shoot).
  • Partial identifiers (e.g., a tattoo, birthmark, or unique clothing visible in the image).

Example: A company posts a photo of its employees celebrating Diwali on its website. Even if one employee’s face is partially obscured, their distinctive wrist tattoo makes them identifiable. This image falls under the DPDPA’s definition of personal data, requiring compliance.

2. Consent Is King: Documenting Permission Under Section 6

The DPDPA mandates explicit, informed consent (Section 6) for:

  • Collection: Taking photos (e.g., during a corporate event or employee headshots).
  • Processing: Editing, cropping, or archiving images.
  • Usage: Publishing photos on websites, social media, or marketing materials.

Withdrawal of Consent: Individuals can revoke consent at any time, and organizations must act promptly.

3. Right to Erasure: Beyond “Unpublishing”

Under the DPDPA, individuals have the right to:

  • Withdraw consent at any time (Section 6(6)).
  • Request erasure of their photos (Section 12), including removal from websites, social media, or archives.
  • Correct/update inaccurate or incomplete data (Section 12).

Erasure goes beyond unpublishing:

  • Unpublishing: Removal from websites, social media, or print materials.
  • Permanent deletion: Erasing all copies from servers, backups, and archives (not just moving to a recycle bin).

4. Data Fiduciary Responsibilities: Who’s Accountable?

The Data Fiduciary (your company) is legally responsible for ensuring compliance. This includes:

  • Training staff on photo-handling protocols.
  • Auditing third-party vendors (e.g., photographers, designers).
  • Implementing technical safeguards (e.g., encryption, access controls).

5. How Photographers Can Simplify Compliance

Photographers act as Data Processors under the DPDPA. A compliant photographer can:

a) Collect Consent at the Source

Provide digital consent forms for subjects to sign before the shoot.

b) Minimize Post-Processing

Deliver photos in final formats (e.g., JPEG) to avoid unnecessary editing.

c) Organize Files for Easy Management

Use clear file names (e.g., “EmployeeID_ConsentDate.jpg”) for tracking.

d) Scrub Metadata

Remove EXIF data (e.g., GPS location, camera details) embedded in photos.

e) Stay Updated on DPDPA Changes

Advise clients on evolving compliance requirements.
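
For step (d), the following is an added example, not code from the author: a standard-library Python function that walks the JPEG segment headers and drops every APP1 segment, which is where Exif (GPS, camera details) and XMP are stored. The names `strip_app1` and `SAMPLE` are hypothetical, and the sample bytes are constructed for illustration.

```python
import struct

def _seg(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: FF, marker, 2-byte big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (valid segment layout, not a decodable picture):
# SOI, APP0/JFIF, APP1/Exif, APP1/XMP, then SOS + scan bytes + EOI.
SAMPLE = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00II*\x00GPS-PLACEHOLDER")
    + _seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x/>")
    + b"\xff\xda\x00\x02\x12\x34\xff\xd9"
)

def strip_app1(jpeg: bytes):
    """Return (cleaned_bytes, removed_labels) with all APP1 segments dropped.

    Everything from the SOS marker onward (the compressed image data) is
    copied through unchanged, so pixels are not re-encoded.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while True:
        if pos + 4 > len(jpeg) or jpeg[pos] != 0xFF:
            raise ValueError(f"malformed or truncated segment at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:              # fill byte before a marker: skip it
            pos += 1
            continue
        if marker == 0xDA:              # SOS: image data follows, copy the rest
            out += jpeg[pos:]
            return bytes(out), removed
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == 0xE1:              # APP1: Exif or XMP metadata, drop it
            is_exif = jpeg[pos + 4:end].startswith(b"Exif\x00\x00")
            removed.append("Exif" if is_exif else "XMP/other APP1")
        else:
            out += jpeg[pos:end]        # keep every other segment as-is
        pos = end

if __name__ == "__main__":
    cleaned, removed = strip_app1(SAMPLE)
    print(len(SAMPLE), "->", len(cleaned), "bytes; removed:", removed)
```

Dropping APP1 also removes the Exif Orientation tag, so rotate the pixels first if the image relied on it. Metadata held elsewhere (for example IPTC in APP13 or COM comment segments) is not touched by this function.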

6. Avoiding Costly Mistakes: Real-World Scenarios

Scenario 1: The Accidental Group Photo

A tech company posts a team photo on LinkedIn. An employee in the background, who never consented to being photographed, is recognized by a colleague. Under the DPDPA, the company must delete the photo and may face penalties for unauthorized processing.

Scenario 2: The Viral Marketing Campaign

An e-commerce brand uses customer photos from a contest in an ad campaign. One participant withdraws consent, but the brand forgets to remove their image from billboards. This constitutes a DPDPA violation.

7. Penalties for Non-Compliance

The DPDPA imposes fines of up to ₹250 crore per violation for failures such as:

  • Processing photos without valid consent.
  • Ignoring deletion requests.
  • Inadequate security measures leading to data breaches.

Best Practices Checklist

  • Always obtain explicit consent in writing or digitally.
  • Label and organize photos for easy tracking and deletion.
  • Train employees on photo-handling protocols.
  • Audit third-party vendors (photographers, printers, cloud providers).
  • Implement metadata scrubbing tools for all published images.

For marriage photographers, imagine the humour:

Big Fat Indian Wedding Meets Data Protection: Sign Before You Smile!

It’s a grand wedding in Delhi—dhols are beating, aunties are grooving, and somewhere in the middle of the glittering chaos, the wedding photographer is chasing guests… with consent forms.

“Sir, please sign here before we capture your dance moves.”

Bride’s father, sweating under his sherwani, is perplexed. “Beta, why are you giving me a contract before taking the photo?”

“Uncle, under India’s DPDPA 2023, we need explicit consent before capturing personal data—aka your dazzling face!”

Guests roll their eyes as the photographer’s assistant approaches the buffet line. “Sir, before you take that paneer tikka, can you confirm consent for being in the background of the wedding video?”

One enthusiastic uncle, stuffing gulab jamuns into his mouth, mumbles, “I consent to food. Film away!”

Innovative Wedding Invitations: RSVP & Consent Clause!

To avoid last-minute confusion, the bride and groom have taken a bold step—the wedding invitation doubles as a legal contract.

Sample Invitation:

“We cordially invite you to the wedding of Meera & Rohan. By attending, you consent to being photographed, video recorded, and possibly ending up in a viral Instagram reel with hashtags #JustMarried #BigFatDPDPACompliantWedding. If you do not wish to be filmed, kindly wear a giant sticker saying ‘No Photos’ or sit in the ‘Privacy-Compliant’ section near the restroom.”

Gate Crashers & Free Loaders: The New Wedding Villains

While most guests are happy to sign the consent form, the real troublemakers are the wedding gatecrashers.

Picture this: A random uncle, who no one knows, sneaks in for some free biryani. Just as he’s about to enjoy his fourth round of dessert, he’s approached by a Consent Verification Officer (CVO) (aka, the groom’s techie cousin).

CVO: “Sir, could you please sign this consent form before appearing in the wedding footage?”

Gatecrasher Uncle, nervous: “Uh… I’m with the bride’s side.”

CVO checks the guest list. No sign of ‘Mr. Ramesh Sharma.’

“Sir, no consent, no food. Also, please step aside for a privacy audit.”

Two security guards, dressed as baraatis, swoop in and escort him out—ensuring that wedding freeloaders are not just denied food but also erased from existence (aka wedding photos).

Last Thoughts | Final Takeaway: Sign or Starve!

Photographs are more than just visuals—they are personal data requiring meticulous care under India’s DPDPA. By partnering with compliant photographers, maintaining robust consent systems, and prioritizing individuals’ rights, organizations can avoid legal risks while building trust. As the DPDPA evolves, staying proactive will be key to turning compliance into a competitive advantage.

Oh, and as the wedding concludes, the photographer sighs in relief: all guests who ate were either invited or had signed consent. Gatecrashers have been dealt with, and the bride’s father is thrilled that privacy laws have actually saved some money (fewer freeloaders = lower catering bill).

The wedding video rolls out with a disclaimer:

"No uninvited guests were harmed (or fed) in the making of this celebration."

🎥 The End.

Contact the author: info@cyberlawconsulting.com | Know more about the author at www.prashantmali.com

For assistance in making your Data Protection Process, reach out at info@cyberlawconsulting.com.



Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest

