SEO Guides7 min read

Does Personal Data Under DPDP Include Capturing Of Pictures And Videos

An enterprise guide explaining how pictures, videos, and CCTV footage are classified as digital personal data under the DPDP Act, 2023, and how large organizations must apply the DPDP Rules, 2025 to visual media.

Written bySanket Sharma· Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated:

Does Personal Data Under DPDP Include Capturing Of Pictures And Videos

Yes, capturing pictures and videos of identifiable individuals unequivocally constitutes the processing of digital personal data under the Digital Personal Data Protection (DPDP) Act, 2023. At its core, personal data is defined as any data about an individual who is identifiable by or in relation to such data. Because a photograph or video footage inherently contains physical features, facial structures, or contextual clues linking back to a specific Data Principal, it triggers compliance obligations. Section 3(a) of the DPDP Act dictates that the law applies to personal data collected in two distinct ways: either "in digital form" (such as smartphone photos, IP surveillance cameras, and digital CCTV footage), or "in non-digital form and digitised subsequently" (such as scanning physical Polaroid prints, 35mm film negatives, or printed ID cards into a computer system). As defined under Section 1(2), the Act comes into force on dates appointed by the Central Government. Large enterprises cannot wait for full enforcement to map their unstructured visual data; any system capturing digital imagery must be subjected to immediate compliance readiness to avoid massive operational disruptions.

Exceptions: When Do Pictures And Videos Fall Outside The DPDP Act?

While the Act comprehensively covers corporate data collection, Section 3(c) explicitly carves out exceptions that compliance teams must understand so they do not over-engineer their privacy programs. First, under Section 3(c)(i), the Act does not apply to personal data processed by an individual for any "personal or domestic purpose." If an employee takes pictures of their family at home, or records a video of a personal celebration on their personal device, this falls completely outside the Act's purview. However, if an enterprise records a corporate retreat or office party, it constitutes processing for a commercial purpose and the Act applies fully. Second, under Section 3(c)(ii), the DPDP Act does not apply to visual data that is made publicly available by the Data Principal themselves, or by another person under a legal obligation. For example, if an individual voluntarily posts a video of themselves on a public blog or social media profile, enterprises scraping that specific public video are not constrained by the DPDP Act for that particular dataset. Conversely, proprietary CCTV footage captured inside a private retail store remains fully regulated.

Establishing A Lawful Purpose For Visual Data Under Section 4

If your enterprise is capturing visual media, Section 4(1) of the DPDP Act strictly dictates that you may process this personal data only in accordance with the provisions of the Act and for a "lawful purpose." Under Section 4(2), the expression "lawful purpose" is broadly defined as any purpose which is not expressly forbidden by law. However, having a lawful purpose is merely the baseline requirement. Section 4(1) further mandates that processing must rely on one of two specific grounds: either the Data Principal has given their explicit consent, or the processing qualifies under certain "legitimate uses." For most marketing videos, promotional photographs, and employee facial recognition databases, obtaining explicit consent under Section 4(1)(a) is absolutely mandatory. When relying on legitimate uses under Section 4(1)(b) for visual media - such as using CCTV to ensure corporate security or investigate employment fraud - the enterprise must strictly limit the processing to those exact operational necessities. You cannot install CCTV for office security (a legitimate use) and subsequently utilize that footage for behavioral marketing analytics without obtaining separate, explicit, and verifiable consent.

Regulatory Context For Visual Media Under DPDP Rules 2025

The DPDP Rules, 2025 introduce specific operational mandates for handling personal data, particularly regarding the issuance of itemised notices. Before or at the time of capturing photos or video, your organization must provide a clear, itemised notice detailing the specific purpose of capturing this visual media. In practical terms for CCTV surveillance, this requires placing highly visible warning signage at camera locations that includes a QR code or link directing individuals to the comprehensive privacy policy. Furthermore, enterprises must ensure notices are accessible, supporting English alongside the 22 languages specified in the Eighth Schedule to the Constitution where applicable. When an enterprise deploys facial recognition access control, or captures employee ID photos, it must log consent artefacts for this visual media just as rigorously as it does for text-based CRM records. Because Data Principals retain the right to withdraw consent, your IT architecture must be capable of identifying, isolating, and deleting specific video files or blurred imagery upon request, without relying on manual, error-prone human intervention.

Steps For Large Enterprises To Audit Visual Data Processing

With 307 days remaining until the DPDP hard compliance deadline of 13 May 2027, data protection teams must rapidly evaluate how visual media is captured, stored, and shared across the entire enterprise. First, proactively update your Record of Processing Activities (RoPA) to explicitly include all endpoints that store unstructured photos, videos, and surveillance logs. Second, assign a dedicated control owner to review the data retention periods for these media files. Because data must be erased once the lawful purpose is fulfilled, indefinitely archiving surveillance footage is a direct violation of data minimization principles. Third, conduct a Data Protection Impact Assessment (DPIA) for high-volume video analytics platforms, especially if your enterprise anticipates designation as a Significant Data Fiduciary (SDF) due to the sheer scale of monitoring. Finally, verify that your cybersecurity and breach intimation workflows cover unauthorized access to unstructured media servers. The DPDP Rules, 2025 require notifying affected Data Principals without delay and sending a detailed breach report to the Data Protection Board within 72 hours if your CCTV or photo servers are compromised.

Common Misconceptions About Pictures And Videos Under DPDP

A frequent and dangerous misconception is that CCTV footage lacking name tags or text metadata is entirely anonymous and therefore exempt from the Act. If the footage clearly shows facial features allowing a specific person to be singled out and identified, it is digital personal data, regardless of whether a name is explicitly attached. Another common mistake relates to the classification of biometric or facial recognition data. The DPDP Act, 2023 has no separate sensitive-data category. Instead, all digital personal data operates under the same fundamental compliance baseline, though the volume, risk, and continuous nature associated with mass surveillance heavily contribute to your likelihood of Significant Data Fiduciary (SDF) designation by the Central Government. Additionally, compliance officers often fail to establish verifiable parental consent mechanics when recording videos at public events where children are present. The Act strictly prohibits tracking or behavioral monitoring of children, meaning crowd-scanning visual technologies must be rigorously audited to ensure complete compliance.

Evaluating Visual Data Compliance Controls And Platforms

When selecting a platform to manage DPDP compliance, Head of Compliance leaders must look far beyond basic structured text-data mapping. A regulator-ready enterprise solution must maintain immutable audit trails proving that notice was prominently displayed at points of video capture, effectively linking physical CCTV warning signs to a dynamic, digital privacy policy. The system must seamlessly track consent artefacts specifically tied to media usage, such as marketing photo release forms or HR identity verification processes. It should also deeply integrate with your existing unstructured data repositories and media servers to trigger automated deletion workflows when the specified retention period expires, drastically reducing reliance on manual oversight. Avoid lightweight tools that simply add another disconnected, theoretical dashboard to your tech stack. Instead, demand a platform that provides a concrete evidence pack demonstrating end-to-end governance over both structured text and unstructured visual data. Evaluate your enterprise visual data compliance gaps by visiting freescan.complydp.com well before the 13 May 2027 enforcement deadline.

Sources

Frequently asked questions

Do CCTV cameras in our corporate offices fall under the DPDP Act 2023?

Yes. CCTV footage captures identifiable facial features and physical attributes, making it digital personal data under Section 3 of the Act. You must ensure proper notice and establish a lawful purpose under Section 4, while adhering to data retention principles.

Are we required to get consent before taking pictures or videos of individuals?

Under Section 4(1), you may process visual personal data only for a lawful purpose, based on either explicit consent or certain legitimate uses. If you are taking promotional photos or using facial recognition, explicit consent is generally mandatory.

Does the DPDP Act apply to photos taken for personal or family use?

No. Under Section 3(c)(i), the DPDP Act does not apply to personal data processed by an individual for any personal or domestic purpose, such as capturing pictures at a private family celebration.

Are publicly posted videos regulated under the DPDP Act?

According to Section 3(c)(ii), the Act does not apply to personal data made publicly available by the Data Principal themselves, or by any other person who is under a legal obligation to make it public.

Does the DPDP Act cover old physical photographs that are scanned into our systems?

Yes. Section 3(a)(ii) explicitly states that the Act applies to personal data collected in non-digital form and digitized subsequently. Scanning physical prints into a computer brings them fully under DPDP compliance.