
Last Updated: 2026-02-25 ~ DPDP Consultants

Implications of the DPDP Act, 2023 on Corporate Social Responsibility (CSR) Activities


Executive Summary

The Digital Personal Data Protection Act, 2023 has changed the way organisations must handle personal data.

 Even if a company does not directly collect personal details like name, phone number, or Aadhaar from CSR beneficiaries, taking their photographs and posting them online is still considered processing of personal data because a photograph can identify a person. The DPDP Act treats any information that can identify a person as personal data. Publishing it on websites or social media is considered processing.

 This report:

  • Explains how CSR photographs become personal data.
  • Explains that the organisation becomes a Data Fiduciary (the one responsible for the data).
  • Describes what legal duties the organisation must follow.
  • Suggests proper SOPs (Standard Operating Procedures).
  • Explains how to take proper consent.
  • Covers special cases like children or vulnerable groups.
  • Discusses storage, deletion, and grievance handling.
  • Outlines the penalties that apply if the law is not followed.

In short:
Even CSR photos must be handled carefully under DPDP.

Introduction and Background

What are CSR activities?

Corporate Social Responsibility (CSR) refers to initiatives undertaken by companies for the social and economic development of communities. Under the Companies Act, 2013, eligible companies are mandated to allocate a portion of their profits toward activities such as education, healthcare, rural development, environmental sustainability, and community welfare.

During the implementation of such initiatives, organisations frequently document their activities through photographs, videos, and reports for transparency and communication purposes.

Why does DPDP apply to CSR?

The Digital Personal Data Protection Act, 2023 applies to the processing of personal data in digital form. While CSR activities are philanthropic in nature, any collection, storage, or publication of identifiable information relating to individuals falls within the scope of the Act.

Therefore, when organisations capture and publish photographs of beneficiaries on digital platforms such as websites or social media, such actions may constitute processing of personal data under the Act.

Why does photography need legal attention?

Photography in CSR activities, though often undertaken for documentation and promotional purposes, requires careful legal consideration. A photograph that clearly identifies an individual qualifies as personal data. Once such photographs are stored or published on digital platforms, they amount to processing under the DPDP Act.

Additionally, photographs may unintentionally disclose sensitive contextual information such as health conditions, socio-economic background, or association with specific programmes. In the absence of valid consent, such publication may expose organisations to legal and reputational risks.

Understanding the DPDP Act – Key Definitions Applicable to CSR

Before addressing compliance requirements, it is essential to understand the foundational definitions under the Digital Personal Data Protection Act, 2023 as they apply to CSR photography.

| Term | Statutory Definition |
| --- | --- |
| Personal Data | Any data about an individual who is identifiable by or in relation to such data. A photograph of an identifiable person qualifies. |
| Data Principal | The individual to whom the personal data relates. In CSR context, the beneficiary being photographed. |
| Data Fiduciary | Any person/entity that, alone or jointly, determines the purpose and means of processing. The organisation publishing photographs is the Data Fiduciary. |
| Processing | Includes collection, storage, use, sharing, disclosure, or deletion of personal data. Publishing a photograph is "processing." |
| Consent | Free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes, given by a clear affirmative action. |
| Deemed Consent | Consent inferred in certain legitimate use cases specified under Section 7, such as performance of state functions or medical emergencies. |
| Data Processor | Any entity processing data on behalf of the Data Fiduciary (e.g., a CSR implementing partner or photographer agency). |
| Significant Data Fiduciary | An entity notified by the Central Government based on volume and sensitivity of data processed. May attract enhanced obligations. |

How Photographs Constitute Personal Data

Under the Digital Personal Data Protection Act, 2023, personal data refers to any data about an individual who is identifiable by or in relation to such data. Identification does not require explicit details such as name or contact information; it is sufficient if a person can be recognised directly or indirectly.

A photograph that clearly captures an individual’s face enables identification. Facial features, physical appearance, attire, and surrounding context may allow a person to be recognised either by the organisation or by third parties. Even in the absence of accompanying personal details, the ability to identify an individual from the image itself brings the photograph within the scope of personal data.

Further, the Act defines processing broadly to include activities such as collection, recording, storage, use, sharing, disclosure, and publication of personal data. Accordingly, when an organisation captures photographs during CSR activities, stores them digitally, uploads them on websites or social media platforms, or circulates them through newsletters, such actions constitute processing of personal data.

Therefore, CSR-related photography is not merely documentation; it amounts to regulated data processing under the DPDP Act and must comply with the statutory obligations applicable to personal data handling.

Sensitive Dimensions of CSR Photography

CSR photographs are particularly sensitive because they often:

a)      Reveal the socioeconomic status of the subject (e.g., slum dwellers, tribal communities).

b)      Disclose health conditions (e.g., disability, malnutrition, illness-related programmes).

c)      Depict minors, who attract heightened protection under Section 9 of the DPDP Act.

d)      Capture individuals in settings that could carry social stigma (addiction rehabilitation, gender-based violence programmes).

e)      Are published on global platforms, exposing subjects to unknown secondary audiences.

Role of the Organisation: Data Fiduciary Obligations

Under the Digital Personal Data Protection Act, 2023, an entity that determines the purpose and means of processing personal data is classified as a Data Fiduciary. In the context of CSR photography, when an organisation decides to capture, store, and publish photographs of beneficiaries, it determines why and how such data will be processed. Consequently, the organisation assumes the role of a Data Fiduciary under the Act.

As a Data Fiduciary, the organisation is required to comply with certain statutory obligations:

1.      Obtain Valid Consent:

The organisation must obtain free, specific, informed, and unambiguous consent from individuals before capturing and publishing their photographs. Consent should clearly mention the purpose of use, including publication on digital platforms such as websites or social media.

2.      Ensure Reasonable Security Safeguards

The organisation must implement appropriate technical and organisational measures to protect photographs from unauthorised access, misuse, alteration, or disclosure. This includes restricted access, secure storage systems, and internal approval mechanisms.

3.      Provide Grievance Redressal Mechanism

The Act mandates that Data Fiduciaries establish a grievance redressal mechanism. Individuals whose photographs are processed must have a clear and accessible channel to raise concerns, request corrections, or withdraw consent.

4.      Delete Data When No Longer Necessary

Personal data must not be retained indefinitely. Once the purpose for which the photograph was collected is fulfilled, or if consent is withdrawn, the organisation must delete the data in accordance with prescribed retention policies.

Accordingly, organisations conducting CSR activities must recognise that photography-related practices attract the full range of obligations applicable to Data Fiduciaries under the DPDP Act.

Rights of Data Principals (Beneficiary) must be honoured

The organisation must establish mechanisms to honour the following rights of beneficiaries under Chapter IV of the DPDP Act:

 

| Right | Section | Practical Implication for CSR Photography |
| --- | --- | --- |
| Right to Access Information | Sec. 11 | Beneficiary must be told what photographs will be taken, where published, for how long |
| Right to Correction/Erasure | Sec. 12 | Beneficiary can demand removal of their photograph from all platforms |
| Right to Grievance Redressal | Sec. 13 | Organisation must have a named contact and response timeline |
| Right to Nominate | Sec. 14 | Relevant for incapacitated or deceased beneficiaries |
| Right to Withdraw Consent | Sec. 6(4) | Withdrawal must be as easy as giving consent; organisation must act on it |

 

Consent Framework under the DPDP Act

The Digital Personal Data Protection Act, 2023 places significant emphasis on obtaining valid consent prior to processing personal data. In the context of CSR photography, consent forms the legal basis for capturing, storing, and publishing photographs of beneficiaries.

For consent to be valid under the Act, it must satisfy the following essential conditions:

1.     Free

Consent must be given voluntarily, without coercion, pressure, or undue influence. Beneficiaries should not feel compelled to provide consent as a condition for receiving CSR benefits. 

2.      Specific

Consent must relate to a clearly defined purpose. A general or blanket consent for “documentation purposes” may not be sufficient. The purpose of photography and its intended use must be precisely identified. 

3.      Informed

Individuals must be provided with adequate information before giving consent. This includes details regarding how the photographs will be used, where they may be published, and the duration for which they will be retained. 

4.      Clear and Unambiguous

Consent must be expressed through a clear affirmative action. Silence, pre-ticked boxes, or implied consent may not satisfy statutory requirements. The intention to permit use of the photograph must be explicitly indicated.

 

Written Consent as a Best Practice

Although the Act permits consent in electronic form, obtaining written consent (physical or digital) is strongly advisable. Written records provide documentary evidence of compliance and reduce legal risk in the event of disputes.

Purpose Limitation in Consent

The consent form must clearly specify the platforms and purposes for which the photographs will be used, such as publication on the organisation’s website, social media channels, internal newsletters, or external stakeholder communications. Use beyond the stated purpose may amount to a violation of the Act.

Accordingly, a structured and well-documented consent framework is essential for lawful CSR photography practices.

 

Consent for different beneficiary categories

| Beneficiary Category | Consent Requirement | Special Provisions |
| --- | --- | --- |
| Adult (18+ years) | Direct written/digital consent from the individual | Must be in language understood by beneficiary; interpreter if needed |
| Minor (under 18 years) | Verifiable consent from parent or lawful guardian | Section 9: Organisation must not process in manner harmful to child; no targeted advertising permitted |
| Person with disability | Direct consent; guardian if person lacks legal capacity | Accessible formats required (audio, simple language) |
| Group/community | Individual consent from each identifiable person | One representative's consent does not cover others |
| Deceased persons (posthumous) | Consent from legal nominee, if data was provided before death | Rarely applicable in CSR; flag for case-by-case legal review |

 

Special Categories and Vulnerable Beneficiaries

While obtaining valid consent is essential in all cases, additional safeguards are required when CSR activities involve children or vulnerable individuals. The Digital Personal Data Protection Act, 2023 imposes stricter obligations in such circumstances to ensure protection of dignity and rights.

1.      Processing of Children’s Data

Where beneficiaries are children, parental or lawful guardian consent is mandatory prior to capturing or publishing photographs. The organisation must verify that consent has been obtained from the parent or guardian in accordance with statutory requirements.

Given the heightened risk associated with online publication of children’s images, organisations should exercise particular caution and ensure that such images are not used in a manner that could expose the child to harm, profiling, or misuse.

2.      Vulnerable Beneficiary Groups

CSR initiatives often engage with individuals who may be in vulnerable situations, such as patients in healthcare camps, persons with disabilities, economically disadvantaged communities, or rural populations with limited awareness of data protection rights.

In such cases, consent must not only be legally valid but also ethically sound. The organisation should ensure that individuals fully understand the implications of publication and that consent is not obtained under circumstances of dependency or unequal power dynamics.

3.      Avoidance of Exploitation or Misuse

Photographs should not portray beneficiaries in a manner that compromises their dignity, privacy, or social standing. Images that highlight poverty, medical conditions, or personal hardships for promotional purposes may raise ethical and legal concerns.

Accordingly, organisations must adopt a responsible approach to CSR documentation, ensuring that photography serves transparency and reporting objectives without resulting in exploitation, reputational harm, or misuse of personal data.

Standard Operating Procedures (SOPs) for CSR Photography

To ensure compliance with the Digital Personal Data Protection Act, 2023, organisations should establish clear Standard Operating Procedures (SOPs) governing the collection, storage, and publication of photographs taken during CSR activities. A structured SOP helps demonstrate accountability and reduces legal and reputational risks.

An effective SOP should include the following components:

SOP 1: Pre-Activity Consent Collection

Step 1: Preparation of Consent Materials

·         Prepare a bilingual Consent Form in English and the local language of the beneficiary community.

·         Ensure the form clearly states purpose of photography, platforms where photographs will be published, duration of storage, rights of the beneficiary, and contact details for grievances.

·         Prepare an audio or verbal consent script for illiterate beneficiaries.

·         Designate a trained Consent Coordinator for each field visit.

Step 2: Consent Administration in the Field

·         The Consent Coordinator must explain the consent form verbally before handing it over, not after.

·         Emphasise that participation in photography is voluntary and will not affect CSR benefit eligibility.

·         Allow beneficiaries adequate time to read, ask questions, and decide.

·         For minors, obtain consent from a parent or guardian present at the time. Do not photograph any minor without this.

·         Obtain signature/thumb impression on the form. For digital consent, use a simple digital form with GPS-tagged submission.

·         Issue a copy (physical or digital) of the signed consent form to the beneficiary.

Step 3: Documentation and Record Keeping

·         Assign a unique Consent ID to each form, linked to a secure register.

·         Photograph the signed consent form (with beneficiary permission) or digitise it before field return.

·         Securely store all consent records for the longer of the duration of photograph use or 3 years from the date of consent.

 

SOP 2: Photography Guidelines

·         Only trained and briefed photographers (internal or agency) should conduct CSR photography.

·         Photographers must carry a list of consented individuals. Photographs of non-consented individuals must not be taken.

·         No photograph of a minor should be taken unless a parent/guardian is physically present and has consented.

·         Photographs depicting poverty, illness, or distress should avoid any angle that may demean or stigmatise the subject.

·         All raw photographs must be stored in a secure, access-controlled folder immediately after the field visit.

·         Metadata including date, location, programme name, and Consent ID must be attached to each image file.

 

SOP 3: Review and Approval Before Publication

·         All photographs intended for publication must be reviewed by the Communications/CSR team.

·         Match each photograph to a valid Consent ID before approval. No consent = no publication.

·         Check whether the publication platform is within the scope of consented use (e.g., if the beneficiary consented to internal use only, do not publish on social media).

·         Apply face-blurring tools (e.g., Adobe Photoshop, Google's free tools) for any photograph of a minor where additional caution is warranted, even with consent.

·         Obtain final sign-off from the Designated Data Protection Officer (DDPO) or an authorised representative before publication on external platforms.

 

SOP 4: Privacy Notice and Publication Metadata

Every public-facing publication platform (website, social media) must display an accessible Privacy Notice that includes:

·         Identity and contact details of the Data Fiduciary.

·         Categories of personal data processed (photographs of CSR beneficiaries).

·         Purpose of processing.

·         Rights of Data Principals and how to exercise them.

·         Contact details of the Grievance Officer.

 

SOP 5: Withdrawal of Consent and Takedown Process

·         Any beneficiary (or parent/guardian for minors) may withdraw consent at any time through written request, email, phone, or in-person visit.

·         Upon receipt of withdrawal, the organisation must:

          ·         Remove the photograph from all digital platforms within 72 hours of acknowledged receipt.

          ·         Delete or anonymise the original file from the internal repository within 30 days.

          ·         Issue written confirmation of deletion to the Data Principal within 45 days.

          ·         Document the withdrawal and deletion in the Consent Register.
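
The SOP 3 publication gate and the SOP 5 withdrawal timelines can be enforced in software rather than by manual review alone. The Python sketch below is an added example, not part of the original report. The record fields follow the Annexure B register columns; the function names, the internal/external platform split, the third sample row, and counting all three SOP 5 deadlines from the acknowledged receipt are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: channels treated as internal (the page lists the intranet and
# internal newsletters as internal platforms); everything else is external.
INTERNAL_PLATFORMS = {"intranet", "internal newsletter"}


@dataclass
class ConsentRecord:
    """One consent register row; fields mirror the Annexure B columns."""
    consent_id: str
    platforms_consented: str          # e.g. "Website, LinkedIn" or "Internal only"
    minor: bool = False
    guardian_name: Optional[str] = None
    withdrawal_date: Optional[datetime] = None

    def covers(self, platform: str) -> bool:
        """True if the requested platform is within the consented scope."""
        scope = {p.strip().lower() for p in self.platforms_consented.split(",")}
        target = platform.strip().lower()
        if target in scope:
            return True
        # "Internal only" covers internal channels and nothing else.
        return "internal only" in scope and target in INTERNAL_PLATFORMS


def publication_decision(consent_id, platform, register, ddpo_signoff=False):
    """SOP 3 gate. Returns (allowed, reasons); any reason blocks publication."""
    record = register.get(consent_id) if consent_id else None
    if record is None:
        return False, ["no matching Consent ID in register"]
    reasons = []
    if record.withdrawal_date is not None:
        reasons.append("consent withdrawn")
    if not record.covers(platform):
        reasons.append(f"platform '{platform}' outside consented scope")
    if record.minor and not record.guardian_name:
        reasons.append("minor without recorded guardian consent")
    if platform.strip().lower() not in INTERNAL_PLATFORMS and not ddpo_signoff:
        reasons.append("external platform requires DDPO sign-off")
    return (not reasons), reasons


def takedown_deadlines(acknowledged_at):
    """SOP 5 deadlines, all counted from acknowledged receipt (assumption)."""
    return {
        "remove_from_platforms_by": acknowledged_at + timedelta(hours=72),
        "delete_or_anonymise_by": acknowledged_at + timedelta(days=30),
        "confirm_deletion_by": acknowledged_at + timedelta(days=45),
    }


def overdue_steps(acknowledged_at, completed, now):
    """SOP 5 steps that are past their deadline and not yet marked complete."""
    deadlines = takedown_deadlines(acknowledged_at)
    return sorted(step for step, due in deadlines.items()
                  if step not in completed and now > due)


# Constructed sample register. The first two rows follow the Annexure B
# template; the third (withdrawn) row is invented for illustration.
REGISTER = {
    "CSR-2026-001": ConsentRecord("CSR-2026-001", "Website, LinkedIn"),
    "CSR-2026-002": ConsentRecord("CSR-2026-002", "Internal only",
                                  minor=True, guardian_name="[Guardian]"),
    "CSR-2026-003": ConsentRecord("CSR-2026-003", "Website",
                                  withdrawal_date=datetime(2026, 3, 1, 10, 0)),
}

if __name__ == "__main__":
    for cid, platform in [("CSR-2026-001", "LinkedIn"),
                          ("CSR-2026-002", "LinkedIn"),
                          ("CSR-2026-003", "Website"),
                          (None, "Website")]:
        print(cid, platform,
              publication_decision(cid, platform, REGISTER, ddpo_signoff=True))
    print(takedown_deadlines(datetime(2026, 3, 1, 10, 0)))
```

Returning every blocking reason, rather than stopping at the first, gives the reviewer a complete record to file against the Consent ID.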


Platform-Specific Compliance Considerations

| Platform | Key Risks | Compliance Actions Required |
| --- | --- | --- |
| LinkedIn | Professional audiences: photographs may be shared/reshared without organisation's control | Ensure privacy settings restrict sharing; add caption disclaimers; use alt-text with Privacy Notice link |
| Instagram / Facebook | High virality; photographs easily downloaded and re-shared | Consent must explicitly cover social media; consider disabling downloads; monitor tags |
| Organisational Website | Indexed by search engines; photographs archived publicly | Add robots.txt restrictions; include Privacy Notice on photograph gallery pages; enable takedown requests |
| Internal Intranet | Access limited to employees; lower risk | Still requires consent if individuals are identifiable; restrict to employees only with access controls |
| Internal Newsletters | Distributed digitally; harder to recall | Archive all editions; consent must cover email distribution; issue correction/removal notices for recalled content |
| External Stakeholder Newsletters | Recipients outside organisation; limited control after dispatch | Highest scrutiny required; obtain specific consent for external distribution; maintain recipient records for audit |

 

 

Storage, Retention, and Deletion Protocols

In compliance with the Digital Personal Data Protection Act, 2023, organisations must adopt clear policies governing the storage, retention, and deletion of photographs collected during CSR activities. Since photographs constitute personal data when individuals are identifiable, they cannot be stored indefinitely without justification.

1.      No Indefinite Storage

Personal data must be retained only for as long as it is necessary to fulfil the specific purpose for which it was collected. Storing photographs permanently without a defined purpose may amount to excessive retention and may expose the organisation to legal risk.

2.      Defined Retention Period

The organisation should establish a documented retention policy specifying how long CSR-related photographs will be stored. The retention period should be reasonable and linked to reporting, documentation, or communication needs. Once the defined period expires, the data should be reviewed and securely deleted unless a lawful basis for continued retention exists.

3.      Deletion Upon Withdrawal of Consent

If a beneficiary withdraws consent, the organisation must take appropriate steps to delete the photograph from its active records and digital platforms, subject to technical feasibility and legal requirements. Consent withdrawal mechanisms should be clearly communicated and operationalised in practice.

4.      Secure Storage and Restricted Access

Photographs must be stored in secure digital systems with appropriate access controls. Only authorised personnel should have access, based on role and necessity. Technical safeguards such as password protection, encryption where appropriate, and controlled sharing mechanisms should be implemented to prevent unauthorised access, alteration, or disclosure.

Grievance Redressal Mechanism

The Digital Personal Data Protection Act, 2023 mandates that every Data Fiduciary establish an effective grievance redressal mechanism to address concerns relating to the processing of personal data. In the context of CSR photography, this requirement ensures that beneficiaries have a formal channel to raise complaints or seek clarification regarding the use of their photographs.

1.      Appointment of a Grievance Officer

The organisation must designate a Grievance Officer responsible for handling complaints related to personal data processing. The details of the Grievance Officer, including name, contact information, and communication channels, should be clearly published on the organisation’s website and included in consent forms or notices provided during CSR activities.

2.      The Grievance Officer should be responsible for:

·         Receiving and acknowledging complaints,

·         Investigating concerns,

·         Facilitating withdrawal of consent where requested,

·         Ensuring timely resolution in accordance with statutory timelines.

3.      Clear Communication to Beneficiaries

Beneficiaries must be informed about their right to raise grievances and the procedure for doing so. This information should be provided at the time of obtaining consent and should be written in simple and understandable language.

The organisation should ensure that complaint mechanisms are accessible, including options such as email, written application, or designated helpline, particularly in cases involving rural or vulnerable communities.

An accessible and responsive grievance redressal system not only ensures compliance with the DPDP Act but also strengthens trust and accountability in CSR initiatives.

Penalties and Risk Matrix

Non-compliance with the Digital Personal Data Protection Act, 2023 may expose organisations to significant legal, financial, and reputational consequences. Even though CSR activities are philanthropic in nature, failure to comply with statutory data protection obligations can attract enforcement action.

1.      Statutory Penalties 

The DPDP Act prescribes substantial monetary penalties for contraventions, particularly in cases involving failure to obtain valid consent, inadequate security safeguards, or non-fulfilment of data principal rights. Depending on the nature and severity of the breach, penalties may extend to significant financial amounts as determined by the competent authority. Accordingly, organisations must treat CSR-related data processing with the same seriousness as commercial data processing.

2.      Reputational Damage

Beyond financial penalties, non-compliance can result in serious reputational harm. Misuse or unauthorised publication of beneficiary photographs, especially those involving children or vulnerable communities, may attract public criticism and damage stakeholder trust. For organisations that position CSR as part of their brand identity, such reputational loss can have long-term consequences.

3.      Social Backlash

In the age of social media, concerns relating to privacy violations can rapidly escalate into public controversy. Allegations of exploitation or insensitive portrayal of beneficiaries may lead to social backlash, negative media coverage, and erosion of community goodwill.

4.      Need for Risk Assessment

To mitigate these risks, organisations should conduct periodic risk assessments relating to CSR photography practices. A structured risk matrix may evaluate factors such as:

·         Type of beneficiary (children, vulnerable groups),

·         Nature of platform for publication,

·         Sensitivity of context,

·         Likelihood of misuse or public scrutiny.

Proactive identification and mitigation of risks help ensure compliance, protect beneficiary dignity, and safeguard organisational credibility.

Recommendations and Conclusion

In light of the Digital Personal Data Protection Act, 2023, organisations must recognise that CSR-related photography is not merely a documentation or promotional activity. When photographs capture identifiable individuals and are stored or published digitally, they constitute personal data processing within the meaning of the Act. Accordingly, CSR initiatives fall within the regulatory framework of data protection law.

First, obtaining valid consent must be treated as a mandatory legal requirement rather than a procedural formality. Consent should be free, specific, informed, and clearly documented. Special care must be taken in cases involving children or vulnerable beneficiaries.

Second, organisations should implement structured Standard Operating Procedures (SOPs) governing photography practices. Clear protocols relating to consent collection, secure storage, internal approvals, defined retention periods, and deletion mechanisms significantly reduce legal exposure and operational uncertainty.

Third, compliance must be viewed as an ongoing responsibility. Regular review of policies, staff awareness training, and periodic risk assessments are essential to ensure that CSR practices remain aligned with statutory obligations.

In conclusion, compliance with the DPDP Act in the context of CSR photography is not optional. Organisations must adopt a responsible and transparent approach to data handling, balancing documentation needs with respect for individual privacy and dignity. A proactive compliance framework not only mitigates legal risk but also strengthens public trust and institutional credibility.

ANNEXURE A: SAMPLE BENEFICIARY CONSENT FORM

(To be adapted into local language and organisation letterhead)

Organisation Name: _________________________________

CSR Programme Name: _________________________________

Date of Activity: _______________ Location: ___________________________

 

Dear Participant,

We are documenting our CSR activities for reporting and communication purposes. We would like to take your photograph/video during today's programme. This is entirely voluntary, and your participation in the programme will NOT be affected whether or not you agree to be photographed.

What we will do with your photograph:

·         Publish on our organisational website.

·         Share on social media platforms (LinkedIn, Instagram, Facebook).

·         Include in internal employee communications and newsletters.

·         Share in reports to external stakeholders.

Your photograph will be stored for _______ years and will be deleted thereafter.

Your Rights:

·         You may withdraw this consent at any time by contacting us at: [email / phone].

·         You may request correction or deletion of your photograph.

·         You may raise any concern with our Grievance Officer at: [name, contact].

 

[ ]  I CONSENT to being photographed/recorded and to the uses described above.

[ ]  I DO NOT CONSENT.

 

Name: ___________________________  Signature / Thumb Impression: _____________

Date: ___________________________  Consent ID (office use): __________________

 

IF CONSENTING ON BEHALF OF A MINOR:

Name of Guardian: _________________  Relationship to Minor: _________________

Minor's Name: _____________________  Minor's Age: __________________________


ANNEXURE B: CONSENT REGISTER TEMPLATE 

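| Consent ID | Name | Date | Programme | Platforms Consented | Minor? (Y/N) | Guardian Name | Withdrawal Date | Deletion Date |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CSR-2026-001 | [Name] | [Date] | [Programme] | Website, LinkedIn | N | | | |
| CSR-2026-002 | [Name] | [Date] | [Programme] | Internal only | Y | [Guardian] | | |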