DPDP and Worker CCTV: What Indian Factories Must Do
Video of your workers is personal data under India's Digital Personal Data Protection Act, 2023. A factory filming its floor must post clear CCTV signage, fix one lawful purpose, capture only what that purpose needs, cap retention, and restrict access. Most substantive duties bite from 14 May 2027 — but the discipline should start with your next camera.
You almost certainly already run cameras. The DPDP Act does not tell you to switch them off — it tells you to run them like governed data, not like a passive DVR nobody thinks about. This guide translates the Act into the handful of things a plant head in metal, textile, auto-components, pharma or FMCG actually has to do, and when.
Why worker footage falls under the DPDP Act
The DPDP Act, 2023 governs "digital personal data" — any data about an identifiable person, processed digitally. A recognisable worker on a networked camera feed is exactly that. So your NVR footage, your analytics events, and any clips you export to a phone are all in scope, the same way attendance and biometric data already are (official Act text, MeitY).
The good news for factories: you usually do not need to chase written consent from every worker. The Act's "legitimate uses" provision (Section 7(i)) lets an employer process personal data for the purposes of employment — including safeguarding the employer from loss, preventing corporate espionage, and protecting confidentiality — without separate consent. Safety monitoring and operational supervision generally sit here. But Section 7(i) is a permission, not a blank cheque: the Act's core principles — lawful purpose, necessity, proportionality, and the data-fiduciary duties in Section 8 — still apply in full (Section 8, General obligations of Data Fiduciary, India Code).
The phased timeline: what applies when
The DPDP Rules, 2025 were notified on 14 November 2025, and enforcement is staggered across three dates. This matters because it tells you what is legally live today versus what you have runway to build (DPDP Rules 2025 notification, PIB).
| Date | What comes into force | What it means for your floor |
|---|---|---|
| 14 Nov 2025 | Data Protection Board of India established; Act definitions operative | The regulator and complaint machinery exist now — a worker can complain today |
| 14 Nov 2026 | Consent-manager framework, cross-border transfer rules and Significant Data Fiduciary duties | Mostly relevant to consumer-data and large platforms, not core factory CCTV |
| 14 May 2027 | Substantive obligations — notice, data-fiduciary duties (Section 8), breach reporting, retention/erasure | Your hard deadline for signage, purpose, minimisation, retention and access to be in order |
The practical read: you have until 14 May 2027 for full compliance, and no grace period is expected because the Board is already sitting. Treat any new camera project between now and then as if the 2027 rules are already on — retrofitting policy onto a live deployment is more expensive than specifying it once.
The five things a factory must actually do
Strip away the legal language and DPDP-compliant worker CCTV comes down to five operational habits. Here is each duty mapped to what it means at the shop-floor level.
| DPDP principle | What it means for factory CCTV | Practical action |
|---|---|---|
| Notice / transparency | Workers must know they are filmed and why | Visible, bilingual "This area is under CCTV surveillance" signage at every entrance and monitored zone; a line in the employee handbook stating purpose |
| Purpose limitation | Film for one stated reason, don't quietly reuse it | Write down the purpose (safety, theft prevention, downtime) — don't repurpose safety footage for productivity discipline without saying so |
| Data minimisation | Capture only what the purpose needs | No cameras in toilets, washrooms, changing rooms, prayer rooms or canteens — these are widely treated as non-compliant; point cameras at machines and lanes, not resting areas |
| Storage / retention limitation | Keep footage only as long as needed | Set a fixed retention window (e.g. 30-90 days, indicative) and auto-overwrite; don't hoard a year of clips "just in case" |
| Security & access control | Protect the footage; limit who sees it | Password-protected NVR, role-based access, encrypted feeds, an access log — reasonable security safeguards are a Section 8 duty |
Signage is the cheapest compliance you will ever buy
Of the five, signage and a written purpose are near-zero cost and the first thing any complaint or audit looks for. A clearly posted notice at each monitored zone, in English plus the local language, plus a short purpose statement in the handbook, covers the transparency duty for the employment-purpose route. For pharma and food plants under hygiene-zone rules, signage doubles as your record that gowning and restricted-area cameras exist for safety, not surveillance of individuals.
Where the money risk sits
The Act's penalty schedule is steep enough to matter to a mid-size promoter. A failure to take reasonable security safeguards to prevent a personal-data breach can attract penalties of up to ₹250 crore (indicative, per the Act's Schedule); failure to notify the Board of a breach and breaches of children's-data duties run to up to ₹200 crore; other contraventions up to ₹50 crore (Section 8 duties and penalty context, India Code). These are ceilings, not automatic fines — the Board weighs gravity, duration and mitigation — but they make "the NVR password is admin/admin" a genuinely expensive habit.
How this connects to your camera plan
DPDP is easiest to satisfy when you decide where cameras point and why before you mount them — because purpose limitation and data minimisation are placement decisions, not paperwork. A camera aimed at a press guard or a forklift lane is defensibly a safety purpose; one pointed at a canteen table is a problem waiting for a complaint.
This is exactly the gap Mama closes at the front of a project: you record a short phone walkthrough of the floor, and it reads the space — zones, sightlines, hazards, resting areas — then returns a floor plan plus a camera-placement plan that keeps lenses on machines and lanes and off private areas. You get a layout that is data-minimised by design, before a single bracket is drilled.
FAQ
Do I need every worker's consent to run factory CCTV? Usually not. Section 7(i) of the DPDP Act permits processing for the "purposes of employment" — including safety and safeguarding the employer from loss — without separate consent. But you still owe transparency (signage/notice), purpose limitation, data minimisation, retention limits and reasonable security under Section 8.
Can I put cameras anywhere in the plant? No. Data minimisation and privacy expectations mean cameras in toilets, washrooms, changing rooms, prayer rooms and canteens are widely treated as non-compliant and intrusive. Point cameras at machines, production lines, gates and walkways — not at spaces where workers rest or change.
When do I actually have to be compliant? The DPDP Rules were notified on 14 November 2025, with substantive obligations phased in to 14 May 2027. That is your practical deadline for notice, retention, minimisation and security to be in place. The Data Protection Board is already operative, so complaints can be filed now — don't wait until 2027 to start.
How long can I keep worker footage? The Act requires storage limitation — keep it only as long as the stated purpose needs. There is no single mandated number for CCTV, so set and document a fixed window (commonly 30-90 days, indicative) with automatic overwrite, and don't retain footage indefinitely.
What is the penalty if we get it wrong? Under the Act's Schedule, failing to take reasonable security safeguards can attract penalties up to ₹250 crore (indicative ceiling); other breaches run lower. The Board sets the amount case by case, weighing gravity and mitigation. The cheap insurance is basic hygiene: signage, a retention policy, and a locked-down NVR.
