Attendance · 21 April 2026 · By Harish Mehra

Face Attendance Compliance Under the DPDP Act 2023: What Indian MSMEs Must Know

A compliance-first guide to deploying face-recognition attendance in India under the Digital Personal Data Protection Act 2023 — consent, retention, vendor due-diligence, and the specific clauses that bite.

The Digital Personal Data Protection Act 2023 (DPDP) was passed in August 2023, the Rules followed in stages, and by early 2026 the operational provisions are in force. For most Indian MSMEs running a face-recognition attendance system, this is the first privacy regulation with actual teeth: not the IT Act 2000's "reasonable security practices" clause, but statutory obligations around notice, consent, data minimisation and cross-border transfer, backed by penalties of up to ₹250 crore for the most serious category of breach.

This isn't a legal advisory — for that, you need a lawyer. But it is the practical, operational checklist we run through with every Indian customer deploying face attendance on a 20–500 person team. If you already have a face attendance system installed, this is also the review you should do in the next quarter.

Why face attendance specifically?

The DPDP Act defines "personal data" broadly as any data about an identifiable individual. Biometric templates — the mathematical representation of a face that a recognition system stores for matching — are squarely personal data under this definition. In practice, regulators are treating facial biometrics with the same weight as fingerprints, iris scans, and DNA: high-sensitivity processing that triggers stricter obligations than, say, an employee's phone number.

For context: the earlier IT Act 2000 regime (with its SPDI Rules 2011) already classified biometric data as Sensitive Personal Data or Information. DPDP does not carve out a "sensitive" category at all, but the obligations it imposes on every Data Fiduciary are as strict as those the SPDI categorisation used to signal. Net effect: face attendance deployments are now in scope regardless of team size.

The six obligations that change day-to-day operations

1. Notice in a form the employee can actually read

Before an employee enrols, they must be given a DPDP-compliant notice stating:

  • The specific personal data being collected (face template, check-in timestamps)
  • The purpose (attendance tracking, payroll integration, access control if applicable)
  • Who the processors are (your company + the attendance vendor + any downstream processor)
  • Whether the data leaves India (and where to)
  • The rights the employee has (access, correction, erasure, grievance)
  • How to withdraw consent and what happens if they do

Most Indian MSMEs have this notice buried in an employee handbook signed on day one, along with everything else. That's not sufficient under DPDP: the notice has to be contemporaneous with collection and specific to the processing, and Section 5 requires that the employee be able to read it in English or in any language listed in the Eighth Schedule to the Constitution. Offices in multilingual regions typically publish Hindi and English notices at enrolment time and must be able to provide another scheduled language if an employee asks for it.

2. Consent — real consent

Consent under DPDP must be free, specific, informed, unconditional, and unambiguous. Some practical implications:

  • Bundling face attendance consent with the overall employment offer letter is problematic; the two need to be separable
  • An employee must be able to refuse face attendance without losing their job — and you need an alternative mechanism (RFID card, mobile-app check-in, manual register) ready to offer
  • Pre-ticked consent checkboxes don't meet the bar
  • Consent records must be retained — if an employee later says "I never agreed", you need to show when and how they did

For a concrete implementation, the enrolment flow in Hives.cloud's Vision captures a dated consent acknowledgement with the exact notice text shown at the moment, so the consent trail is auditable without building anything custom.

3. Data minimisation

This is the one that routinely fails under audit. A compliant face attendance system should store:

  • The mathematical face template (a feature vector; note that a template is not a hash: published template-inversion attacks can reconstruct a recognisable face from an embedding, so it needs the same protection as the photo it was derived from)
  • Timestamps of check-ins
  • Enough metadata to link the template to an employee

It should not store:

  • Raw photos or video of the face, beyond the moment of matching
  • Face images of non-enrolled individuals (visitors caught in the camera frame)
  • Location data beyond what's strictly needed for multi-site attendance
  • Behavioral profiling derived from attendance patterns (time-in-office analytics that single out an individual)

If your vendor is retaining raw photos "for audit" or "for improving the model", you have a problem. Ask, in writing, what is stored. The real industry cost breakdown is in our sibling article on what Indian MSMEs actually pay for face attendance.

4. Retention

DPDP requires that personal data be retained only for as long as it's needed for the stated purpose. For face attendance, this means:

  • Active employees: templates retained while employed
  • On resignation or termination: the template is deleted promptly, and historical attendance records are deleted or anonymised once the statutory retention period for payroll and attendance registers has run (often within 6 months, unless a specific legal reason such as a payroll audit or pending litigation requires longer)
  • Any exports used for payroll should be separated from the raw biometric template

The specific deletion workflow matters. A vendor that can't show a verifiable deletion of a biometric template — as in, can produce a log confirming the record no longer exists in their systems — is a compliance risk.
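Two of the points above, the dated consent record tied to the exact notice text (section 2) and the verifiable deletion log (section 4), are easy to get wrong in an attendance backend, so here is an added example of how a minimal enrolment store can implement both together with template-only storage (section 3). This is illustrative code written for this article, not Hives.cloud Vision's implementation; the employee ID, notice text, template bytes and HMAC key are all constructed. The template fingerprint written to the log is a keyed HMAC rather than a plain hash, so the deletion log itself does not become a reusable biometric identifier, and the log is hash-chained so a deleted or edited entry is detectable.

```python
"""Consent trail, template-only storage and verifiable deletion for face
attendance enrolment. Illustrative code for this article, not Hives.cloud
Vision's implementation; every identifier and sample value is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first audit-log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    employee_id: str
    notice_sha256: str          # hash of the exact notice text shown at enrolment
    language: str               # language the notice was shown in
    consented_at: str
    withdrawn_at: Optional[str] = None


@dataclass
class EnrolmentStore:
    log_key: bytes                                  # secret HMAC key (assumed; protect and rotate in production)
    templates: dict = field(default_factory=dict)   # employee_id -> template bytes, the only biometric data held
    checkins: dict = field(default_factory=dict)    # employee_id -> list of ISO-8601 timestamps
    consents: dict = field(default_factory=dict)    # employee_id -> ConsentRecord
    audit_log: list = field(default_factory=list)   # append-only, hash-chained events

    def _fingerprint(self, template: bytes) -> str:
        # Keyed, so the fingerprint in the log cannot be matched against a template by
        # anyone who does not hold log_key; it only proves which record was deleted.
        return hmac.new(self.log_key, template, hashlib.sha256).hexdigest()

    def _append(self, event: dict) -> dict:
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else GENESIS
        entry = {**event, "at": utc_now(), "prev_hash": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.audit_log.append(entry)
        return entry

    def record_consent(self, employee_id: str, notice_text: str, language: str) -> ConsentRecord:
        # Hash the notice actually displayed, so "what did they agree to?" stays
        # answerable even after the notice wording changes.
        rec = ConsentRecord(employee_id, sha256_hex(notice_text.encode()), language, utc_now())
        self.consents[employee_id] = rec
        self._append({"event": "consent", "employee_id": employee_id,
                      "notice_sha256": rec.notice_sha256, "language": language})
        return rec

    def enrol(self, employee_id: str, template: bytes) -> None:
        consent = self.consents.get(employee_id)
        if consent is None or consent.withdrawn_at is not None:
            raise PermissionError(f"no active consent on file for {employee_id}")
        self.templates[employee_id] = template
        self._append({"event": "enrol", "employee_id": employee_id,
                      "template_fp": self._fingerprint(template)})

    def check_in(self, employee_id: str) -> None:
        # Data minimisation: only the timestamp is kept, never the frame that matched.
        if employee_id not in self.templates:
            raise KeyError(f"{employee_id} is not enrolled")
        self.checkins.setdefault(employee_id, []).append(utc_now())

    def delete_employee(self, employee_id: str, reason: str) -> dict:
        template = self.templates.pop(employee_id, None)
        removed_checkins = len(self.checkins.pop(employee_id, []))
        consent = self.consents.get(employee_id)
        if consent is not None:
            consent.withdrawn_at = utc_now()
        # The tombstone is the deletion-verification record a customer can ask for.
        return self._append({"event": "delete", "employee_id": employee_id, "reason": reason,
                             "template_fp": self._fingerprint(template) if template else None,
                             "checkins_deleted": removed_checkins})

    def is_deleted(self, employee_id: str) -> bool:
        tombstoned = any(e["event"] == "delete" and e["employee_id"] == employee_id
                         for e in self.audit_log)
        return tombstoned and employee_id not in self.templates and employee_id not in self.checkins

    def verify_log(self) -> bool:
        # Recompute the chain; any edited or removed entry breaks it.
        prev = GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            expected = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if body.get("prev_hash") != prev or expected != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    store = EnrolmentStore(log_key=b"example-only-key")  # constructed key
    notice = "Constructed notice: a face template and check-in times will be stored for attendance."
    store.record_consent("E-1042", notice, "en")        # constructed employee ID
    store.enrol("E-1042", b"\x13\x37" * 64)              # constructed stand-in for a template
    store.check_in("E-1042")
    tombstone = store.delete_employee("E-1042", "resignation")
    print(json.dumps(tombstone, indent=2), store.is_deleted("E-1042"), store.verify_log())
```

The point of the design is that the deletion tombstone and the chain verification are what you hand to an auditor or an ex-employee: the tombstone names the record, the keyed fingerprint ties it to the template that existed, and the chain shows nobody quietly removed an enrolment event afterwards. A vendor that can produce the equivalent of `delete_employee` output and a passing `verify_log` for your tenant is answering question 5 of the checklist below properly.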

5. Cross-border transfer

Section 16 of the DPDP Act works as a blocklist, not a whitelist: the Central Government can notify countries or territories to which transfer is restricted, and the Rules allow further conditions to be attached to transfers. Which countries will be restricted, and on what conditions, was still being settled as of early 2026. For face biometric data, the conservative default is: keep it in India.

Practically, this means:

  • Cloud-hosted face attendance services should state their hosting region in writing. If templates are sitting on a server in Virginia, you are exposed the moment the United States appears on a restriction notification, and you already have a problem with enterprise customers who require Indian residency.
  • SaaS vendors headquartered outside India should provide a data-residency SLA pinning your data to an Indian region (AWS Mumbai, Azure Pune, GCP Delhi / Mumbai).
  • Backups count — if your data goes to India but the backup is replicated globally, that's still a cross-border transfer.

The Vision vs Spintly comparison calls out hosting region for both vendors; check similar questions for any alternative you evaluate.

6. Grievance redressal

Every Data Fiduciary (that's you, the employer) must publish the business contact details of a Data Protection Officer (mandatory only for Significant Data Fiduciaries) or of a named person who can answer employees' questions about their data, and must respond to rights requests and grievances within the statutory timelines (currently 30 days for most request types).

If you already have a privacy policy (you should), extend it with a named contact and a working email. A "contact@" alias that nobody reads doesn't clear the DPDP bar.

The vendor due-diligence checklist

Before you sign (or renew) a face attendance contract, ask the vendor to answer these in writing:

  1. Where are biometric templates stored? Which Indian region? Are they encrypted at rest and in transit?
  2. What is retained — template only, or raw images as well? For how long?
  3. Is data replicated outside India for any purpose, including backup and analytics?
  4. How do employee-initiated deletion requests flow through your system? What's your SLA on completion?
  5. Do you provide a deletion-verification log?
  6. How is enrolment consent captured and stored in your system?
  7. Who are your sub-processors (the fourth-party risk)?
  8. What happens to our data if we cancel the contract?

The answers to those eight questions tell you whether the vendor is DPDP-serious or DPDP-tourist.

What happens if you don't comply

The DPDP Act's Schedule sets out penalty bands. For breaches of the obligations most relevant to face attendance:

  • Failure to observe notice/consent obligations: these fall under the Schedule's residual band for any other breach of the Act or Rules, up to ₹50 crore
  • Failure to implement reasonable security safeguards for biometric data: up to ₹250 crore
  • Failure to notify the Data Protection Board of a breach: up to ₹200 crore

These are ceilings — the Board has discretion, and for a 40-person MSME with a first offence, enforcement may be graduated. But the exposure is real, and — more practically — enterprise customers in India now routinely ask for DPDP-compliance evidence as part of vendor onboarding. Non-compliance costs customers before it costs fines.

The right-shape deployment in 2026

A DPDP-aligned face attendance setup for an Indian MSME looks like:

  • Vendor hosts biometric templates in India, encrypted, with documented sub-processors
  • Enrolment includes a contemporaneous, standalone consent moment with dated audit trail
  • Retention and deletion are automated based on employment status
  • The company has a published grievance officer and a working rights-request flow
  • Alternative attendance is offered to employees who decline

That's the whole checklist. The tech is easy; the compliance discipline is what most vendors and customers have skipped. If you're evaluating Vision or any other face attendance platform in 2026, the questions above should be the first eight you send to the vendor. What comes back tells you more about their compliance posture than any marketing deck.


The broader rupee-first Indian stack story — why attendance sits alongside identity, asset, and credential management — is in our 6-product stack thesis. For compliance-specific questions on our products, write to sales@hives.cloud and we'll share the data-residency and retention specifics for your team size.

About Hives.cloud

Hives.cloud is an Indian enterprise-software company founded on 12 March 2025 by Vaibhav Sharma (Founder & CEO) and Harish Mehra (Co-Founder & COO). It builds Warden, Nectr, Vision, AMS, and Unit — paid cloud-native IT products giving Indian MSMEs a Microsoft-grade stack at rupee-first, GST-aware pricing. Plus Fixr, a free direct-to-consumer IT repair platform open to both individuals and organisations. The company also runs 0xAPI5, a cybersecurity learning community. Registered office: Delhi. Operating office: Gurugram, Haryana. GSTIN: 07AAPCP5499L1ZE.

Learn more at hives.cloud/about or contact the team at hives.cloud/contact.

Last updated: 21 April 2026