The General Data Protection Regulation gives EU residents sweeping privacy protections for personal information, from names and addresses to location data and advertising IDs. Are photos personal data under GDPR? Knowing whether GDPR applies to photos is a big deal because infringing businesses can face fines of €10 million or more.
Any photos that can identify EU residents are subject to GDPR. These include selfies, event photos, social media images, professional photographs, and videos. The rules apply whether you use a digital camera, snap a pic with your smartphone, or take a screenshot of a video conference.
If you’re not a photographer, you may wonder whether this issue applies to you at all. In fact, there are many scenarios in which businesses must take care to comply with GDPR rules for photos:
As privacy rights become stricter, it’s more important than ever to dot your i’s and cross your t’s when it comes to the images you use.
Whenever a photo can be used to identify someone, the GDPR treats the image as personal data. In practice, this means that if the person’s face is visible, GDPR protections apply. Many photos also carry additional information that can help identify someone, such as location metadata or a recognizable view of the person’s home in the background.
High-definition images that can be used for biometric identification are especially sensitive. GDPR Article 9 lists this type of photo as a special category of personal data with strict rules for processing.
Meeting GDPR guidelines for photos is similar to following the rules for other types of personal data.
Photographers and other businesses are prohibited from taking identifying photos of EU residents unless the subjects provide explicit consent. This restriction applies to photos in public settings as well as private places.
In other words, photographers can’t use a telephoto lens to capture people relaxing at the beach, sitting on a park bench, shopping, or engaging in other activities. They would have to approach the individual and get signed consent first.
One way to work within this restriction for public photos is to blur the background. For example, if you want to photograph your place of business in a downtown area, you can focus on the building and blur any passersby in the frame.
Any time you upload images of EU residents to a website, blog, or social media account, you must get consent for international data transfer. This is because users in any country can access and save images from the internet regardless of your company’s cybersecurity standards. The consent form should clearly explain that the person’s image may be viewed or downloaded from other countries, including places without adequate data protection standards.
The GDPR gives individuals a wide range of rights related to image processing. If you want to use or store photos of EU residents, you must follow strict guidelines for:
It’s possible to get around GDPR right-to-erasure laws with formal contracts that waive this provision. This type of agreement is common when dealing with professional studios, models, and image vendors.
If you’re an employer with workers in the EU, you may wonder if you have the right to photograph employees at work or take screen recordings in videoconferencing appointments. The answer is that you still have to follow GDPR for any personally identifiable images.
That said, you can take security photos, store ID documents for legal employment purposes, and set up video chats with employees under the legitimate interests provision of the GDPR. These are all normal actions that are necessary to run your business. Many businesses include related clauses in their employment agreements or contracts.
Using employee photos for marketing purposes requires separate permission. Remember that you can’t pressure employees to appear or have their picture taken for this purpose. You must respect the person’s right to refuse.
Use an image consent form, and remember to include all relevant details regarding processing, storage, upload, erasure, and data transfer. Keep in mind that some EU countries have additional laws regarding compensation, intellectual property, and promotional images.
One exception to the GDPR’s signed consent requirements is when photographers have a legitimate interest in taking images, such as at corporate events. Businesses have a reasonable expectation of being able to photograph their own events.
To respect the rights of employees and other attendees who may be recognizable in these photos, you must still:
This legitimate interest exception for GDPR and photos doesn’t extend to the other special categories of personal data. Avoid taking images that reveal a person’s sexual orientation, religion, or private health information.
Complying with GDPR for photos isn’t easy, but it’s possible. A centralized platform with organized storage can help you keep track of images, consent forms, and other required documentation. Learn more about using Compyl for images with GDPR requirements.