How Does GDPR Affect How You Handle Client Photos?

Jun 12, 2018

Topic: Protecting Your Photographs
Time Investment: 6 Minutes
Suggested Product: Online Marketing Bundle


Following our earlier articles addressing GDPR for photographers based outside of the EU (and particularly in the USA), we received a number of questions asking what GDPR means for the storage of photographs. If you don’t know what GDPR is, or you have questions about how this law even applies to you because you are in the US, read this article about GDPR and your photography business first, before you read this one about GDPR and photographs!

Let’s start by restating the definition of personal data in the General Data Protection Regulation (GDPR). The regulation’s own term is “personal data”; this article uses the more familiar “personally identifiable information” (PII) for the same thing.

Personal data is “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.”

You’ll notice that there is no mention of images. But you’ll also notice that it includes any information by which someone can be “directly or indirectly identified”. Does that mean it includes photographs?

Maybe. Let’s break this down a little more.

Some commentators argue that photographs contain biometric information about the face, that this makes them sensitive data, and that they are therefore personal data under GDPR. The regulation itself is narrower on the first point: Recital 51 says photographs count as biometric data only when they are processed through specific technical means that allow a person to be uniquely identified (facial recognition, for example), so a portrait is not automatically sensitive, special-category data. What is clear under GDPR is that processing PII needs a lawful basis. For most photographers that basis will be consent, and member states provide exemptions for purposes such as journalism and artistic expression.


So, if a photograph of someone’s face is covered by GDPR as PII, what does that mean for you, the photographer?

You would need explicit consent to store, process, or publish the image, unless you have another lawful basis, such as a contract with the client, a legal obligation, or (in limited cases) employment or government-mandated purposes.

You would need to inform any individual in the EU of their data privacy rights under GDPR, including the right of access, the right to erasure (they can request to have their personal data erased unless it is needed to fulfil a legal obligation), the right to data portability (they can request their data in a structured, machine-readable format), and the right to withdraw consent (it must be as easy to withdraw consent as it was to give it), among others.

Now, as a photography business, you most likely own the copyright in the images you store. To cover your bases, your model release should record the client or model granting you a release to use their likeness in promotion and advertising, and it should clearly articulate the client’s contractual obligations that allow your continued use of the image.


What about old photos?

If you had contractual consent to share an image of a subject at the time you first did so, that consent generally carries over, with some caveats: consent given before 25 May 2018 remains valid only if the way it was obtained meets the GDPR standard (Recital 171). This is why making sure your contract is solid is a great place to start!

Under GDPR, if the subject of the photo withdraws consent for you to process, store, or publish that image, you may need to remove it. However, that applies where consent is your lawful basis. If instead the subject agreed in a contract to your use of the image, the contract is the lawful basis: there is no consent to withdraw, and no automatic right to require you to remove or erase the images.

It is a good general business practice to have a clear data and document retention policy and to adhere to it. What this might mean is that you decide that you will delete stored copies after a specified period of time and that you communicate this to clients at the time of the shoot.

But, here’s the kicker. Other commentators, including some legally trained ones, are arguing that unless a photograph is used for identification purposes or in direct connection with other personal data, then it is not covered by GDPR.


So where to go from here? Does GDPR apply to photographs?

It is going to depend on context and the facts of the situation. Think about this from the point of view of the authors of GDPR.

Say an image of a person, with no name, job, age, location or anything else uniquely identifying attached, was “stolen” or breached. The risk to the rights and freedoms of the image subject is likely to be considered minimal.

In a different scenario, imagine that your web-based customer relationship management software (CRM) is linked to your online photo galleries for specific clients; that it contains names, addresses, copies of contracts and signed waivers linked to those images; and all of this was breached. This could have a significant impact on the privacy rights and freedoms of the individuals involved.


So, tell me already! Does GDPR apply to photographs?

Despite what some service providers are claiming, the GDPR does not list photographs as sensitive (special-category) personal data! However, a photograph in which a person is identifiable can still be personal data, and it certainly comes under GDPR when it is stored with other attached or connected information.

For images in which an individual covered by GDPR is identifiable, you should have explicit consent for processing, including storage and future publication, if there is no other lawful basis for processing. Your model releases and contracts should be updated to demonstrate GDPR compliance.

It is mandatory to obtain the consent of a parent or guardian to use photographs of minors (the GDPR’s default threshold is 16, though member states may lower it to as little as 13). Your model release and contract should already address the specific situation of minors. See this article for more on photographing minors.

Because metadata can supply enough additional information to turn a photograph into identifying data, photographs should be handled with care. Exif data written by the camera commonly includes GPS coordinates, the camera body serial number and an Artist or owner name, and the IPTC/XMP fields added in editing software often carry the subject’s name and a caption. Use appropriate technical measures to protect this data: do not publish galleries that anyone can browse without authentication, serve them over HTTPS (TLS, what older guides call SSL), use other secure storage options, and strip metadata from images before you publish them.
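The metadata point above can be checked mechanically. What follows is an added example, not code from the original article: a small standard-library Python tool that walks a JPEG’s segments, reports the Exif tags that identify a person, camera or place (Artist, Make, the GPS sub-IFD and so on; tag numbers are from the Exif 2.3 specification), and writes a copy with the Exif/XMP, IPTC and comment segments removed while keeping the JFIF header, colour tables and image data. The sample JPEG is constructed inline for the demonstration (its scan data is a stand-in, so it will not decode as a picture), and the names Jane Doe, Canon and 12 Example Street are invented.

```python
"""Find and strip identifying metadata (Exif, XMP, IPTC, comments) from a JPEG.
Standard library only; SAMPLE_JPEG is constructed below (its scan data is a stand-in).
Tag numbers are from the Exif 2.3 specification."""
import struct

SOI, EOI, SOS, DQT = 0xD8, 0xD9, 0xDA, 0xDB
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
# Exif IFD0 tags that can identify a person, a camera or a place.
ID_TAGS = {0x010F: "Make", 0x0110: "Model", 0x013B: "Artist", 0x8298: "Copyright",
           0x8825: "GPSInfo", 0xA430: "CameraOwnerName", 0xA431: "BodySerialNumber"}

def iter_segments(data):
    """Yield (marker, start, end) per segment up to SOS, which runs to end of file.
    Standalone markers (SOI, RSTn, EOI) never precede SOS in a well-formed file."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 3 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:                                # entropy-coded data follows
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _entries(tiff, offset, endian):
    """Yield (tag, type, count, raw 4 value/offset bytes) for each entry of one IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for e in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, count, tiff[e + 8:e + 12]

def parse_exif_ifd0(payload):
    """Return {name: value} for ID_TAGS in IFD0; GPSInfo maps to the GPS sub-IFD entry count."""
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header in Exif segment")
    u32 = lambda b: struct.unpack(endian + "I", b)[0]
    found = {}
    for tag, typ, count, raw in _entries(tiff, u32(tiff[4:8]), endian):
        name = ID_TAGS.get(tag)
        if tag == 0x8825:                                # pointer to the GPS sub-IFD
            found[name] = sum(1 for _ in _entries(tiff, u32(raw), endian))
        elif name and typ == 2:                          # ASCII: inline if count <= 4, else offset
            s = raw[:count] if count <= 4 else tiff[u32(raw):u32(raw) + count]
            found[name] = s.rstrip(b"\x00").decode("ascii", "replace")
    return found

def report(data):
    """Summarise identifying metadata in APP1 (Exif/XMP) and COM segments."""
    findings = {}
    for marker, start, end in iter_segments(data):
        payload = data[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            findings.update(parse_exif_ifd0(payload))
        elif marker == APP1 and payload.startswith(XMP_HEADER):
            findings["XMP"] = payload[len(XMP_HEADER):].decode("utf-8", "replace")
        elif marker == COM:
            findings["Comment"] = payload.decode("latin-1")
    return findings

def strip_metadata(data):
    """Copy the JPEG without APP1 (Exif/XMP), APP13 (IPTC) and COM; JFIF, ICC, tables and scan data stay."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if marker not in (APP1, APP13, COM):
            out += data[start:end]
    return bytes(out)

# --- constructed sample: every name and location below is invented ---
def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def _sample_exif():
    """Little-endian TIFF: IFD0 (3 entries) at 8, strings at 50, GPS IFD at 66, rationals at 96."""
    artist, make = b"Jane Doe\x00", b"Canon\x00"
    tiff = b"II" + struct.pack("<HIH", 42, 8, 3)
    tiff += struct.pack("<HHII", 0x010F, 2, len(make), 59)
    tiff += struct.pack("<HHII", 0x013B, 2, len(artist), 50)
    tiff += struct.pack("<HHII", 0x8825, 4, 1, 66) + struct.pack("<I", 0)
    tiff += artist + make + b"\x00"                                  # pad GPS IFD to even offset
    tiff += struct.pack("<HHHI", 2, 0x0001, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef, inline
    tiff += struct.pack("<HHII", 0x0002, 5, 3, 96) + struct.pack("<I", 0)  # GPSLatitude -> rationals
    tiff += struct.pack("<6I", 51, 1, 30, 1, 0, 1)                   # 51 deg 30' 0" N
    return EXIF_HEADER + tiff

SAMPLE_JPEG = (
    bytes([0xFF, SOI])
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, _sample_exif())
    + _segment(APP1, XMP_HEADER + b"<dc:creator>Jane Doe</dc:creator>")
    + _segment(COM, b"shoot at client's home, 12 Example Street")
    + _segment(DQT, bytes(65))                                       # placeholder quantisation table
    + bytes([0xFF, SOS]) + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56" + bytes([0xFF, EOI])                           # stand-in scan data, then EOI
)

if __name__ == "__main__":
    print("before:", report(SAMPLE_JPEG))
    print("after: ", report(strip_metadata(SAMPLE_JPEG)))
```

Run it directly to see the metadata found before and after stripping. Two limits are worth knowing: stripping Exif does not remove a name or address that was also burned into the picture or written to a sidecar file, and the stripped copy is only what you publish; the original, with its release on file, stays in your access-controlled archive.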

Update your privacy policy! Remember that under GDPR, if there is no other lawful basis to rely on for collecting or processing data, clear, unambiguous consent must be obtained and stored in written (or recorded verbal) form. Once consent has been obtained, your photography business must protect the confidentiality of those photographs until they are destroyed, with the caveat that contractual agreements can provide a basis for publishing the images with a name, location or other PII attached. Make sure your privacy policy details the information collected and how it will be used.

As a final note: the GDPR runs to 99 articles and 173 recitals (about 88 pages in the Official Journal), and it is a complex set of rules. The full implications for photography businesses will not be clear for some time. Check back for more information.


Check out our GDPR-compliant website terms bundle here.

