5 things you should know about GDPR for images
GDPR regulations impact how organizations can use images of identifiable people, often making workflows more complex. This article covers five essential facts about GDPR for images, helping you stay compliant and protect individual privacy with ease.
Whether you work in retail, education, healthcare, or something else entirely, you’ve likely heard about the General Data Protection Regulation (GDPR). Enacted by the EU in Spring 2018, the regulation aims to protect the fundamental rights and freedoms of individuals related to the protection of their personal data and its processing.
No matter the industry, almost every organization has to consider the GDPR when gathering or managing any form of personal data, including images in which a person can be identified. It’s no secret that this can make your internal processes quite cumbersome, as many organizations use images of people for marketing and other purposes.
In this article, we’ll take you through 5 key facts about GDPR for images.
#1 Personal data includes images
According to the European Union, there are several categories of personal data. Personal data refers to all information that relates to an identified or identifiable living individual, and also includes pieces of information that can lead to the identification of someone when collected together. This means that assets like images and videos can also fall into this category, and may result in data protection law breaches if not managed correctly.
Today, images are everywhere - on an organization’s website, social media pages, marketing campaigns, and much more, often featuring people. With the rise of advanced technologies like Artificial Intelligence and Cognitive Services, facial recognition and image searches are more efficient than ever, resulting in most visuals containing individuals being classified as personal data.
#2 Consent must be documented when storing or managing personal data
Article 7 requires that the data controller be able to demonstrate that consent was given when processing personal data. This means that when storing, managing, or using images or videos featuring identifiable persons, you must document that they have provided prior consent.
The individual also has the right to withdraw their consent, requiring you to update the consent status of all related visuals. This can be a complex process, as the content may be stored in different folders and drives, making it difficult to find.
Additionally, those whose images you store must know what they’re consenting to and be informed of this right, which can be challenging to document if you rely on informal agreements.
#3 Individuals have the right to be erased
Just like individuals have the right to withdraw their consent, they also have the right to be forgotten. They may demand that you unpublish and delete all their personal data immediately. Since it’s common to use the same visuals across multiple platforms, marketing teams and data protection officers often face a huge cleanup task if someone retracts their consent.
#4 The term ‘data controller’ encompasses a wide variety of actors
The EU defines a ‘Controller’ as a person, public authority, agency, or other body that either alone or jointly determines the purposes and means of the processing of personal data. This definition is rather broad and may encompass anyone who’s working with the data, including private individuals as well as enterprises. This suggests that people managing personal data can be held personally accountable for GDPR breaches, as seen in a German court case in early 2022.
Over recent years, we’ve witnessed an increased focus on personal privacy that shows no signs of slowing down. Therefore, it’s likely that the German court case is just one of many that apply a broader definition to the term ‘Controller’. This may result in high-level professionals being held accountable for breaches resulting from poor personal judgment or failure to follow internal routines.
Simply having rules for data management is not enough for effective GDPR compliance. Modern organizations should ensure that their processes are easy to follow, as mistakes often happen when procedures are too inefficient.
#5 Being GDPR compliant with images is possible
You may think that ensuring compliance with your images is nearly impossible, but that's not true. As technology advances, many processes can now be streamlined or automated.
At Fotoware, we help enterprises with consent management processes so they can handle photos in a compliant way.
If you’d like to see an example of how it works, get in touch with our experts to get a demo!