GDPR in numbers: Using images of employees in marketing
Storing images of employees and stakeholders
Unsurprisingly, many organizations store images of employees. A total of 51% store images of all employees and 39% store images of some, but not all. While this may not always require written consent, the individual must be informed about their personal data being stored and their rights regarding withdrawing the consent later on.
Additionally, 70% of organizations store images of external stakeholders, such as customers or partners. While these people have the same rights as employees, they usually don’t have the same contracts, and are often in need of specific agreements related to the processing and use of the images in question.
Learn more: 5 things you should know about GDPR for images
Using images for marketing purposes - in compliance with the GDPR
Of the people questioned, 65% report that they sometimes use images and/or videos of employees for marketing purposes, and only 5% restrict themselves to using only visuals depicting upper management. This is a trend that has been emerging for a while, and is typically witnessed among organizations wanting a human and relatable approach, which encourage them to rely more on images of actual employees rather than generic stock photos.
Learn more: Best Practices for GDPR compliance when using photos of employees
In order to use images of private individuals for marketing purposes, one must ensure that the person is aware of this and his/her right to withdraw it later on. If, for example, one takes images of people for internal use and then later decides to use them in marketing, the recognizable individuals must be informed about this additional type of usage and their rights to withdraw their consent. However, exceptions may apply when the public representation of the company is incorporated into the employee’s contract, for example, in the case of upper management.
Learn more: How PGS ensures full control of visual assets with Fotoware
Documenting image consent - in compliance with the GDPR
According to GDPR Article 12, the data controller “shall take appropriate measures to provide any information […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language […]”. In other words, people have the right to know what they are consenting to and their rights concerning the consent.
Oftentimes, this would mean that organizations would need to gather explicit consent for processing and using images of employees. While oral agreements can work for certain instances, written documentation is usually preferable, as it provides a good digital trace and is more easily referred to. For this reason, it’s surprising to see the GDPR statistics revealing that only 37% of organizations have documented explicit consent for images with private individuals.
30% claim to have an informal agreement, while a total of 32.6% are unsure of whether depicted individuals know that their images are being processed and/or used by the organization.
GDPR Article 17. Right to erasure
Another article to keep in mind when storing and using images of employees, is Article 17, the Right to Erasure. Also referred to as the “right to be forgotten”, Article 17 demands data controllers to delete all personal data related to a specific individual, within a reasonable time, should the person request it.
While this right comes with certain limitations (for example, specific forms of data may be deemed as crucial to business operations), most corporate images would fall under the category of standard personal data and be eligible for deletion should the data subject request this.
According to our GDPR for images research and report, only 26% of organizations are able to comply with such a request quickly and easily, and 33.7% are unsure of whether it's even possible for them to comply with Article 17.
