How to Comply with GDPR Article 7 for Photos and Videos of Employees
Businesses face a number of challenges with the GDPR when using photos or videos of employees. If an individual in those photos or videos can be identified, then those files are considered to be personal data.
This means that companies need to be able to comply with the GDPR for photos and videos in a similar way that they would do for the personal data of customers or prospects.
In our blog post "Best Practices for GDPR compliance when using employee photos", we looked at how companies can identify whether their use of photos and videos of employees is compliant with the GDPR. One of the main challenges they're faced with is Article 7 of the GDPR, also known as Conditions of Consent.
In this article, we explain what that means for companies and demonstrate how Fotoware enables them to keep track of consent for photos and videos of their employees easily and efficiently and avoid expensive fines for personal data breaches through accidental misuse of these digital assets.
What is Article 7?
Article 7 of the GDPR sets out four conditions of consent, outlining what is required by the data controller when obtaining consent, as well as how they should collect it, and what rights the data subject has.
Consent is defined in the GDPR Article 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. These conditions of consent are summarized below, which states that consent must be:
(1) Demonstrable - the data controller (organization) must be able to show that the data subject (employee) has consented to their personal data (photos or videos) being processed.
(2) Distinguishable and Accessible - when a data subject (employee) is asked to give consent in a written context which also includes other matters (eg. an employment contract), the request for consent must be clearly distinguishable, intelligible, easily accessible, and using clear and plain language. Essentially, the data subject must be able to clearly identify what they are consenting to.
(3) Able to be withdrawn - the data subject (employee) has the right to withdraw their consent at any time and must be fully informed of how to do this. It should also be just as easy to withdraw consent as to give consent.
(4) Not conditional unless necessary - consent must be freely given and cannot simply be added as a condition of a service. However, there are exceptions, such as in circumstances where consent to process personal data is dependent on the condition of service.
Example: Companies will often want to use photos or videos of their employees in external marketing, but in most cases this is not required or necessary for the service they provide to the company. Therefore consent should not be bundled together as a condition of service in this instance. However, if a company hires a model or actor, obtaining consent is necessary in the condition of service since the reason they are being employed is to feature in photos or videos for the company.
In keeping with the topic of this article, we have added clarifications in parentheses to identify how this applies to an employer-employee relationship.
Learn more: 5 things you should know about GDPR for images
How Fotoware helps companies to comply with the GDPR Article 7
Step 1: Upload and tag your photos or videos
When you upload your files into Fotoware, you are able to add metadata tags to make them searchable (instead of saving them into folders). This means you can tag photos and videos of an employee with things like their name or ID number, so you can easily find every photo or video of them with one simple search. This also helps you to comply with the GDPR Article 17 - also known as the Right to Erasure. Read more about Article 17 here.
Tip: to comply with Article 7(1), you can upload the employee's consent form and use the same metadata tags that you have used for photos or videos featuring the employee. This means you can easily access and demonstrate that they have given consent.
Step 2: Set Consent Status
In Fotoware, you can use markers to identify the status of your digital assets, enabling all those who work with these assets to quickly tell whether or not they have permission to use them.
It is also possible to set an expiry date, so if you only have consent to use an asset for a set period of time, the consent status will automatically change to reflect that it is no longer available to use.
Step 3: Using Consent Status Markers
By setting the consent status when you upload your photos and videos of employees, you can enable those who work with these assets to identify whether or not they have permission to use them, via markers. Markers are small icons that visibly display information, like the consent status or usage-rights for your assets (eg. social media, website, internal)
Step 4: Enable employees to withdraw consent on individual photos and videos
In Fotoware, employees can withdraw their consent at just the click of a button. In line with Article 7(3), withdrawing consent needs to be an easy process, and you can let them simply select if there are any assets that they would specifically not like to be used, by revoking them. This makes it easier for your employees to review their own photos after a photo shoot, for example.
If you’re worried about whether your organization is GDPR-compliant in its use of photos and videos of employees, we hope this article has helped to show how you can overcome some of the challenges with relative ease and efficiency.
Read more: Consent Management for effective GDPR compliance
Want to learn more?
Talk to one of our experts to discover how we can streamline your organization's content workflows.