Is your use of employee photos GDPR compliant?

If you work in marketing, communications, or HR, it’s highly likely that your job involves producing, using, or sharing employee photographs from time to time. But did you know that photos can constitute personal data under the GDPR laws? In this article, you will discover how to identify if your organization is GDPR compliant when using images of employees.

Why is GDPR compliance important?

The General Data Protection Regulation (GDPR) stands for safeguarding individuals' privacy rights in the digital era. Compliance with GDPR is not just about adhering to legal requirements; it's about fostering trust and accountability in handling sensitive data. Failure to comply with GDPR can result in severe consequences, including hefty fines and reputational damage Since the GDPR came to force on May 25, 2018, the amount of fines handed out every year has skyrocketed in 2023. According to data from DLA Piper's GDPR Data Breach Survey, European authorities have fined companies for a total of 1.78 billion EUR over the last year, including the highest fine ever issued with a value of 1.2 billion EUR (against Meta) - A reminder of the importance of robust data protection measures.

These fines highlight the seriousness with which regulators approach data privacy violations, urging businesses to prioritize Consent Management and GDPR compliance to avoid both financial penalties and loss of trust from customers and stakeholders alike. It is absolutely vital to ensure that your use of employee data (like photos) is GDPR compliant.

 

READ MORE: 5 things you should know about GDPR for images

Is your use of employee images GDPR compliant?

When it comes to working with images, there are 3 main questions you can ask in order to determine whether your organization's use of photos is in line with the GDPR:

 

1. Do you appropriately inform employees of their rights?

Your organization must inform its employees about their rights under the GDPR - and they must know how to exercise those rights. This includes the right to withdraw consent at any time (Article 7 - Conditions of Consent), the right to see their data (Article 15 - Right of Access), and the right to be forgotten (Article 17 - Right to Erasure).

 

READ MORE: How to comply with GDPR - Article 7 for photos and videos

 

2. Do you adequately gather photo consent from employees?

Consent must be obtained from employees and it should be “freely given, specific, informed and unambiguous” without fear of repercussions for choosing not to give consent. This means consent cannot simply be included as part of an employee’s employment contract. It must be clear what consent is being given for, including how the photos will be used. A standard form with a generic statement is therefore not in compliance with GDPR.

READ MORE: Best Practices for GDPR compliance when using images of employees

 

3. Can you find every image of an individual in your organization?

This is arguably the most difficult aspect of the GDPR for organizations to comply with, regarding the use of employee photos. What this means is that the employee can request for the organization to erase all their personal data, and the organization has one month to respond.

A typical example might be when the employee leaves the organization and doesn't want their image to be used anymore. For the vast majority of organizations, searching and finding these images will end up being a manual task, taking hours to trawl through hundreds if not thousands of folders of photos. However, the same goes for if a current employee withdraws their consent, as per Article 7(3).

 

Does your company need help with GDPR compliance?

There are plenty of reasons why businesses aren't fond of the GDPR. It can be confusing and unclear, especially when there's no legal precedent to help understand certain situations. However, what’s absolutely certain is that organizations must process personal data about their employees, including any photographs, just as seriously as they would process customer data. The number of fines for GDPR breaches is rapidly increasing, so it’s essential that organizations make sure they are properly prepared for every process - including managing images of staff.

 

READ MORE: How 2 of Norway’s largest enterprises solved GDPR challenges

Fotoware empowers organizations to be GDPR-compliant through proper use of its Digital Asset Management system, and cannot advise on any legal aspect of the GDPR. Fotoware makes no representation, warranty or guarantee of GDPR-compliance when using the product.