5 things you should know about GDPR for images

30. March 2022

Whether you work in retail, education, healthcare, or something else entirely, you’ve likely heard about the General Data Protection Regulation (GDPR). Enacted by the EU in Spring 2018, the regulation aims to protect the fundamental rights and freedoms of individuals related to the protection of their personal data and its processing.

No matter the industry, almost every organization has to take the GDPR into consideration when gathering or managing any form of personal data, including images in which a person can be identified. It’s no secret that this can make your internal processes quite cumbersome, as many organizations use images of people for marketing and other purposes.

In this article, we’ll take you through 5 key facts about GDPR for images.

#1 Personal data includes images

According to the European Union, personal data refers to all information that relates to an identified or identifiable living individual, and also includes pieces of information that can lead to the identification of someone when collected together. This means that assets like images and videos can also fall into this category, and may result in GDPR breaches if not managed correctly.

Today, images are everywhere - on an organization’s website, social media pages, marketing campaigns, and much more, often featuring people. With the rise of advanced technologies like Artificial Intelligence and Cognitive Services, facial recognition and image searches are more efficient than ever, resulting in most visuals containing individuals being classified as personal data.

#2 Consent must be documented when storing or managing personal data

According to Article 7, the data controller should be able to demonstrate that consent has been given when processing personal data. This means that when storing, managing, or using images or videos featuring identifiable persons, you must be able to document that they have granted prior consent.

The featured individual also has the right to withdraw their consent, meaning that you can be forced to change the consent status of all visuals relating to them. This can be a cumbersome process, as the content may be stored in different folders and drives, making them difficult to find. Additionally, everyone you store images of must know what they’re consenting to and be informed of this right, which can be challenging to document if you rely on informal agreements.

#3 Individuals have the right to be erased

Just as individuals have the right to withdraw their consent, they also have the right to be forgotten, meaning that they may demand that you unpublish and delete all their personal data immediately. It’s not uncommon to use the same visuals across many different sites and platforms, often leaving marketing teams with a massive clean-up process should someone withdraw or change their consent.

#4 The term ‘data controller’ encompasses a wide variety of actors

The person(s), public authority, agency, or other body that either alone or jointly determines the purposes and means of the processing of personal data is referred to as the ‘Controller’ by the EU. As you may have noticed, the definition is rather broad and may encompass anyone who’s working with the data, including private individuals as well as enterprises. This suggests that people managing personal data can be held personally accountable for GDPR breaches, which already happened in a German court in early 2022.

Over the past few years, we’ve witnessed an increased focus on personal privacy that shows no signs of slowing down. Therefore, it’s likely that the German court case is just one of many that apply a broader definition to the term ‘Controller’. This may result in high-level professionals being held accountable for breaches that result from poor personal judgment or failure to abide by internal routines.

Having rules for data management is, therefore, insufficient for effective GDPR compliance. A modern organization should also ensure that it’s easy for employees to follow them, since mistakes are often made when the established processes are too inefficient.

#5 Being GDPR compliant with images is possible


After reading this, you may be thinking that ensuring GDPR compliance with your images is close to impossible. Fortunately, that’s not the case.

As the world becomes more complicated, so does technology, and we’re now at a place where many processes can be streamlined or automated. At FotoWare, we help several enterprises improve their processes to manage visuals in a GDPR-compliant way. If you’d like to see an example of how it can be done, click the button below to watch our 3-minute demo video.

 

FotoWare empowers organizations to be GDPR-compliant through proper use of its Digital Asset Management system, and cannot advise on any legal aspect of the GDPR. FotoWare makes no representation, warranty or guarantee of GDPR-compliance when using the product.