5 things you should know about GDPR for images

Whether you work in retail, education, healthcare, or something else entirely, you’ve likely heard about the General Data Protection Regulation (GDPR). Enacted by the EU in Spring 2018, the regulation aims to protect the fundamental rights and freedoms of individuals related to the protection of their personal data and its processing.

No matter the industry, almost every organization has to take the GDPR into consideration when gathering or managing any form of personal data, including images in which a person can be identified. It’s no secret that this can make your internal processes quite cumbersome, as many organizations use images of people for marketing and other purposes.

In this article, we’ll take you through 5 key facts about GDPR for images.

Table of Contents

#1 Personal data includes images

#2 Consent must be documented when storing or managing personal data

#3 Individuals have the right to be erased 

#4 The term ‘data controller’ encompasses a wide variety of actors

#5 Being GDPR compliant with images is possible

#1 Personal data includes images

According to the European Union, personal data refers to all information that relates to an identified or identifiable living individual, and also includes pieces of information that can lead to the identification of someone when collected together. This means that assets like images and videos can also fall into this category, and may result in GDPR breaches if not managed correctly.


Today, images are everywhere - on an organization’s website, social media pages, marketing campaigns, and much more, often featuring people. With the rise of advanced technologies like Artificial Intelligence and Cognitive Services, facial recognition and image searches are more efficient than ever, resulting in most visuals containing individuals being classified as personal data.

#2 Consent must be documented when storing or managing personal data

According to Article 7, the data controller should be able to demonstrate that consent has been given when processing personal data. This means that when storing, managing, or using images or videos featuring identifiable persons, you must be able to document that they have granted prior consent.

The featured individual also has the right to withdraw their consent, meaning that you can be forced to change the consent status of all visuals relating to them. This can be a cumbersome process, as the content may be stored in different folders and drives, making them difficult to find. Additionally, everyone you store images of must know what they’re consenting to and be informed of this right, which can be challenging to document if you rely on informal agreements.


#3 Individuals have the right to be erased

Just as individuals have the right to withdraw their consent, they also have the right to be forgotten, meaning that they may demand that you unpublish and delete all their personal data immediately. It’s not uncommon to use the same visuals across many different sites and platforms, oftentimes leaving marketing teams with a massive clean-up process should someone withdraw or change their consent.

#4 The term ‘data controller’ encompasses a wide variety of actors

The person(s), public authority, agency, or other body that either alone or jointly determines the purposes and means of the processing of personal data is referred to as the ‘Controller’ by the EU. As you may have noticed, the definition is rather broad and may encompass anyone who’s working with the data, including private individuals as well as enterprises. This suggests that people managing personal data can be held personally accountable for GDPR breaches, which already happened in a German court in early 2022.

Over the past few years, we’ve witnessed an increased focus on personal privacy that shows no signs of slowing down. Therefore, it’s likely that the German court case is just one of many that apply a broader definition to the term ‘Controller’. This may result in high-level professionals being held accountable for breaches that result from poor personal judgment or failure to abide by internal routines.

Having rules for data management is, therefore, insufficient for effective GDPR compliance. A modern organization should also ensure that it’s easy for employees to follow these rules, since mistakes are often made when the established processes are too inefficient.


#5 Being GDPR compliant with images is possible

After reading this, you may be thinking that ensuring GDPR compliance with your images is close to impossible. Fortunately, that’s not the case.

As the world becomes more complicated, so does technology, and we’re now at a place where many processes can be streamlined or automated. At FotoWare, we help several enterprises improve their processes to manage visuals in a GDPR-compliant way. If you’d like to see an example of how it can be done, click the button below to watch our 3-minute demo video.

FotoWare empowers organizations to be GDPR-compliant through proper use of its Digital Asset Management system, and cannot advise on any legal aspect of the GDPR. FotoWare makes no representation, warranty or guarantee of GDPR-compliance when using the product.
