( read 5 min)

Is Your Use of Employee Photos GDPR Compliant?

By Alex Kronenberg on February 26, 2020

If you work in marketing, communications, or HR, it’s highly likely that your job involves producing, using, or sharing employee photographs from time to time. But did you know that photos can constitute personal data under the GDPR laws? In this article, you will discover how to identify if your organization is GDPR compliant when using images of employees.

Why is this important?

Since the General Data Protection Regulation act (GDPR) came to force on May 25, 2018, there has already been more than 150 fines handed out, accumulating almost €460,000,000. For the most severe offences, an organization can be fined up to 20 million euros or 4% of its global turn-over - whichever is higher - while the framework for less severe offences includes fines up to 10 million euros or 2% of global turn-over (again, whichever is higher).

The GDPR Checklist for Images

Do you use images of employees in your marketing materials? Download the GDPR Checklist for Images to help ensure you’re compliant.

At the time of writing, there has been over 160,000 reported notifications of GDPR breaches since the 2018 deadline. Given the severity of the fines for breaching the GDPR, it is absolutely vital to ensure that your use of employee data (like photos) is GDPR compliant in order to avoid costly fines which could be extremely damaging. Read about the Top 5 GDPR fines here. 

Is your use of employee images GDPR compliant?

When it comes to working with images, there are 3 main questions you can ask in order to determine whether your organization's use of photos is in line with the GDPR:

1. Do you appropriately inform employees of their rights?

Your organization must inform its employees about their rights under the GDPR - and they must know how to exercise those rights. This includes the right to withdraw consent at any time (Article 7 - Conditions of Consent), the right to see their data (Article 15 - Right of Access), and the right to be forgotten (Article 17 - right to erasure).

2. Do you adequately obtain consent from employees?

Consent must be obtained from employees and it should be “freely given, specific, informed and unambiguous” without a fear of repercussions for choosing not to give consent. This means consent cannot simply be included as part of an employee’s employment contract. It must be clear what consent is being given for, including how the photos will be used. A standard form with a generic statement is therefore not in compliance with GDPR.

3. Can you find every image of an individual in your organization?

This is arguably the most difficult aspect of the GDPR for organizations to comply with, regarding the use of employee photos. What this means is that the employee can request for the organization to erase all their personal data, and the organization has one month to respond.

A typical example might be when the employee leaves the organization and doesn't want their image to be used any more. For the vast majority of organizations, searching and finding these images will end up being a manual task, taking hours to trawl through hundreds if not thousands of folders of photos. However, the same goes for if a current employee withdraws their consent, as per Article 7(3).

Do you suspect your organization isn't compliant?

There are plenty reasons why business aren't fond of the GDPR. It can be confusing and unclear, especially when there's no legal precedent to help understand certain situations. However, what’s absolutely certain is that organizations must process personal data about your employees, including any photographs, just as seriously as they would process customer data. The number of fines for GDPR breaches are rapidly increasing, so it’s essential that organizations make sure they are properly prepared for every process - including managing images of staff.

If you want to ensure your organization's GDPR compliance when producing or using images of employees, download the GDPR Checklist.

New call-to-action

Tags: GDPR