Are photos personal data?

Images may contain personal information such as facial expressions, clothing and background that can identify an individual. Therefore, they are subject to the EU’s General Data Protection Regulation (GDPR), which protects citizens’ privacy. This means, among other things, that people must give consent for their images to be recorded and used. Consent must be informed and voluntary, and the person must know how the image will be used and who will have access to it.

There are a number of GDPR rules associated with handling images. It is important for businesses and organizations to understand their responsibility to protect individuals’ privacy and personal data when handling images.

You may have wondered if photos are personal data under GDPR. The short answer is, yes. Photographs of living people, that can be used to identify them, are personal data/PII. Let’s look at different types of images that count as PII and how to handle them.

Under GDPR, personal data refers to all information that relates to an identified or identifiable living individual. Pieces of information that can lead to the identification of someone when collected together also count as personal data.

Certainly, many images and videos can fall into this category. For example:

• Employee photos and IDs, particularly if the photographs reveal the person’s national origin, race, disabilities, etc.
• CCTV footage of people where they can be identified. Performing this type of surveillance might require a DPIA (Data Protection Impact assessment).
• High-resolution videos of people’s faces that could be used for facial recognition count as biometric data. These are special category or sensitive data under the GDPR.
• A photo of someone along with its metadata. This can show a person’s location, GPS location, and more. It could be used to track someone down or incriminate them in court.
• Images of photo IDs combine a facial image with sensitive ID numbers + and other personal data. This could harm someone if it falls into the wrong hands.

Photographs taken for purely personal use are exempt from GDPR. But companies and organizations that use someone’s photograph should have one of the following legal bases for doing so:

• Consent
• Contract
• Legal obligation
• Vital interests
• Public task
• Legitimate interest

As a rule, you should get consent before using an image of someone for commercial purposes, if the following are true:

• The person in the image is recognizable
• The person is the main subject of the image

Use unchecked opt-in boxes to get consent. Alternatively, an individual can say ‘yes’ to a clear oral request for consent. Regardless of how you get consent to use a photo, keep evidence of it. Even if someone gives consent, they have the right to withdraw it at any time.

You probably store images of your employees that you use internally for security and other purposes. You may also use images of your employees on your website, and on social media. Maybe you use the images to advertise special events and to make your company feel more personal to customers.

Employee photographs are personal data under many global privacy laws, including GDPR. Therefore, you should do the following when using them:

• Give your employees proper notice about the intended purposes of use for images taken of them.
• Maintain reasonable security measures to protect the images.
• Update registrations with data protection authorities to reflect the use of the image.
• Ensure adequate protection for and international transfers of the image.
• If an employee photograph might qualify as sensitive personal data, because, for example, it reveals the person’s national origin, race, and disabilities it should get more protection, and you should get specific consent to use it.

If you take pictures of customers using your products or services, you must get consent before using the photos on your website or social accounts.

This is because anything you share on social media with your business account counts as commercial use.

For instance, suppose you are a dentist, esthetician, or hairstylist. Do you take photos of your clients to show their progress? If so do you only use the images internally, or do you share them on social media to promote your business?

If so, make sure your consent forms specify the purposes for which you will use the photos. Make it easy for people to opt out if they prefer you not to use their likeness publically.

Pay special attention to images of minors and children, as GDPR requirements for using photos of children are more stringent.

Naturally, photos of children that parents take themselves for personal use are exempt from GDPR. However, everyone else will need to treat taking, collecting, storing, and publishing images of children with extreme care and take extra precautions.

For most organizations, it is going to be vital to get clear and unambiguous consent from parents before publishing photos of children for any purpose. This includes photos of groups or class photos of children.

Avoid publishing the children’s names or other personal info along with their photos. Along with following GDPR requirements, use common sense to think about how your use of a child’s photograph could put them at risk.

If you start a new data processing activity that includes images of children, you should prepare a DPIA (Data Protection Impact Assessment). The DPIA should show that you have reviewed potential risks attached to the use of photos of minors and are taking steps to protect them.

Under GDPR, EU citizens can ask you to delete their personal data, including photos, in many cases. For example:

• If the data you collected about them is no longer relevant to the reason it was collected and contains sensitive personal information or if such information is outdated.
• If the person withdraws their consent for you to use their data (and you have no other legal basis for collecting it).
• If the person objects to you collecting data for direct marketing purposes.
• If the individual’s data was unlawfully processed or considered sensitive data.
• If deleting the data is legally required.
• If the data belongs to a child.

In all of these cases, you must erase the person’s data and images as soon as possible. Respond to the person with confirmation that you have deleted their photos and other personal data within 30 days.

People can also ask for information about the data you store, including photos. They can ask you to forward their data to third parties, restrict your use of it, and more. Read more about data rights here →

Over the years, your company has probably collected many photo IDs and screenshots of official photo IDs. Your current, former, and potential employees will have all shared copies of their passports or driver’s licenses with you at some point. Your customers and others may also share their photo IDs with you to verify their identity for security purposes.

A photo ID contains a combination of personal data that could be especially damaging to someone if the wrong person got a hold of it. Make sure you know where photo IDs are and who has access to them. Don’t keep them forever. Delete the ones you no longer need.

We suggest storing recognizable images of people that you plan to use for marketing with complete tags identifying them, together with their consent forms. Have clear policies and procedures in place to protect these images and minimize risks of complaints/data breaches.

You should keep a data inventory. This will help you minimise, monitor and protect personal data. It will also make it easy to create DPIAs. Additionally, you will be able to pull up specific person’s data quickly. This will aid you in responding on time to data access requests (DSARs) such as the right to be forgotten.

Because images and their motives are unstructured data, it is not easy to detect sensitive information in them, unless you go trough them manually or have a data discovery tools. With our DataMapper you can identify text within pictures that is classified as personal information, e.g. in:

• Passport
• Driver’s license
• National Insuarance Numbercard/Social security card
• Tax information papers
• Medical records
• Dentist information

DataMapper can find pictures in either files or images embedded in email bodies. The formats that DataMapper support is jpg, jpeg, png and heic files. The image sizes that DataMapper support are phone images of any size (the metadata will be registered) and screenshots and other images from 150kb to 6-7mb. DataMapper do not scan images from graphic sources (such as adobe) dslr cameras, etc. As a data discovery tool DataMapper can help you create a data inventory and keep track of your images.

Learn more about DataMapper →