Short answer: Yes – images can constitute personal data if they depict an identifiable individual. This applies both to portrait photos and situations where a person can be recognised based on, for example, clothing, surroundings or context. Therefore, images must be handled in accordance with the GDPR, especially when they are shared or stored digitally. To simplify the handling of images containing sensitive content, there are dedicated tools available – including those that can help identify GDPR-relevant content.
Photos and privacy
Today, companies use images for everything from internal documentation to marketing. It is therefore crucial for businesses to understand whether images are considered personal data and, if so, what implications this has for data protection. The UK-GDPR imposes strict requirements for protecting personal information, and any violation of these rules can have serious consequences for a business.
This guide explores whether images are regarded as sensitive personal data and how companies should manage images to remain compliant.
Are photos personal data?
You may have wondered if photos are personal data under UK-GDPR. The short answer is, yes. Photographs of living people, that can be used to identify them, are personal data.
When are photos personal data?
Under UK-GDPR, personal data refers to all information that relates to an identified or identifiable living individual. Pieces of information that can lead to the identification of someone when collected together also count as personal data.
Certainly, many images and videos can fall into this category. For example:
- Employee photos and IDs, particularly if the photographs reveal the person’s national origin, race, disabilities, etc.
- CCTV footage of people where they can be identified. Performing this type of surveillance might require a Data Protection Impact assessment (DPIA).
- High-resolution videos of people’s faces that could be used for facial recognition count as biometric data. These are special category or sensitive data under the UK-GDPR.
- A photo of someone along with its metadata. This can show a person’s location, GPS location, and more. It could be used to track someone down or incriminate them in court.
- Images of photo IDs combine a facial image with sensitive ID numbers + and other personal data. This could harm someone if it falls into the wrong hands.
When should we get consent to use photos?
Photographs taken purely for personal use are exempt from GDPR. However, companies and organizations that use a person’s photo must secure the right to use photos whenever they are used in a context where individuals can be identified or when they are used commercially. The right to use a photo involves both legal and ethical aspects, requiring consent from the individuals appearing in the image.
By proactively securing these rights in advance, you can avoid potential legal issues and show respect for those featured in the photos. A good approach is to develop a standard consent process that can be consistently applied across all relevant activities and situations where images are collected and used.
How to obtain consent to use photos
When collecting photos, it is essential to obtain explicit consent, especially when the images can identify individuals. According to GDPR, consent must be voluntary, specific, informed, and unambiguous. This means the person must clearly understand the intended use of their image and have the option to withdraw consent.
A good practice is to prepare a written consent form that outlines the purpose of the image, how long it will be used, and how it will be stored. Such a form can be provided at events, photoshoots, or as part of employee agreements. Storing consents digitally can also be helpful for easy access and management.
Start your privacy cleanup with the big picture
A GDPR Risk report gives you a complete overview of the privacy risk in your company. The report is based on a scan with DataMapper.
Photos and the Right to be Forgotten
Under UK-GDPR, British citizens can ask you to delete their personal data, including photos, in many cases. For example:
- If the data you collected about them is no longer relevant to the reason it was collected and contains sensitive personal information or if such information is outdated.
- If the person withdraws their consent for you to use their data (and you have no other legal basis for collecting it).
- If the person objects to you collecting data for direct marketing purposes.
- If the individual’s data was unlawfully processed or considered sensitive data.
- If deleting the data is legally required.
- If the data belongs to a child.
In all of these cases, you must erase the person’s data and images as soon as possible. Respond to the person with confirmation that you have deleted their photos and other personal data within 30 days.
People can also ask for information about the data you store, including photos. They can ask you to forward their data to third parties, restrict your use of it, and more. Read more about data rights here.
Using employee photos
The use of employee photos on a company’s website or in marketing materials is common practice. However, it is important to be mindful of employees’ rights, including their right to anonymity. Although many employees are willing to have their photos taken, it is still necessary to obtain their consent, especially if the images are used publicly.
When an employee leaves the company, it is also advisable to assess whether the photos are still relevant and necessary to retain. Establishing that consent is not permanent and can be withdrawn can foster a better workplace culture and respect for employee privacy.
Using photos of customers
Using customer photos can be an effective way to build credibility and engagement, but it requires extra care. Customers may feel their privacy is compromised if their images are used without permission, especially in advertising and marketing contexts. The best practice is always to ask for written consent from customers and specify how and where the photos will be used.
To streamline the process, you can create a standard consent form, which can be presented during customer onboarding in your CRM, at events, or in other situations where you collect customer photos. You should also inform customers that they can request the removal of their photos at any time.
Using photos of children
Photos of children require extra care and protection, as children are considered under GDPR to need special safeguards for their data. This means that consent must always be obtained from parents or guardians before using photos of children, especially when they can be identified. Additionally, it is important to consider whether it is necessary and appropriate to publish images of children in public or commercial contexts.
When publishing images of children, for instance, in school reports or at events, it can be beneficial to use photos where the children are not recognizable—either by taking photos from behind or by blurring faces. This provides a degree of anonymity and further protects the children.
These guidelines can help your organisation comply with the law and establish a safe and ethically responsible use of images.
Want to know more about personal data?
In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.
When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.
Keep track of your photos
To ensure that you handle sensitive image content in compliance with the UK-GDPR, I recommend establishing an effective workflow for managing images. This involves not only storing them but also documenting who has given consent and the scope of that consent. Here are some practical steps for organising and managing your images:
- Create an Image Database: A central, secure database can help you keep track of all images and associated consents. Ensure the database includes metadata, such as date, purpose, and consent information.
- Determine Storage Duration: Consider how long the images remain relevant and update your database with an expiration date for when images should be deleted. For example, you can set a deletion policy where images are automatically removed after a certain period unless renewed consent is given.
- Track Consents and Permissions: Note which images require consent and document all permissions obtained. For each person in the image, record whether they have given consent and the specific usage approved. This makes it easy to retrieve information if someone wishes to withdraw their consent.
- Access Control and Protection: Ensure that only relevant staff have access to the database, and that images are protected against unauthorised use. Consider using password protection and encryption to safeguard images from unauthorised access.
- Review and Update Regularly: Regularly review your image files and ensure consents remain valid. If a person whose image has been used withdraws their consent, you should be able to locate and remove the image quickly and effectively.
This task naturally requires time. The first step should be to identify the sensitive images you currently hold.
FAQ about images and privacy
1. When is an image considered personal data?
An image is regarded as personal data when an individual can be identified – either directly through facial features or indirectly through elements such as clothing, surroundings, body shape, or context.
2. Do I need consent to take photos of people?
Generally, yes – particularly if the image is intended for publication or commercial use. For internal purposes (such as documentation), other lawful bases may apply, but GDPR must still be observed.
3. What about photos taken in public spaces?
Although it is legal to take photos in public places, you still need to consider whether the individuals in the image can be identified – and whether the image will be used in a context that requires consent or another valid legal basis under GDPR.
4. Can I use images found on social media?
Not without caution. The fact that an image is publicly available does not mean it can be reused freely. You are still responsible for complying with data protection laws, including having a lawful basis and meeting your information obligations.
5. How do I store images lawfully under GDPR?
Images that qualify as personal data must be stored securely – for example, using encryption and access controls. You must also define the purpose of processing, establish retention periods, and document the legal basis for storing them.
Start by finding your photos with sensitive information
How can you identify all images that contain embedded sensitive terms? You could manually review every image, but that would be extremely time-consuming. Unlike text, you can’t search an image for GDPR-related terms in a straightforward way. This makes it particularly challenging to locate sensitive information within images.
At Safe Online, we’ve developed the Data Discovery tool DataMapper, which is specifically designed to identify sensitive expressions depicted in images. This could include, for example, photos of passports, driving licences, health insurance cards, tax information, patient records, and much more.
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
