Without a legal basis, processing photographs in which someone is recognisable is in principle prohibited. The Belgian Data Protection Authority clarifies the appropriate legal basis for the processing of photographs under the GDPR.
Almost every employer processes photos of its employees or sometimes even of those external to the company (e.g., clients, contractors or family members of employees). This could happen in all sorts of situations. Think of the photos on security badges in the framework of access control, photos which can be linked within a company to an electronic account or are shared so that employees can put a face to a name (“who’s who”), photos taken at company events and shared afterwards, but also photos which are used externally, for example on the company’s website, on social media or even in marketing.
Visual material of a person has always been protected, also prior to the GDPR, in the sense that the person involved had to give his/her consent for the taking and further exploitation of the photo. This follows, on the one hand, from image rights, which were created by case law, and, on the other, from the portrait rights enshrined in law, both of which require the person's consent for the taking of the photograph as well as for its reproduction or making it publicly available.
Companies usually assumed that when a person posed for a photo and did not object to this being further used, the person involved had implicitly given his/her consent. The old case law usually followed that view.
The logical question arose whether after the GDPR this reasoning could still be followed. According to the GDPR, a company needs a certain legal basis for the processing of personal data and there are only two relevant legal grounds for the processing of photographs: on the one hand, the subject’s consent, on condition that the consent is freely given, specific, informed and unambiguous, or on the other hand, the company’s (or a third party’s) legitimate interests which outweigh the person’s interests, in which case the processing of the photo is necessary to serve those interests.
The first legal basis – consent – requires the most preparation since the company will need to be able to prove such consent in case of dispute. A specific, informed consent form, either signed in writing or electronically accepted (e.g., by ticking a checkbox), which clearly states why the photos are taken and processed, has to be provided.
The second legal basis – the legitimate interests – implies less administration, although the company still has to give the information required in accordance with the GDPR (which also is the case for consent). But in this case, the person cannot block the processing beforehand by not consenting.
In both cases, the person can dispute the processing afterwards, either by withdrawing consent (in case of consent as the legal basis), or by objecting to the processing (in case of legitimate interests as the legal basis). The withdrawal of consent only has consequences for the future: the consent which was given beforehand justifies the past processing either way. If a person objects to processing for which the employer relied on its legitimate interests, the past processing can also be disputed. In that case, the employer will have to be able to argue that its interests are even more imperative to proceed with the processing.
The Data Protection Authority (DPA) has now, in response to our questions on this topic, clarified which legal basis is appropriate. According to the DPA, consent is the appropriate legal basis for the processing of photos which are “nice to have” for a company, and not “need to have” within the framework of legitimate interests. For the processing of photos necessary in the framework of, for example, a company’s safety policy – think of identification photos on badges – an employer could, in other words, rely on legitimate interests. This is not possible for processing which is not strictly necessary within the framework of a legitimate interest: such photographs would include those aimed at improving good relations, depicting a pleasant working environment or social cohesion at work, or those published on the website with the commercial consideration that clients want to know who they are dealing with. In those cases, the employer will have to ask for the photographed person’s consent.
The fact that employees are generally considered not to be able to give their consent freely to their employers does not prevent this. According to the DPA, such consent is possible – and in this case also appropriate – if the employee does not suffer any disadvantage if he/she withholds it.
> Action point
It is important to map in which cases your company processes photos and, subsequently, to determine which processing activities require consent. If the company decides not to rely on consent, it is important – as was confirmed by the DPA – to document the reasoning prior to this decision, taking into account the accountability principle.