GDPR regulations – everything photographers should know

We are sure you’ve heard about these four daunting letters: GDPR. You may have received a bunch of emails asking you to re-confirm your subscription to someone’s newsletter due to these new regulations.

But what does GDPR stand for and most importantly, what does GDPR mean for you as a photographer?

What is GDPR?

GDPR stands for the General Data Protection Regulation and, as the name says, protects general data of European Union citizens. As of May 25, the new GDPR rules replace the Data Protection Directive 95/46/EC.

The GDPR aims not only to protect EU citizens’ data, but also to give them insight into how their data is stored and used. That means, for example, that you now have to make it public if you’re selling people’s data to third-party marketing companies (not that you were, but just sayin’). Because the GDPR is EU law, it applies before each country’s individual legislation.

When do I have to comply with GDPR?

You have to comply with GDPR if you have European clients and are handling their data or, as we photographers do, take images of their recognizable faces and process them or post them on our websites or social media.

What does it mean to process personal data according to GDPR?

Faces count as biometric data which, in the GDPR, is defined as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data” (Art. 4 [14]).

Biometric data can be used by criminals, for example for identity theft or to gain access to buildings.

Thus, for all pictures you’re taking and processing from now on, you have to

  • get explicit consent from all recognizable individuals in the image
  • prove that processing is necessary for a contract, legal reasons, legitimate interests, and/or the performance of a task (Art. 9).

All of this has to be regulated by a contract.

Also, thanks to GDPR regulations, EU citizens have the right to access and rectify their data, to have their data erased or made available in a structured format, to file a complaint with their country’s data processing authorities, and to withdraw consent for the use of their data (Art. 28).


What are the fines for GDPR violations?

The GDPR states that in severe cases of GDPR violations, up to US $20 million may be billed and companies would have to pay “up to 4% of their total global turnover in the previous fiscal year, whichever is higher”. In less severe cases, you’re “only” looking at half of these numbers – but keep in mind that fines will vary in each individual case.

If you’re lucky, a person shown in your picture without their prior consent will tell you to take down the image. If that person decides to take legal measures, which can range from a simple threatening letter from their attorney to a full-blown trial, good luck!

So what do I have to do to comply with GDPR?

If you’re handling data of European citizens, you should update your privacy policy to explain what you’re using their data for, and ask them to re-opt-in to your newsletter with updated GDPR info.

You must store the data in a safe place – there is dedicated software for that – and use an email marketing system that complies with GDPR. Both will track when and how your client consented to you using his/her data, so you don’t need to worry about that if you ever need proof of these things (years) later.

To be on the safest side, explicitly state the use of people’s data and images in the contract or model release that they sign before shooting with you. If you’re taking pictures at an event, for example at a wedding or at a club, you should have a contract with the couple or the club owner that will state where the photos will be used – your website, social media, etc.

On top of that, to have every individual’s consent as GDPR requires, you should theoretically have everyone read and agree to a paper you pass around. Every single person should theoretically sign to give you their consent that if they’re participating in this event and you’re taking pictures, they may see their face online. But let’s be real here: What are the chances that someone is really going to hunt you down? Just sayin’ – not having everyone’s consent is definitely a risk and depending on how much time and effort you can put into these things, it may be worth it. But that’s up to you.

Last, but not least and for your amusement, check out what Marianne Chua had to say in her updated privacy policy about GDPR regulations.

Here’s an excerpt:
“I’m happy to show you the information I have on you, and unsurprisingly it’ll probably be exactly the things you’ve told me because sadly I am neither a spy nor a mind reader. If some of the information is wrong, you have the right to correct it, and I would definitely recommend this because neither of us want me turning up at the wrong wedding! If you’d like me to delete all your personal data, you have the right to request it, but I wouldn’t recommend asking for that before your wedding otherwise my journey to your wedding will become a saga akin to The Matrix films.” (Marianne Chua)