In today’s age of social media, people post pictures and videos of themselves and their peers online all the time. Companies have also been increasing their use of social media to communicate their brand and let the audience meet the team behind the organisation. Because of this, it is likely that your company too, has a social media page with pictures and/or videos of employees. Considering the GDPR, there are some things one should be aware of when posting pictures and videos online. We’ll discuss the most important rules in this blog post.
Are the pictures private or work-related?
People post pictures and videos online all the time, both as private persons and as part of their professional or volunteer commitments.
From the perspective of an organisation, it’s perfectly fine for employees to post private pictures and videos of themselves online because the GDPR does not apply to private people alone.
When these pictures, however, are taken in a work-related context, or they are published by your organisation or on behalf of it, then the GDPR does apply. This is because your organisation acts as the data controller for all personal data relating to the organisation.
Pictures and videos with people in them are personal data just like any other form of personal data, and so your organisation should handle this per the principles of data protection.
Take for example an NGO or charity organisation that’s organiLsing an event to raise funds and awareness for their cause. Naturally, the organisers will want to post some behind-the-scenes pictures on their charity’s Instagram page in the run-up to the event to create some hype. These pictures of people doing work for the organisation, posted by the organisation, are subject to the GDPR.
What are legal grounds for processing?
When processing personal data in an organisation, you always need legal grounds to be allowed to process the data.
In simple terms, having legal grounds for processing pictures and videos means having permission to publish those pictures and videos.
There are several ways to get this permission.
A simple form of consent
Through a contract.
For example, the employment contract in your organisation could specify that each employee allows the use of a headshot on the company’s ‘about us’ page.
If your organisation has no such formal ways of obtaining legal grounds, it can still use something called legitimate interest. Concretely, this means that whoever is in the photo or video should have no reason to feel exposed, violated, or in any way uncomfortable when it is published. Simply ask yourself if the person in the photo or video would have any reason whatsoever to feel uncomfortable if it were published.
If you are sure there are no such reasons, you can go ahead and publish the pictures or videos.
Therefore, it is important that the employees responsible for posting pictures and videos online (e.g. the social media or marketing people) are aware of the concept of legitimate interest and how to apply it. If they are in any way unsure whether they can use legitimate interest for a particular photo or video, they should always ask the person responsible for GDPR for help.
Going back to the example of the NGO, let’s say that Sophie, the NGO’s social media manager, has taken some pictures of the preparation for the event. Among the people in those pictures is Peter. In the pictures, Peter is just putting up some decorations and hanging out with other volunteers and so Sophie thinks it’s fine to post these pictures online based on legitimate interest.
Duty of disclosure and right to object
In theory, there is no need to ask for permission to publish a photo or video when using legitimate interest as legal grounds. However, there is a duty of disclosure: you must inform the relevant persons of when and where the pictures or videos will be published to give them the opportunity to object to the material being published.
Of course, different people have different boundaries at which they’d feel uncomfortable with a photo or video being published. Therefore, it’s best practice to simply always ask for permission to publish the photo or video. This way, the person in question has an easy opportunity to object and you prevent any unpleasant surprises for both sides.
Again, the relevant people in your organisation must be aware of this duty of disclosure, so that it is always applied properly when dealing with pictures or videos.
Inn our example, Sophie informs Peter beforehand that some pictures of him will be posted on the NGO’s Instagram page. As it turns out, Peter is not very comfortable with pictures of him being posted on the Internet. Sophie is very understanding and agrees to not publish any photos with Peter in them.
Legitimate interest is not good enough for sensitive personal data
Being considered personal data, pictures and videos are also subject to distinction between normal and sensitive personal data.
Examples of sensitive personal data are:
Race or ethnicity
Religious or philosophical beliefs
Sexual relationships and/or orientation
Trade union membership
For example, pictures of employees taken in a hospital, at a political rally, or in a church would classify as sensitive personal data and need to be handled more carefully. In this case, legitimate interest is not a legal ground and you must use another way to obtain permission, such as consent.
Taking back to the example of the NGO one last time, let’s say the NGO is organising an event for a politically or religiously motivated cause. In that case, Sophie publishing a picture of Peter working at this event would mean that Sophie has exposed Peter’s political or religious beliefs. This is sensitive information that Peter may not want to be public knowledge at all. Therefore, stronger legal grounds are necessary.
Conclusion: your employees should be aware of the different legal grounds
The people in charge of your organisation’s social media pages might not always realise that not everyone is as comfortable as they are with having their faces online. That’s why it is a good idea to create a strong awareness among these employees so that they understand and can apply the GDPR rules.
In short, it is quite important to create an awareness in your organisation that, yes, photos and videos are personal data, and yes, it’s best practice to always ask for permission of the relevant people if they are comfortable with the photo or video being published. Lastly, employees should always keep in mind the stricter rules regarding sensitive personal data. And if there’s any uncertainty, employees should always consult the DPO or person responsible for GDPR in their organisation.
To create a better overview of these suggested guidelines, we have created a simple flowchart that you or your employees could use when thinking about publishing pictures or videos.
The flowchart gives your employees a quick overview about the rules for publishing pictures or videos. We hope you find the chart useful and that you learned something in the blogpost.
You can always read more about our Awareness training and our courses if you are curious.