Which GDPR rules apply to images on the internet?

The Danish Data Protection Agency has just changed its practice with regard to publishing images on the Internet. In this article, Lund Elmer Sandager takes a closer look at the importance of the changed practice of the Danish Data Protection Agency.

The data protection rules also apply to companies' publication of information about identifiable persons on the Internet. This applies, for example, to publishing images of employees on the company's website or on social media. However, it may also apply to pictures taken in connection with social or professional events held by the company.

The boundary between situational and portrait images

So far, the Danish Data Protection Agency has distinguished between two different types of images, namely portrait images and the so-called situational images.

  • Situational images typically aim to show a group of people in a particular situation, for example participants in a social or professional event.
  • Portrait images typically aim to profile one or more specific individuals, for example an employee profile on the company website.

Under the Danish Data Protection Agency's previous practice, situational pictures did not, as a starting point, require consent (with certain exceptions, including situational images of employees), while publishing portrait pictures always required consent as a starting point.

The Danish Data Protection Agency has now changed its practice so that whether publication of an image requires consent depends, to a greater extent, on a concrete assessment. This practice applies to the publication of both situational images and portrait images.

When assessing whether an image can be published, the company must, among other things, look at the nature of the image, including where and why the image was taken, the context in which the image is included and what the purpose of publishing the image is. It is imperative that the persons in the picture do not reasonably feel exhibited, exploited or violated.

If the images involve children and adolescents, special protection applies because children and adolescents are often less aware of the risks and consequences that may be associated with the publication of images.

Daily life examples

In its notification of the changed practice, which you can find here (in Danish), the Danish Data Protection Agency has listed a number of daily life examples of when images, as a starting point, require consent and when images, as a starting point, can be published without consent.

Examples of images that normally cannot be published without consent:

  • Pictures of doctor's visits, bank customers and fitness center visitors or similar.
  • Pictures of visitors in a bar, nightclub, disco or similar.
  • Pictures of employees at work in a private company or public authority.

Examples of images that can, as a starting point, be published without consent:

  • Pictures of the audience at a concert
  • Pictures of visitors in a zoo or similar
  • Pictures taken during activities in a leisure club or an association

Lund Elmer Sandager's comments

We recommend that companies organize their image publishing processes in a way that allows them to make a concrete assessment of whether an image can be published without consent. In their decision, companies can lean on the criteria and examples that the Danish Data Protection Agency has included, but there will of course be situations from time to time that fall outside the known examples, where the company must therefore carry out a specific balancing of interests.

As part of the general requirements governed by the General Data Protection Regulation (GDPR), companies should also ensure that they fulfill their disclosure obligations to the persons whose images are published, including the purpose of the disclosure.

If you need advice on GDPR and help to ensure that you use images on social media and the Internet appropriately and comply with the rules, you are welcome to contact Lund Elmer Sandager's specialists in GDPR and data protection, Associate Partner, Attorney Torsten Hylleberg or Attorney Anders Linde Reislev.