The new European privacy law, the GDPR, came into effect in May 2018.
Its goal is to better protect the privacy of European citizens.
The GDPR gives individuals greater control over their personal data. Citizens now have the right to:
Any information that can describe a person is considered "personal data." Obvious examples include names and addresses, but IP addresses and even photographs can also fall under protected personal data.
If this information can be used to identify a person, the GDPR applies, and consent is required to use that data. If identification is not possible, the GDPR does not apply.
A photograph can lead to the identification of a person. This is especially true when the photo is used as an identification tool, such as in staff directories or passport photos. In these cases, a photo is considered personal data and falls under GDPR.
This is one of the more complex aspects of GDPR. How easily can someone be identified in a photo taken in public? The law assumes that the photographer is the "data controller." This means the photographer is responsible for assessing whether a person in the image is identifiable.
This is not always straightforward. Larger organizations often have more advanced tools to assess identifiability, while independent photographers may have fewer resources. Still, the responsibility remains with the creator.
Copyright and portrait rights have long governed the rights of both the photographer and the subject. GDPR does not replace these laws but complements them. Photography remains possible, though explicit consent may be required in certain situations.
Ultimately, it all comes down to whether a photo qualifies as personal data. If it does, publishing it without consent is not allowed. This aligns with existing portrait rights, which allow subjects to object to publication.
Publishing means making a photo available outside the private circle of the subject—for example in books, newspapers, websites, or on social media platforms like Facebook, Twitter, Instagram, or Pinterest.
Taking and publishing photos is only permitted if there is a valid legal basis under GDPR. In practice, this means you cannot simply publish everything you photograph—you need consent from the subject or their legal representative. This principle already existed in copyright law, and GDPR clarifies it further.
Any use of personal data must have a legal basis. Without it, storing or processing that data is not permitted.
The GDPR defines the following legal grounds:
In photography, the most relevant grounds are typically points 1, 4, and 6. Consent is self-explanatory.
In portrait photography, when you are hired by a subject, a contract is automatically established. This allows you to take and store the photos. However, additional permission is usually required for publishing the images—unless this is already included in the agreement.
This also applies when you create a portrait commissioned by a third party rather than the subject themselves.
Photos taken for journalistic purposes often fall under "legitimate interest" and may be taken on that basis. However, consent may still be required for storage and further processing. Legitimate interest implies that the photo is necessary for professional or business purposes.
This overview of GDPR is not exhaustive. More details can be found through official sources. What matters most is that, as a photographer, you respect privacy regulations—even if they may sometimes seem complex.