Data Protection: Regulations for Photos at Events
Nowadays, photos are taken at almost all events. According to the current GDPR, these photos of the participants are classified as personal data.
With regard to data protection of photos at events, you as the organiser have a few points to consider. Before publishing them, you should understand this topic in detail and know the applicable regulations. With Sweap, you can even lay the foundation for this before the event.
I have been working in depth on data protection and the GDPR for a long time. If you would like to learn more about these sensitive topics, you can find detailed information about them on my blog PrivacyTutor.
An important note beforehand: I am neither a lawyer nor do I have a legal background. For this reason, this text is not legal advice. Nevertheless, I have researched the topic to the best of my knowledge and belief and think that it will provide you with the most important principles.
GDPR and photos at events: What is the current status?
As an event organizer, you are subject to strict rules regarding the data protection of photos from your events.
As the person responsible, you have a duty to inform your guests. You must therefore inform visitors that photos and videos will be taken at the event.
For example, you can place a sign at the entrance with a corresponding notice. If visitors buy tickets in advance, you can inform them that photos will be taken at the event. There are also numerous sample forms that you can use to obtain consent.
The participants must be informed in advance about, e.g., who will be taking photos, what will happen to them and what rights they have. The situation is different for so-called "accessories".
If a person can only be seen at the edge of a photo and is not in the foreground, he or she is considered an accessory. In order to be allowed to publish this picture, you do not need their consent.
5 years GDPR
The implementation of the General Data Protection Regulation (GDPR) has brought significant changes to the event industry in the past five years. Event professionals play a crucial role in ensuring GDPR compliance within their organizations. Key considerations include establishing a lawful basis for data processing, minimizing data collection, managing consent effectively, evaluating third-party vendors' compliance, implementing data security measures, understanding international data transfer rules, and adapting to technological advancements.
GDPR also affects event registration, ticketing, virtual and hybrid events, marketing and communication strategies, cross-border events, event contracts, and privacy notices. Notable penalties have been imposed on organizations for non-compliance, emphasizing the importance of adhering to GDPR regulations.
The future of GDPR may involve updates, evolving regulations, technological advancements, enhanced rights for data subjects, privacy impact assessments, and collaboration with data protection authorities. By prioritizing GDPR compliance, event professionals can protect participants' privacy, enhance data security, and build trust in the industry.
Art Copyright Act (KUG): Also relevant for event photos?
If photographs or films are taken at your event, not only the GDPR but also the German Art Copyright Act (KUG) could be relevant. This legal text regulates the right to one's own image.
According to the KUG, the right to one's image falls under the right of personality. Each person may therefore decide for themselves which pictures of them are published and which are not. So here, again, it is stipulated that you need consent before publication.
What is interesting is the contradiction that arises between the GDPR and the KUG. Because according to the KUG, such consent cannot be revoked (§ 22 KUG). However, the GDPR states that the declaration of consent must be revocable at any time (Art. 7 para. 3 GDPR).
After the GDPR came into force, the state did not regulate whether the KUG continues to exist and when which regulation is authoritative. Therefore, even lawyers currently find it difficult to make a generally valid statement on this important topic.
The KUG also has exceptions: Similar to the GDPR, this law also allows publications with people as accessories. Photos of meetings and other large events may also be published without consent.
The 3 most important questions
Whether you may publish images and whether it is explicitly necessary to obtain consent from each participant can vary from event to event. The following three questions are decisive for this.
1. Where will the photo be published?
A general distinction is made between internal and external publication of the images. Group photos, for example, can be used internally if individual persons are not recognisable on them. You can also lower the resolution so that faces can no longer be identified even with a zoom.
If, on the other hand, you want to publish the photos externally, for example on social networks or on your website, then you should obtain consent in advance. Because especially in social media, unlawful publication can quickly lead to considerable problems.
2. Who is being photographed?
If you want to photograph individuals or small groups of people, you should definitely obtain consent beforehand. It is important that the photo does not cause any disadvantages for the persons concerned.
Photographing guests in unpleasant situations, or in settings that could damage their reputation, and then publishing the pictures can get you into a lot of trouble. No matter whether they are published internally or externally.
3. Is it a public or private event?
If you take photos at private events and want to publish them externally afterwards, you should take care of a declaration of consent in advance, as already recommended. The situation is different for publicly advertised events.
The decisive factor is whose interests prevail in the case of publication. If you want to use the photos as documentation for a successful public event, the photos can be used - just make sure that individual persons are not in the foreground.
However, if the photos are detrimental to the persons concerned, then the interests of those photographed prevail and you could be in breach of the GDPR.
Who is liable in the worst case for breaches of data protection?
If all else fails, you have to ask yourself who is actually liable for a data breach. First and foremost, it is you as a legal entity or as a natural person. You probably bear the economic risk, make important decisions and appear to the outside world as the organiser and are therefore also responsible for possible missteps.
However, co-organisers or staff are not excluded from this. You can also be liable if you do not properly collect, process or store personal data. This could be the catering agency, the landlord or the website operator, for example.
If a data breach occurs, you should report it immediately to your data protection officer. He or she has 72 hours to decide whether you need to report it to the supervisory authority.
May name badges & business cards still be used?
Many events place a high value on personal interaction. To make introductions easier, you may want to prepare pre-printed name tags. In addition, your guests will probably be busy handing out business cards to keep in touch with their new acquaintances.
Since both name badges and business cards involve personal data, the question arises as to whether they are even possible from a current data protection perspective.
Business cards only exist in the analogue world, which is why the GDPR does not apply to them for now. This changes as soon as the data from them is used digitally.
You also do not have to do without pre-printed name tags at a data protection-compliant event. After all, everyone can decide for themselves whether or not to use one. The only concerns I have are with the software responsible for processing and printing the name badges. Since personal data is managed here, it must be protected against misuse and theft. The same applies to external service providers who take over the printing of the name badges.
How Sweap helps you with data protection
The GDPR and the KUG give you a lot of extra work as an organiser. Obtaining a declaration of consent from all participants in advance can involve a lot of effort. Violations can result in considerable penalties.
Sweap helps you with this time-consuming process: You can use the registration form to obtain the consent of your guests in advance. The form can be designed flexibly by you - consent can simply be confirmed via a checkbox.
At the same time, you don't need to worry about data protection and the security of the data collected. At Sweap, comprehensive data security measures are implemented and continuously updated. All data is stored on servers in Frankfurt without exception.
You don't want to take any risks and prefer to use stock photos? In this article on stock photos we explain to you what you need to bear in mind and how you can achieve the best possible advertising effect with high-quality photos.
When are you allowed to publish photos of your events?
Whenever you want to publish a photo from an event, you should keep the right to the person's own image in mind. As a general rule, you may only publish photos of people if there was prior consent.
This becomes necessary as soon as a person can be recognised beyond doubt in a photo. I advise you to always obtain consent in writing. Verbal declarations are difficult to prove afterwards.
Exceptions only apply to important pictures of contemporary history, if people appear as accessories or if the photos are of large gatherings.
To obtain consent simply and easily, the Sweap registration form will help you. You use it to obtain permission from participants in advance and can concentrate on the upcoming event.