The Danish Data Protection Authority has changed its position regarding the legal basis for posting pictures online under the General Data Protection Regulation (GDPR). Rather than a distinction between "situational" and "portrait" pictures, Datatilsynet now requires a case-by-case analysis.

Past Position: Portrait vs. Situational Photos

• Since 2002, the Danish DPA held the position that that the assessment of whether images can be published on the internet varies according to whether it is a situational picture or a portrait picture.
• Situational images are images where an activity or situation is the real purpose of the image, such as photos of the audience for a concert.
• Portrait pictures are pictures the purpose of which is to depict one or more specific persons.
• Where publication of situational images on the Internet could normally have taken place without the consent of the persons in the image, the Danish DPA has, as a starting point, required consent to the publication of portrait images.

New Position: Case-by-case Analysis

The Danish DPA will no longer distinguish between situational and portrait images. It now holds that the question of whether a picture can be published on the Internet — without the consent of the person concerned — will depend on a comprehensive assessment of the picture and the purpose of the publication.

Key Takeaways

• Publishing images on the internet by recognizable persons is considered a processing of personal data.
• You must make sure that the person(s) in the picture are aware that you intend to publish the image on the internet to allow them to respond, e.g. object.
• Consent can be a legal basis for posting.

If you want to rely on legitimate interest consider:

• the nature of the image
• where and why the image was taken
• the context in which the image is included
• what the purpose of the publication is
• age of the person in the picture (children are more vulnerable)
• does the person feel exposed or exploited by the publication (e.g. if to be used for marketing)

• Consent not needed for photos of:
  • audience for a concert
  • visitors to a zoo or similar
  • leisure club or association's activities

• Consent needed for photos of:
  • visitors to the doctor
  • customers in a bank, fitness center or similar
  • visitors to a bar, nightclub or similar

• Consent is also generally needed for photos containing sensitive information about the person.
• A person can object to the posting at any time, before or after it is posted.
• If the person does not want the image on the Internet, you must remove it without delay.

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at okagan@foxrothschild.com or 215.444.7313.

Further Reading:

EDPB Opinion Provides Guidance on Controller-Processor Agreements Under GDPR

French Privacy Regulator Releases Long-Awaited Rules for Use of Cookies

How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

European Regulator Provides Guidance on Conducting Clinical Trials Under the GDPR