Picture, Picture on the Wall: Danish DPA Takes New Position on the GDPR Legal Basis for Posting Online Photos

September 27, 2019Alerts

The Danish Data Protection Authority has changed its position regarding the legal basis for posting pictures online under the General Data Protection Regulation (GDPR). Rather than a distinction between "situational" and "portrait" pictures, Datatilsynet now requires a case-by-case analysis.

Past Position: Portrait vs. Situational Photos

  • Since 2002, the Danish DPA held the position that that the assessment of whether images can be published on the internet varies according to whether it is a situational picture or a portrait picture.
  • Situational images are images where an activity or situation is the real purpose of the image, such as photos of the audience for a concert.
  • Portrait pictures are pictures the purpose of which is to depict one or more specific persons.
  • Where publication of situational images on the Internet could normally have taken place without the consent of the persons in the image, the Danish DPA has, as a starting point, required consent to the publication of portrait images.

New Position: Case-by-case Analysis

The Danish DPA will no longer distinguish between situational and portrait images. It now holds that the question of whether a picture can be published on the Internet — without the consent of the person concerned — will depend on a comprehensive assessment of the picture and the purpose of the publication.

Key Takeaways

  • Publishing images on the internet by recognizable persons is considered a processing of personal data.
  • You must make sure that the person(s) in the picture are aware that you intend to publish the image on the internet to allow them to respond, e.g. object.
  • Consent can be a legal basis for posting.

If you want to rely on legitimate interest consider:

  • the nature of the image
  • where and why the image was taken
  • the context in which the image is included
  • what the purpose of the publication is
  • age of the person in the picture (children are more vulnerable)
  • does the person feel exposed or exploited by the publication (e.g. if to be used for marketing)
  • Consent not needed for photos of:
    • audience for a concert
    • visitors to a zoo or similar
    • leisure club or association's activities
  • Consent needed for photos of:
    • visitors to the doctor
    • customers in a bank, fitness center or similar
    • visitors to a bar, nightclub or similar
  • Consent is also generally needed for photos containing sensitive information about the person.
  • A person can object to the posting at any time, before or after it is posted.
  • If the person does not want the image on the Internet, you must remove it without delay.

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.

Further Reading:

EDPB Opinion Provides Guidance on Controller-Processor Agreements Under GDPR

French Privacy Regulator Releases Long-Awaited Rules for Use of Cookies

How To Determine If Europe’s GDPR Law Applies to a U.S.-based Retail Business

European Regulator Provides Guidance on Conducting Clinical Trials Under the GDPR