Picture, Picture on the Wall: Danish DPA Takes New Position on the GDPR Legal Basis for Posting Online PhotosSeptember 27, 2019 – Alerts
The Danish Data Protection Authority has changed its position regarding the legal basis for posting pictures online under the General Data Protection Regulation (GDPR). Rather than a distinction between "situational" and "portrait" pictures, Datatilsynet now requires a case-by-case analysis.
Past Position: Portrait vs. Situational Photos
- Since 2002, the Danish DPA held the position that that the assessment of whether images can be published on the internet varies according to whether it is a situational picture or a portrait picture.
- Situational images are images where an activity or situation is the real purpose of the image, such as photos of the audience for a concert.
- Portrait pictures are pictures the purpose of which is to depict one or more specific persons.
- Where publication of situational images on the Internet could normally have taken place without the consent of the persons in the image, the Danish DPA has, as a starting point, required consent to the publication of portrait images.
New Position: Case-by-case Analysis
The Danish DPA will no longer distinguish between situational and portrait images. It now holds that the question of whether a picture can be published on the Internet — without the consent of the person concerned — will depend on a comprehensive assessment of the picture and the purpose of the publication.
- Publishing images on the internet by recognizable persons is considered a processing of personal data.
- You must make sure that the person(s) in the picture are aware that you intend to publish the image on the internet to allow them to respond, e.g. object.
- Consent can be a legal basis for posting.
If you want to rely on legitimate interest consider:
- the nature of the image
- where and why the image was taken
- the context in which the image is included
- what the purpose of the publication is
- age of the person in the picture (children are more vulnerable)
- does the person feel exposed or exploited by the publication (e.g. if to be used for marketing)
- Consent not needed for photos of:
- audience for a concert
- visitors to a zoo or similar
- leisure club or association's activities
- Consent needed for photos of:
- visitors to the doctor
- customers in a bank, fitness center or similar
- visitors to a bar, nightclub or similar
- Consent is also generally needed for photos containing sensitive information about the person.
- A person can object to the posting at any time, before or after it is posted.
- If the person does not want the image on the Internet, you must remove it without delay.
Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues contact Odia at [email protected] or 215.444.7313.