If you have a support question or comment, click the Post New Topic link below. Sytist Manual | Sytist Articles | Facebook Page.

Gdpr & Photos .... Thought

Please log in or Create an account to post or reply to topics.
Tim - PicturesPro.com
10618 posts
Sat May 05, 18
11:25 AM
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union.

As I have been working on and studying GDPR (which is more complex than you think it would be and more complex than it should be), something came to mind.

With GDPR, have you guys & gals thought about the implications and uploading customer photos? The GDPR applies to "any personal data" or "personal identifier". In theory (perhaps in fact) and photo would be a personal identifier which means you would have to have consent to upload their photos. Maybe a written/paper contract signed before uploading photos.

Event photographers, that would almost be impossible.

Thoughts about this or anyone with any knowledge of this aspect?
Tim Grissett, DIA - PicturesPro.com || My Email Address: info@picturespro.com
86 posts
Sat May 05, 18
2:58 PM
I believe that there are specific rules about what constitutes personal information, and faces are excluded.

Facial recognition isn't however, I believe.

This is my understanding, but I'm probably wrong.
Tim - PicturesPro.com
10618 posts
Mon May 07, 18
5:34 AM
It seems to be really unclear. I have read where some say a digital image would be Personally Identifiable Information (PII), and others say it's not. Hopefully, it will be cleared up.
Tim Grissett, DIA - PicturesPro.com || My Email Address: info@picturespro.com
Marco Cappalunga
111 posts
Mon May 07, 18
5:39 AM
I downloaded some guidelines from the Government Privacy Authority Italian site, as soon as I'll get trough them I'll post what I understood.
As all the European laws they are completely unclear, in order to leave work for attorneys.
Gary Williamson
8 posts
Thu May 10, 18
1:54 PM
Glad you are "on it" Tim as it is a change in the law that will need a bit of addressing.

I am currently trying to get 2 businesses compliant and will make the following observations.

The emphasis of the change in law is towards transparency of data being processed and consent being given to hold and process data.

The ICO and the UK Information Officer are on record as saying fines are a "last resort" so take a breath.

Everyone who "processes data" should consider having a Privacy Policy section explaining their process and how they manage data. This can be a simple "How I do it" type page. Most legal firms have these set up now so have a look there for some good - and bad - examples.

Reportage is the UK is still fairly open and will most likely be defended against any GDPR interpretations that restrict this so I am hopeful that Events Photography will similarly be defended (as long you have a way for people to engage with you about any personal data you may have that belongs to them). Street Photographers were used as an example of a tricky grey area by the Royal Photographic Society so I expect this debate will run on in the UK at least.

A tool to allow us to ask our registered customers to opt back in to marketing emails would be useful as this is a priority with a deadline of the 25th May. After that you cannot legally send an unsolicited email unless you can prove consent.

Not sure I have added much to the debate but I am fairly relaxed as I remember when all food companies had to make a GM Food statement. Who asks for that now?

Michael Weeks
220 posts
Sat May 12, 18
2:43 AM
"It seems to be really unclear. I have read where some say a digital image would be Personally Identifiable Information (PII), and others say it's not. Hopefully, it will be cleared up."

Seems to be open to interpretation, in Germany 100% but when you talk to the ICO (information Commissioners Office) they do not give a clear answer however the consensus is that you need to inform at the event you will be taking the images because it is too late to state your policy once loaded and the ICO will not give a clear answer on what the legal right to photograph is

my recent chat with the ICO which contains a partial answer

You are now chatting with ico_rachels
ico_rachels: Good Morning, Michael.
ico_rachels: How can I help?
Michael Weeks: Good Morning
Michael Weeks: I have some questions pertaining to my photographic business and GDPR
ico_rachels: No problem. How can I help?
Michael Weeks: I have to catalogue images from equestrian riders on my gallery system under rider name, is this an issue?
Michael Weeks: I obtain the names from publicly published lists
ico_rachels: If you hold information about individuals that you have gathered from publically available sources, you'll need to be aware that you will become the data controller for the information you now hold. The GDPR won't prevent you from using this personal information but you'd need to handle it in line with the GDPR's requirements. (For example, identifying a lawful basis for processing their information)
Michael Weeks: How do I identify if it is a lawful basis?
ico_rachels: There are several different lawful bases you can rely upon to process personal information. You'd need to identify which one you will be relying upon to process information in this way. We've produced an overview of these lawful bases here: https://ico.org.uk/…/guide-to-…/lawful-basis-for-processing/ Further explanation of each of these is also available in the guidance on this web page.
Michael Weeks: If I dropped the riders name and used the horses name would this change the constraint for lawful basis?
ico_rachels: Yes. The GDPR wouldn't apply if you weren't processing personal information so if you only have the name of the horses, this wouldn't be personal data.
Michael Weeks: second question. Riders that register to view from a gallery are automatically contacted by the gallery system to inform them that the gallery discount is ending and that the gallery will change to a pay to view basis
ico_rachels: I'm sorry, I'm not sure I understand what your question is. Can you advise further?
Michael Weeks: To view images the rider must enter a gallery, the gallery records who has viewed and it will automatically contact the rider on status changes of the gallery
ico_rachels: It's not clear what you're asking. Are you asking about how the gallery should handle personal information in this situation?
Michael Weeks: I am asking if i can legally contact them
Michael Weeks: or what do I have to do to legally contact them?
ico_rachels: Thank you for clarifying. You would need to identify a lawful basis. For example, if the individual has registered to receive a service from the gallery, it may be possible that 'performance of a contract' could be relied upon as your lawful basis. If you're contacting them to market your services, you'll usually require consent and will need to comply with the Direct Marketing regulations (The Privacy and Electronic Communications Regulation) to contact them in this way.
Michael Weeks: I have over 10,000 people that have previously registered to use the gallery, what actions must I take prior to GDPR as I will have names and addresses, importantly many of these have been used to fulfill orders
ico_rachels: If you're a small business, I would advise you to refer to our recent web page for micro businesses for guidance on preparing for the GDPR. This is designed with smaller businesses in mind. In particular, you may find it useful to refer to our 8 steps guidance document is this highlights the main areas you'll need to review to prepare: https://ico.org.uk/fo…/making-data-protection-your-business/
Michael Weeks: I know there is now a legal right to be deleted from a records but how do I confirm that the person has the legal right to request such a removal such as for guardianship?
ico_rachels: The right to deletion is not an automatic right. Certain criteria would need to be met for a request to be valid. If you still had a requirement to process their information, it's likely you could refuse to comply. We've produced further guidance on this here: https://ico.org.uk/…/gu…/individual-rights/right-to-erasure/
Michael Weeks: When does a photograph become personal data?
Michael Weeks: such as school photos where the school badge is clearly identifiable?
Michael Weeks: after face recognition processing?
ico_rachels: Photographs will usually be personal data. Personal data is defined as information that can directly or indirectly identify individuals. If you're able to identify the individual from the photograph, it will be their personal data.
Michael Weeks: How will I know / they know if photographing an event and they are spectators for example? Do I need their consent?
Michael Weeks: There is no way I can search a database of 1,000,000 to find if i hold such data if every photograph becomes personal data
ico_rachels: The requirements under GDPR are very similar to the current requirements under the Data Protection Act (DPA) - that photographs identifying individuals will be personal data.

If, however people are incidentally captured in an image or are clearly not the focus of an image (such as a busy street scene or a crowd), the image is unlikely to be personal data.

As with the current requirements under the DPA, you'll need to identify a lawful basis to process this information. Consent is only one of the lawful bases and is not the only one. You could therefore rely upon an alternative and don't always need consent.
Michael Weeks: I need to be more specific.
Michael Weeks: This weekend I will photograph approx 250 riders each day, do i need explicit consent to be able to store all such images?
ico_rachels: No. As advised above, you don't always need to rely upon 'consent' as your lawful basis. You could, for example, consider 'legitimate interest'. I would suggest looking at the guidance in the link I provided as this will help you establish which lawful basis is appropriate for you.
Michael Weeks: OK I will go away and read and return if I have further questions, many thanks
Marco Cappalunga
111 posts
Mon May 14, 18
4:15 AM
the links you indicated, drive to a "page not found"
Tim - PicturesPro.com
10618 posts
Mon May 14, 18
4:38 AM
One of the things I have added for the next update coming out this week is to add an option when people are creating an account to get consent to send them those gallery expiring, early bird special ending emails (along with some other things related to GDPR). I see that is one of the questions you asked but didn't get a clear answer.
Tim Grissett, DIA - PicturesPro.com || My Email Address: info@picturespro.com
Brooke Woollett
33 posts
Tue May 15, 18
3:47 AM
Here in New Zealand I have that covered off in a legal contract including a robust privacy policy before I even start with schools and sports clubs ... and in some cases events too. Events that I have covered include a disclaimer on the tickets stating that persons may be photographed (and for the purpose/where they could end up).
Eoin Ruairi O'Brolcháin
10 posts
Tue May 15, 18
4:34 AM
Michael ,

thank you for that in depth report on GDPR.

I rang the Irish data protection office and the person on the helpline was not sure of the issues for event/sport/public photographers.

Another worry I have is the reference in GDPR that people can get a copy of the personal data you hold on them.

If a photograph is personal data, then bang goes our industry!!

Anyone any ideas on this one?
Louise Mallan Photography
23 posts
Tue May 15, 18
4:53 AM
Hi Tim/Everyone

Please don't take this as the definitive but we have been looking at the GDPR in details.

Our main resources have been

Suzanne Dibble's GDPR Videos - https://www.youtube.com/watch?v=g6hB9P6-MvI&t=6160s
Suzanne Dibble's Facebook Group - https://www.facebook.com/groups/GDPRforonlineentrepreneurs/
Togs in Business - https://togsinbusiness.com/photographers-gdpr/

From our understanding and from the information we have found out through watching Suzanne's videos photographs are personal data but can only be deemed as sensitive data if they are used to identify an individual. That means that if we where to storage the bio metric information within that photo we would require an enhanced level of consent (Our business does not store any sensitive data in this category under GDPR)

As a business now we should have a data inventory listing where photographs will be stored and transferred (Web host, Printers, Album Manufacturers, Framers etc) all of the information regarding who is the controller and processor of that data should be within your gdpr compliant privacy policy, contracts and model releases (Particularly for under 16's)

In regards to processing photograph's your legal basis would be contractual, a customer has purchased your services and within your privacy policy/model release it details what will be done with that data and how that service is provisioned (I would suggest password protecting gallery should be defaulted, as it customers would reasonably assume that you will protect their data, unless specifically requested otherwise)

*** One thing to bear in mind is that if you seek consent, it can be removed at any time. So if you want to use photos for marketing your services it is better to get a model release/contract for use of those images rather than seeking consent under GDPR definition.

In regards to event photography. If you are at a wedding get the main wedding party to provide a model release with details regarding use and storage prior to the event. This will allow you to process their photographs, for all other guests they can be notified through an announcement that a photographer will be operating through out the day if you would not like your picture being taken to notify the photographer. Suzanne Dibble also mentions that consent doesn't have to be written down, it can be verbal, So it can be reasonable assumed that if you take a picture of someone smiling that consent has been given and it would be difficult to prove otherwise.

Sytist 2.9.0 Update

I noticed that you have added a new feature
"Added the option to get consent when someone creates an account and making a purchase to receive emails pertaining their gallery or photos (early bird special, expiring notices, etc..). "

I don't think this is necessary under GDPR as the customer has purchased your product and contractually it can be reasonable assumed that your will provide expiring notices as part of that service. Also under the lawful basis for processing of legitimate interest that balances the customers needs and your business needs, an early bird special is a benefit for the customer on the service you have sold so is perfectly reasonable use of data.

We have updated yet so don't know if this is optional feature or not yet.

Hope this all helps, PS Suzanne's GDPR pack has a lot of information on these subjects.

And lastly thanks for all the work you have put into the GDPR compliance Tim, great update!

Eoin Ruairi O'Brolcháin
10 posts
Tue May 15, 18
5:11 AM

Thank you for that clarification.

However, the issue of public photography and event photography/sport photography/reportage on public or restricted event is not clear, in my opinion.

The advice I have received is similar to what you have said about weddings which is if the event organiser publishes or announces that phtographer/s are working the event and those photographers have a system to remove images which people do not want put up on open web galleries, then it's ok. However, that is not certain, as the legislation and rules are apparently being changed and updated by day.

I see GDPR may help my business. I cover equestrian events mostly and often people with their own cameras are putting shots up on facebook etc (as happens with weddings and other events I believe). In my reading of the new environment, those posts without the accompanying adherence to the rules may be more limited.

I may be wrong.

With regard to some equestrian events (Horse Trials and hunter trials in particular) there could be several sole trader equestrian photographers with permission to cover the same event. A notice by the organisers that there are photograhers working the event may be enough, I am told.

Louise Mallan Photography
23 posts
Tue May 15, 18
10:57 AM
Hi Eoin,

What you have said sounds correct, At an event where model releases simply can not be collected from everyone the only possible option is the use of announcements, notices or event terms and conditions to notify individuals at that event that there will be photography occurring and where possible provide provision to allow people to remove consent.

In such cases if you complete a legitimate interest assessment, you will likely find that the balance of your needs as a business and the individuals rights would be in your favour for processing the data (photography).

If all measures have been put in place to make the individual aware that processing is being undertaken (i.e photography) and the processing doesn't negatively impact on that individual's rights, cause harm or distress then lawful grounds would be legitimate interest. GDPR isn't there to put you out of business which is what would happen if you couldn't take photograph's in this situation.

If you have all the necessary paperwork (Data Inventory, Privacy Policy etc) and you considered the interest of the individual (Legitimate Interest Assessment), if an incident did occur where you were reported to the ICO they would look at the procedures you have put in place, if there was something wrong they would likely offer advice to rectify it moving forward over fining you.

Have watch at this video https://togsinbusiness.com/photographers-gdpr/ 35 mins in.
Eoin Ruairi O'Brolcháin
10 posts
Tue May 15, 18
11:02 AM
Thank you Louise.

I will certainly look at the video and I wil post my response here. I am only starting to get my head and all I have to do, around GDPR. As I have not been actively pursuing my part-time photography business for at least 6 months, the issue of GDPR nearly slipped past me.

Marco Cappalunga
111 posts
Wed May 16, 18
6:08 AM
Hello everyone,
I went trough some documents of the Privacy Authority in Italy, plus watching the links here provided and following are the lines that I will follow :

1 GDPR Registry information

This is a sort of ISO 9000.
Here we have to describe how we collect, store and treat the personal information we collected (including photos ,and for that I’ll make a note at the end),who is in charge of manipulating them within our organization and for what reason.(It seems silly but if your wife is in charge to send the orders, you have to write it down).
This is a must, because in case of dispute we have to show that we took all the necessary measure to follow the GDPR guidance.

2 Actual registered customers

From 25th May we need a written authorization to treat someone data, so I will send an email to all of my customer telling about this change and if I do not get a reply to this mail to allow me to store the data I have by 24th May , I will erase all their information and they have to re-create an account.
This is a mess, but I’d like to sleep quiet.

3 New customers

Starting from today I will use the Privacy policy Tim provided, with some modification, like that without written authorization to keep their data they will be erased after six months from the last order.
(An expiration time to use someone data is another must of GDPR)

So far so good , let’s talk about photos.

For Italian laws, photos where someone is recognizable , ARE PERSONAL DATA , no matter about biometrics or whatever else, so it is not just about uploading, but it is how we collect, store and treat such personal data. Uploading has to be the last of our thoughts.

1 Collecting photos

If we are the official photographers of an event with a written note ,we are almost safe.
It is a due of the organizer ( I’m shooting mainly dance events and here the organizers or the dance schools already provide for it ) to write a note on the registration form of the event that there will be an official photographer that will hold such data and that data (photos) will be treated only for viewing and purchasing by the contestants.
If the deny , they will be refused to partecipate to the event.

2 Treating photos (upload and whatsoever)

For Italian laws a recognizable photo of an unknown (not famous person) shown in a way that the public is limited and identified does not need a particular authorization to be shown.
That means that if the event is not listed on our website, we provide a unique link (I use google shortener) and a password , than we are treating the data , collected as for point 1 in a GDPR compliant way , because this is not a public exposition of personal data but only to a limited (or closed ) group for legitimate interest (that in this case is also reciprocal).

3 Keeping the photos

This can be quite controversial, beacuse if we erase the customer personal data , we have to erase also the photos.
The only way is to inform the customer that photos will be online only for a certain amount of time and then they will be erased, I admit that for this I do not have an idea yet and I will discuss with some Italian colleagues.
In real terms we should be erasing also older photos we have in our system because they ARE personal data, even if I think that in case of dispute it will be very difficult for a customer to argue that we kept them not only for legitimate interest,

Any thoughts especially on this last statement will be very much appreciated,
Edited Wed May 16, 18 6:14 AM by Marco Cappalunga
Eoin Ruairi O'Brolcháin
10 posts
Wed May 16, 18
7:06 AM

Thank you for that, It has clarified most of what I have to do.

With reference to the last point about deleting photographs, people often look for images many years after they are taken. Therefore, as long as they are securely stored, I believe keeping images is legitimate interest. Obviously, the identifying information must be stored as well and my intention is to keep that, in encrypted form, separately from the images.

The situation in Ireland is not clear yet. When I spoke with the Irish data protection authority, the person I spoke with was unsure about the situation with regard to professional photographs.

Just the other day, I was asked for a portait I took of a lady 10 years ago.

Barry Moir
9 posts
Wed May 16, 18
7:24 AM
Ive just added this to my contract

I/we consent to the following use of the wedding photographs:

On the website of Barry Moir Photography Yes/No [TEXT_INPUT_SHORT_REQUIRED]
On the Social media (Facebook/Instagram/Twitter) Yes/No [TEXT_INPUT_SHORT_REQUIRED]
In print for promotion material e.g. brochures Yes/No [TEXT_INPUT_SHORT_REQUIRED]

Signed ______ Date

covers the photograph issue, and im led to beleive that any third party in a photos at the moment doesnt matter, not an issue because most of mine are just of a couple, and now dealing with the data issue which is easy, its all stored in a passworded database, credit card details that arrive via email are deleted after processed and computer recycle bin is emptied at end of play.
Michael Weeks
220 posts
Fri May 18, 18
12:24 AM
In Photocart there was a system that meant users had to validate their email address before they could log in.

Personally I think it would be good to see that in Sytist as it demonstrates control of data being that images can now be considered data.

Also has the benefit of stopping registration with a false account

Loading more pages
Loading more pages

Sign up for email promotions.

Your information is safe with us and won't be shared.

Thank you for signing up!

©2003 - 2018 Grissett, LLC. All Rights Reserved.

By continuing to browse or by clicking Accept Cookies, you agree to the storing of cookies on your device necessary to provide you with the services available through our website.

    Accept   Privacy & Cookie Policy
Loading More Photos
Scroll To Top
Close Window