About photographing attendees to an event


GDPR.Young photographer takes pictures of a character hiding behind an inscription General Data Protection Regulation.Flat cartoon design

Author: Mădălina Bucur

Is it legal to photograph[1] attendees to an event and then use the photos, for example, for marketing purposes?

It definitely can be.

Taking portrait or wide-angle photos of a group of people who attend an event is not prohibited if the applicable legal requirements are met.

Most often this kind of activity involves processing of personal data if it is possible, even indirectly, to identify an attendee whose image was captured in the photo.

Therefore, the legal requirements in the data protection field are applicable. Furthermore, other requirements from different areas of law (e.g., intellectual property) could apply as well.

Like any other data processing activity, we need a legal basis to legitimize the processing.

Do we always need the attendees’ consent?


We must determine the applicable legal basis on a case-by-case basis, depending on the specific circumstances of the event to be organized.

Is there an instance where we can rely on the contract concluded with a certain attendee?

Yes, where photographing that attendee and further using the photos is necessary, from an objective perspective, for entering and/or performing the contract with that attendee.

Of course, that contract must be valid considering all substantive and formal conditions laid down in the common contractual law. Insofar attendees are or could be minors, the general representation rules for concluding a contract must be complied with.

But this is not all.

We must see if the processing is necessary in the context of the contract with the attendee.

For instance, the controller must be able to demonstrate, including by virtue of the data minimization, purpose limitation and accountability principles, that taking photos of that attendee and further using such is one of the objectives of the contract. A processing would probably not pass the necessity test if it is vaguely or expressly permitted by the general terms of the contract having other objective not related to the processing.

In other words, the processing must not only be useful to the controller, but it must also be the only reasonable way in which the controller can exercise one of the objectives it pursues when considering entering the contract.

What about legitimate interest as a legal basis?

It could work.

In the absence of a contract with the attendees or if the processing is not necessary for entering into and/or performing the contract, legitimate interest could be an applicable legal basis.

For this, certain aspects must be prior assessed and documented[2] (usually by means of the so-called legitimate interest assessment). Such aspects could be that:

  • controller can justify an interest in the processing;
  • its interest is legal, real, well determined and corresponds to its current needs;
  • the processing is necessary for achieving that interest;
  • the interests or the fundamental rights and freedoms of the attendees do not prevail over the legitimate interest of the controller.

A key part of assessing the proportionality of the processing is to evaluate if attendees have reasonable expectations on the processing, if there is a potential negative impact for the attendees and the measures that can be implemented to avoid or reduce that impact, e.g., informing in advance the attendees on the intention to take photos and their subsequent use.

What if no legal basis except for consent can be identified?

Then consent should be obtained from all attendees that are to be photographed.

This could however not be an easy measure to implement, especially due to the strict conditions for consent to be valid under the GDPR[3] and particularly in case of events with large number of attendees.

For sure, the safest way would be trying to collect a statement of the attendees that they consent to the processing, subject to the rest of the conditions under the GDPR to be met as well. The statement could be obtained in written form or by using electronic methods (e.g., a link to be included in confirmation e-mails attendees could access to express their consent by clicking a button).

If this is not feasible, other methods for obtained consent must be sought.

If attendees enter the place where photographs are to be taken is this a valid consent?

Not a yes or no answer.

In-depth analysis should be considered but this could work subject to implementing certain measures.

In any case, accountability should be considered, so actions for documenting the approach chosen should also be considered.

Not least, controller must not lose sight of the fact that attendees have the right to withdraw their consent at any time. This can also cause difficulties, including from an operational and financial point of view, for example, if resources were invested in the creation and publication of advertising materials that include photos of the attendee who successfully withdraws consent.

There are many more data protection requirements to be observed in this context, but the one relating to legal basis is one of the most problematic.

[1] Aspects pointed out herein are pretty much relevant also in case of filming event attendees, instead of photographing them.

[2] For details on the conditions to be met in order for the legitimate interest to be an appropriate basis for processing, please see, for example, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC adopted by Article 29 Working Party (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf). This Opinion 06/2014 is relevant also for guidelines on the applicability of other legal basis.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)