GDPR Compliance

How to Fix GDPR Violations in Marketing Photos: Complete Compliance Guide

GDPR compliance isn't optional. Learn how to identify personal data in your photos, understand your obligations, and fix violations before they become costly fines.

Updated January 2026 · 10 min read

Why This Matters

GDPR fines can reach up to €20 million or 4% of global annual revenue, whichever is higher. In 2025, the average GDPR fine for privacy violations in marketing was €890,000. Don't risk it.

What is Personal Data Under GDPR?

GDPR defines "personal data" as any information that can directly or indirectly identify a living person. In the context of photos, this is broader than most businesses realize.

Personal Data in Photos Includes:

🚨 High Risk (Always Identifiable)

  • Faces (even partially visible)
  • ID cards, passports, driver's licenses
  • Full names visible in images
  • Credit card or bank account numbers
  • Medical records or health data
  • Biometric data (fingerprints, retina scans)

⚠️ Medium Risk (Potentially Identifiable)

  • Email addresses
  • Phone numbers
  • Physical addresses
  • Employee ID badges (even blurred numbers)
  • Unique tattoos or distinguishing features
  • Vehicle license plates
  • Screenshots with usernames

The 7-Step GDPR Compliance Checklist for Photos

Step 1: Audit Your Existing Photo Library

Review all photos currently used in marketing materials, websites, social media, and advertising.

Where to look:

  ✓ Website team pages and about sections
  ✓ Social media posts (Facebook, Instagram, LinkedIn)
  ✓ Active advertising campaigns
  ✓ Email marketing templates
  ✓ Case studies and client testimonials
  ✓ Blog posts and articles

Step 2: Identify Photos with Personal Data

Flag any image that contains identifiable information. This includes faces, documents, screens with data, and more.

⚠️ Common blind spots:

  • Background details in office photos (whiteboards with names, computer screens)
  • Reflections in windows or mirrors showing faces
  • Zoomable screenshots with small but readable text
  • Name badges in conference photos
  • Documents on desks in workspace photos

Step 3: Check for Valid Consent

GDPR requires "freely given, specific, informed and unambiguous" consent for processing personal data.

Valid consent must be:

  • Written: Verbal permission doesn't count
  • Specific: Must mention the exact use (e.g., "website marketing")
  • Informed: Person knows where image will be used
  • Revocable: Person can withdraw consent anytime
  • Recent: Old blanket consents may not be valid under GDPR

Invalid consent examples:

"I took photos at our company event" (no explicit consent), employee contracts with vague photo clauses, assuming social media followers consent to their images being used in ads.

Step 4: Choose Your Remediation Strategy

For images without valid consent, you have three options:

Option 1: Obtain Proper Consent (Best)

Contact individuals, explain usage, get written consent. Time-consuming but allows original image use.

Option 2: Redact Personal Data (Fastest)

Use PhotoComply to automatically blur faces and black-box sensitive information. Keeps the image useful while removing identifiable data.


Option 3: Replace with Compliant Images

Use stock photos with model releases, or create new images with proper consent processes in place.

Step 5: Apply Redaction (If Needed)

If redacting, ensure it's done properly. GDPR requires that personal data be "irreversibly anonymized."

✅ Acceptable redaction methods:

  • Heavy blur: Gaussian blur that makes features unrecognizable
  • Solid overlay: Black boxes over sensitive areas
  • Pixelation: Heavy pixelation (not light mosaic)
  • Complete removal: Cropping out individuals entirely

❌ NOT acceptable:

Light blur that can be sharpened, thin black lines over eyes only, emoji faces (often semi-transparent), any method where AI could potentially reconstruct the original.
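As an added example (not PhotoComply's code, and not from the original guide), the two overwrite-based methods above applied to a constructed grayscale image in pure Python: a solid overlay, a heavy pixelation that refuses to run as a "light mosaic", and a check that the flagged region was actually replaced rather than merely softened. Image layout, box format and the block-size threshold are assumptions for the example.

```python
# Constructed 8x8 grayscale sample: a textured bright "face" on a dark background.
SAMPLE = [[40] * 8 for _ in range(8)]
for y in range(2, 6):
    for x in range(2, 6):
        SAMPLE[y][x] = 200 + 10 * ((x + y) % 3)  # texture that a light blur would preserve

FACE_BOX = (2, 2, 6, 6)  # (x0, y0, x1, y1); end coordinates are exclusive


def redact_solid(img, box, fill=0):
    """Solid overlay: every pixel in the box is overwritten with one value."""
    x0, y0, x1, y1 = box
    out = [row[:] for row in img]
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[y][x] = fill
    return out


def redact_pixelate(img, box, block):
    """Heavy pixelation: each block becomes its mean. Refuses a fine mosaic,
    because small blocks keep enough structure for features to be guessed back."""
    x0, y0, x1, y1 = box
    if block * 2 < max(x1 - x0, y1 - y0):  # assumed threshold: at most 2 blocks per side
        raise ValueError("block too small: this would be a light mosaic, not redaction")
    out = [row[:] for row in img]
    for by in range(y0, y1, block):
        for bx in range(x0, x1, block):
            ys = range(by, min(by + block, y1))
            xs = range(bx, min(bx + block, x1))
            mean = round(sum(img[y][x] for y in ys for x in xs) / (len(ys) * len(xs)))
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def region_redacted(original, redacted, box, max_distinct=4):
    """True only if the box was changed AND almost no tonal variety survives in it."""
    x0, y0, x1, y1 = box
    pixels = [(y, x) for y in range(y0, y1) for x in range(x0, x1)]
    changed = any(redacted[y][x] != original[y][x] for y, x in pixels)
    distinct = {redacted[y][x] for y, x in pixels}
    return changed and len(distinct) <= max_distinct


def original_distinct(img=SAMPLE, box=FACE_BOX):
    """How many distinct values the untouched face region carries (for comparison)."""
    x0, y0, x1, y1 = box
    return len({img[y][x] for y in range(y0, y1) for x in range(x0, x1)})
```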

Step 6: Update All Instances

Replace non-compliant images everywhere they appear. A single violation can trigger investigations.

Update checklist:

  ☐ Website pages
  ☐ Active ad campaigns (Facebook, Google, LinkedIn, etc.)
  ☐ Social media posts (delete and repost if necessary)
  ☐ Email templates
  ☐ Printed materials (brochures, flyers, business cards)
  ☐ Presentations and pitch decks
  ☐ App stores and product listings

Step 7: Implement Ongoing Compliance Processes

Fixing current violations is just the start. Create processes to prevent future violations.

Future-proof your photo workflow:

  ✓ Create a photo consent form template for events and photoshoots
  ✓ Require legal review before publishing photos with people
  ✓ Use PhotoComply as standard practice for all marketing images
  ✓ Train the marketing team on GDPR requirements
  ✓ Maintain a database of consents with expiration dates
  ✓ Default to stock photos or AI-generated imagery when possible

Special Cases & Exceptions

When You DON'T Need Consent

GDPR provides limited exceptions where consent isn't required:

  • Legitimate interest: In rare cases, if you can prove a compelling business need that outweighs individual privacy rights. This is a high bar and requires documentation.
  • Public figures: Politicians, celebrities in public settings may have reduced privacy expectations. However, this doesn't extend to using their likeness in commercial advertising.
  • Large public events: Crowd shots where individuals aren't identifiable may not require consent. But if you can recognize faces, you likely need consent.

⚠️ Legal advice recommended: Don't rely on exceptions without consulting a GDPR-qualified attorney. The penalties for getting it wrong are severe.

Employee Photos: Special Considerations

Employee photos are a common violation. Here's what you need to know:

❌ Common Mistake

"I can use employee photos because they work for me" — WRONG. Employment contracts don't automatically grant photo usage rights, especially for marketing purposes. You need separate, specific consent.

✅ Correct Approach

Get explicit written consent from employees for specific uses (website, social media, advertising). Make it clear they can decline without repercussions. Document everything.

Real-World Examples: Before & After

Example 1: Team Photo on Website

❌ Before (Violation)

Clear headshots of 12 employees on "Our Team" page. Only 4 signed consent forms 2 years ago for "company purposes" (too vague).

✅ After (Compliant)

Got new written consent from 8 employees specifying "website marketing." Redacted faces for 4 who declined using PhotoComply. Page still shows team diversity and size while being compliant.

Example 2: Customer Testimonial

❌ Before (Violation)

Facebook ad featuring customer photo with quote. Customer gave verbal permission 6 months ago for "maybe using it."

✅ After (Compliant)

Paused ad, sent formal consent form to customer specifying "Facebook advertising for 12 months." Customer signed and returned. Re-launched ad with proper documentation.

Example 3: App Screenshot with User Data

❌ Before (Violation)

Product demo screenshots showing real user dashboard with profile photo, email, and usage stats.

✅ After (Compliant)

Used PhotoComply to black-box profile photo and blur email address. Changed name to "Demo User." Screenshot still demonstrates product value without exposing personal data.

Fix GDPR Violations in Seconds

Automatically blur faces and redact personal data from your photos to achieve GDPR compliance fast.


Processing is in-memory only. We never store your images.

Frequently Asked Questions

Can I use blurred images from Google Street View?

Google's blur is for their use. If you're taking their images and using them in your marketing, you need to ensure compliance yourself. Plus, you'd need rights to use Google's images at all.

What about photos I took before GDPR (pre-2018)?

GDPR applies to all current processing of personal data, regardless of when the photo was taken. If you're using old photos now, you need compliant consent or must redact them.

Do I need consent for photos taken in public places?

Generally yes, if using for commercial purposes and people are identifiable. "Public place" doesn't automatically mean "no privacy rights" under GDPR.

Can I use AI-generated faces?

Yes! AI-generated faces (that don't depict real people) are GDPR-compliant since they're not personal data. This is an increasingly popular solution for marketing imagery.
