General Data Protection Regulation, GDPR, has become a reality for most of us, and it will change the way we treat our pictures. GPDR states that pictures containing peoples that can be identified are to be considered personal information and must be handled with care. Unless you are using the pictures for news or art, you must have a consent from the person giving you permission to publish the picture.
Consents should be given
There are a number of scenarios that will require you as an professional photographer to administrate consents from your subjects, for instance if you have taken pictures of the staff for a company.
In this case you must have a consent with each of the individuals, i.e. it is not enough to have an agreement with the company.
And you must keep track of these for a very long time. This can quickly become quite a challenge, especially since administration can become very time consuming and cumbersome. And if you are not carefully, you can be fined quite a large sum of money, there are scary articles out there on the Internet mentioning huge sums of money.
But why do I have to do all of this? Can't I just do as I've always have done?
Images of faces can be processed to automatically identify a person, an example of this is what Facebook has been doing with their auto-tagging of people in uploaded images.
The GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.
Pictures of people, especially where you can use it to identify a person is classified as personal data and can only be processed if:
- The data subject has given explicit consent
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (Note that this condition is not available to processing carried out by public authorities in the performance of their tasks.)
And on top of this you must always inform the individuals that you are taking a photo of about their data privacy rights:
The right of access - You can receive a copy of the personal data we hold about you.
Right to rectification - You can request your personal data to be up to date and accurate
Right to erasure - You can request to have your personal data erased unless it is needed to fulful a legal obligation.
Right to data portability - You can request to have your data available to you in a structured format.
Right to restrict processing - You can request the organisation to stop processing your personal data.
Right to lodge a complaint - You have the right to file a complaint with the data processing authority in your local country.
The right to withdraw consent - It must be as easy to withdraw consent as it was to give it.
But there is help to be found.
Konsento.io is an perfect solution for professional photographers, it helps you administrate consents with minimum effort, actually freeing up your valuable time that you can spend with your clients.
Konsento provides templates for creating consents, guiding you to enter the correct information that you are required to provide in a GDPR consent. After an consent is created, you can invite people to agree to the consent. Konsento will take care of reminding all parties of consents, if they have expired or been revoked.
Konsento 101 for photographers.
Tobias Alm - professional photographer explains how he used Konsento for his latest portrait assignement for a company. The first thing I agree with the client is how they plan to use the pictures, ex on the web, hanging on the wall etc. Then we finalize the other details of the agreement.
I then a write up an proposal, where I make sure to include GDPR handling as a yearly subscription fee, I will describe more on this in a later blog post.
After the client has agreed on the proposal I then create an consent in Konsento by filling in a template, with all the relevant information that affect the consent, such usage of the pictures, who to contact to have them removed etc.
Then I ask the client for email adresses to all the individuals that should be photographed. I try to this before being on location, in order to get their approval before the shoot. As an alternative, I publish the consent as a public registration webpage, then have the company distribute it internally. Either way, I try to get it done before the shoot.
Once at the shoot I will double check that the person I'm taking the picture of have given thier consent. I then easily add some additional information to each consent such as image name and other relveant information that I would like to be able to search for later on.
Thats all that is required - if you are managing GDPR consents for photographers using Konsento
Author: Tobias Alm, software developer expert and professional photographer.
Konsento helps photographers, associations, companies and sports clubs create and manage privacy notices, membership agreements, consents and keep a record of your personal data processing activities. Do you want to know how Konsento can help you? Contact firstname.lastname@example.org