The Data Protection Agency has changed its practice in relation to publication of images on the internet. In the future, the Agency will no longer distinguish between portrait photos and situational images.
When photos of people are published on the internet, it constitutes processing of personal data if the people photographed are identifiable. When assessing whether an image can be published without consent, the Data Protection Agency has until now distinguished between ”portrait photos” and ”situational images”, depending on whether the purpose of the image was to depict a person or a situation/activity.
So far publication of portrait photos has required consent from the person photographed. In contrast, situational images could be published without consent. The Agency has applied this practice since 2002, but the distinction has given rise to uncertainty. In light of such uncertainty, the Agency recently changed its practice.
Instead of distinguishing between portrait photos and situational images, the Agency will make an overall assessment of each individual image and the purpose of the publication in order to evaluate if the image can be published on the internet without consent from the person(s) photographed.
The data controller – including employers – must therefore prior to publishing an image determine the basis of the processing, including the purpose, of the publication. In addition, the data controller must make sure that the people photographed are aware that the image will be published to safeguard their rights, including their right of access.
The Agency’s article and comments on the new practice (in Danish) can be read here.
The content of the above is not, and should not be a substitute for legal advice.
Must the Data Protection Agency be notified in case of an “internal” personal data breach?
The Data Protection Agency has expressed criticism of a municipality, inter alia, because the municipality had failed to notify a personal data breach to the Agency or communicate the breach to the affected employee.
Access to work emails? Can a request to access data be too extensive?
Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.