The Data Protection Agency changes its practice regarding images on the internet

When photos of people are published on the internet, it constitutes processing of personal data if the people photographed are identifiable. When assessing whether an image can be published without consent, the Data Protection Agency has until now distinguished between ”portrait photos” and ”situational images”, depending on whether the purpose of the image was to depict a person or a situation/activity.

So far publication of portrait photos has required consent from the person photographed. In contrast, situational images could be published without consent. The Agency has applied this practice since 2002, but the distinction has given rise to uncertainty. In light of such uncertainty, the Agency recently changed its practice.

Instead of distinguishing between portrait photos and situational images, the Agency will make an overall assessment of each individual image and the purpose of the publication in order to evaluate if the image can be published on the internet without consent from the person(s) photographed.

The data controller – including employers – must therefore prior to publishing an image determine the basis of the processing, including the purpose, of the publication. In addition, the data controller must make sure that the people photographed are aware that the image will be published to safeguard their rights, including their right of access.

The Agency’s article and comments on the new practice (in Danish) can be read here.

Norrbom Vinding notes

• that the Agency does not specifically mention the use of images of employees; and
• that the legal position regarding publication of images of employees should be regarded as unchanged. Thus, as a starting point and as specified in the Agency’s guidelines on data protection in employment relationships, portrait photos of employees as well as other images cannot be published without the consent of the people photographed.