Understanding consent for photography

Almost everyone has a smartphone with a high quality camera and, as a result, there have never been more photos of us as there are at the moment.   

We’re getting so used to having our picture taken—whether by friends, family or even ourselves—that you’d be forgiven for thinking it was no big deal. However, just because smartphone technology has changed, that doesn’t mean UK data protection law treats privacy in relation to photos any less seriously.

Understanding consent for photography is essential for organisations planning to capture, store and use images of individuals, groups and employees.

GDPR and photography

According to both EU and UK GDPR law, ‘personal data’ includes all information that relates to an identifiable living individual, as well as information that can identify someone—and that includes photographs.

And, just like with any other personal data, the ‘data controller’—the person, organisation or other body responsible for determining how and where that data is to be processed—must be able to demonstrate a ‘legal basis’ for processing photographs of identifiable individuals.

In GDPR law there are six legal bases that can be applied to the storing, managing and processing of photographs. As per article 6 of GDPR, these legal bases are:

  1. “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
  2. “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
  3. “processing is necessary for compliance with a legal obligation to which the controller is subject”
  4. “processing is necessary in order to protect the vital interests of the data subject or of another natural person”
  5. “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
  6. “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”

Let’s take a look at the different circumstances and how they’re impacted by GDPR.

Photos where no one can be identified

If a photo contains people but no one can be identified, either because their faces are obscured or you’ve subsequently blurred them out, you’re free to use them.


In the example above, there are three people in the shot, but none of them can be identified.

Photographs of crowds

This is also the case for crowd shots where no single person can be identified.

However, if specific individuals can be identified then ‘legitimate interest’ applies. What’s more, there are some best practices to follow if you’re taking photos at an event your organisation is running.

Firstly, you should let people know that photos will be taken during the event—ideally both in written form and verbally. This will then give people the opportunity to opt-out of having their photograph taken. This can be managed by providing stickers or lanyards so photographers can easily identify the people who don’t want to be included in the photos.

Secondly, when non-posed photographs are being taken, photographers should inform people in the foreground that they’ll be in the picture and give them the chance to move away.

Photographs of individuals and posed groups

For photos where the individual or group willingly poses for a photograph there are three legal bases that can be applied: ‘consent’, ‘legitimate interest’ and ‘contractual obligation’.

Legitimate interest

This is the legal basis that is easiest to prove, and for that reason it is recommended by the ICO as the basis for photos of individuals and posed groups. 

However, legitimate interest still needs to be used correctly and, although it doesn’t require explicit consent for photography, you need to be able to demonstrate that taking the photograph was ‘necessary’. It’s important to note that this legitimate interest can be overridden if there was a good reason to protect that person’s likeness.


Your organisation is running an event and you’ve employed a photographer to capture images for marketing future events. Some of these images contain individuals or groups of people who have willingly posed for the camera.

Legitimate interest applies here as these pictures are required for producing marketing collateral to use for the next event.

However, it would still be best practice to give event attendees the opportunity to move away before photos are taken.


The reason consent for photography is harder to demonstrate than legitimate interest is that ‘consent’ in this context needs to be recorded and stored—it does not mean a photographer has verbally asked permission from the subject before taking the picture. This explicit consent should be stored together with the image in your Digital Asset Management system to make it easy to find if needed.

What’s more, this written consent should be stored for as long as the image is published, while individuals have the right to withdraw their consent at any time. Note that withdrawal of consent will only apply to images you still control. This means an image on your website should be removed, but if it was used in a leaflet that was sent to other businesses no action needs to be taken.


You’ve secured a case study from a client that includes their photograph, and you’ve published it on your website and within printed sales collateral. The sales collateral was handed out to attendees at an industry event.

The client previously gave written consent for their image to be used, but 12 months later they’re asking for the case study (and their likeness) to be removed.

Your organisation needs to honour their request for the image to be removed from the website, but does not need to take any action regarding the sales collateral given out at the event.

Contractual obligation

The contractual obligation legal basis can be applied in cases where taking the photograph was required for the purposes of fulfilling a contract. The most common example of this legal basis applying would be when an organisation uses a model for advertising products or services.

Bear in mind that taking the photo must be strictly necessary for this basis to apply. In the case of a professional model this is clear, but that doesn’t mean employees or contractors can be required to appear in photographs that aren’t necessary for the performance of their job.


Your organisation manufactures kitchen appliances, and you commission a photoshoot of a new range of products, featuring professional models.

In this case, contractual obligation applies, as it is necessary for the models to appear in the photographs to perform their contracts.

Photographs of children

Although consent law governing images of children is more or less the same as for adults, UK data protection legislation does require ‘extra care’ to be taken when processing the personal data of children.

READ MORE: Why ResourceSpace is perfect for... academic institutions

Depending on the child’s age, their parent or guardian must be told how the images will be used so they can consent on their child’s behalf. Best practice for keeping and managing parental consent is the same as consent from an adult for use of their own images.

Note that it isn’t specified in law at what age a minor is able to give consent for themselves. A typical guideline is 12 years old, but this should be taken on a case-by-case basis.

It’s possible that other legal bases can apply to photographs of children—for example, contractual obligation in the case of child models—but remember that extra care and consideration needs to be taken.

ResourceSpace supports photography consent management

To effectively manage consent for photography and ensure you can stay GDPR compliant, a dedicated Digital Asset Management system is essential. Not only does a DAM act as your single source of truth for all your digital assets, but you’ll also be able to keep images and consent forms together. With ResourceSpace, you can even set time limits and reminders for when consent expires, prompting the DAM manager to take action where necessary.

To find out more about how ResourceSpace can help you to manage consent, request your free 30-minute DAM demo below.