Selgitustaotlus

Dear Sirs/Mesdames,

Can you please let us understand the Estonian DPA’s/ Data Protection Inspectorate’s (“DPI”) view on the appropriate legal basis for the processing of employees’ photographs from internal company events, under the GDPR.

Our understanding is that there are two relevant legal grounds for the processing of photographs: on the one hand, the subject’s consent, on condition that the consent is freely given, specific, informed and unambiguous, or on the other hand, the company’s (or a third party’s) legitimate interests which outweigh the person’s interests, in which case the processing of the photo is necessary to serve those interests. Consent would of course be the appropriate way as concern processing of photos which are “nice to have” for a company, and not “need to have” within the framework of legitimate interests. 

However, according to the Swedish DPA (“IMY”) (Guidance from the Swedish DPA)  consent would become unnecessarily complicated, particularly as obtaining consent can be challenging when many individuals appear in the images. IMY therefore recommend companies to identify an alternative lawful basis. IMY further express that it, assumes that the company’s purpose is to inform about its business (author’s note: implying that this purpose overweighs the employees’ rights.) IMY continues by stating that for a company such publication may be permissible under the lawful basis of legitimate interests. It is further stated that this requires that the company’s interest in publishing the images to inform about its activities outweighs the interest of the individuals in the images in protecting their personal data. The reasoning behind this assessment shall be properly documented by the company.

Would this approach/reasoning also be made by DPI?

As concern consent (if that would be used as legal ground for the above case), our understanding is that, the fact that employees are generally considered not to be able to give their consent freely to their employers, does not prevent consent here. In this case would consent be both possible and appropriate – if the employee does not suffer any disadvantage if he/she withholds this.

Please let us understand if DPI share IMY’s view on the above and could confirm that i) a company would be able to argue legitimate interest as legal when sharing (processing) employees’ photos from internal company events and ii) otherwise would be entitled to ask for employee consent, even if this in general would not be deemed in compliance with the GDPR.

We would very much appreciate your prompt response and please do not hesitate to contact me directly if any queries related to our request for clarification related to this general question.

Yours truly,

Johanna Albihn