Answer to request

ERAELU KAITSE JA RIIGI LÄBIPAISTVUSE EEST

Tatari tn 39 / 10134 Tallinn / 627 4135 / [email protected] / www.aki.ee / registrikood 70004235

Yours: 13.01.2025 nr Ours: 23.01.2025 nr 2.2-9/25/129-3

Answer to request Estonian Data Protection Inspectorate (EDPI) received your questions regarding legal basis for processing of employees’ photographs from internal company events. EDPI is required by law to respond to requests of explanations without undue delay but not later than within 15 calendar days after the date of its registration.1 Firstly, Estonian legislation does not have a specific law to regulate such processing therefore we can only answer your request based on GDPR. European Data Protection Board (EDPB) has stated in their guidelines that it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. Nonetheless the EDPB states that consent can be a legal basis for processing in employment context when it will have no adverse consequences at all whether or not they give consent.2 In your request you have stated that in that context the employee does not suffer any disadvantage if he/she withholds this. You have however not explained further where the photographs from internal company events will be published and what is the purpose of such processing. EDPI’s opinion is that consent could be the correct legal basis in employer-employee relationships if the photographs are published for employees only, e.g. published in the intranet and the employees do not suffer any disadvantage if they do not give consent. Of course, if there are many people in the photos the consent as a legal basis may be difficult to rely on if the employees have not given their consent beforehand. Additionally, the employer must ensure that consent can be withdrawn by the data subject as easy as giving consent and at any given time. Therefore, to use consent as a legal basis requires the employer to make sure the consent is freely given, specific, informed and unambiguous indication of the data subject's wishes.3 If there are no advere consequences at all whether or not the employees give consent for publishing photos from internal events – employer may rely on consent as a legal basis. Our recommendation would be to ask for the employee’s consent beforehand any internal event or alternatively in the beginning of the employment relationship and properly document the given consent. On the other hand, if the photographs are published to third parties, e.g. business partners/website, the employer may base the processing on legitimate interest. Legitimate interest requires for the controller to properly assess and conduct the balancing test. Employer in this case needs to have real and present interests. Interests that are too vague or speculative will not be sufficient. EDPI cannot confirm whether the business interests overweigh the employee’s rights by default due to

1 Response to Memoranda and Requests for Explanations and Submission of Collective Proposals Act § 6.

https://www.riigiteataja.ee/en/eli/529122024003/consolide#para6 2 EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p 21.-24. https://www.edpb.europa.eu/our-

work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en 3 Ibid, p 11.

2 (2)

the fact the decision to process personal data on the basis of legitimate interest requires an in-depth analysis. Moreover, it is not clear what would be the purpose of publishing the photos from internal events. In summary, to answer your questions it is necessary to define how and where the photographs are published and what is the purpose of publishing the photographs from internal company events. Best regards

Grete-Liis Kalev

Lawyer

authorized by Director General