ERAELU KAITSE JA RIIGI LÄBIPAISTVUSE EEST
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / registrikood 70004235
Yours: 13.01.2025 nr
Ours: 23.01.2025 nr 2.2-9/25/129-3
Answer to request
Estonian Data Protection Inspectorate (EDPI) received your questions regarding legal basis for
processing of employees’ photographs from internal company events. EDPI is required by law to
respond to requests of explanations without undue delay but not later than within 15 calendar days
after the date of its registration.1
Firstly, Estonian legislation does not have a specific law to regulate such processing therefore we
can only answer your request based on GDPR. European Data Protection Board (EDPB) has stated
in their guidelines that it is unlikely that the data subject is able to deny his/her employer consent
to data processing without experiencing the fear or real risk of detrimental effects as a result of a
refusal. Consent will not be free in cases where there is any element of compulsion, pressure or
inability to exercise free will. Nonetheless the EDPB states that consent can be a legal basis for
processing in employment context when it will have no adverse consequences at all whether or
not they give consent.2
In your request you have stated that in that context the employee does not suffer any disadvantage
if he/she withholds this. You have however not explained further where the photographs from
internal company events will be published and what is the purpose of such processing.
EDPI’s opinion is that consent could be the correct legal basis in employer-employee relationships
if the photographs are published for employees only, e.g. published in the intranet and the
employees do not suffer any disadvantage if they do not give consent. Of course, if there are many
people in the photos the consent as a legal basis may be difficult to rely on if the employees have
not given their consent beforehand. Additionally, the employer must ensure that consent can be
withdrawn by the data subject as easy as giving consent and at any given time. Therefore, to use
consent as a legal basis requires the employer to make sure the consent is freely given, specific,
informed and unambiguous indication of the data subject's wishes.3
If there are no advere consequences at all whether or not the employees give consent for publishing
photos from internal events – employer may rely on consent as a legal basis. Our recommendation
would be to ask for the employee’s consent beforehand any internal event or alternatively in the
beginning of the employment relationship and properly document the given consent.
On the other hand, if the photographs are published to third parties, e.g. business partners/website,
the employer may base the processing on legitimate interest. Legitimate interest requires for the
controller to properly assess and conduct the balancing test. Employer in this case needs to have
real and present interests. Interests that are too vague or speculative will not be sufficient. EDPI
cannot confirm whether the business interests overweigh the employee’s rights by default due to
1 Response to Memoranda and Requests for Explanations and Submission of Collective Proposals Act § 6.
https://www.riigiteataja.ee/en/eli/529122024003/consolide#para6
2 EDPB Guidelines 05/2020 on consent under Regulation 2016/679, p 21.-24. https://www.edpb.europa.eu/our-
work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en
3 Ibid, p 11.