After entry of the GDPR into effect in 2018 the image officially started to be considered as an element of personal data. What conditions have to be met in order to effectively obtain a consent to image use and in which situations such a consent is not required?
The image of a natural person is a set of recognisable features which enable one to identify a given person. There are four acts in the Polish legal order which govern issues related to legal possibilities of processing and dissemination of the image of a natural person:
Before 25 May 2018, i.e. the effective date of the GDPR, the issues of image processing and dissemination were governed mainly by the Copyright Law and the Civil Code. Article 23 of the Civil Code states that the personal interests of a human being (including image, name and voice) are protected by civil law, independently of protection under other regulations. Article 24 of the Civil Code indicates means of their protection:
More detailed regulations are included in the Copyright Law where Article 81 indicates that dissemination of an image requires the permission (consent) of the person presented in it, except for the following situations:
According to the Civil Code and Copyright Law, the consent to image dissemination may be given in any form (not necessarily in writing), but it has to be unquestionable. This means that the person giving the consent has to be fully aware not only of the form of presentation of their image, but also of, e.g. the place and time of publication, combination with other images and the accompanying comment.
It should be noted that in the light of copyright law the very fact of image recording (taking a photo, making a film) does not require any consent and is not illegal. The above regulation concerns only dissemination of an image understood as making it available to the public, meaning an open group of individuals, with the use of any medium, e.g. TV, a film, press, a poster, a postcard, website or a social networking site, such as Facebook.
Therefore, the consent of a person whose image will be published in such media cannot be blank or general and should concern specific personal interests. What is more, when giving his/her consent, the holder of the right should specify the scope of actions which may be taken by the person obtaining the consent.
The person giving his/her consent to image dissemination should be aware of:
1) manner of presentation of their image,
2) place and time of publication,
3) image combination with other images or a specific text, and
4) advertising character of image use.
The entity which obtained the consent of the right holder to image dissemination cannot “transfer” such a consent to another entity, unless the contract clearly provides for such a possibility.
In specific cases images were also recognised as an element of personal data already before 25 May 2018. After the effective date of the GDPR the EU legislator finally settled that the image is an element of personal data, if it enables one to establish identity of a given person in an indirect or a direct way.
Already image processing itself is subject to protection guaranteed by the GDPR, contrary to one provided for in the Copyright Law. According to the GDPR the ”processing of personal data” means operations or sets of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The very fact of storing another person’s photo (e.g. in computer memory) constitutes the processing of their personal data in the form of the image of their face.
The basic prerequisite on which admissibility of image processing depends is the consent of the data subject. The consent to personal data processing has to be voluntary, specific, informed and unambiguous.
Legal regulations do not specify the form in which the consent is to be expressed – any statement or explicit action confirming permission for personal data processing will be sufficient.
If there are various purposes of processing, the person whose image is to be used has to consent to all those purposes. What is important, one should differentiate here the possibility of image processing on the grounds of copyright law from image protection on the grounds of the GDPR. In particular, it should be noted that in the case of the processing of an image as an element of personal data under the GDPR the exclusions referred to in Article 81 of the Copyright Law will not apply, e.g. the fact that the image is only an irrelevant element of a whole (inter alia, a public event).
In the case of the consent under the GDPR, the very fact that the image of a given person is visible – even as part of the overall view – in a manner enabling one to identify that person is sufficient to determine the need to obtain the consent. The consent does not have to be written.
In practice, the organiser of a public event obtains an implied consent of the event participants to image processing and dissemination informing them about audiovisual recording of the event and purposes of processing, which in consequence of logical thinking may lead to the conclusion that the image of the participant may be disseminated – on a ticket, poster, registration form, organiser’s website. Participating in such an event its participants consent to the fact that their image may be used by the organiser.
It has to be emphasized that the consent so given includes dissemination of the participant’s image for purposes related to event promotion. So, it cannot be used for a purpose not related to the context of giving the consent, e.g. to advertise a cosmetic product promoted during the event (unless the content of the consent directly states this). The organiser is obliged to inform event participants, among other things, about the party who will process their data, the purpose of processing and about the possibility of withdrawal of the consent in case it has to be expressed. One has to definitely bear in mind that such a way of giving the consent by the participant and the fact of providing the said information has to be documented, so that in the future the organiser is able to prove that the participants gave their consents and the organiser fulfilled his/her obligations.
Another prerequisite enabling one to process personal data are the legitimate interests of the controller. Pursuant to motive 47 of the GDPR preamble “The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. (…) The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest “.
The legal grounds for processing so understood include image publication on the Internet, in social media or in the photographer’s/ camera operator’s portfolio and the processing of an employee’s image for purposes of ensuring safety and proper functioning of the workplace. In order to evaluate whether the above grounds for processing are observed one has to each time carefully assess if during the time and in the context in which personal data is collected the data subject may reasonably expect data to be processed for that purpose.
Not in all cases data subjects assume that their image may be used by the controller for direct marketing purposes. Lack of such information from the controller prevents him/her at a later stage from referring to the “legitimate legal and business interests” as the legal grounds for the processing of a given person’s image.
One has to bear in mind that in this case the overriding right of the photographed / recorded person, prevailing over the interests of the photographer / camera operator are that person’s personal interests or the right to decide on permitting for a specified manner of dissemination of his/her image in the light of the provisions of copyright law. Thus, acting in the legitimate interests of the controller, one has to remember about fulfillment of the disclosure obligations of the personal data controller.
Regardless of the above, it has to be indicated that the provisions of the GDPR will not apply to all instances of image processing. The basic exclusions relevant from the perspective of the subject of the article are:
The above basic rules and differences with regard to the possibility of processing of such an element of personal data as the image are very general. In practice, this may frequently cause a threat to or infringement of this personal interest. Even if such an infringement does cause damage, it may create an opportunity for a compensation request from a person whose image was an object of infringement, e.g. by way of too broad processing activities and use for purposes other than as specified previously.
TGC Corporate Lawyers
TGC Corporate Lawyers offers full support in implementation of correct rules of processing of the image and other personal data, as well as in respect of advisory services aimed at ensuring compliance of clients’ operations and actions with copyright law, personal data protection law and other rights protected by law, including personal interests. We assist clients operating in capital groups, but also small and medium-sized enterprises, public companies, non-governmental and not-for-profit organisations.