19
Fri, Apr
44 New Articles

About Photographing Attendees to an Event

About Photographing Attendees to an Event

Romania
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Is it legal to photograph[1] attendees to an event and then use the photos, for example, for marketing purposes?

It definitely can be.

Taking portrait or wide-angle photos of a group of people who attend an event is not prohibited if the applicable legal requirements are met.

Most often this kind of activity involves processing of personal data if it is possible, even indirectly, to identify an attendee whose image was captured in the photo.

Therefore, the legal requirements in the data protection field are applicable. Furthermore, other requirements from different areas of law (e.g., intellectual property) could apply as well.

Like any other data processing activity, we need a legal basis to legitimize the processing.

Do we always need the attendees’ consent?

No.

We must determine the applicable legal basis on a case-by-case basis, depending on the specific circumstances of the event to be organized.

Is there an instance where we can rely on the contract concluded with a certain attendee?

Yes, where photographing that attendee and further using the photos is necessary, from an objective perspective, for entering and/or performing the contract with that attendee.

Of course, that contract must be valid considering all substantive and formal conditions laid down in the common contractual law. Insofar attendees are or could be minors, the general representation rules for concluding a contract must be complied with.

But this is not all.

We must see if the processing is necessary in the context of the contract with the attendee.

For instance, the controller must be able to demonstrate, including by virtue of the data minimization, purpose limitation and accountability principles, that taking photos of that attendee and further using such is one of the objectives of the contract. A processing would probably not pass the necessity test if it is vaguely or expressly permitted by the general terms of the contract having other objective not related to the processing.

In other words, the processing must not only be useful to the controller, but it must also be the only reasonable way in which the controller can exercise one of the objectives it pursues when considering entering the contract.

What about legitimate interest as a legal basis?

It could work.

In the absence of a contract with the attendees or if the processing is not necessary for entering into and/or performing the contract, legitimate interest could be an applicable legal basis.

For this, certain aspects must be prior assessed and documented[2] (usually by means of the so-called legitimate interest assessment). Such aspects could be that:

  • controller can justify an interest in the processing;
  • its interest is legal, real, well determined and corresponds to its current needs;
  • the processing is necessary for achieving that interest;
  • the interests or the fundamental rights and freedoms of the attendees do not prevail over the legitimate interest of the controller.

A key part of assessing the proportionality of the processing is to evaluate if attendees have reasonable expectations on the processing, if there is a potential negative impact for the attendees and the measures that can be implemented to avoid or reduce that impact, e.g., informing in advance the attendees on the intention to take photos and their subsequent use.

What if no legal basis except for consent can be identified?

Then consent should be obtained from all attendees that are to be photographed.

This could however not be an easy measure to implement, especially due to the strict conditions for consent to be valid under the GDPR[3] and particularly in case of events with large number of attendees.

For sure, the safest way would be trying to collect a statement of the attendees that they consent to the processing, subject to the rest of the conditions under the GDPR to be met as well. The statement could be obtained in written form or by using electronic methods (e.g., a link to be included in confirmation e-mails attendees could access to express their consent by clicking a button).

If this is not feasible, other methods for obtained consent must be sought.

If attendees enter the place where photographs are to be taken is this a valid consent?

Not a yes or no answer.

In-depth analysis should be considered but this could work subject to implementing certain measures.

In any case, accountability should be considered, so actions for documenting the approach chosen should also be considered.

Not least, controller must not lose sight of the fact that attendees have the right to withdraw their consent at any time. This can also cause difficulties, including from an operational and financial point of view, for example, if resources were invested in the creation and publication of advertising materials that include photos of the attendee who successfully withdraws consent.

There are many more data protection requirements to be observed in this context, but the one relating to legal basis is one of the most problematic.

[1] Aspects pointed out herein are pretty much relevant also in case of filming event attendees, instead of photographing them.

[2] For details on the conditions to be met in order for the legitimate interest to be an appropriate basis for processing, please see, for example, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC adopted by Article 29 Working Party (https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf). This Opinion 06/2014 is relevant also for guidelines on the applicability of other legal basis.

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

By Madalina Bucur, Senior Associate, NNDKP

NNDKP at a Glance

Nestor Nestor Diculescu Kingston Petersen (NNDKP) is a promoter of business law in Romania with more than 30 years of experience, independently acknowledged as a pioneer of the Romanian legal market.

NNDKP offers full-service and integrated legal and tax advice to companies from diverse industry sectors. For the past three decades, NNDKP lawyers have assisted corporations, financial institutions, private equity funds and local entrepreneurs in landmark deals and projects in Romania, contributing to the evolution of the Romanian business environment, including in innovative and niche economic sectors.

NNDKP’s team brings together knowledgeable, talented and dedicated lawyers and tax advisors active in Romania, with an impressive track record that reflects a mix of industry insights, courtroom experience and practical business sense. Over 120 lawyers & tax & IP counsellors and 50+ business support professionals form one of the largest and most respected teams of independent professional services providers in Romania. We are on the ground where needed, working either from our headquarters in Bucharest or from our regional offices in Timisoara and Cluj-Napoca – major cities and important economic, academic and social hubs in Romania.

NNDKP provides assistance in virtually all areas of practice including Advertising, Banking & Finance, Capital Markets, Competition and State Aid, Consumer Protection, Corporate / M&A and Commercial, Data Protection, Dispute Resolution, Employment, Energy and Natural Resources, Environment, EU Law, Gaming, Immigration, Insurance and Private Pensions, Intellectual Property, Pharmaceuticals and Healthcare, Infrastructure, Public Procurement and PPP, Real Estate and Construction, Tax and Telecommunications and Media.

Along the years NNDKP has established strong connections with leading international law firms and high-profile professional networks. NNDKP represents Romania in the prestigious international professional alliances Lex Mundi, World Services Group, International Attorneys Club and is a founding member of SEE Legal.

The firm is constantly top ranked in all practice areas by the renowned international guides Chambers & Partners, Legal500 and IFLR 1000. NNDKP is a 6-time winner of the much-coveted “Romania Law Firm of the Year” award at the Chambers Europe Awards gala, in 2022, 2021, 2017, 2013, 2012 and 2009.

Firm’s website: www.nndkp.ro