Overview

Employers around the globe grapple with the complex task of seamlessly incorporating employee photos into their branding and marketing efforts. From the digital landscapes of corporate websites to the dynamic realms of social media platforms and promotional materials, the use of employee images has become an inseparable aspect of modern workplace culture and how a business presents itself to the surrounding world. However, this prevalent practice has raised legitimate concerns regarding the delicate balance between respecting individual privacy and upholding ethical standards on the one hand, and meeting commercial needs on the other.

As a comprehensive legal framework governing data protection, the General Data Protection Regulation (GDPR) is a complex landscape of rules and regulations for employers in the EU to navigate in, especially concerning the use of employee photos in various media. Recognizing the paramount importance of adherence to these regulations, employers increasingly seem to address the various concerns proactively. Obtaining explicit consent from employees emerges as a common practice, acting as an employer's safeguard against potential breaches of GDPR provisions. This consent, in its ideal form, is informed, specific, and voluntary, ensuring that employees have a thorough understanding of how their images will be used and distributed.

In the spring of 2023, the Danish Data Protection Agency (Datatilsynet) issued its updated guidelines on data protection in employment relationships. This update came in response to the evolving nature of practices in recent years and mirrors the insights gathered through the latest decisions by the Datatilsynet. As the use of employee photos and the necessity of obtaining consent may give rise to doubt, the updated guidelines seek to provide a more thorough understanding of the regulatory landscape, offering updated insights to employers seeking to align their practices with the latest legal standards.

The legal framework

The GDPR forms the core of personal data protection, including the use of employee photos.

In the context of the GDPR, transparency and communication on the use of personal data play essential roles. Employers must communicate clearly to the employees how their photos will be used, empowering employees to make informed decisions about their personal data and giving them the option of refusing without facing reprisals. This approach not only ensures legal compliance but also contributes to a workplace culture that respects privacy and values the individual and personal rights of every employee.

In Denmark, the Data Protection Act (the Act) supplements the GDPR. Section 12 of the Act concerns personal data within the context of employment relationships and refers to Article 6 of the GDPR. Consequently, the processing of personal data in an employment relationship will often be based on a legal basis other than consent. For instance, processing of personal data will often be necessary for the performance of the employment contract or for compliance with a legal obligation to which the controller is subject, such as reporting salaries to the tax authorities. Quite often the legal basis for processing of personal data in the employment relationship is to be found in Article 6(e) for public employers and Article 6(f) for private employers weighing the balance between the legitimate interests pursued by the employer and the interests or fundamental rights and freedoms of the employee. In general, the use of consent as the legal basis for processing of personal data in the employment relationship should be limited to situations where no other legal basis can be found. So, the big question is where to place the use of photos and videos of employees in this legal framework.

Guidelines on data protection in employment relationships

Nowadays, many people communicate their private life intensively through social media platforms with photos and videos of themselves and accompanying friends being posted in a smooth stream. Often, others may be left with the impression that many posts are being made with the posting person not necessarily paying much attention to the overall picture and potential long-term consequences. However, the risk of a person's photo being used by others with negative intentions and without the knowledge, consent, and approval by the person in the photo seems to increasingly attract awareness.

Nevertheless, no matter how many social media posts a person makes, photos showing 'me' will often be considered intertwined with a person's individuality and personal image in public. An employer should take this into consideration in order to be privacy smart. Therefore, an employer should never assume that an employee does not have strong feelings about how photos of them are being used by the employer in a commercial context.

The Datatilsynet guidelines allow, in specific situations, the publishing of portrait photos of employees on the employer's website without consent based on weighing up the balance between the legitimate interests pursued by the employer against the interests or fundamental rights and freedoms of the employees. This is especially applicable to positions where the employee's persona is central to the job or when the employee has functions directed toward the public. The rationale behind this involves considering factors such as the employee's position and the duties they are required to perform and is based on the balancing of legitimate interests in Article 6(1)(f) of the GDPR for private employers and Article 6(1)(e) for public employers. These provisions permit the processing of personal data when it is necessary for the legitimate interests pursued by the data controller, provided that these interests do not outweigh the interests or fundamental rights and freedoms of the data subject. Therefore, in certain circumstances, it can be acceptable to publish photos of an employee without explicit consent, with due regard to the nature of their role and responsibilities.

Voluntary consent?

In other situations, the employer must ensure that the employee agrees – in the form of consent – to the publication of photos or videos featuring them. In particular, consent is applicable in relation to images, including portrait photos, that can be easily replaced as the possibility of the consent being withdrawn by the employee should always be kept in mind. The obtained consent should of course be properly filed by the employer so that there is no doubt as to whether consent is given.

However, in case of material that is costly to produce, such as marketing videos, the employer will not be able to base the processing of personal data on consent because of the risk of the employee withdrawing the consent. Such withdrawal would leave the employer in an unfortunate position, having paid for the production of marketing material that is suddenly rendered useless.

In the quest for a thoughtful strategy on this issue, the Datatilsynet guidelines bring additional insights to the table when it comes to handling images. While it is clear that some personal data can be processed without direct consent, a thorough assessment of when and how images are used is crucial. Employers are advised to be careful about legal requirements and consider being more vocal towards their employees about the use of images and videos.

On the one hand, the Datatilsynet has shifted its approach by stating that consent is now only rarely considered a valid legal basis for data processing in employment relationships due to the inherent power dynamics between employers and employees. This acknowledgment recognizes that consent may not be truly voluntary in such relationships, and therefore it may not be considered a valid basis for data processing. The Datatilsynet is addressing concerns related to the potential lack of genuine consent given the hierarchical nature of the employer-employee relationship.

On the other hand, the Datatilsynet has introduced a nuanced perspective by indicating that employee photos can be published if the employees are 'informed' or 'in agreement' with such publication. However, the guidelines do not explicitly clarify the distinction between being informed and in agreement with giving consent. This introduces a level of uncertainty regarding the precise requirements for processing employee photos. The concept of being informed may suggest a more contextual and communicative approach, potentially emphasizing open dialogue between employers and employees. Yet, the lack of a clear differentiation from consent leaves room for interpretation and raises questions about the practical implications of the guidance. This dual stance from the Datatilsynet highlights the complexity and evolving nature of data protection considerations in employment contexts, underscoring the need for employers to carefully navigate these nuances while respecting the privacy and rights of their employees.

Best practices for photographing

A pivotal element of the revised Datatilsynet guidelines revolves around the use of employee photos. Whether they take the form of professional portraits or candid snapshots, employers are now generally required to reflect on whether to obtain explicit consent before disseminating these images publicly, be it on company websites or elsewhere, including social media platforms.

Crucially, these guidelines do not hinder the practice of capturing photos for legitimate business purposes. The shift lies in the need for a more comprehensive evaluation of each image. Providing advance notice to individuals about upcoming photo sessions affords them the choice to refuse if they prefer not to become part of the employer's visual narrative.

The guidelines advocate for an equitable and thoughtful approach. Employers are encouraged to foresee potential issues on this and exercise due diligence before sharing photos and engage in proactive communication about photography plans. If employees raise concerns or objections, employers should promptly address these by removing images if necessary. Acknowledging the varying degrees of individual sensitivity, it is prudent to announce when photos will be taken. However, it is important to note that making an announcement that is not met with protest does not equate to obtaining explicit consent, and explicit consent can always be withdrawn.

Consequences

A recent decision by the Datatilsynet, in which an employer received criticism for using photos of a former employee in video format, underscores the crucial nature of compliance with data protection regulations, particularly in the context of handling employee photos. This case explores the potential implications for employers that fail to respect privacy rights.

In this instance, the Datatilsynet decided against an employer in a complaint case (No. 2021-31-4820) involving the unauthorized use of a former employee's photos in a recruitment marketing video on Facebook. The complainant argued that there was a lack of consent for use for marketing purposes, while the employer claimed it had a legitimate interest. The Datatilsynet found that the employer violated the data protection rules by not obtaining consent and stated that the balancing –of interests rule did not apply. Consequently, the Datatilsynet criticized the employer's use of the images and mandated the removal of the pictures from the marketing video.

The consequences of such misuse extend across both legal and reputational realms. Legally, employers failing to uphold data protection standards may face repercussions, such as fines and potential liability. Furthermore, the mishandling of employee photos can cast a shadow on a company's reputation, eliciting negative publicity and eroding trust among clients and business partners.

The crucial role of consent and a sound legal foundation in processing personal data, especially in the realm of employee photos, is underscored by the Datatilsynet's decision. Ensuring informed and specific consent prior to using employee images is critical to steering clear of GDPR violations.

Moreover, the decision serves as a reminder to heed the guidelines of the Datatilsynet. Employers are urged to familiarize themselves with the guidelines set forth by supervisory authorities, aligning their practices with these guidelines. This entails a meticulous assessment and documentation of the basis for processing personal data.

Drawing lessons from the decision, employers are prompted to establish clear procedures and guidelines for the use of employee photos. Employers can benefit from being clear in their communication and, for instance, incorporate this information into a privacy notice for their employees. This encompasses obtaining consent when relevant, adherence to privacy rules, and a cautious approach to avoid unnecessary disclosure of personal information.

The decision also stresses the ongoing responsibility towards former employees, emphasizing the need to handle their personal data in compliance with the GDPR, even post-employment.

In conclusion, the Datatilsynet's decision concerning the employer signals a continued effort to fortify data protection regulations. Employers should interpret this decision as a cautionary tale, emphasizing the need for respecting privacy and adhering to the applicable rules, particularly when navigating the complexities of employee photo processing. Establishing clear guidelines, obtaining consent, and aligning with supervisory authority guidelines emerge as indispensable strategies to sidestep legal and reputational consequences.

Elsebeth Aaes-Jørgensen Partner
[email protected]
Norrbom Vinding, Copenhagen