Operational Guide

GDPR compliance for photo libraries

Not the legal theory. The practical steps for managing face data in your photo archives day to day. Start with our face data audit guide, then build ongoing compliance processes.

Start here

When is a photo "biometric data" under GDPR?

Not every photo is biometric data. But the moment a photo contains a recognizable face, you are processing personal data. Under GDPR Article 4(14), if you use facial images to identify someone — or if you could — it becomes biometric data under Article 9, a special category with stricter rules.

The practical takeaway: every photo library containing faces is a GDPR compliance concern. The question is not whether you have obligations — it is whether you are meeting them on an ongoing basis.

Key GDPR articles for photo data

  • Article 4, Definition of personal data: Facial images are explicitly listed as personal data
  • Article 9, Special categories: Biometric data for identification requires explicit consent or another Article 9(2) basis
  • Article 15, Right of access: Data subjects can ask what photos you hold of them
  • Article 30, Records of processing: You must document what face data you process and why

What you actually need to do

Forget the legal abstractions for a moment. Here are the concrete operational requirements for photo libraries under GDPR.

1. Know what you have

You need an inventory of where face data exists in your organization. Not a vague awareness that "we have photos somewhere" — a documented inventory of sources, approximate volumes, and what categories of people appear in them (employees, customers, members of the public).

2. Document your legal basis

For each category of photo processing, you need a documented legal basis and entries in your Record of Processing Activities (RoPA). The basis can differ by use case:

  • Event photos on your website might rely on legitimate interest, but that requires a legitimate interest assessment on file.
  • Employee portraits in HR systems might be covered by the employment contract; document that in your RoPA.
  • Marketing photos featuring identifiable people need explicit consent, with records proving when and how consent was obtained.

If you are using or planning to use face recognition technology, a Data Protection Impact Assessment (DPIA) is very likely required under Article 35. Whatever the basis, it must be documented and maintained as your photo libraries evolve.

3. Be able to respond to rights requests

When someone asks "what photos do you have of me?" — you need to be able to answer completely and within 30 days. When someone asks you to delete their photos, you need to find and remove all of them. This is the part that breaks most organizations, because photos are not searchable by person unless you have the right tooling. See our DSAR response guide for practical strategies.

4. Maintain ongoing compliance

Compliance is not a one-time audit. New photos are added constantly — to your website, your marketing materials, your event archives. You need processes that keep up: weekly website scans, quarterly internal library reviews, automated monitoring when new photo sources are deployed, documented review cycles for retention compliance. Build these routines into your compliance calendar the same way you schedule data protection training or vendor assessments.

Compliance checklist

Photo library compliance checklist

Use this as a starting point for your own compliance assessment. If you cannot check every box, you have work to do.

Discovery & inventory

  • Identified all locations where photos with faces are stored
  • Documented approximate volume of face-containing photos per source
  • Categorized data subjects (employees, customers, public, minors)
  • Included archived and backup sources in the inventory

Documentation

  • Legal basis documented for each category of photo processing
  • Photo processing included in Record of Processing Activities (RoPA)
  • Retention periods defined for each photo source
  • Data Protection Impact Assessment completed (if using face recognition)

Data subject rights

  • Process exists to find all photos of a specific person within 30 days
  • Process exists to delete or anonymize photos upon erasure request
  • Search results can be documented for audit trail
  • Confidence level in search completeness is documented

Ongoing processes

  • New photo sources are reviewed before deployment
  • Periodic review of photo archives for retention compliance
  • Website photo content monitored for consent compliance
  • Staff trained on photo handling procedures

Automating the hard parts

Most of this checklist can be automated

Ansikt handles the operationally difficult parts: discovering face data, indexing it, making it searchable by person, and maintaining an ongoing inventory as your photo libraries change.

Automated discovery

Crawl websites and scan photo libraries automatically. Know exactly where face data exists without manual review.

Person-level search

Find every photo of a specific person across all sources in seconds. The capability that makes DSAR responses practical.

100% EU-hosted

All processing stays within the EU. No international data transfers. No third-party AI services.

Start your compliance audit with a website scan

Begin your photo library compliance audit by scanning your most visible source. Our free scan crawls your website and reports how many photos contain faces. Two minutes, no signup required.