GDPR for Images: Compliance Overview for Visual Data Protection

Updated: June 2026

From employee headshots and security footage to marketing photographs and event documentation, images containing identifiable individuals are subject to strict compliance requirements that many organisations overlook.

Two areas have added new complexity in 2026. AI tools that generate or manipulate photorealistic images of real people raise questions about whose personal data is involved and who is responsible for it. And wearable cameras built into smart glasses capture footage of bystanders who have no practical way of knowing they are being recorded, prompting dedicated regulatory action by the EDPB and France’s CNIL.

Key Takeaways

• Images constitute personal data when individuals can be identified, whether directly through visible faces or indirectly through distinctive clothing, tattoos, or surroundings. When biometric data is extracted for unique identification, images become special category data requiring additional protection under Article 9.

• Where consent is the lawful basis, as it usually is for marketing, website and promotional use, consent management is the most demanding requirement. Organisations must obtain, document, and manage consent, and provide clear information about data subjects’ rights, including the right to erasure and to withdraw consent.

• Technical and organisational measures are mandatory for image security, covering encryption, access controls, audit trails, and automated deletion systems, particularly for large-scale repositories and cloud storage environments.

• AI-generated images of real people are personal data when the individual is identifiable, and become special category biometric data when facial features are processed through technical means that allow that person to be uniquely identified. The EU AI Act entered into force on 1 August 2024; its Article 50 transparency requirements for AI-generated content, including deepfakes, apply from 2 August 2026.

When do images count as personal data under GDPR?

Images are personal data under GDPR whenever they allow an individual to be identified, directly or indirectly. This covers most photographs of people in professional and commercial contexts. Organisations that process such images must identify a lawful basis, meet transparency obligations, and honour data subject rights.

What makes an image directly or indirectly identifiable?

Images become personal data through direct identification (visible faces, name tags, or other obvious identifiers) and indirect identification (distinctive clothing, unique tattoos, or recognisable backgrounds). Anonymous crowd shots in which no individual faces are distinguishable typically fall outside the scope of the GDPR. Group photos where people are recognisable require full compliance.

When do images become biometric special category data?

When organisations process photographs to extract biometric identifiers for unique identification purposes, the data becomes special category personal data under Article 9. This applies when facial recognition software analyses images for access control, when biometric templates are created, or when images are processed for automated identification systems.

What lawful basis do you need to process images under GDPR?

Before processing any images of identifiable individuals, organisations must identify a valid Article 6 lawful basis. The right basis depends on the context: consent for marketing, legitimate interests for security, public task for public authorities acting under a legal mandate, and contract performance for operational needs such as employee ID photos.

When is consent required for image processing?

Consent is the primary lawful basis when organisations use images for marketing, website content, or promotional materials. Valid consent requires an explicit opt-in without pre-checked boxes, specific purpose statements detailing intended use, easy withdrawal mechanisms accessible at any time, and documented proof that consent was obtained. Event organisers collecting attendee photos for future marketing must use specific consent forms detailing image use, storage, and distribution.

Can organisations use CCTV without consent?

Organisations operating CCTV cameras for security can rely on legitimate interests as their lawful basis. This requires a documented balancing test weighing security needs against individual privacy, supported by safeguards such as masking non-relevant individuals, providing clear signage about recording, and limiting access to footage to authorised personnel only. A retail store using security cameras to prevent theft can rely on this basis when the balancing test is recorded and those safeguards are in place.

What is the public task basis for image processing?

Public authorities may process images under the public task basis when the processing is necessary for a task carried out in the public interest or in the exercise of official authority conferred on them by law. This covers municipal surveillance systems, traffic enforcement cameras and border control. Processing by police and other competent authorities for the prevention, investigation or prosecution of criminal offences falls under the separate Law Enforcement Directive (Directive (EU) 2016/680) rather than the GDPR, although the principles are closely aligned.

When can contract performance justify processing images?

When images are necessary to fulfil a contract, organisations can rely on this basis. Examples include employee ID photos for building access, professional headshots for directories, client photos for service delivery, and contractor images for security clearance. Each lawful basis requires different implementation, with consent demanding the most rigorous documentation.

How should organisations manage consent for photography?

Effective consent management is one of the most demanding aspects of GDPR compliance for visual data. Organisations need systems that capture, document, and honour consent throughout the data lifecycle, with clear procedures for handling withdrawal quickly and completely.

What makes image processing consent valid under GDPR?

Article 4(11) GDPR defines valid consent as freely given, specific, informed and unambiguous, given by a statement or a clear affirmative action. Article 7 adds the conditions for relying on it: the controller must be able to demonstrate that consent was given, a consent request must be clearly distinguishable from other matters, and withdrawal must be as easy as giving consent. Pre-ticked boxes and bundled consent do not meet these requirements.

What records must organisations keep about image consent?

Organisations must maintain detailed records demonstrating consent was obtained, including the timestamp, consent language used, consent method, identity verification, and withdrawal tracking. Consent forms should specify exactly how images will be used, who will access them, and how long they will be stored. Generic consent statements rarely meet GDPR standards.

What must organisations do when someone withdraws image consent?

Withdrawal of consent requires organisations to stop processing the relevant images, remove them from all storage locations, document the withdrawal, and, where feasible, notify third parties. Organisations must be able to act on withdrawal requests efficiently, which requires knowing where every image is stored.

What are the consent rules for event photography?

Large-scale event photography requires entry-point notices about photography, opt-out mechanisms, digital consent collection, and clear identification of photographers and their affiliations. Organisations must have procedures to handle consent withdrawal requests affecting images already distributed.

What rights do individuals have over their images under GDPR?

Data subjects hold rights of access, rectification, erasure, and restriction in relation to their images. Organisations must establish procedures that can locate images across all storage systems, respond without undue delay and at the latest within one month, and document every action taken.

What is the right of access for images under GDPR?

Individuals can request copies of images containing their personal data. Organisations must locate all instances, provide copies in an accessible format within one month, include relevant metadata, and verify identity before disclosure.

What is the right to rectification for image data?

Data subjects can demand corrections to image metadata or associated information, including name tags, location details, event descriptions, or consent records.

What triggers the right to erasure for images?

The “right to be forgotten” requires organisations to remove images from all live storage locations, delete them from backups (or, where immediate deletion from backup media is not technically possible, put those backups beyond use until they are overwritten on their normal cycle and never restore the images from them), notify third parties where possible, and document erasure actions. It applies when consent is withdrawn, when processing is otherwise unlawful, or when the images are no longer necessary for the purpose they were collected for.

What does the right to restrict processing mean for images?

Data subjects can request that active use of their images is paused while storage is maintained for legal compliance. This may require blurring faces in public images, limiting access to essential personnel, and marking records to prevent inadvertent processing.

How quickly must organisations respond to image data requests?

Organisations must respond within one calendar month, extendable by a further two months where requests are complex or numerous, provided the individual is told of the extension and the reasons within the first month. Procedures should cover identity verification, request tracking, cross-departmental coordination, and documentation requirements.

How long can organisations keep images under GDPR?

GDPR’s storage limitation principle requires clear retention periods and deletion procedures for each type of visual data. Retention must be justified by the original processing purpose, not by operational convenience. Different image types require different approaches.

How long should different types of images be retained?

Marketing and promotional images are typically retained for 2-3 years, with regular consent renewals or automatic deletion upon expiry. Security and CCTV footage is generally kept for 30 days unless an investigation justifies longer retention. Employee photographs should be deleted after employment ends unless legal requirements dictate otherwise. Event documentation retention depends on purpose, with internal records often kept longer than marketing images.

How should organisations automate image deletion?

Organisations processing large volumes of visual data should implement automated systems that schedule purges based on retention periods, tag images with deletion dates, generate alerts before deletion, log deletion activities, and handle distributed storage across multiple systems and cloud platforms.

When can organisations suspend image deletion schedules?

Certain circumstances require the suspension of normal deletion: active litigation, regulatory investigations, criminal proceedings, or contractual obligations. Organisations must have procedures for implementing and releasing legal holds while maintaining compliance with overall retention policies.
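The scheduler described in the two sections above (tagging each image with a deletion date, warning before a purge, logging every deletion per copy, and freezing deletion under a legal hold), written here as an added example that is not part of this article or of GDPRLocal’s tooling. The retention table, the ImageRecord and LegalHold layouts, the seven-day warning window and the sample repository are all assumptions standing in for whatever a real asset-management or storage system provides:

```python
"""Retention scheduler with legal holds for an image repository.

Added example for this article, not GDPRLocal's tooling. The retention
table, record layouts, 7-day warning window and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed retention periods in days. Marketing follows the 2-3 year range
# the article gives, CCTV the 30-day norm; employee ID photos have no fixed
# period and fall due when employment ends.
RETENTION_DAYS = {"marketing": 3 * 365, "cctv": 30, "event_internal": 5 * 365}
WARNING_WINDOW = timedelta(days=7)  # assumed: alert one week before a purge


@dataclass
class ImageRecord:
    image_id: str
    category: str
    created: date
    locations: List[str]                   # every copy: primary, CDN, backup, ...
    employment_end: Optional[date] = None  # only used for category "employee_id"


@dataclass
class LegalHold:
    hold_id: str
    image_ids: Set[str]
    released: bool = False


def deletion_date(img: ImageRecord) -> date:
    """Tag an image with the date it falls due for deletion."""
    if img.category == "employee_id":
        # Still employed: no deletion date yet, so never due.
        return img.employment_end if img.employment_end else date.max
    return img.created + timedelta(days=RETENTION_DAYS[img.category])


def active_hold(img: ImageRecord, holds: List[LegalHold]) -> Optional[LegalHold]:
    for hold in holds:
        if not hold.released and img.image_id in hold.image_ids:
            return hold
    return None


def release_hold(holds: List[LegalHold], hold_id: str) -> None:
    """Lift a hold once the litigation or investigation closes; the next run purges."""
    for hold in holds:
        if hold.hold_id == hold_id:
            hold.released = True


def plan_purge(images: List[ImageRecord], holds: List[LegalHold], today: date) -> Dict[str, list]:
    """One scheduled run: decide what to delete, warn about, or keep under hold.

    Every decision is logged so the deletion trail can be produced later.
    """
    plan: Dict[str, list] = {"delete": [], "warn": [], "held": [], "log": []}
    for img in images:
        due = deletion_date(img)
        hold = active_hold(img, holds)
        if due > today + WARNING_WINDOW:
            continue                               # nothing to do yet
        if hold is not None:                       # a hold overrides the schedule
            plan["held"].append(img.image_id)
            plan["log"].append(f"{today} HOLD {img.image_id} retained under {hold.hold_id}")
        elif due <= today:
            plan["delete"].append(img.image_id)
            for loc in img.locations:              # purge every copy, not just the primary
                plan["log"].append(f"{today} DELETE {img.image_id} from {loc} (due {due})")
        else:
            plan["warn"].append(img.image_id)
            plan["log"].append(f"{today} WARN {img.image_id} due {due}")
    return plan


# Constructed sample repository (not real footage or people).
SAMPLE_IMAGES = [
    ImageRecord("mkt-001", "marketing", date(2023, 5, 1),
                ["s3://dam/mkt-001.jpg", "cdn://img/mkt-001.jpg"]),
    ImageRecord("cctv-42", "cctv", date(2026, 5, 10), ["nvr://cam3/2026-05-10.mp4"]),
    ImageRecord("cctv-43", "cctv", date(2026, 6, 10), ["nvr://cam3/2026-06-10.mp4"]),
    ImageRecord("cctv-44", "cctv", date(2026, 5, 18), ["nvr://cam3/2026-05-18.mp4"]),
    ImageRecord("emp-007", "employee_id", date(2021, 1, 4), ["ad://photos/emp-007.png"],
                employment_end=date(2026, 3, 31)),
    ImageRecord("emp-008", "employee_id", date(2021, 1, 4), ["ad://photos/emp-008.png"]),
]
SAMPLE_HOLDS = [LegalHold("LIT-2026-03", {"cctv-42"})]   # footage needed for a claim
TODAY = date(2026, 6, 15)

if __name__ == "__main__":
    for line in plan_purge(SAMPLE_IMAGES, SAMPLE_HOLDS, TODAY)["log"]:
        print(line)
```

The hold check runs before the due-date check, so a hold freezes an overdue image without anyone editing its retention tag, and release_hold lets the next scheduled run pick it up. Deletion is logged per copy rather than per image, which is the record you need when a data subject later asks whether the CDN and backup copies were really removed.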

What security measures are required to protect images under GDPR?

Protecting visual data requires technical and organisational measures that address the specific risks of image processing and storage. These cover encryption, access controls, audit trails, and specific requirements for cloud environments.

How should organisations encrypt image data?

All image data should be protected through encryption at rest and in transit using industry-standard algorithms, such as AES-GCM for stored files and TLS 1.2 or later for transfer. Key management procedures must include regular rotation, storage of keys separately from the images they protect (for example in a KMS or HSM), and access controls on who and what can use each key.

What access controls are needed for image data?

Access to visual data requires role-based permissions, multi-factor authentication, regular access reviews, and automated deprovisioning when roles change or employees leave.

What audit requirements apply to image processing?

Comprehensive logging helps detect unauthorised access and supports compliance. This covers access logging, modification tracking, failed access attempts, and regular log reviews.

What are the GDPR requirements for storing images in the cloud?

Organisations using cloud platforms must have data processing agreements in place, geographic location controls for cross-border compliance, vendor security assessments, and data portability mechanisms.

How can organisations automate GDPR compliance for images?

Organisations processing large volumes of visual data across multiple platforms use automated systems to manage compliance at scale. These tools cover face detection, metadata management, consent integration, and AI governance.

How do automated face detection tools support GDPR compliance?

Automated face detection systems identify images with identifiable individuals for consent verification, automatically blur faces lacking consent, flag sensitive content for review, and generate compliance reports.

How does metadata management support image compliance?

Metadata platforms link images to consent records, track retention periods, document lawful bases, and efficiently generate subject access reports.

How should image systems integrate with consent management?

Modern compliance systems connect image repositories to consent management platforms to automatically verify consent status before publication, flag images requiring renewal or deletion, process withdrawal requests, and maintain compliance documentation.
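A consent gate and withdrawal handler of the kind the two sections above describe (consent records linked to images, a status check before publication, renewal flags, withdrawal processing and a subject access lookup), written here as an added example rather than code from the article or from any consent-management product. The record layouts, the 30-day renewal window and the sample people and images are assumptions:

```python
"""Consent-gated publication, withdrawal handling and subject access lookup.
Added example for this article, not GDPRLocal's or any vendor's platform; the
record layouts, the 30-day renewal window and the sample data are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

RENEWAL_WINDOW = timedelta(days=30)  # assumed: flag consent expiring within a month


@dataclass
class ConsentRecord:
    subject_id: str
    image_id: str
    purposes: FrozenSet[str]          # specific purposes, e.g. {"website", "social"}
    granted: date
    expires: date
    withdrawn: Optional[date] = None


@dataclass
class ImageAsset:
    image_id: str
    subject_ids: FrozenSet[str]       # everyone identifiable in the image
    copies: List[str]                 # every location a withdrawal must purge
    shared_with: List[str]            # third parties who received a copy


def latest_consent(subject_id: str, image_id: str,
                   consents: List[ConsentRecord]) -> Optional[ConsentRecord]:
    recs = [c for c in consents if c.subject_id == subject_id and c.image_id == image_id]
    return max(recs, key=lambda c: c.granted) if recs else None   # most recent record wins


def consent_status(rec: Optional[ConsentRecord], purpose: str, today: date) -> str:
    """Status of one person's consent for one purpose on a given day."""
    if rec is None:
        return "no_consent"
    if rec.withdrawn is not None:
        return "withdrawn"
    if purpose not in rec.purposes:
        return "purpose_not_covered"   # consent for the website does not cover social media
    if today > rec.expires:
        return "expired"
    return "renewal_due" if rec.expires - today <= RENEWAL_WINDOW else "ok"


def can_publish(asset: ImageAsset, consents: List[ConsentRecord],
                purpose: str, today: date) -> Tuple[bool, Dict[str, str]]:
    """Gate a publication: every identifiable person needs valid consent for this
    purpose. "renewal_due" still allows publication but should trigger a renewal."""
    statuses = {sid: consent_status(latest_consent(sid, asset.image_id, consents), purpose, today)
                for sid in sorted(asset.subject_ids)}
    return all(s in ("ok", "renewal_due") for s in statuses.values()), statuses


def process_withdrawal(subject_id: str, consents: List[ConsentRecord],
                       assets: List[ImageAsset], today: date) -> List[dict]:
    """Record the withdrawal and return the purge/notify work for every affected image."""
    work = []
    for rec in consents:
        if rec.subject_id == subject_id and rec.withdrawn is None:
            rec.withdrawn = today
            asset = next(a for a in assets if a.image_id == rec.image_id)
            work.append({"image_id": asset.image_id, "purge": list(asset.copies),
                         "notify": list(asset.shared_with)})
    return work


def subject_access_report(subject_id: str, consents: List[ConsentRecord],
                          assets: List[ImageAsset]) -> List[dict]:
    """Everything held about one person: each image, where it is, and the consent on file."""
    report = []
    for asset in assets:
        if subject_id in asset.subject_ids:
            rec = latest_consent(subject_id, asset.image_id, consents)
            report.append({"image_id": asset.image_id, "locations": list(asset.copies),
                           "shared_with": list(asset.shared_with),
                           "consent": None if rec is None else
                           {"purposes": sorted(rec.purposes), "expires": rec.expires,
                            "withdrawn": rec.withdrawn}})
    return report


# Constructed sample data (not real people or images).
TODAY = date(2026, 6, 15)
CONSENTS = [
    ConsentRecord("subj-A", "img-100", frozenset({"website", "social"}), date(2025, 1, 10), date(2028, 1, 10)),
    ConsentRecord("subj-B", "img-100", frozenset({"website"}), date(2025, 1, 10), date(2026, 7, 1)),
    ConsentRecord("subj-C", "img-200", frozenset({"website"}), date(2024, 6, 1), date(2026, 6, 1)),
]
ASSETS = [
    ImageAsset("img-100", frozenset({"subj-A", "subj-B"}),
               ["s3://dam/img-100.jpg", "cdn://img/img-100.jpg"], ["agency@example.invalid"]),
    ImageAsset("img-200", frozenset({"subj-C", "subj-D"}), ["s3://dam/img-200.jpg"], []),
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(asset.image_id, can_publish(asset, CONSENTS, "website", TODAY))
```

The gate is evaluated per identifiable person, not per image: a group photo with one withdrawn, expired or missing consent fails, which is what the withdrawal section requires. Purposes are a set, so consent collected for the website does not silently cover a social media campaign, and the withdrawal work list carries every stored copy and every third-party recipient so nothing depends on someone remembering where the image went.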

What GDPR rules apply when AI processes images?

When using AI to process images, organisations must address training data consent, transparency in automated decision-making, bias monitoring, and data subject rights in relation to automated processing.

What special GDPR rules apply to specific photography contexts?

Some photography contexts require compliance steps beyond the standard GDPR framework: public photography, images of children, cross-border transfers, biometric authentication, and AI training each raise distinct issues that standard policies may not cover.

Do GDPR rules apply to public photography and journalism?

Images captured in public places raise complex questions. Private individuals taking photos for personal use generally fall outside GDPR scope. Commercial photographers and organisations must comply in full. Journalistic exemptions may apply, but they require balancing the public interest against individual privacy rights.

What extra rules apply to images of children?

Processing images of minors calls for particular care. Where consent is the lawful basis, Article 8 GDPR requires the consent of a parent or guardian for information society services offered directly to a child under 16 (member states may lower this threshold to 13), which in turn requires a proportionate means of verifying age; organisations should apply the same approach to other consent-based processing of children’s images. Schools and youth organisations should also take account of the educational context and of children’s status as vulnerable data subjects when deciding what to capture and publish.

What rules apply when transferring images outside the EEA?

Transferring images outside the European Economic Area triggers additional requirements, such as adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules.

What GDPR requirements apply to biometric authentication using images?

Using images for biometric identification creates special category data requiring explicit consent or another Article 9 legal basis, enhanced security measures, data protection impact assessments, and regular auditing.

What are the GDPR constraints on using images to train AI?

Using photographic data for AI development involves purpose limitation, scope of consent, data minimisation, and data subject rights, including removal requests. Organisations must ensure that the original consent covers the use of AI for training, or obtain a separate lawful basis.

When does image processing require a Data Protection Impact Assessment?

Article 35 of GDPR requires a Data Protection Impact Assessment before starting any processing that is “likely to result in a high risk” to individuals. For image processing, three scenarios typically trigger this obligation: systematic and extensive evaluation of individuals based on automated processing, including profiling, using facial features or biometric data; large-scale processing of special category data such as images used for unique identification; and systematic monitoring of a publicly accessible area on a large scale, which includes most CCTV deployments covering streets, car parks, or building entrances used by the public.

Organisations that run loyalty schemes, access control systems that use face matching, or employee monitoring systems that regularly capture footage of identifiable individuals should treat a DPIA as mandatory before deploying or expanding those systems. The assessment must document the processing purpose, the necessity and proportionality of the approach, the risks to individuals, and the measures in place to address those risks. For guidance on structuring the assessment, see conducting a DPIA: best practices for AI systems.

What GDPR rules apply to AI-generated images of real people?

AI tools can now generate photorealistic images of specific individuals from text prompts, alter existing photos to place people in situations they were never in, or produce synthetic faces built partly from real biometric data. Each of these involves personal data and, in some cases, special category data, even though the final image was generated rather than photographed.

Are AI-generated images of real people personal data under GDPR?

An AI-generated image is personal data if the person depicted can be identified. The identifiability test is the same as for a photograph: if the individual can be identified, directly or indirectly, by means reasonably likely to be used, data protection obligations apply. A generated image of a named public figure, a synthetic portrait based on someone’s uploaded selfies, or a manipulated image of a real employee all qualify as personal data about that person.

Where the AI system processes facial geometry or other biometric features of a real person to generate or manipulate the image, and does so through technical means that allow that person to be uniquely identified, the input and the result qualify as special category biometric data under Article 9. This applies not only to overtly realistic deepfakes but to any AI output that derives identifiable characteristics from real biometric input. Explicit consent or another Article 9(2) condition is required before any organisation generates, stores, or distributes such content.

What does the EU AI Act add for AI-generated images?

The EU AI Act entered into force on 1 August 2024. Article 50 sets two transparency duties relevant here. Under Article 50(2), providers of AI systems that generate synthetic image, audio, video or text content must ensure the outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. Under Article 50(4), deployers who generate or manipulate image, audio or video content that constitutes a deepfake must disclose that the content has been artificially generated or manipulated. This covers deepfake creation tools, AI image editors, and generative models used in commercial contexts. These Article 50 obligations apply from 2 August 2026, so organisations that generate or use AI-created visual content should review whether their marking and disclosure practices meet the requirement before that date.

The labelling obligation is separate from GDPR compliance. An organisation generating AI images of real individuals must satisfy both a lawful basis under Articles 6 and 9 of the GDPR and the AI Act’s Article 50 transparency requirements. Satisfying one does not satisfy the other.

How do wearable cameras and smart glasses change the compliance picture?

Wearable cameras, the most widespread being smart glasses with built-in cameras, carry the same GDPR obligations as any other recording device. What makes them harder to manage in practice is that bystanders typically cannot tell they are being filmed, and the wearer may not be making an active, deliberate choice to record at each moment.

Why are smart glasses a specific compliance problem rather than just another camera?

GDPR does not distinguish between device types. Recording identifiable individuals is recording identifiable individuals. What has drawn specific regulatory attention to smart glasses is the structural difficulty of meeting notice and consent requirements during ordinary use. EDPB chair Anu Talus said in June 2026 that smart glasses “really bring the filming, collecting information from people, into a new level if you compare it with smartphones.” France’s CNIL, in its May 2026 alert on connected glasses, described the surveillance risk as “almost invisible and omnipresent.”

The EDPB has commissioned a report on the social acceptability of smart glasses due in summer 2026. France’s CNIL has announced a dedicated action plan and is coordinating with other European authorities through the EDPB. Both are examining whether the ordinary use of these devices can be made compatible with the GDPR, or whether the technology creates a consent problem that cannot be resolved through standard mechanisms such as signs or privacy notices.

What should organisations do when staff or visitors use smart glasses?

Organisations where staff, visitors, or customers might wear smart glasses should treat the device the same as any other recording equipment: document a lawful basis under Article 6, define what is recorded and why, set retention periods, and run a DPIA where systematic filming of staff or members of the public is involved.

Practical steps include updating acceptable use policies to explicitly cover wearable cameras, reviewing whether employees wearing smart glasses in customer-facing roles create notice obligations for those customers, and assessing whether any AI features on the device, such as automatic transcription, AI assistant query logging, or facial recognition, activate Article 9 obligations. For a full analysis of how EU regulators are approaching smart glasses in 2026, see Smart Glasses and GDPR: Why Europe Is Cracking Down on Camera-Equipped Eyewear.

Frequently Asked Questions

Are photos always personal data under GDPR?

No. Images only constitute personal data when individuals can be identified. Generic landscapes, anonymous crowd shots, and images where people are not recognisable do not trigger GDPR obligations. Identifiable features are what bring images into scope.

Can I process CCTV footage for crime prevention without consent?

Yes. Security cameras typically operate on a legitimate interests or public task basis rather than on a consent basis. Balancing assessments, safeguards, clear signage, and access limitations are required.

What are my obligations if someone withdraws consent for an image published online?

You must remove the photo from all locations under your control, document the withdrawal and deletion actions, and make reasonable efforts to notify third parties. The right to erasure requires comprehensive removal, not just hiding or archiving.

Can I request removal of an AI-generated image of myself under GDPR?

Yes. GDPR rights apply to AI-generated images that make you identifiable, including the right to erasure under Article 17. If the image was generated using your biometric data without your consent, the processing was likely unlawful from the start, which gives a strong basis for an erasure request. In practice, identifying the controller and locating every copy of a generated image can be difficult, but the legal right applies regardless of the enforcement challenge.

Are smart glasses with built-in cameras legal to use under GDPR?

Owning and wearing smart glasses is not illegal. GDPR applies to how the footage they capture is used. Recording identifiable people without a lawful basis, adequate notice, or appropriate safeguards creates a compliance risk, just as with any other camera. The difficulty specific to smart glasses is that standard notice mechanisms are hard to apply when the camera is worn by someone moving through a space. Organisations deploying smart glasses in any professional context should complete a DPIA before doing so.

About the Author

Ana Mishova

Sales and Business Development Consultant — GDPRLocal

Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.