
Is your free QR photo app a GDPR problem?

A free QR photo app is fine for a friend's barbecue. For client work, it can quietly become a GDPR liability -- and the moment your name (or your client's) is on the event, that liability is yours. The problem is not that free tools are badly made; it is that consumer apps are not built to answer the questions professional and corporate work demands, and the gaps only surface when something goes wrong or a client's legal team asks. This is general guidance, not legal advice.

The specific risks are consistent. With a free consumer app you often cannot tell where guest data is hosted, whether it leaves the EU, or who can access it. There is usually no data processing agreement available -- so you cannot document the controller-processor relationship a corporate client requires. Some free tools monetise data or show ads, which raises further questions about how guests' photos and personal data are used. And retention and erasure are frequently opaque, making it hard to honour a deletion request or to say how long data is kept.

For a professional, none of that is acceptable once a real client is involved. You are expected to know where the data lives, to provide a DPA, and to handle consent and retention deliberately. A consumer app that cannot give you those answers turns a convenience into a risk you are carrying on the client's behalf -- often without realising it until a procurement form or an incident forces the question. We cover the duties in GDPR for event photographers.

The fix is to use a platform built for professional use: EU-hosted, with a DPA available, clear retention, and consent and erasure tools. Gathmo hosts guest media in the EU (Frankfurt), provides a GDPR Article 28 DPA on request, has no third-country transfer of guest data, and includes moderation and erasure tools -- so you can put your brand on guest media without inheriting a compliance gap. See how Gathmo handles security, or book a demo to see the difference for client work.

Free consumer QR photo apps are convenient, but for a professional they can be a GDPR liability -- unclear data location, no DPA, possible third-country transfer. Here is the risk, and what to use instead for client work.
EU: where guest media should be hosted for EU events
Art. 28: the DPA corporate clients require
0: third-country transfer on an EU-hosted platform


Frequently asked

For professional or corporate work, yes. Free consumer apps often do not disclose where guest data is hosted or whether it leaves the EU, rarely offer a data processing agreement, and may monetise data or show ads -- and retention and erasure can be opaque. Once your name or your client's is on the event, those gaps become your liability. For client work, a platform built for professional use (EU-hosted, DPA available, clear retention and erasure) avoids the risk. This is general guidance, not legal advice.

Not the quality -- the compliance posture. Consumer apps are not built to answer what professional and corporate work demands: documented data location, a DPA, defined retention, consent handling and erasure. When a client's legal team asks for these (or an incident occurs), a free tool that cannot provide them leaves you exposed. The convenience is real, but for paid client work the missing compliance layer makes it a risk you carry on the client's behalf.

Often you cannot, which is the problem. Many free consumer apps do not clearly disclose their hosting location or whether data is transferred outside the EU, and they may not offer the documentation to confirm it. For EU events, not being able to answer the data-location question is itself a red flag. A professional platform states it plainly -- Gathmo is EU-hosted in Frankfurt with no third-country transfer -- so you can answer the question instead of guessing.

Usually not. A data processing agreement (GDPR Article 28) is something professional platforms provide, but free consumer tools generally do not -- which means you cannot document the controller-processor relationship a corporate client needs. Without a DPA you cannot satisfy corporate procurement, so a free app effectively caps you out of professional client work. Gathmo provides a DPA on request, removing that blocker.

A platform built for professional use: EU-hosted, with a DPA available, clear retention windows, and consent and erasure tools, plus moderation to keep UGC safe under your brand. That combination lets you put your name on guest media without inheriting a compliance gap. Gathmo provides all of these (EU hosting in Frankfurt, Article 28 DPA, no third-country transfer, retention and erasure tools), which is why it is suited to client work where a free consumer app is not.

The risk scales with the client, not the event size. A small private celebration you run informally is low-risk; the moment you are paid by a business client, or handling photos of children or staff, the compliance expectations rise regardless of guest count. Corporate clients in particular will ask for the documentation a free app cannot provide. For any paid client work, using a professional, EU-hosted platform is the safer default.

It handles the processor side and removes the biggest gaps, but the controller-side responsibilities remain yours: a lawful basis, clear notice to guests, and your retention choices. An EU-hosted platform with a DPA, consent capture and erasure tools does most of the heavy lifting and gives you the documents clients ask for. For the specifics of your own obligations, see our guide on GDPR for event photographers and, for anything contractual, consult a professional.