GDPR and Event Photos: What Every Host Needs to Know in 2026
If you're collecting photos and videos from guests at your wedding, party, or company event, you're handling other people's personal data — and in the EU that means GDPR applies. The good news: for an ordinary private event, the rules are far more reasonable than the acronym suggests. Here's what actually matters, in plain language, with the relevant articles cited so you can check them yourself.
Not legal advice. This is a plain‑English summary of the law for event hosts, citing the regulation directly. For a specific situation — especially a corporate or public event — talk to a qualified data‑protection adviser.
A photo that identifies a person is personal data. But here's the nuance that trips people up: a photograph is not automatically "special category" (biometric) data. Under Recital 51 of the GDPR, an image only becomes biometric data when it's run through "a specific technical means allowing the unique identification" of someone — i.e. facial recognition. So a normal shared photo album is ordinary personal data; an app that face‑matches guests to group their photos is processing biometric data and faces a much stricter regime (Art. 9), normally requiring explicit consent. (GDPR Recital 51; Art. 9(1))
Takeaway: a simple QR photo album is low‑risk. Face‑recognition photo finders are not — if you use one, get explicit opt‑in.
To process guests' photos you need a lawful basis under Art. 6. Two are realistic for a host: legitimate interest (Art. 6(1)(f)) and consent (Art. 6(1)(a)).
Takeaway: for a private wedding or party, legitimate interest usually covers a guest photo album. Lean on clear consent when children are prominent, when you'll publish photos publicly, or whenever you're unsure.
GDPR has a "purely personal or household activity" exemption (Art. 2(2)(c), Recital 18). A private individual collecting photos at their own birthday or wedding, shared only with guests, generally falls outside GDPR's full reach. But the exemption is narrow: the moment photos are published publicly or systematically cover people beyond your household, it no longer applies — the CJEU made this clear in Ryneš (C‑212/13, 2014). And it never applies to a business running an event. (Art. 2(2)(c); Recital 18; CJEU C‑212/13)
Takeaway: a private, invite‑only album means low obligation; a public gallery, or any company event, means full GDPR.
Under Art. 13, when you collect data directly from people you must tell them — at the time — who's collecting it, why, and on what legal basis (and, if you're relying on legitimate interest, what that interest is). For an event, this is as simple as a line on your QR sign and on the upload screen: "Photos you upload are collected by [host] to create a shared event album; hosted in the EU; you can ask for any photo of you to be removed." (GDPR Art. 13(1))
The right to erasure (Art. 17) lets a guest ask you to delete their data (for example, after they withdraw consent). You must act without undue delay, and within one month of the request (Art. 12(3)), extendable by two further months only for genuinely complex cases, with notice. So whatever tool you use should make deleting a specific photo easy. (GDPR Art. 17(1); Art. 12(3))
Takeaway: pick a platform where you (or the guest) can remove a photo quickly — a one‑month legal clock is real.
For online services, Art. 8 sets a consent age that varies by country — Germany keeps it at 16, Austria at 14. At a kids' party, the practical answer is simple: get the parents' agreement before collecting and especially before sharing photos of their children, keep the album private, and delete on request immediately. (GDPR Art. 8(1); BDSG (DE); § 4(4) DSG (AT))
This is where tool choice becomes a compliance decision. Sending EU residents' photos to a US‑hosted service is an international transfer governed by Chapter V. After Schrems II (C‑311/18) struck down Privacy Shield, transfers leaned on Standard Contractual Clauses; the EU‑US Data Privacy Framework then restored an adequacy route in 2023 — though it remains subject to legal challenge. The cleanest way to avoid the entire question is to keep the data in the EU. (GDPR Chapter V; CJEU C‑311/18; Commission Implementing Decision (EU) 2023/1795)
Most event‑photo apps are US‑hosted. A few — including Gathmo (EU/Frankfurt) and EventPics (Cloudflare R2 EU) — host in the EU, which sidesteps the transfer analysis for EU events. (research‑foundation/02 — eu‑residency tab, captured 2026‑06‑08)
Art. 5 requires data minimisation and storage limitation — collect what's necessary and don't keep it forever. In practice: set an album expiry, and delete the collection when the event's purpose is served. A platform that auto‑expires albums (rather than silently archiving them) makes this automatic. (GDPR Art. 5(1)(c),(e))
If you're running a company event, the platform is processing employee/guest data on your behalf — that's a controller–processor relationship, and Art. 28 requires a written Data Processing Agreement covering the scope of processing, security, sub‑processors, assistance with data‑subject rights, and deletion at the end of the service. Ask any vendor for their DPA before you sign; a serious B2B tool will have one ready. In Germany, employee‑data processing also engages BDSG § 26.
For a private wedding, the lowest-risk setup is usually simple: keep the album invite-only, show a short notice next to the QR code, avoid face recognition unless guests actively opt in, and let people ask for removal. The couple should not need a legal workflow for every candid photo, but they should avoid turning a private album into a public gallery without thinking through consent.
For a kids' birthday party, the same basics apply, with a higher standard of care. Parents should know where photos are going, who can see the album, and how long it stays online. A private QR album is very different from posting every child's face on a public social network. If a parent asks you not to include their child, remove the photo and move on.
For a company offsite or conference, treat the process like a small data-processing project. Decide who the controller is, confirm the platform's DPA, place a clear upload notice on the QR sign, avoid unnecessary face recognition, and use a defined retention window. If employees are involved in Germany, HR should also be aware of the BDSG § 26 angle.
For a public or ticketed event, assume GDPR applies in full. You may also need venue signage, staff instructions, and a moderation workflow so uploaded images do not expose people who did not expect to be featured. The more public the event, the less you should rely on "everyone knows photos happen at events" as your privacy plan.
You do not need legalese on a table card. You need clarity. A practical notice can be short:
Photos and messages you upload will be collected by [host name] for this event album. The album is private, hosted in the EU, and available to invited guests. If you want a photo of you removed, contact [email/phone].
For a corporate event, add the company name and link to the full privacy notice. For a wedding or private party, the contact can be the host. For children's events, mention that parents can request removal for their child. The point is that the guest understands the basic exchange before uploading: who collects the media, why, where it lives, and how to object.
Frequently asked questions
Not always. For ordinary private event albums, legitimate interest or the household exemption may be enough depending on the situation. Consent becomes more important when photos are published publicly, children are central, the event is commercial, or biometric processing such as face recognition is used.
Usually, yes. A purpose-built album gives the host one place to manage access, retention, deletion, and downloads. A WhatsApp group spreads copies across many phones and makes removal harder. That does not automatically solve every GDPR question, but it gives you a clearer control point.
No. EU hosting helps because it avoids the international-transfer question, but GDPR compliance also depends on notice, lawful basis, retention, deletion, security, and vendor contracts. Think of EU hosting as a strong default, not a complete compliance program.
Ask where data is hosted, whether they provide a DPA, how long albums are retained, how deletion requests work, whether sub-processors are listed, and whether face recognition or AI moderation is used. A serious B2B vendor should answer these without improvising.