GDPR for event photographers: what you're liable for
Guest photos are personal data, and if you are collecting them at events in the EU, GDPR applies to you -- not just to the platform you use. That sounds heavier than it is in practice, but it is worth understanding what you are actually liable for, because corporate clients increasingly ask, and getting it right is part of looking professional. This is a plain-English overview to orient you; it is not legal advice, and for anything contractual you should consult a professional. Our consumer-facing primer is GDPR for event media in the EU.
The first concept to get straight is controller versus processor. The controller decides why and how personal data is collected; the processor handles it on the controller's documented instructions. At an event, you (or your client) are typically the controller for the guest photos, and the platform that stores and serves them is the processor. This matters because your obligations differ by role, and because corporate clients will ask you to document the arrangement -- usually via a data processing agreement.
Your practical duties cluster around a few things: a lawful basis and clear notice for collecting guest media (guests should understand what is being collected and why), sensible retention (not keeping data longer than necessary), and the ability to honour erasure requests. Using an EU-hosted platform with consent capture, defined retention windows and erasure tools does most of the heavy lifting here -- which is the point of choosing tooling deliberately rather than a consumer app. The checklist below summarises what to have in place.
Where the platform helps: Gathmo hosts guest media in the EU (Frankfurt), offers a GDPR Article 28 DPA on request, has no third-country transfer of guest data, and provides consent and erasure tools plus a retention ladder. That covers the processor side and gives you the documents corporate clients ask for. What remains yours is the controller-side judgement: notice to guests, your lawful basis, and your retention choices. For the procurement angle, see EU-hosted guest media and how Gathmo handles security.
Quick recap
- Know your role: controller (you/your client) vs processor (the platform)
- Have a lawful basis + clear notice for collecting guest media
- Use an EU-hosted platform with a GDPR Art. 28 DPA available
- Set sensible retention — don't keep data longer than needed
- Be able to honour erasure/deletion requests
- Confirm no third-country transfer of guest data
- For corporate clients, have the DPA ready before they ask
Frequently asked
Yes. Guest photos are personal data, so if you collect them at events in the EU (or for EU residents), GDPR applies to you, not only to the platform you use. Your responsibilities centre on having a lawful basis and clear notice for collection, sensible retention, and the ability to honour erasure requests. Using an EU-hosted platform with consent and erasure tools and an available DPA handles much of it, but the controller-side judgement remains yours. This is general guidance, not legal advice.
Usually a controller (sometimes jointly with your client), because you decide why and how the guest media is collected. The platform that stores and serves the photos is typically the processor, handling the data on your documented instructions. The distinction matters because obligations differ by role, and because the relationship should be documented -- generally through a data processing agreement (DPA) that the platform provides. For specifics, consult a professional.
A data processing agreement (DPA) is the GDPR Article 28 contract that formalises the controller-processor relationship. You need one in place with your platform (the processor), and corporate or public-sector clients will often ask you for it as part of their procurement. Gathmo provides a DPA on request, so you can have it ready. Having the DPA prepared before a client asks is part of presenting yourself as a professional, compliant supplier.
GDPR expects you not to keep personal data longer than necessary for the purpose, but it does not set a fixed number -- you choose a sensible retention period and apply it consistently. A platform with defined retention windows and erasure tools makes this manageable: you set the window, guests' data is removed afterwards, and you can honour deletion requests. Document your retention choice so you can explain it if asked.
You need a lawful basis and clear notice -- guests should understand what is being collected and why. Consent is one lawful basis, and clear signage plus an upload flow that explains the purpose supports this. The exact basis can depend on context (for example, legitimate interest may apply in some cases), which is where professional advice helps. Practically, transparent notice at the point of upload and a platform that captures consent cover the common cases.
It handles the processor side and reduces your burden. Gathmo hosts guest media in the EU (Frankfurt), offers a GDPR Article 28 DPA, has no third-country transfer of guest data, and provides consent capture, defined retention windows and erasure tools. That covers the technical and contractual pieces clients ask about, leaving you the controller-side judgement (notice, lawful basis, retention choice). A consumer app without these makes the same compliance much harder to demonstrate.
It can be, because transferring EU guests' personal data to a third country requires appropriate safeguards (such as Standard Contractual Clauses) and adds complexity you have to manage and document. An EU-hosted platform with no third-country transfer avoids that question entirely, which is simpler for you and more reassuring to corporate clients. If you do use a non-EU tool, confirm its transfer safeguards before handling EU guest data -- and consider whether EU hosting is the easier path.


