GDPR and Employee Event Photos: What HR Needs to Know in 2026

Your company just ran its summer offsite. Three hundred photos are scattered across personal phones, a WhatsApp group nobody can export cleanly, and a shared drive folder somebody set up "temporarily" in 2023. Internal Comms wants twelve good shots for the newsletter. And one employee has just emailed to ask that no pictures of them be published anywhere.

That last email is the one that should make HR pause. Because the moment your organisation collects, stores, or publishes photos of identifiable employees, the General Data Protection Regulation applies — and "it was just the Christmas party" is not a defence a data protection officer will accept.

This guide walks HR managers and internal event planners through the GDPR obligations that attach to employee event photos: what your legal basis actually is, when you need consent versus when you don't, how long you can keep the images, and what to demand from any photo-collection tool before it touches a single employee's face. It is written for the EU/EEA context, with specific notes for Germany.

Not legal advice. This article explains the relevant GDPR provisions and is for general guidance only. It cites the regulation directly so you can verify each point, but it is not a substitute for advice from your own data protection officer or counsel on your specific situation.

Yes — and the "personal use" exemption that gets passed around the office does not save you.

The GDPR carves out processing carried out "by a natural person in the course of a purely personal or household activity" with no connection to a professional or commercial activity (Art. 2(2)(c)). A guest privately keeping their own snaps of the party may fall under that exemption. The employer does not. A company-organised event, photographed for company purposes — a newsletter, an intranet, a recruiting page, the next all-hands deck — is a professional and commercial activity by definition. The exemption shields the individual; it does not shield the organisation acting as controller, nor any platform acting as processor on its behalf.

There is a further limit worth knowing. The Court of Justice of the EU, in the Ryneš case (C-212/13), read the household exemption narrowly: processing "directed outwards from the private setting of the person" — there, video surveillance covering a public space — cannot count as purely personal. Applied to events, publishing photos of other people beyond a closed private circle (for instance, on the open internet) is likely to fall outside the exemption and pull the publisher squarely into the GDPR's scope.

So the practical answer for HR is simple: assume GDPR applies to every identifiable employee in every photo your company collects, the second you collect it.

Every act of processing personal data needs a lawful basis under Article 6. For ordinary event photos, two are realistic: legitimate interest (Art. 6(1)(f)) and consent (Art. 6(1)(a)).

Legitimate interest is available where the processing is necessary for the interests of the controller or a third party, and those interests are not overridden by the rights and freedoms of the data subject — a balancing test you have to actually perform and document, with heightened protection where a child is involved. For low-risk, internal-facing event documentation, many organisations can rely on it.

Consent must be specific, informed, and freely given. It is the safer basis, and it becomes the required basis where the legitimate-interest balance fails or where special-category data is involved.

Here is the catch that trips up HR specifically: the employment relationship. Because employees depend on their employer, regulators are sceptical that consent in that context is ever truly "freely given." Germany's Federal Data Protection Act addresses employee data directly in BDSG § 26, allowing processing of employee data where necessary for the employment relationship, and recognising that consent in the employment context can be valid but must be assessed for voluntariness given that dependence — and should generally be in writing.

The honest reading for corporate event photography is this: necessity under § 26 is usually a poor fit for marketing or newsletter photos (a glossy recruiting shot is not "necessary" to carry out the employment contract). So for anything outward-facing or promotional, the defensible route is freely-given, documented consent, with a clear right to refuse without any disadvantage to the employee. Note too that, following EU and German case law, § 26(1) was held in part contrary to EU law, and processing may also rest directly on Art. 6 GDPR — another reason to ground your photos in a clean, explicit consent rather than a stretched necessity argument.

A workable rule of thumb for HR: low-risk, internal-facing documentation (intranet, all-hands deck) can rest on legitimate interest, provided you perform and record the balancing test; anything outward-facing, promotional or recruiting-related should rest on written, freely-given consent that the employee can refuse without any disadvantage.

This is the question that separates a normal photo gallery from a legal minefield — and it is where a lot of consumer-grade event apps quietly create risk.

A photograph of a face is not automatically special-category data. Recital 51 of the GDPR is explicit: photographs are covered by the definition of biometric data "only when processed through a specific technical means allowing the unique identification or authentication of a natural person." Merely storing and displaying photos does not trigger Article 9.

But the moment a tool runs facial-recognition feature-extraction — building a face template to group or identify guests, or to let people "find all photos of me" by selfie — it is processing biometric data for the purpose of uniquely identifying a person, which Article 9(1) prohibits unless a specific exception applies (typically separate, explicit consent). That is a materially higher bar than the consent you gathered for ordinary photos.

This matters when you choose a vendor. Several competitors in this market lead with face-recognition photo-finding as a headline feature. That capability is genuinely useful at a wedding; at a corporate event with employees, it converts your photo collection into Article 9 processing and obliges you to obtain explicit biometric consent and document an Article 9 ground. For an HR team that simply wants the offsite photos in one place, that is risk you did not ask for.

Worth noting on tooling: Gathmo does not offer facial recognition or face-search at launch (it is a Phase 2 item on the roadmap, not a live feature). For HR, the absence is a feature: ordinary photo galleries that do not build face templates keep you out of Article 9 territory by default. If you do want face-search one day, treat it as a deliberate, separately-consented decision — not something switched on quietly inside an app.

Transparency is not optional, and it is not satisfied by a sign nobody reads. Where you collect personal data directly from the data subject, Article 13(1) requires you to provide — at the time of collection — a defined set of information, including the identity and contact details of the controller, the purposes and the legal basis of the processing, and, where you are relying on legitimate interest, the specific legitimate interests you are pursuing.

For an event, that means a clear, accessible information notice at the point of capture or upload: who controls the photos, why, on what legal basis, how long they will be kept, and what rights the data subject has. A QR code that takes employees to an upload page is a natural place to surface this — the landing or upload screen can carry the notice so that consent (where you rely on it) is captured in context, with the information right there.

A short, plain checklist for your notice: the identity and contact details of the controller; the purposes of the processing; the legal basis, and, where you rely on legitimate interest, the specific interest you are pursuing; the retention period; and the data subject's rights, including the right to object and the right to erasure.

Not indefinitely. Two principles in Article 5 govern this: data minimisation (Art. 5(1)(c)), which limits the photos you collect to what is necessary for the stated purpose, and storage limitation (Art. 5(1)(e)), which means keeping identifiable photos no longer than that purpose requires.

In practice, that means defining a retention period before the event, not after the complaint. A corporate gallery that auto-deletes after a set window, rather than living forever on a shared drive, is the cleaner posture. This is one place where a purpose-built tool with defined, automatic retention beats an ad-hoc folder: the system enforces storage limitation for you instead of relying on someone remembering to clear it out.

For reference, Gathmo's per-event tiers carry explicit, finite retention windows — 14 days on the Free tier through to 365 days on the top tier — rather than open-ended storage, which is the behaviour Article 5(1)(e) is asking for. Whatever you use, the principle is the same: a defined end date for the data.

This is the right to erasure — the "right to be forgotten" — and it is not a courtesy you can decline.

Under Article 17(1), a data subject can require the controller to erase their personal data without undue delay where a ground applies (for example, the data are no longer necessary for the purpose, or consent is withdrawn and there is no other legal basis). And there is a hard clock: Article 12(3) requires you to respond on the request without undue delay and in any event within one month of receipt. That period can be extended by two further months where the request is genuinely complex or numerous — but only if you tell the data subject about the extension, and why, within that first month.

For HR, two operational consequences follow:

When you evaluate any vendor, ask the direct question: can you delete a specific person's content, on request, within the statutory timeframe — and will you commit to it? For Gathmo, GDPR-compliant deletion on request is part of the model — actioned within the statutory window on every tier. The point for procurement is to get the erasure path in writing, not to discover it during a live request.

If your attendees are spread across EU member states, the GDPR still governs — there is no internal EU border that changes the analysis. The bigger question is where the data goes, and that is where the choice of platform becomes a compliance decision, not just a feature one.

Transfers of personal data outside the EU are lawful only on an adequacy decision (Art. 45) or appropriate safeguards such as Standard Contractual Clauses (Art. 46), with enforceable rights and remedies. As of mid-2026, the EU-US Data Privacy Framework adequacy decision (adopted July 2023) remains in force — the EU General Court dismissed the first challenge to it in September 2025, and an appeal is pending before the CJEU with no hearing date announced. That makes transfers to DPF-certified US organisations possible, but the framework is not risk-free, and SCCs plus a transfer-impact assessment remain the prudent fallback.

The simplest way to avoid the entire transfer question is to keep the data in the EU in the first place. And here the market splits sharply. Looking at publicly available company information as of June 2026:

Gathmo's position here is built for this exact concern: data residency in the EU, with object storage in the EU jurisdiction, the primary database in Frankfurt, EU compute, and Data Processing Agreements in place with its processors. For an HR or procurement team whose default question is "does this keep employee data in Europe?", that is a yes you can put in front of legal — and the residency comes with the proof (named data centre, processor DPAs) rather than a marketing badge. It is worth being precise, though: several vendors claim European servers, so the differentiator is verifiable proof and a signed DPA, not the EU claim alone.

This is the part procurement cannot skip. When an external tool processes personal data on your behalf and on your instructions, the relationship is controller-to-processor, and the GDPR requires it to be governed by a binding written contract — a Data Processing Agreement — under Article 28(3).

That contract is not boilerplate you can wave through. Article 28(3) mandates that it set out the subject-matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, and the controller's rights and obligations — and that it impose on the processor a specific set of duties: processing only on your documented instructions, confidentiality, Article 32 security measures, conditions for engaging sub-processors, assistance with data-subject rights, deletion or return of the data at the end of the service, and submission to audits.

In plain terms: your organisation is the controller; the photo tool is the processor; and you need a compliant DPA with it before employee photos go anywhere near it. A vendor that cannot produce one is not a vendor an EU enterprise can use.

When you assess tools, this is the single highest-value question:

Gathmo provides a DPA — available on request across the per-event tiers, and included on the B2B Studio, Agency, and Enterprise subscriptions. The contrast worth flagging to your legal team: across this market, a dedicated, downloadable DPA and a published sub-processor list are the exception, not the norm — many consumer-focused tools simply do not offer one.

If you collect photos via a scannable code on lanyards, table cards, or stage signage, a couple of practical specs keep it usable — and the upload page is also the right place to put your Article 13 information notice. For lanyards and badges, keep the code at least 2 x 2 cm (2.5 x 2.5 cm is more comfortable at arm's length); on a stage banner viewed from across the room, size it far larger. Keep the required quiet-zone margin around it, use a dark code on a light background, and always test-print and scan a proof at the real size before you print hundreds. A code that fails to scan does not just lose photos — it sends frustrated employees somewhere other than your consent notice.

Frequently asked

Yes, whenever an organisation collects, stores, or publishes photos of identifiable people for its own purposes. The "purely personal or household activity" exemption (Art. 2(2)(c)) can cover an individual keeping their own snaps, but it does not cover the employer or any platform processing photos on the employer's behalf.

Not always — you need a lawful basis under Article 6, which can be legitimate interest (Art. 6(1)(f)) for low-risk internal documentation, provided you perform and document the balancing test. But for outward-facing or marketing/recruiting use, and given the dependence in the employment relationship, explicit, freely-given consent (with a consequence-free right to refuse) is the defensible route. In Germany, BDSG § 26 governs employee data specifically.

Only if you have a valid alternative legal basis and the publication doesn't override the employee's rights — and even then, transparency (Art. 13) and the right to object still apply. For anything beyond a closed internal circle, treat explicit consent as the safe default; publishing photos of people on the open internet can also fall outside any "personal use" exemption (see Ryneš, C-212/13).

For no longer than necessary for the purpose you collected them for (storage limitation, Art. 5(1)(e)), and limited to what is necessary (data minimisation, Art. 5(1)(c)). Define a retention period in advance; a tool with automatic deletion after a set window enforces this for you.

You must action a valid erasure request (Art. 17) without undue delay and within one month of receipt (Art. 12(3)), extendable by two months for genuinely complex requests if you notify the person within the first month. This is far easier when all event media lives in one managed gallery with a clear deletion path.
