GDPR Checklist for Corporate Event Photography: A Guide for Event Planners
You are three weeks out from a 400-person conference. The agenda is locked, the badges are at the printer, and someone from legal has just asked whether the photo-collection tool you picked is "GDPR-compliant." You do not need a law degree to answer that — you need a checklist you can work through, tick off, and hand back with confidence.
This is that checklist. It is written for event planners, HR managers, and procurement leads running corporate events in the EU/EEA, where collecting photos and video of identifiable attendees is regulated personal-data processing the moment the first image lands. Work through the sections below before the event, and you will have addressed the obligations that actually get raised in a procurement review — legal basis, the information notice, retention, erasure, international transfers, and the Data Processing Agreement — with the regulation cited so legal can verify each line.
Not legal advice. This is general guidance that cites the GDPR directly so you can check each point against the source text. It is not a substitute for advice from your own data protection officer or counsel on your specific event. Where this checklist names a Gathmo capability, it is to show what a compliant tool looks like in practice — verify the equivalent for whatever platform you choose.
There are six sections, ordered the way an event runs. Each is a short list of yes/no checks: tick every box and you have covered what EU procurement teams test for; leave one empty and that is exactly where your DPO will push back. One scope note before you start — the checks assume ordinary photo and video galleries (storing and displaying images), not facial recognition. If your tool runs face-matching to group or identify attendees, you cross into a much stricter regime; see the dedicated check in Section 1.
This is where a corporate event differs most from a wedding or a birthday. The platform you pick is not just a feature decision; it is a data-processing decision your legal team will audit. Run these checks against any shortlisted vendor.
☐ Does the vendor provide a GDPR Article 28 Data Processing Agreement (DPA)? When an external tool processes personal data on your behalf and on your instructions, the relationship is controller-to-processor, and Article 28(3) requires a binding written contract. It must set out the subject-matter, duration, nature and purpose of processing, the data types and categories of data subjects, and your rights as controller — and impose on the processor a defined set of duties (processing only on your documented instructions, confidentiality, security, sub-processor conditions, assistance with data-subject rights, deletion or return of data at the end of service, and submission to audits). If a vendor cannot produce a DPA, an EU enterprise cannot use it. (GDPR Art. 28(3).)
☐ Will the vendor name its sub-processors and where they are located? The DPA conditions for engaging sub-processors are part of Article 28. You cannot complete a transfer analysis or a vendor-risk assessment if you do not know who else touches the data and from which country.
☐ Will the vendor commit, in writing, to deleting or returning your data at the end of the engagement? This is one of the mandatory Article 28(3) processor duties. Get it in the contract, not in a sales email.
☐ Where is the data hosted — and will the vendor state it plainly? A vendor that cannot tell you the hosting jurisdiction has just made your transfer analysis impossible. Treat "we don't disclose that" as a fail. (Section 5 covers what to do with the answer.)
☐ Does the tool use facial recognition — and if so, do you actually want that liability? This is the single check most likely to be overlooked, because face-search is marketed as a convenience. A photograph of a face is not automatically special-category data; Recital 51 confirms images fall within the definition of biometric data "only when processed through a specific technical means allowing the unique identification or authentication of a natural person."
But the moment a tool builds a face template to group attendees or let people "find all photos of me" by selfie, it is processing biometric data for the purpose of uniquely identifying a person, which Article 9(1) prohibits unless one of the Article 9(2) exceptions applies (for ordinary event photography, realistically only the data subject's separate, explicit consent under Art. 9(2)(a)). That is a materially higher consent bar than ordinary photos require.
Several competitors in this market lead with face-recognition photo-finding; at a corporate event with employees, that feature converts your photo collection into Article 9 processing and a documented explicit-consent obligation you did not ask for. (GDPR Art. 9(1); Recital 51.)
Tooling note. Gathmo does not offer facial recognition or face-search at launch — it is a Phase 2 roadmap item, not a live feature. For a corporate buyer, that absence is the point: ordinary galleries that build no face templates stay out of Article 9 by default. If you ever do want face-search, treat it as a deliberate, separately-consented decision rather than a toggle switched on quietly inside an app.
You are the controller: your organisation decides why and how the photos are processed. Every act of processing needs a lawful basis under Article 6. For ordinary event photos, two are realistic, and choosing correctly is the difference between a defensible position and a guess.
☐ Have you identified your Article 6 lawful basis, and is it the right one for the use? Legitimate interest (Art. 6(1)(f)) is available where processing is necessary for your interests or a third party's, and those are not overridden by the interests or fundamental rights of the data subject: a balancing test, with heightened protection where a child is involved. Consent (Art. 6(1)(a)) must be freely given, specific, informed and unambiguous (Art. 4(11)); it is the safer basis, and the required one where the balance fails or special-category data is involved. (GDPR Art. 6(1)(a), 6(1)(f), Art. 4(11).)
☐ If you are relying on legitimate interest, have you performed and recorded the balancing test? "We assumed it was fine" is not a documented balancing test. For low-risk, internal-facing documentation — a few shots in the next team update — legitimate interest can suffice, but only if you have actually weighed and recorded it.
☐ For employee photos specifically, have you accounted for the employment relationship? Because employees depend on their employer, regulators are sceptical that consent in that context is truly "freely given" (Recital 43 says consent should not be a valid ground where there is a clear imbalance between data subject and controller). In Germany, BDSG § 26 governs employee data directly: § 26(1) permits processing where necessary for the employment relationship, and § 26(2) recognises that employment-context consent can be valid but must be assessed for voluntariness and should be given in writing or electronically. Necessity under § 26(1) is usually a poor fit for marketing or recruiting photos, so for anything outward-facing the defensible route is freely given, documented consent with a consequence-free right to refuse. (Note: § 26(1) has been held in part contrary to EU law following CJEU C-34/21, so processing may also rest directly on Art. 6 GDPR, which is another reason to ground promotional photos in clean, explicit consent.) (BDSG § 26(1) and (2); GDPR Recital 43.)
A rule of thumb to tick against:
Transparency is not optional, and a sign nobody reads does not satisfy it. Where you collect personal data directly from the data subject, Article 13(1) requires you to provide a defined set of information at the time of collection, including the controller's identity and contact details, the DPO's contact details where there is one, the purposes and legal basis of the processing, and, where you rely on legitimate interest, the specific interests pursued. Article 13(2) adds the retention period (or the criteria used to set it), the data subject's rights, and the right to withdraw consent where consent is the basis. (GDPR Art. 13(1) and 13(2).)
Tick each element into your notice:
☐ Who is the controller (your organisation), how to contact them, and the DPO where you have one.
☐ Why you are collecting the photos (internal newsletter, intranet gallery, recruiting page).
☐ The legal basis, and, if legitimate interest, what that interest is.
☐ How long the images will be retained.
☐ What rights attendees have, including how to object, how to withdraw consent, and how to request erasure.
☐ Is the notice surfaced at the point of capture or upload — not buried elsewhere? For a QR-based collection flow, the upload landing page is the natural home for this notice. When the scan takes an attendee to an upload screen, the information can sit right there, and consent (where you rely on it) is captured in context rather than assumed. A tool that captures consent on upload makes this check easy to tick.
Indefinite storage is a finding waiting to happen. Two principles in Article 5 govern how long photos can live and how much you may collect: storage limitation (Art. 5(1)(e), keep the data no longer than necessary for the purpose) and data minimisation (Art. 5(1)(c), collect only what is adequate, relevant and necessary for that purpose).
☐ Have you defined a retention period before the event — not after a complaint? A gallery that auto-deletes after a set window enforces storage limitation for you, rather than relying on someone remembering to clear a shared drive. This is one place a purpose-built tool with defined, automatic retention beats an ad-hoc folder outright. For reference, Gathmo's per-event tiers carry explicit, finite retention windows — from 14 days on the Free tier to 365 days on the top tier — rather than open-ended storage. Whatever you use, the box you are ticking is the same: a defined end date for the data.
☐ Are you collecting only what you need? Minimisation is its own check. A phone JPEG carries an EXIF block that can include GPS coordinates, the capture time and the device make, model and serial number; none of that is needed to display a gallery. If the tool hoovers up metadata or media you have no purpose for, that is a box you cannot honestly tick. Ask the vendor whether embedded metadata is stripped on upload and whether the original file is retained.
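The minimisation check is where a tool's upload pipeline matters in practice: the pixels are the purpose, the EXIF block is not. The following Python is an added example and not Gathmo's code or part of the original checklist. It walks the JPEG marker segments ahead of the image data and drops the EXIF, XMP and Photoshop/IPTC application segments while copying everything else through untouched, using only the standard library. The sample JPEG bytes are constructed inline so it runs offline; they follow valid segment syntax but are not a real photo, and the EXIF body is a bare TIFF header rather than a tag table.

```python
"""Strip EXIF/XMP/IPTC application segments from a JPEG, stdlib only.

Added example for the data-minimisation check: an upload pipeline that keeps
the picture but not the phone's location, timestamps or device identifiers.
"""
from __future__ import annotations

import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1, APP13, DQT = 0xFFE0, 0xFFE1, 0xFFED, 0xFFDB

# Application-segment payload prefixes that carry metadata rather than pixels.
METADATA_PREFIXES = {
    (APP1, b"Exif\x00\x00"): "EXIF",
    (APP1, b"http://ns.adobe.com/xap/1.0/\x00"): "XMP",
    (APP13, b"Photoshop 3.0\x00"): "IPTC/Photoshop",
}


def _classify(marker: int, payload: bytes) -> str | None:
    """Return the metadata label for a segment that should be dropped, else None."""
    for (m, prefix), label in METADATA_PREFIXES.items():
        if marker == m and payload.startswith(prefix):
            return label
    return None


def strip_jpeg_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned JPEG bytes, labels of the segments removed).

    Only the marker segments before Start Of Scan are inspected; everything
    from SOS to the end (entropy-coded image data and EOI) is copied verbatim,
    so the picture itself is never re-encoded.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(data[:2])
    removed: list[str] = []
    pos = 2
    while pos + 2 <= len(data):
        # A marker may be preceded by 0xFF fill bytes; skip them.
        while data[pos] == 0xFF and pos + 2 < len(data) and data[pos + 1] == 0xFF:
            pos += 1
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (SOS, EOI):
            out += data[pos:]            # image data and EOI: copied through untouched
            return bytes(out), removed
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        # Segment length counts its own two length bytes but not the marker.
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segment = data[pos:pos + 2 + length]
        pos += 2 + length
        label = _classify(marker, segment[4:])
        if label is not None:
            removed.append(label)        # metadata: dropped
            continue
        out += segment                   # JFIF, quantisation tables, frame header etc.: kept
    raise ValueError("truncated JPEG: no SOS or EOI marker found")


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: marker, 2-byte length (payload + 2), payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed fixture, not a real photo: valid segment layout, two bytes of
# "image" data. The EXIF payload is just a big-endian TIFF header, the place a
# phone would put GPS and device tags.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00")
    + _segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00" + b"<x:xmpmeta/>")
    + _segment(DQT, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"                        # entropy-coded data (filler)
    + b"\xff\xd9"                        # EOI
)


def demo() -> dict:
    """Run the stripper over the fixture and report what changed."""
    cleaned, removed = strip_jpeg_metadata(SAMPLE_JPEG)
    return {
        "removed": removed,
        "bytes_before": len(SAMPLE_JPEG),
        "bytes_after": len(cleaned),
        "idempotent": strip_jpeg_metadata(cleaned) == (cleaned, []),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file on the fixture removes the EXIF and XMP segments and leaves the JFIF header, quantisation table and scan data byte-for-byte intact; a second pass removes nothing, which is the property you want from a step that runs on every upload. In a real pipeline you would run this before the file is written to object storage, so the only copy that ever exists is the stripped one.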
If your attendees span multiple EU member states, keep the same GDPR checklist in place. The harder question is where the data goes, and that is where your tool choice becomes a compliance decision.
☐ Do you know whether any data leaves the EU, and is there a lawful transfer mechanism if it does? Transfers outside the EU are lawful only on an adequacy decision (Art. 45) or appropriate safeguards such as Standard Contractual Clauses (Art. 46) with enforceable rights and remedies; the Article 49 derogations are narrow and not a basis for routine hosting. As of mid-2026, the EU-US Data Privacy Framework adequacy decision (adopted July 2023) remains in force: the EU General Court dismissed the first challenge to it in September 2025, and an appeal is pending before the CJEU with no hearing date announced. Transfers to DPF-certified US organisations are therefore possible, but the framework is not risk-free; SCCs plus a transfer-impact assessment remain the prudent fallback. (GDPR Art. 45, Art. 46(2)(c), Art. 49; CJEU C-311/18 Schrems II; Commission DPF adequacy decision 2023.)
☐ The clean shortcut: does the tool simply keep the data in the EU? The simplest way to avoid the entire transfer question is to keep the data in the EU in the first place. Here the market splits sharply. Looking at each provider's own publicly available information as captured on 2026-06-08:
Gathmo is built for this exact check: data residency in the EU, with object storage in an EU jurisdiction, the primary database in Frankfurt, EU compute, and Data Processing Agreements with its processors. The residency comes with proof (a named data centre and processor DPAs) rather than a marketing badge. Be precise here, though: several vendors claim European servers, so the differentiator a procurement team should test for is verifiable proof and a signed DPA, not the EU claim on its own.
This is the right to be forgotten, and it is not a courtesy you can decline. Under Article 17(1), a data subject can require you to erase their personal data without undue delay where a ground applies (for example, the data are no longer necessary, or consent is withdrawn and there is no other legal basis). And there is a hard clock: Article 12(3) requires you to respond without undue delay and in any event within one month of receipt — extendable by two further months for genuinely complex or numerous requests, but only if you notify the person of the extension and the reasons within that first month. (GDPR Art. 17(1); Art. 12(3).)
☐ Do you know where every photo lives, so you could action a deletion in one place? If your event media is scattered across phones, chat groups, and shared drives, a one-month deletion request becomes a manual scramble. A single managed gallery with a clear deletion path turns it into one action — which is the entire operational reason to use one.
☐ If your basis is consent, is withdrawing it as easy as giving it? Article 7(3) requires exactly that. An attendee can pull consent at any time, and you must then erase (absent another lawful basis). The withdrawal path has to be real, not theoretical. (GDPR Art. 7(3).)
☐ Has the vendor committed to actioning deletion on request within the statutory timeframe? Ask the direct question and get it in writing: can you delete a specific person's content, on request, within the statutory window — and will you commit to it? For Gathmo, GDPR-compliant deletion on request is part of the model. Across this market, a dedicated DPA and a published sub-processor list are the exception, not the norm — so getting the erasure path in writing before you sign, rather than discovering it during a live request, is the whole point.
If you collect via a scannable code on lanyards, table cards, or stage signage, the upload page it points to is also where your Article 13 notice should live, so a code that fails to scan does not just lose photos, it sends frustrated attendees away from your consent notice. A few specs keep it usable: on a lanyard or badge, keep the code at least 2 x 2 cm (2.5 x 2.5 cm is more comfortable at arm's length); on a stage banner viewed from across the room, size it far larger. Keep the required quiet-zone margin around it (four modules of blank space on every side), use a dark code on a light background, and test-print and scan a proof at the real size before printing hundreds.
Print this and walk it past your DPO:
Frequently asked
Not inherently. Processing personal data — which includes collecting, storing, displaying, or publishing photos of identifiable people — is lawful when you have a valid Article 6 basis, have met your transparency duty (Art. 13), and respect the data subject's rights. A breach arises when you process without a lawful basis, beyond what people were told, or fail to honour rights such as erasure. The checklist above is designed to keep you on the lawful side of that line.
Yes, when a photograph identifies a person and you are processing it for organisational purposes. Ordinary photos are personal data; they become special-category biometric data only when processed through a specific technical means for unique identification, such as facial recognition (Recital 51, Art. 9). So a normal gallery is regulated personal-data processing; a face-matching feature is a stricter, Article 9 regime.
Only with a valid lawful basis, and even then transparency (Art. 13) and the right to object still apply. For outward-facing or promotional publication of employees, explicit, freely-given consent is the defensible default; relying on legitimate interest for marketing use is fragile, and in the employment context the dependence in the relationship makes consent the safer basis (see BDSG § 26 in Germany).
For no longer than necessary for the purpose you collected them for (storage limitation, Art. 5(1)(e)), and limited to what is necessary (data minimisation, Art. 5(1)(c)). Define a retention period before the event; a tool that auto-deletes after a set window enforces this for you.
The four highest-value questions: Can you provide a GDPR Article 28 DPA? Will you name your sub-processors and their locations? Where is the data hosted? And will you commit to deleting our data, including on a specific person's erasure request, within the statutory timeframe? If a vendor cannot answer the first, stop there.