Office Holiday Party Photo Sharing: The Compliant Way to Collect Team Photos

The office holiday party is the one event of the year where everyone has their phone out. By the end of the night your team has captured hundreds of photos and clips — and almost none of it will reach the rest of the company. It scatters across personal camera rolls, a WhatsApp group three people can't export, and a "temporary" shared-drive folder. Then Internal Comms asks for a handful of shots for the new-year newsletter, and the search begins.

There's a faster way to collect everything in one place — and at a corporate event, with employees in frame, the fast way has to be the compliant way too. The moment your organisation collects, stores, or publishes photos of identifiable staff, the General Data Protection Regulation applies, and "it was just the Christmas party" is not a position your data protection officer will sign off. This is a practical, step-by-step guide to doing it right: collect team photos without an app, capture consent at upload, keep employee images in the EU, set a sensible retention window, and honour a deletion request when one lands. It's written for the EU/EEA context, with notes for Germany; for the deeper legal treatment, see our companion guide, GDPR and Employee Event Photos: What HR Needs to Know in 2026.

Not legal advice. This explains the relevant GDPR provisions for general guidance only and cites the regulation directly so you can verify each point — but it is not a substitute for advice from your own data protection officer or counsel.

The defaults feel harmless, which is why they cause trouble. A WhatsApp or Teams group scatters employee photos across a chat nobody controls, with no clean export and no way to delete one person's images on request — and group chats get ignored anyway (40% of people feel overwhelmed by them; The Conversation, 2023). A shared-drive folder has no consent record, no retention limit, and lives forever. A pile of personal camera rolls means the photos never reach the company at all — around 70% of camera-phone photos are never revisited (Popsa / Digital Camera World, 2025).

None of these can answer the five questions a corporate event has to: What's our legal basis? Did we tell people? Where does the data live? How long do we keep it? How fast can we delete on request? A purpose-built collector can — and yes, this is squarely covered by GDPR. The "personal use" exemption that gets passed around the office (processing "by a natural person in the course of a purely personal or household activity," Art. 2(2)(c)) can shield an employee keeping their own snaps; it does not shield the employer. A company-organised event photographed for company purposes is professional/commercial processing, and identifiable colleagues in those photos are personal data.

The single choice of how photos come in determines how hard every later obligation will be. A QR-code, browser-based collector is the path of least resistance for a corporate crowd: guests scan one code and upload from their phone, with no app to install and no account to create. You can't ask 200 colleagues to download software and sign up before they'll share a photo — and the no-install approach works because smartphones and QR scanning are now near-universal (around 97% smartphone penetration in Germany in 2024, per Statista; 68% of consumers used a QR code in the prior year, per TEAM LEWIS, 2024).

For a corporate event the decisive questions aren't about filters and stickers — they're these, and the rest of this guide works through each:

One trap to avoid up front: several consumer event apps lead with face-recognition photo finding ("scan a selfie, get all your photos"). A neat trick at a wedding; at an office party, a liability. A photo of a face is not automatically special-category data — Recital 51 confirms images count as biometric data "only when processed through a specific technical means allowing the unique identification or authentication of a natural person." But the instant a tool builds a face template to match people, it processes biometric data to uniquely identify a person — which Article 9(1) prohibits absent a specific exception (typically separate, explicit consent). A plain gallery that doesn't build face templates stays out of Article 9 by default. (Gathmo does not offer facial recognition or face-search — it's a Phase 2 roadmap item, not a live feature. Here, the absence is the safer setting.)

Transparency isn't satisfied by a sign nobody reads. Where you collect personal data directly from people, Article 13(1) requires you to provide — at the time of collection — who the controller is and how to contact them, the purposes and the legal basis, and, where you rely on legitimate interest, the specific interest pursued.

The upload screen behind your QR code is the natural place for this. When a colleague scans and lands there, that page can carry the notice and capture consent in context — recorded where the photo is shared, not buried in a policy nobody opened. Keep the notice plain: who the controller is and how to reach them (plus the DPO where you have one); why you're collecting the photos; the legal basis (and, if legitimate interest, what that interest is); how long the images are kept; and what rights people have, including how to object and request erasure.

On legal basis, the employment relationship complicates things: because employees depend on their employer, regulators doubt consent in that context is ever truly "freely given." For low-stakes internal documentation — a few shots in the next team update — legitimate interest (Art. 6(1)(f)) may suffice, provided you've performed and recorded the balancing test. For anything outward-facing or promotional — recruiting, marketing, social — explicit, opt-in consent with a consequence-free right to refuse is the defensible route. In Germany, BDSG § 26 governs employee data directly, and "necessity" under it is a poor fit for marketing photos — another reason to lean on documented consent beyond the intranet.

A holiday party is exactly the event where you want a look at the photos before they're public — someone will upload a shot that's unflattering, off-colour, or simply not something a colleague wants on the all-hands slide. The compliant posture is review-before-publish: uploads land in a private queue, and an organiser approves what goes into the shared album, onto a screen, or onto Internal Comms' shortlist. AI pre-screening can flag obviously inappropriate content, with a human making the final call. This protects both the people in the photos and the company's brand — a control you don't have when images go straight into a group chat. (Gathmo runs visual AI moderation plus a human review queue; AI moderation is included from the Essential tier upward — the Free tier is unmoderated, worth knowing if you're collecting employee photos.)

For an EU company photographing its own staff, where the data sits is a compliance decision, not a feature preference — and keeping it in the EU avoids the third-country-transfer question entirely. Transfers outside the EU are lawful only on an adequacy decision (Art. 45) or appropriate safeguards such as Standard Contractual Clauses (Art. 46). As of mid-2026 the EU-US Data Privacy Framework adequacy decision (July 2023) remains in force — the EU General Court dismissed the first challenge in September 2025, with an appeal pending before the CJEU — so transfers to DPF-certified US organisations are possible, but the framework isn't risk-free, and SCCs plus a transfer-impact assessment remain the prudent fallback. The cleaner answer is to not export the data at all. Here the market splits sharply, on each provider's own publicly available information as captured on 2026-06-08:

(Gathmo hosts in the EU — object storage in the EU jurisdiction, the primary database in Frankfurt, EU compute — with Data Processing Agreements in place with its processors. To be clear, several vendors claim European servers, so the real differentiator is verifiable proof — a named data centre and signed DPAs — not the EU claim alone.)

Photos of employees can't sit on a drive forever. Two principles in Article 5 govern this: data minimisation (Art. 5(1)(c)) — collect only what's necessary — and storage limitation (Art. 5(1)(e)) — keep data identifiable no longer than necessary for the purpose. So decide the retention period before you collect: a gallery that auto-deletes after a defined window enforces storage limitation for you, instead of relying on someone clearing out a folder next year. Set it long enough that Internal Comms can pull what they need and the team can download their photos, then let it expire. (Gathmo's per-event tiers carry explicit, finite retention windows — from 14 days on the Free tier up to 365 days on the top tier — rather than open-ended storage, exactly the behaviour Art. 5(1)(e) is asking for.)

At some point a colleague will ask that pictures of them not be kept or published. That's the right to erasure (Art. 17) — the "right to be forgotten" — and it isn't a courtesy you can decline. Under Article 17(1), a person can require erasure without undue delay where a ground applies (for example, the data are no longer necessary, or consent is withdrawn with no other basis). And there's a hard clock: Article 12(3) requires you to respond within one month of receipt, extendable by two months only for genuinely complex requests, and only if you tell the person about the extension within that first month.

Two consequences: you need to know where every photo lives — scattered across phones, chats, and drives, a one-month request becomes a manual scramble; a single managed gallery with a clear deletion path makes it one action. And withdrawal of consent must be as easy as giving it — where consent is your basis, a colleague can pull it, and you must then erase. So ask any tool directly: can you delete a specific person's content, on request, within the statutory timeframe — and will you commit to it in writing? (With Gathmo, GDPR-compliant deletion on request is part of the model — actioned within the statutory window on every tier.)
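As an added illustration (not Gathmo's code or any real product's), here is a small Python model of the two mechanics described above: a finite retention window that expires the whole gallery, and an Art. 12(3) erasure clock with a one-month deadline counted in calendar months (so a request received on 31 January is due 28 February), a single two-month extension allowed only if the person is notified within the first month, and per-person deletion reported as on time or late. The class and function names and the sample data are assumptions.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Advance by calendar months, clamping to month end (31 Jan + 1 month ->
    28/29 Feb), the usual reading of a 'one month' deadline."""
    m0 = d.month - 1 + months
    year, month = d.year + m0 // 12, m0 % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Gallery:  # assumed model of one managed event gallery
    created: date
    retention_days: int  # finite window fixed before collection (Art. 5(1)(e))
    photos: dict = field(default_factory=dict)    # photo id -> identifiable people
    requests: dict = field(default_factory=dict)  # person -> [received, deadline, extended]

    def add_photo(self, photo_id: str, people: set) -> None:
        self.photos[photo_id] = set(people)

    def purge_expired(self, today: date) -> list:
        """Storage limitation: once the window closes, everything goes."""
        if today < self.created + timedelta(days=self.retention_days):
            return []
        removed = sorted(self.photos)
        self.photos.clear()
        return removed

    def receive_erasure_request(self, person: str, received: date) -> date:
        """Art. 12(3): respond within one month of receipt."""
        self.requests[person] = [received, add_months(received, 1), False]
        return self.requests[person][1]

    def extend_deadline(self, person: str, notified_on: date):
        """Two extra months, only once and only if the person is told within
        the first month; returns the new deadline or None if not available."""
        req = self.requests[person]
        if req[2] or notified_on > req[1]:
            return None
        req[1], req[2] = add_months(req[0], 3), True
        return req[1]

    def erase_person(self, person: str, today: date) -> dict:
        """Delete every photo the person appears in; report whether it was on time."""
        removed = sorted(pid for pid, ppl in self.photos.items() if person in ppl)
        for pid in removed:
            del self.photos[pid]
        req = self.requests.pop(person, None)
        return {"removed": removed, "on_time": req is None or today <= req[1]}
```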

This is the part procurement can't skip. When an external tool processes personal data on your behalf and on your instructions, the relationship is controller-to-processor, and the GDPR requires a binding written contract — a Data Processing Agreement — under Article 28(3). It's not boilerplate: Article 28(3) requires it to set out the subject-matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, and to impose on the processor a defined set of duties — processing only on your documented instructions, confidentiality, Article 32 security measures, sub-processor conditions, assistance with data-subject rights, deletion or return of the data at the end, and submission to audits.

In plain terms: your organisation is the controller; the photo tool is the processor; and you need a compliant DPA with it before employee photos go near it. A vendor who can't produce one isn't a vendor an EU employer can use. Three questions: Can you provide a GDPR Article 28 DPA? (If the answer is "what's that?", stop.) Will you name your sub-processors and where they're located? Will you commit to deleting or returning our data at the end? (Gathmo provides a DPA — on request across the per-event tiers, and included on the B2B Studio, Agency, and Enterprise subscriptions. Across this market, a dedicated DPA and a published sub-processor list are the exception, not the norm.)

The upload page behind the code is where your Article 13 notice lives, so a code that fails to scan doesn't just lose photos — it sends people past your consent notice. A few specs keep it usable:

Frequently asked

Yes, when they show identifiable people. They become special-category biometric data only when processed "through a specific technical means allowing the unique identification or authentication of a natural person" (Recital 51) — for example, facial-recognition matching. A plain gallery that stores and displays photos doesn't cross that line.

Not in itself. Sharing employee photos is lawful if you have a valid Article 6 basis, you've met the transparency duty (Art. 13), and the use doesn't override the person's rights. It becomes a problem when there's no legal basis, no notice, or you ignore an objection or erasure request. Beyond a closed internal circle, treat explicit consent as the safe default.

Sometimes — for low-risk internal documentation a company may rely on legitimate interest (with a documented balancing test). But for outward-facing or marketing use, and given the dependence in the employment relationship, explicit, freely-given consent (with a consequence-free right to refuse) is the defensible route. In Germany, BDSG § 26 governs employee data specifically.

No longer than necessary for the purpose (storage limitation, Art. 5(1)(e)), and limited to what's necessary (data minimisation, Art. 5(1)(c)). Set a retention window in advance; a tool that auto-deletes after a defined period enforces this for you.

Action a valid erasure request (Art. 17) within one month of receipt (Art. 12(3)), extendable by two months for genuinely complex requests if you notify the person within the first month. Far easier when all the media lives in one managed gallery with a clear deletion path.