Personal-data photos, consent, KUG vs. GDPR, events, children, model releases and a checklist — practical for your photography.
Author: Martin Kleinheinz, Photographer · Hannover
Updated: May 26, 2026
If you're reading this article, you're probably like many of your peers: creative, passionate — and a little overwhelmed by the legal side of your work. The GDPR sounds like bureaucracy and warning-letter lawyers, but at its core it carries a simple yet fundamental message: as soon as a person is identifiable in a photo, you are processing personal data. A portrait, a wedding shot, a picture from the company party — legally these are no longer mere works of art but data sets under strict protection.
For your day-to-day work this means: you are not only an artist or service provider but also a controller under the GDPR. That role brings duties of transparency, a clear legal basis and respecting the rights of every person depicted — starting at the moment you press the shutter, not just at publication.
This guide is not here to scare you. It's here to take away the uncertainty and show how the GDPR can be understood as a professional framework for your work — not an enemy. With the right processes you can refocus on what you love: making great pictures. Ready-made templates can be found in "Model Release & Property Release", delivery to clients is covered in "Image delivery as a photographer", and the practical guide "Event photography tips" rounds out the topic for events.
01
Introduction
Why the GDPR Really Concerns You
Before 2018, photography in many situations sat in a legal grey zone where people relied on the German Art Copyright Act (KUG) and their gut feeling. Since the General Data Protection Regulation took effect across Europe, the perspective has fundamentally shifted: it is no longer publication that sits at the centre, but the entire processing of data — and a photo in which a person is identifiable is exactly that: personal data.
This has consequences many photographers underestimate. The moment you press the shutter, data processing begins. The moment you write the image to the SD card, import it into Lightroom, upload it to a cloud or deliver it to a client, processing continues. Every one of those steps needs a legal basis — either explicit consent from the person depicted, or a legitimate interest that does not unreasonably violate their privacy.
The good news: the GDPR is not a talent killer. It is not a tool to suffocate creative work. What it demands above all is one thing — transparency. If you take the people in front of your camera seriously, explain what you do, and document your processes cleanly, you are usually already 90 % compliant. The remaining 10 % is solid contracts and a clear head for special cases like children or concerts.
If you ignore the topic, you risk more than a bad conscience: warning letters, damage claims and, in the worst case, large fines from supervisory authorities. Wedding, event and business photographers in particular are frequent targets of warning letters because their images are easy to find online. Once you've established clean standards, however, you can shoot calmly for years to come — the risk becomes manageable.
02
Basics
What Counts as a Personal-Data Photo?
Before you can apply the GDPR properly, you have to understand what it actually means when it talks about "personal data". Article 4(1) defines it as "any information relating to an identified or identifiable natural person". A photo is precisely that kind of information — as soon as the person depicted is identifiable.
This is much broader than most people think. It's not only about the classic, well-lit portrait with a fully visible face. A person is considered identifiable as soon as they can be recognised directly or indirectly. Directly means: the face is clearly visible and anyone who knows the person would recognise them instantly. Indirectly means: even if the face is turned away, blurred or not in the frame at all, other features can still allow identification.
Such indirect features are often more important in practice than people think. A unique tattoo on the forearm, a particularly striking scar, the distinctive silhouette of a dancer in her training outfit, an athletic build in a certain jersey, or the combination of clothing and context can be enough. The setting itself can also contribute to identification: a person in front of their unique house or at their workplace can be recognisable even as a mere shadow. Even companions in the frame can enable identification of an otherwise anonymous person, because the combination becomes unique.
The test is always the same: could a third party with the right additional knowledge — a friend, family member, colleague — recognise the person depicted? If the answer is yes, the GDPR applies. This also holds when you don't know the person yourself. The question is not whether you can identify them, but whether the person is theoretically identifiable. A photo doesn't become anonymous just because you, as the photographer, don't know whom you've captured.
The invisible data layer: EXIF and IPTC
An often overlooked aspect is the metadata of your photos. Every modern camera and smartphone automatically writes a wealth of technical and contextual information into the image file — the so-called EXIF and IPTC data. This includes GPS coordinates of the shooting location, date and exact time, camera model and all settings, sometimes even the device's serial number.
On their own these are already sensitive. Combined with image content, they form genuine digital fingerprints. A photo that shows a person only from behind seems harmless — but if the metadata reveals the exact location and time, additional images can combine into a movement profile. You are therefore processing not only the visible image but also this invisible, but legally equally relevant, data layer. For client delivery it's worth stripping GPS data, at least for private shoots.
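A pre-delivery check for the GPS stripping mentioned above, as an added example that is not part of the original article: it parses the EXIF block of a JPEG, reports whether a GPS directory is present and blanks it in place. The sample file is constructed for the demonstration, and only the EXIF GPS directory is handled; location fields in XMP or IPTC blocks are out of scope.

```python
import struct

EXIF_HDR = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # IFD0 entry that points at the GPS sub-directory
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF type


def find_exif(jpeg: bytes):
    """Return (start, end) of the TIFF block in the Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == EXIF_HDR:
            return pos + 10, pos + 2 + seglen
        pos += 2 + seglen
    return None


def _header(tiff) -> tuple[str, int]:
    """Return (struct byte-order prefix, offset of IFD0)."""
    bo = {b"II": "<", b"MM": ">"}.get(bytes(tiff[:2]))
    if bo is None or struct.unpack_from(bo + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    return bo, struct.unpack_from(bo + "I", tiff, 4)[0]


def _entries(tiff, off: int, bo: str):
    """List (entry_offset, tag, type, count, value_or_offset) for one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    return [(off + 2 + 12 * i, *struct.unpack_from(bo + "HHII", tiff, off + 2 + 12 * i))
            for i in range(n)]


def _zero(tiff: bytearray, off: int, size: int) -> None:
    if off + size > len(tiff):  # a bad offset must never grow the buffer
        raise ValueError("EXIF offset outside segment")
    tiff[off:off + size] = bytes(size)


def gps_present(jpeg: bytes) -> bool:
    """True if IFD0 still carries a pointer to a GPS directory."""
    span = find_exif(jpeg)
    if span is None:
        return False
    tiff = jpeg[span[0]:span[1]]
    bo, ifd0 = _header(tiff)
    return any(e[1] == TAG_GPS_IFD for e in _entries(tiff, ifd0, bo))


def strip_gps(jpeg: bytes) -> tuple[bytes, bool]:
    """Return (jpeg_without_gps, removed). File length and other offsets are kept."""
    span = find_exif(jpeg)
    if span is None:
        return jpeg, False
    tiff = bytearray(jpeg[span[0]:span[1]])
    bo, ifd0 = _header(tiff)
    ifd0_entries = _entries(tiff, ifd0, bo)
    hit = next((e for e in ifd0_entries if e[1] == TAG_GPS_IFD), None)
    if hit is None:
        return jpeg, False
    entry_off, gps_off = hit[0], hit[4]
    # 1. Overwrite GPS values stored outside the directory, then the directory itself.
    gps = _entries(tiff, gps_off, bo)
    for _, _, typ, count, val in gps:
        size = TYPE_SIZE.get(typ, 1) * count
        if size > 4:
            _zero(tiff, val, size)
    _zero(tiff, gps_off, 2 + 12 * len(gps) + 4)
    # 2. Drop the pointer entry: shift the later entries and the next-IFD offset up
    #    by one slot, leave 12 zero bytes of slack, and decrement the entry count.
    table_end = ifd0 + 2 + 12 * len(ifd0_entries) + 4
    tiff[entry_off:table_end] = tiff[entry_off + 12:table_end] + bytes(12)
    struct.pack_into(bo + "H", tiff, ifd0, len(ifd0_entries) - 1)
    return jpeg[:span[0]] + bytes(tiff) + jpeg[span[1]:], True


def build_sample() -> bytes:
    """Constructed sample: JPEG framing only, EXIF with Make and a GPS latitude."""
    ifd0 = (struct.pack("<H", 2) + struct.pack("<HHII", 0x010F, 2, 6, 38)
            + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 44) + struct.pack("<I", 0))
    gps = (struct.pack("<H", 2) + struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")
           + struct.pack("<HHII", 2, 5, 3, 74) + struct.pack("<I", 0))
    lat = struct.pack("<6I", 52, 1, 22, 1, 30, 1)  # 52 deg 22' 30", constructed value
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + b"Canon\x00" + gps + lat
    app1 = EXIF_HDR + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `gps_present` over the export folder works as a last gate before upload; because the file length is unchanged, the image data and the remaining EXIF fields such as orientation stay valid.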
Analogue vs. digital — any difference?
The GDPR is technology-neutral. It doesn't differentiate between a Sony sensor and a black-and-white negative. Digital photos practically always fall under the regulation because their processing is automated. Analogue photos are also covered as soon as they are organised in a "filing system" — sorted by clients, events or names, for instance. As soon as you scan analogue images, they are digital data and follow the same rules. For most professional photographers, the GDPR is therefore omnipresent.
03
Law
KUG vs. GDPR — what really applies?
One of the most confusing topics in photography law is the relationship between the GDPR and Germany's old Art Copyright Act (KUG). In 2018, many colleagues hoped that the familiar KUG with its well-known exceptions would simply remain in force. Reality is more complicated and requires a clear mental separation.
In principle, European law (the GDPR) takes precedence over national law (KUG). The GDPR is therefore your primary legal source. However, Article 85 GDPR contains a so-called opening clause allowing member states to create exceptions for processing data for journalistic, scientific, artistic or literary purposes. The German legislator has used this; courts — including the Federal Court of Justice — have confirmed that §§ 22 and 23 KUG remain applicable as exceptions in the purely journalistic area.
What does this mean in practice? It depends on the purpose of your photography. If you work as a press photographer for a newspaper, magazine or online medium reporting on current events, you can still rely on the KUG. The well-known exceptions of § 23 KUG — figures of contemporary history, participants in assemblies and processions, persons as incidental subjects beside a landscape — apply in that context. But beware: this only holds when the purpose is exclusively journalistic. As soon as commercial self-interests like advertising or sales come in, things get tricky fast.
Most photo-business work is not journalistic: weddings, portrait shoots, corporate photography, event reportage for PR purposes, ad shoots, stock photography. All of that primarily serves a commercial or contractual purpose. In these cases the legal situation is disputed, but the prevailing view — and the safest practice — is clear: follow the GDPR completely. Relying on KUG exceptions here is a substantial legal risk that often doesn't hold up if it goes to court.
A fundamental difference remains, even when you consistently follow the GDPR: the KUG mainly regulates the distribution and public display of images — that is, publication. The GDPR regulates the entire processing of personal data. That process begins when you press the shutter and includes every further step: storing, editing, archiving, handing over to third parties, deleting.
The shift in perspective is therefore not academic but everyday. Your guiding question in 2026 is no longer "Is there an exception in the KUG?" but: "Which legal basis under Art. 6 GDPR allows me to take and use this photo?" If you work with this question from the start, you've already internalised most of GDPR compliance.
04
Consent
Obtaining Consent Properly
By far the most important legal basis for your work is the consent of the person depicted under Article 6(1)(a) GDPR. But consent isn't just a casual "yes" in conversation or a friendly nod. To be legally effective, it must meet several strict criteria from Article 7. An invalid consent is legally almost the same as no consent — with all the negative consequences that brings.
The four pillars of valid consent
Valid consent must be freely given. The person must have a real choice, without pressure, coercion or the threat of disadvantages. If they refuse, no harm may come from that. This is especially tricky in employment: a staff member asked for consent for a photo on the company website may feel subtly pressured. There needs to be genuine, clearly communicated freedom of choice — ideally with an explicit note that refusal has no professional consequences.
It must be informed. In practice this is the most common pitfall. A blanket consent like "I agree to the use of the photos" is legally worthless. You must clearly and understandably communicate in advance who you are (name and contact as controller), for which specific purposes the photos will be processed (e.g. "for the private wedding album", "for publication in the portfolio on martinkleinheinz.de", "for ad campaigns on Instagram"), how long you will store the photos, whether you pass them on to third parties (lab, cloud provider, image agency), and that the consent can be withdrawn at any time.
It must be unambiguous, given through an affirmative action. A pre-ticked box in an online form has been explicitly impermissible since the GDPR. The person must take action themselves — by ticking a box, clicking an "I agree" button or signing. Silence, inaction or politely cooperating in front of the camera is not enough legally.
And it must be demonstrable. This is where the accountability obligation in Art. 5(2) GDPR comes in: in case of dispute, you bear the burden of proof. You must be able to demonstrate at any time that valid consent existed. Clean documentation — be it a paper folder with signed releases or a digital archive with timestamps — is therefore not a "nice to have" but your safety net.
Written, electronic or oral?
In practice, written consent has become the standard — usually in the form of a Model Release. That is the gold standard and the safest method: a written contract that the person signs after being informed, fulfilling all information duties and clearly documented. Important: templates from before 2018 are often not GDPR-compliant and must be updated — an old "model contract" PDF from the web won't do. Ready, up-to-date templates can be found in the post Model Release and Property Release free download.
Electronic consent is also valid if implemented correctly. That can be an un-pre-ticked checkbox on your website, a clearly labelled button in an online booking flow or combined consent in your enquiry form. What's decisive is that you document the process technically so you can reconstruct it in case of dispute — via screenshots, server logs or an automatic protocol.
Oral or implied consent — someone smiles and poses for your camera — is theoretically possible but in commercial practice almost worthless. How will you prove months or years later that the person really consented and was informed about all purposes? Don't rely on it when publication is involved. For snapshots in the private sphere it may suffice, but as soon as you enter portfolio, social media or commercial delivery territory, you need a robust form.
Withdrawal and documentation
Every person has the right to withdraw their consent at any time, without giving reasons, with effect for the future. You have to point this out to them in advance. Withdrawal must be as easy as giving consent: if a click is enough to consent, a click must be enough to withdraw. In wedding or business contexts an informal email or letter usually suffices. After a withdrawal you may no longer use the photos for the originally agreed purposes — usually you must also remove them from all active uses and delete them going forward.
Keep all consents carefully. Whether signed paper documents in a folder or digital archives of your online forms — this documentation is your safety net. Without proof, an alleged consent is worthless in dispute, and supervisory authorities assume in case of doubt that none existed. Rule of thumb: keep model releases at least as long as you use the images — plus the three-year limitation period on top.
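One way to keep electronic consent demonstrable, as an added example that is not part of the original article: each consent or withdrawal is checked against the criteria above and appended to a hash-chained log, so a later edit to any record becomes detectable. The field names, the blanket-wording list and the hash chain itself are assumptions of this example, and the sample form is constructed.

```python
import hashlib
import json

BLANKET = {"any possible use", "any use", "all uses"}  # assumed blanket wordings
INFO_FIELDS = ("controller", "retention", "recipients", "withdrawal_contact")

# Constructed sample submission from a hypothetical booking form.
SAMPLE_FORM = {
    "shown": {"controller": "Example Studio, privacy@yourdomain.com",
              "retention": "until withdrawal", "recipients": "print lab, cloud gallery",
              "withdrawal_contact": "privacy@yourdomain.com"},
    "purposes": ["portfolio on website", "Instagram posts"],
    "box_default_checked": False,   # the form rendered the box unticked
    "box_checked": True,            # the person ticked it themselves
}


def consent_problems(form: dict) -> list[str]:
    """Return the reasons a submission is not usable as consent (empty list = ok)."""
    problems = []
    for field in INFO_FIELDS:                       # informed: what the person was shown
        if not form.get("shown", {}).get(field):
            problems.append(f"missing information: {field}")
    purposes = form.get("purposes") or []
    if not purposes:
        problems.append("no purpose selected")
    problems += [f"blanket purpose: {p}" for p in purposes if p.lower() in BLANKET]
    if form.get("box_default_checked"):             # pre-ticked box: no affirmative action
        problems.append("checkbox was pre-ticked")
    if not form.get("box_checked"):
        problems.append("no affirmative action")
    return problems


def _digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_event(log: list, kind: str, subject: str, at: str, **data) -> dict:
    """Append a 'consent' or 'withdrawal' record chained to the previous one."""
    if kind == "consent" and consent_problems(data):
        raise ValueError("; ".join(consent_problems(data)))
    record = {"kind": kind, "subject": subject, "at": at, "data": data,
              "prev": log[-1]["hash"] if log else "0" * 64}
    record["hash"] = _digest(record)
    log.append(record)
    return record


def chain_intact(log: list) -> bool:
    """False as soon as any record was edited, removed or reordered."""
    prev = "0" * 64
    for record in log:
        if record["prev"] != prev or record["hash"] != _digest(record):
            return False
        prev = record["hash"]
    return True


def active_purposes(log: list, subject: str) -> set:
    """Purposes still covered for a subject; a withdrawal removes them going forward."""
    active = set()
    for r in log:
        if r["subject"] != subject:
            continue
        if r["kind"] == "consent":
            active |= set(r["data"]["purposes"])
        elif r["kind"] == "withdrawal":   # no purposes given = withdraw everything
            active -= set(r["data"].get("purposes") or active)
    return active
```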
05
Events
Events and the Legitimate Interest
At a city festival, a concert or a big company party it's neither possible nor practical to get written consent from every single person. This is where another important legal basis comes in: legitimate interest under Article 6(1)(f) GDPR. But beware — it's not a free pass. You have to do a careful balancing test and inform the people concerned transparently.
The three-step test
Before you can rely on a legitimate interest, you have to mentally go through three steps. First: is there a legitimate interest at all? Clearly define what your interest or your client's is — for instance the public relations and documentation of the event, journalistic reporting or artistic purposes. Second: is photographing really necessary to achieve that interest? For event documentation that's usually trivial to confirm. Third — and that's the decisive step — you have to weigh your interest against the fundamental rights and freedoms of the people depicted.
In this balance the reasonable expectation of the people concerned is the central yardstick. What can a person realistically expect in a given situation? At a public event like a city festival, marathon, festival or demonstration, participants have to expect to be photographed as part of the crowd — their interest in remaining fully anonymous takes a back seat. At a large but closed event such as a company Christmas party or a conference, guests also have to expect photo documentation for internal and external reporting, especially if the event was publicly promoted.
In private or intimate situations the balance almost always tips in favour of the person. Nobody has to expect being deliberately photographed eating in a restaurant, on the beach or in the sauna. Even at otherwise public events, there are moments and spaces that feel more private to the person — the cloakroom, a smoking corner, an emotional phone call in the lobby. You generally shouldn't take such pictures, or only with explicit consent.
The old KUG exception for persons as "incidental subjects" can flow into this balance: if someone appears only by chance and small in the frame, with the focus clearly on the scenery — a packed marketplace, a landmark, an overview of a hall — the interests of the individual person weigh less. As soon as you take targeted close-ups of individuals or small, recognisable groups, legitimate interest usually no longer suffices. Then you do need explicit consent again.
Signs and information obligations
When you rely on legitimate interest, you don't have to get individual consent from every person — but the information obligation under Art. 13 and 14 GDPR still applies. Because you aren't addressing people individually, you have to inform them transparently and comprehensively in another way. That is one of the most important practical duties at events — and a strategic tool, because you actively shape your guests' expectations with it.
A multi-level information concept has proved its worth. Place clearly visible signs at all entrances, ideally where nobody can miss them. These signs contain a clear notice ("Photo and video recordings are being made at this event"), the purpose of the recordings ("for our public relations on the website and social media"), the name of the controller and a QR code or short link leading to detailed information and a contact email for objections. If possible, organisers or the host should also point out the recordings verbally during the welcome. Best of all is informing guests already in the invitation or on the event website — that strengthens expectation and your position in the balancing test considerably.
These measures aren't just annoying formalities. They show fairness and transparency — both core GDPR principles — and protect you in practice from guests later complaining about being "completely surprised" by publication. A guest who walked past a clearly visible sign cannot credibly claim later they didn't know about the recordings.
06
Sensitive
Children, Employees and Especially Sensitive Situations
Photos of children: the strictest standards
Photos of children and teenagers are especially sensitive under data protection law. The GDPR requires a clearly higher level of protection than for adults — for good reason: children can hardly grasp the scope of a publication, and images on the web often remain findable for decades. In practice this mainly means two things: for every publication of a child photo you always need explicit, written consent from the guardians — usually both parents if they have joint custody. Legitimate interest as a legal basis is practically out here, even at parties, school events or sports.
This consent has to be — like any other — freely given, informed and withdrawable at any time. It should clearly regulate where and how the images may be used. At events such as school festivals, sports tournaments or club celebrations a separate consent is needed for every recognisable child. Blanket collective consents on the registration form are often not enough because the specific use cases are rarely clear in advance.
From around the age of 14, case law increasingly assumes capacity for understanding. That means with teenagers you should ideally have not only the guardians sign but also the young person themselves — the so-called "dual signature". That protects you legally and at the same time respects the growing autonomy of teenagers. For nude or particularly personal shoots, both signatures should be mandatory anyway.
Employees: consent, not employment contract
For employee photos too, consent is mandatory — and it must not be embedded or hidden in the employment contract. It has to be separate, voluntary and provide clear information about the planned use. Consent that appears as a condition of employment is invalid in case of doubt, because the voluntariness is missing.
A seemingly harmless "group photo with the boss" on the company website is not permissible without consent from all employees depicted. The same applies to internal newsletters, career brochures, LinkedIn posts or social media — from the GDPR perspective those are all publications. If someone leaves the company or withdraws consent, the images have to be removed from all active uses promptly — including the careers page, old press releases and the company's LinkedIn profile. Backups may continue to exist but may no longer be actively used.
In practice it has proved useful to have a separate, clearly distinct consent declaration during onboarding, listing planned uses and including an uncomplicated way to withdraw. That way you avoid individual employees later wanting publications removed retroactively from career pages or image brochures.
Nude and sensitive subjects
For nude, erotic or particularly intimate shoots, consent has to be much more detailed. The contract should explicitly state that nude or erotic shots are taken, which specific image types will be created, what may be published and which contexts are excluded (e.g. use in degrading advertising). The model's age of majority should be established beyond doubt — ideally with documented ID verification. The effort is greater here, but so is the risk.
07
Rights
Rights of Depicted Persons
The GDPR grants every depicted person extensive rights. These apply regardless of the legal basis on which you photograph or publish. As a photographer or studio you have to be able to fulfil them promptly — usually within a month. Anyone who fails to react to a serious request risks a complaint to the supervisory authority and possible fines.
Right to information
Under Art. 15 GDPR every person can demand to know whether and which photos you have stored or published of them, for which purpose, on which legal basis and how long you store them. In practice that means: you have to maintain a reasonably ordered archive that makes it possible to provide such information at all. Anyone who parks every job in a single, unsorted Lightroom catalogue with tens of thousands of images will quickly start to sweat.
Right to erasure
The "right to be forgotten" in Art. 17 requires that, on request, you delete photos unless compelling reasons speak against it — such as statutory retention obligations (invoices are not affected because accounting exists separately from the images) or overriding interests. Note: deletion in the GDPR sense doesn't only mean taking the image out of the active gallery. Backups, local copies on additional drives and files stored in the cloud must also be deleted or at least taken out of active use.
Right to object
If you rely on legitimate interest as a legal basis, people can object to the processing at any time on grounds relating to their particular situation (Art. 21). For direct marketing they can object without reasons. An objection must be taken seriously and usually implemented: if you want to keep processing, you have to specifically explain why your interest still prevails, otherwise you lose the legal basis for further processing.
In practice it's worth establishing a simple, documented procedure for such requests. A central email address like `privacy@yourdomain.com` or a form on your website helps consolidate everything in one place. A short internal routine is important: verify the requester's identity, check the request, search the archive, document deletion or information steps, send the answer. If you set up a mini playbook once, you can handle requests confidently in under an hour.
08
Contract
Model Release — what really belongs in it
Consent is the heart of GDPR-compliant photography. In practice the Model Release has established itself: a written agreement between photographer and depicted person that does more than a classic contract over usage rights. At the same time it fulfils the GDPR requirements (consent and information), the KUG (image rights), and cleanly regulates copyright usage rights.
A good Model Release is voluntary, informed and transparent. It clearly describes who processes the data, which photos are being created, for what purposes they may be used (portfolio, website, social media, image agency, print, advertising), how long storage may last and which rights the person has — including withdrawal with concrete contact details. A QR code on the release linking to your detailed privacy statement is basically standard in 2026 and a clear plus for your image.
Equally important is the clear differentiation of purposes. Consent "for any possible use" is invalid. List specifically: portfolio on martinkleinheinz.de, social-media posts on Instagram and LinkedIn, use in newsletter, use in advertising, sale via image agencies. The more precise you are, the more robust the consent — and the fewer discussions later.
Keep several templates for different situations on hand: individual portraits, group shots, children with parent signature, employees in the corporate context, nude with additional protective clauses. Adapt them individually to the job before the shoot begins — not when the cameras are already rolling. Ready-made templates and concrete examples can be found in the post Model Release and Property Release free download.
09
Practice
Practical Checklist for Everyday Use
Theory is one thing; everyday photography is another. This checklist summarises the most important points you can walk through before and after every job. It doesn't replace individual legal advice, but it gives you a solid orientation and protects you from the most common mistakes.
Before the shoot
◆ Legal basis for the shots clarified — consent, contract or legitimate interest?
◆ Model Release (or parent signatures for children) prepared and adapted individually?
◆ Privacy notice with purposes, storage duration, right of withdrawal at hand?
◆ For events: signs and QR codes prepared, organiser informed about the notice obligation?
◆ DPA (data processing agreement) signed with cloud provider, lab and gallery platform?
During and after the shoot
◆ Releases actually signed before you press the first serious shutter?
◆ Images stored encrypted and access-protected, not on an open NAS share?
◆ Culling and selection process structured so only authorised people have access?
◆ Delivery to clients via a GDPR-compliant platform — see image delivery?
Ongoing in the studio
◆ Privacy policy on your website current and matching your actual practice?
◆ HTTPS active, cookie banner and tracking tools set up compliantly?
◆ Defined deletion and objection process including central email address?
◆ Archive structured enough to answer information requests within a month?
◆ Backups and old hard drives checked regularly — withdrawn images may not be actively used there either?
Investing one hour every quarter to check these points keeps 90 % of the GDPR risks under control. For larger changes — new job type, new cloud provider, new publication channels — it's worth specifically booking a legal consultation. The cost is negligible compared to a single warning letter.
10
FAQ
Frequent Questions on GDPR in Photography
The following questions come up over and over in workshops and consultations. They're meant as quick orientation and don't replace the detailed chapters above — they summarise the most important points.
Do I need consent for every photo?
No — but for every publication you need a robust legal basis. At events or in public, legitimate interest can suffice if you inform transparently. For targeted portraits, commercial shoots and sensitive situations, explicit, documented consent is mandatory.
How long may I store photos?
Only as long as needed for the purpose. Once the project ends, consent is withdrawn or the legitimate interest lapses, you should delete the images or at least archive them so that no active use takes place. If you have to keep accounting data, you can still delete image files — invoices are unaffected.
What about social media like Instagram or LinkedIn?
The GDPR applies there too. You are responsible for every publication, even if the platform is based in the US. Inform the depicted people beforehand, get consent when needed and check regularly whether all posts are still covered by a current legal basis.
Does the GDPR also apply to hobby photographers?
In principle yes, as soon as you systematically process and publish photos — for instance on Instagram, Flickr or your own website. A real exception exists only for purely private use within family and friends (family album, closed chat group). As soon as you publish images with identifiable people, you leave that exception.
What happens in the event of a breach?
The range goes from a justified complaint by the depicted person, through warning letters with cease-and-desist and damages, to fines from the supervisory authority. Particularly critical are publications without any legal basis and missing information duties — both easily avoidable with a little preparation.
Is a photo of a dog or cat also personal data?
Animals themselves are not "natural persons" under the GDPR. But as soon as the owner is recognisable in the image or context — for instance because the animal is a famous racehorse, a known service dog or visible in the owner's front garden — personal data flows in. For commercial use it's usually worth a Property Release here too.
The GDPR is not an enemy of your photography. It forces you to communicate clearly, document cleanly and treat the people in front of your camera as partners. Once you've internalised that, you gain trust, set yourself apart from the competition and protect yourself from unwanted letters from lawyers. In 2026, data protection is no longer a bureaucratic obstacle but a clear quality marker of serious photo service providers.
This article does not replace individual legal advice. It may contain affiliate links (marked with *); there are no extra costs for you.