Readers are encouraged to submit their questions. We will tap the expertise of IAPP members to answer your questions.

A reader last month submitted the following question to Ask the Privacy Expert:

Q Do any global privacy laws cover the use of employee photographs for use such as security badges, organizational charts, organizational announcements, internal media or internal Web sites? Are employee photographs universally considered "sensitive personal data" or simply "personal data," given that one may be able to deduce national origin, race, gender, and even potentially disability from a photograph?

A In general, global (non-U.S.) privacy and data protection laws are often "omnibus" laws that apply broadly whenever a company collects, uses, stores, or discloses any information about an identified or identifiable individual, including employees (personal data). As a result, employee photographs will often be regulated as "personal data" under many such laws, and will attract data protection obligations to (i) Provide affected employees with a proper notice about the intended purposes of use and the like, (ii) Maintain reasonable security measures to protect the data, (iii) Update registrations with data protection authorities to reflect the use of the data, (iv) Ensure adequate protection for international transfers of the data, and (v) Address other requirements. A more difficult question is whether employee photographs would be "sensitive" personal data entitled to heightened protections (i.e., express consent requirements), particularly if the photographs reveal national origin, race, disabilities, etc.

We raised this question with several of our privacy practitioners in jurisdictions around the world, and have summarized their responses below. As is evident, the answers vary depending on the specifics of the local laws, as well as the intended purposes of use of the photographs and other factors. Naturally, with any good data protection or privacy question, the responses reveal that the other applicable legal requirements - beyond privacy and data protection - will bear on the question as the company works its way toward finding an appropriate regulatory solution to its planned activities with employee photographs.
- Brian Hengesbaugh, Baker & McKenzie (Chicago)

The Argentine Data Protection Law defines personal data as any information related to natural persons or legal entities. It could be argued therefore that personal data includes "photographs," and when such photographs disclose information about race or ethnic origin, or health or disability information, such data arguably may constitute "private data," which would be subject to heightened restrictions under the law. The company therefore may need to obtain consent from affected employees, and indeed may wish to consider taking steps to avoid capturing or using employee photographs that reveal such private data. The Argentine Civil Code provides protection against arbitrary interference with the private life of others or publishing images that harm others' customs or feelings. An employee could therefore seek redress under these statutory protections or the data protection law to the extent the employee considers that he or she is adversely affected by a photograph that is published to a wide audience through a company's Web site, intranet, newsletter or in a press release or announcement.
- Marcelo Slonimsky, Baker & McKenzie (Buenos Aires)

In Belgium, an employee photograph would constitute personal data. To the extent the photograph reveals race or ethnic origin, health or disabilities, or the like, such a photograph would likely be considered "indirectly sensitive" personal data. In other words, employee photographs may not rise to the level of "sensitive" personal data as long as the purpose of processing is not related to the potentially sensitive character of the data. For instance, if the purpose for processing the photographs is ethnic screening, those photographs would be considered sensitive personal data, and will require express consent or may be entirely prohibited. In contrast, the processing of such photographs will not be considered as processing of sensitive data if they are processed for necessary work-related identification purposes.
- Daniel Fesler, Baker & McKenzie (Brussels)

Under the French Data Privacy Law, "personal data" is defined to include any information relating to an identified or identifiable natural person (data subject). Such definition is broad enough to cover individual photographs and images that allow directly or indirectly the identification of a natural person. As early as 1994, the French Data Protection Authority (the CNIL) indicated that images captured by a video camera in a monitoring system should be regarded as personal data. In 2005, the CNIL again confirmed that: (i) Individual images are protected by the fundamental rights to privacy and article 9 of the French Civil Code and (ii) They constitute also personal data as they allow the identification of a natural person. The CNIL also noted that photographs may not necessarily constitute "sensitive" personal data. However, as mentioned by others, if the photographs are used by the company for the purpose of identifying an individual's race or ethnic origin, or the like, it would be possible to argue that such photographs do indeed constitute "sensitive" personal data that attract express consent requirements if not entire prohibitions on processing.
- Denise Lebeau-Marianna, Baker & McKenzie (Paris)

In Germany, employee photographs generally constitute "personal data" that falls within the scope of the German Data Protection Act. Such photographs also generally will constitute "sensitive" personal data where the race or health (i.e., disabilities) of a person can be discerned, and therefore such processing may attract an express consent requirement. In addition, to the extent the photographs will be published internally to a wide audience (i.e., through organizational charts, company announcements, or internal Web sites) such publication is likely to also fall under the German Act on Artistic Works. This act generally requires the consent of the person prior to publishing his or her photograph.
- Christoph Rittweger, Baker & McKenzie (Munich)

The Italian data protection authority recently issued guidelines on the processing of employee personal data, and expressly mentioned photographs as one form of "personal data" that a company would process about its employees. In general, a company only will be able to use and disclose such photographs internally without consent where the company can justify such processing as necessary for the performance of obligations resulting from the employment contract. If the photographs are to be published externally to customers or third parties, consent generally will be required. When photographs disclose race, ethnic origin, or health or disabilities, they qualify as "sensitive" personal data, and will attract an express consent requirement in any case.
- Giovanni Parrillo, Baker & McKenzie (Rome)

In Spain, employee photographs are considered personal data because they are related to identified employees. The Spanish Data Protection Agency has yet to address the issue of whether photographs are sensitive personal data. In general, an argument can be made that photographs should not be considered "sensitive" personal data (even if they reveal race, ethnic origin, and the like) so long as the photographs are not used for the purpose of identifying or processing such "sensitive" personal data, but rather for customary human resources and organizational security purposes. If the employee photographs are used beyond what is necessary for the employment relationship, or if the posting of the employee photographs can be regarded as an international transfer of data, then the employees' consent may be required.
- Norman Heckh, Baker & McKenzie (Madrid)

United Kingdom
In the United Kingdom, the courts have determined that photographs and images of people are capable of being personal data (Durant v Financial Services). In particular, where the name and image of a person are linked - or are capable of being linked - then the person can be identified and the image should be regarded as personal data under the UK Data Protection Act (1988). The Information Commissioner's Office (ICO) has taken a pragmatic approach on the issue of whether photographs are "sensitive" personal data by saying that while an image might indeed constitute sensitive personal data, the depiction of someone's skin color is not a clear indication of ethnicity and should not, by itself, be regarded as sensitive personal data. However, if an employer has other data about an employee, which coupled with the photo of the employee could confirm the sensitive information depicted by the image then, in theory, both sets of data should be treated as sensitive personal data. In practice, though, (and until the courts provide a clear ruling on this point), employers who do not treat photos as sensitive personal data can take some comfort from the ICO's practical view.
- Christina Demetriades, Baker & McKenzie (London)

This response represents the personal opinion of our experts (and not that of their employer), and cannot be considered to be legal advice. If you need legal advice on the issues raised by this question, we recommend that you seek legal guidance from an attorney familiar with these laws.

