My blog posts in the marketing part of my blog as well as my publications in other media show how much I deal with the topic of the European General Data Protection Regulation (GDPR). Even if the new legal basis – by 2020 also for Swiss citizens – currently only has an impact for citizens of EEA countries, I have nevertheless made myself fit and would like to comment on what GDPR means for me as a photographer and changed very specifically in practice.

GDPR gives affected persons extensive rights regarding their data:

Accessibility and Data Portability– You can request a copy of the data someone collects about you. The data format must be “usual” resp. ok to transfer to another provider.

Right to be accurate and up-to-date– You can request that information about you is correct and updated.

Right to erase– If the storage of the data is not necessary to fulfil legal requirements, you can request their deletion.

Right to limit processing– You can (at any time) restrict or prohibit the processing of your data.

Right to file a complaint– You have the option to file a complaint in your country – currently only EU and EEA countries.

Right to revoke a consent – You have the right to withdraw a granted release. The difficulty must not be higher than it was to issue the original permission.

It is essential that I know the origin of all information, know where and how these are stored and for which purposes I use them. For this, it is necessary to check all processes in connection with data worthy of protection and to make any necessary adjustments. I have asked myself the following questions:

  • Which personal data is collected and processed?
  • What is the purpose of this data processing?
  • Are the rights of the persons according to GDPR fulfilled?
  • How does my Data Breach concept look?
  • Am I adequately informed as Data Protection Officer?

But, which data is regulated by the new rights?

Apart from a few exceptions (for example, public photos with no focus on a particular person), all data that makes a person identifiable has to be considered as deserving protection. Meaning for example name, birthday, email address, home address but also every image including a face etc. The following topics are relevant for me in the context of GDPR and must be taken into account accordingly:

1. Consent

Already today, people who are recognisable in a photograph – apart from a few exceptions – have to be asked for permission by their rights. What is new, is that the consent must also be obtained for the processing of the other data worthy of protection in the context of data protection. If no explicit permission is given, no personal data may be processed.

My measures:

  1. Formulate general offer notes as a supplement to each offer
  2. Supplement to the terms and conditions
  3. Addition of model and visa releases
  4. Change of cookie warning to a cookie approval
  5. Ensure IP anonymisation in web analytics and tag management tool

2. GDPR compliant privacy policy

A current privacy policy must be publicly available. In particular, it must meet the following requirements:

  • Which data is processed
  • For what purpose are collected data processed
  • How and through which systems data is processed
  • Which parties have access to the collected information
  • How to protect data from unauthorised access
  • How long the data remains stored
  • Who is the responsible data protection officer
  • Which company is behind the website (“Responsible”)

My measures:

  1. Documentation of all data processing processes
  2. Revise and unify the privacy policies of all sites
  3. Technical adjustments to the website and the tools for my digital marketing and their automation

3. Right to withdraw a consent

According to GDPR, the difficulty of revoking an approval must not be more difficult than giving it once.

My measures:

  • Addition of model and visa release documents (Consents)
  • Introduction of a penalty in case of damage by the revocation of rights of use

4. “Privacy by Design” (Information Security)

Data security (protection against unauthorised access) must be integrated and taken into account in all data processing processes. Also, privacy degrading options may not be tied to an offer (“Prohibition on linking”), if not necessary.

My measures:

None, since I have already considered and ensured this in earlier considerations.

5. “Privacy by Default”

The default settings must always allow the highest possible data protection. Only an active/explicit change by the data subject may “worsen” data protection.

My measures:

  1. Examination of all forms and documents as well as possible adjustment of these

6. further measures

I also decided to implement the following measures:

  • Concept creation in case of a request for deletion or transfer of personal data
  • Concept creation for the regular removal of unneeded data

Also

I reserve the right to determine further measures at any time as soon as I receive additional information on the new legal basis. Since there is no case-law, many areas of the new regulation first need to be shown how they are interpreted in the context of photography.

I am personally available at any time for questions regarding the right to be heard in case of automatic decisions, which is a Switzerland specific law.

At the moment I am also testing a future use of an electronic system for the management of consents. Whether and when I will use something like that, I can not answer at the current time. At the moment, I’m convinced that the measures taken guarantee far more extensive protection of my customer data than probably 99% of my competitors offer.