You might not have imagined when you first set up a company and started marketing its products and services through a website, that your online ‘meet the team’ page – of all possible things – could possibly land you in legal bother.
Yet, the fact that this part of a business’s website so often displays photographs of all of the firm’s key staff, each accompanied by a description of their job role, may indeed give you cause for concern as to whether yours could be impacted by the European Union (EU)’s General Data Protection Regulation (GDPR).
It’s easy to forget that even images are personal data
The GDPR’s terms state that an image of a person, such as a still photograph, can be considered to be personal data if it is possible to identify the individual directly from the image or when the image is referred to alongside other available information. An example of the latter could be the presence of the staff member’s name and/or position next to the image.
If any of the above terms apply for a particular image, the processing of the image will be governed by the GDPR.
Could your team images also count as ‘special category personal data’?
A factor that potentially further complicates the relationship between online employee images and the GDPR is the regulation outlining ‘special categories’ of personal data. Special category personal data is data that is especially sensitive, which means that greater protection is required.
Included under the banner of special category personal data is information about a person’s health, race, religion, ethnic origin, sexual orientation, sex life, political beliefs, trade union membership, genetics or biometrics, where the latter is used for ID purposes.
All of this has clear relevance to the subject of staff photos in a website’s ‘meet the team’ section, given that such images can easily indicate such details. An individual being shown wearing a headscarf, turban or crucifix, for example, would point to their religious belief.
Information about the person’s health may also be revealed in such an image, should the physical effects of a particular illness, injury or disability be visible.
Make sure you have the consent to process
Although this aspect of the GDPR has not yet been tested through court action, if there are any images of staff on your company website that either name or otherwise identify these individuals, it is likely that they constitute special category personal data.
This would necessitate you obtaining permission from your employee prior to using their image. Furthermore, the GDPR requires that such consent is provided in writing in advance, in addition to being “freely given, specific, informed and unambiguous”.
According to the Information Commissioner’s Office (ICO), consent for GDPR purposes does not constitute proper consent if it is merely incorporated as a pre-existing clause into an employment contract or staff handbook. So, if you do wish to use a particular image of an employee on your company website, appropriate and separate consent must be obtained prior to the image’s use.
You must also accept any decision by the employee not to grant such consent, and they are allowed to withdraw their consent for you to use their image at any time.
For all of the necessary services and assistance when you come to set up a company and the months and years following, you can depend on London Registrars. Simply call 020 7608 0011 today for an in-depth discussion about your firm’s requirements, including how we can help you to ensure the highest standards of governance and compliance.
July 2019