GDPR for (tango) event photographers

This blog does not provide legal advice and does not create an attorney-client relationship.
If you need legal advice, please contact an attorney directly.

Introduction

GDPR (General Data Protection Regulation), the new set of rules concerning the processing and control of personal data of EU subjects, will come into effect on the 25th of May, 2018. A lot of photographers in my niche, that of tango photography, have expressed their worries about its repercussions on their activity. Are we still allowed to take pictures of people dancing at milongas, marathons, tango festivals? This article expresses my view on the matter, after numerous discussions with other photographers and GDPR professionals.

Tango photography and the law

Multiple laws touch upon the activity of taking pictures of people dancing in public/private events. And these laws can differ per country. These are the most important ones:

  1. First of all there is ‘copyright law’. The owner of the copyright in the photograph is the photographer, except if some other agreement has been specified in a contract (e.g. between the photographer and the organiser).
  2. Then there is the ‘portrait right’ or ‘personality right’ of the subjects. This means that, normally, the photographer needs (written, verbal or implied) consent of each individual before publishing a photo where they are recognisable.
     There are exceptions to this portrait right (in some countries): news gathering/fair use; public figures; group photos; public places. However, laws regarding photographs of identifiable people are different per country, even within the EU! E.g. Spain, Greece and Switzerland require consent before even taking a picture, let alone publishing.
     Tango photography operates mostly in the “group photos/public places” zone. In a lot of countries, this is allowed. Where tango photography is specific is that we often take abrazo pictures or pictures of 2 people dancing, with 1 or both persons clearly recognisable, so not ‘group pictures’.
  3. And now there is the General Data Protection Regulation for privacy rights. GDPR touches upon the right of the subjects to opt in (consent) to data collection, the right to consult and be deleted/forgotten, the right to know with whom the information is shared, and the right to be informed of data breaches.

The new rules for photographers

1. Taking pictures

Official/Authorized/Guerilla:

  • first of all, if you are an individual taking pictures with your smartphone for personal use, this falls outside of the GDPR domain. However, national legislation DOES apply. For instance in Greece: “Taking a photo or video of someone or drawing them in a painting constitutes an illegal act by itself according to Article 57 of the Greek Civil Code (57 ΑΚ, 57 Αστικός Κώδικας) even without any publication of the resulting photo, video or drawing.” Whether the Greek police makes it a big priority to capture perpetrators, is another question. But don’t go taking selfies with the Greek military.
  • if an organiser invited and/or paid you to come take pictures, you are an ‘official‘ photographer. The whole question of consent of the subjects will be handled by the organiser (during registration and/or clear indication at the venue itself). You should have a contract with the organiser that covers questions like copyright transfer, who can publish what, who pays for what. You typically should have a badge/lanyard that proves you are an official photographer.
  • If you go to an event with a camera and would like to take pictures, you should ask the organiser for permission. If he/she agrees, you are then an ‘authorized’ photographer. It is possible that the organiser will also give you a badge/lanyard to prove this. This can be formalized with a simple email or an SMS.
    • “Hi [organiser], can I take pictures at the [eventname] on Friday? I am [myname] and my email is [myemail@domain.com].”
    • “Sure. Don’t forget: people with a red badge means: no photos, please. Can you send your pics to me before you publish [organiser@domain.com]?”
  • if you go to an event and start taking pictures without asking anyone, and you will publish them publicly or even sell them afterwards, you are a ‘guerilla’ photographer. Depending on the laws of the country you are in, and the policies of the organiser, you might be allowed to do that. However, know that there are countries where this is downright illegal, or that the organiser might have told his staff that any guerilla photographers should be asked to stop or leave. The issue here is less GDPR (you are taking photos for yourself, not for an organisation), but more personality rights.

Opt-out marker

  • the organiser will have communicated on the website/by email/with a poster outside the venue what photography policies are valid. This includes:
    • telling the participants that their photo might be taken by official/authorized/any photographer;
    • telling the participants how to opt-out;
    • telling photographers how to apply for permission to photograph (if required).
  • The organisers might come up with a simple system that allows people to opt out from being photographed. This could be a badge, a hat, a bracelet. You, as a photographer, should inform yourself which system is used, and respect it. The alternative is what is happening already today: people come up to the photographers and ask not to have their photo taken. The normal answer to this: “sure, no worries, I will keep it in mind”.

2. Processing pictures

  • Most of your original/raw photos will never be published, but might include subjects (people) that do not want those photos to get out in the open, for whatever reason (esthetic, professional, relational…). How will you protect this information? Where are the photos stored and backed up? Are they on an external disk that could be lost/stolen?
  • If you are an official or authorized photographer, you are a ‘data processor’ for the ‘data controller’, the event organiser. The GDPR rules apply to you. GDPR will require you to take reasonable precautions to protect the data, and to have agreements with all the 3rd parties that handle your photos: Google Drive, Dropbox, Backblaze, Amazon AWS, … If your backup provider is outside the EU, use client-side encryption to make sure no-one can read the contents. In my case: I save my originals on a local NAS, I send (encrypted) backups to BackBlaze, I put my exports on Dropbox to send them to organisers.
  • when you export the photos you deem worthy, you should include EXIF/IPTC metatags in each photo that specify where and when they were taken, by whom (photographer), for whom (organiser) and how to contact the copyright holders for access and/or removal.

3. Publishing pictures

  • check with the organiser who can publish what and where. Options are:
    • the event page,
    • the event’s FB page,
    • the organiser’s personal profile,
    • the event web site (not FB),
    • the photographer’s site (not FB), …
  • It’s possible the organiser will want to see the photos before publishing.
  • always include the information on how to contact you for access/removal. Put it in IPTC tags so they stay with the picture.
  • people have the right to ask for deletion of photos that they are in. Always respect these requests.
  • check that all your 3rd party data processors are GDPR compliant.
  • when you publish pictures on Flickr, 500px, Facebook or Google, this means that you accept their terms and conditions.
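
The tagging step described under “Processing pictures” and “Publishing pictures”, as an added example that is not part of the original post: it embeds an XMP packet (the XML form of the IPTC fields) with photographer, organiser, date, venue and a removal contact into a JPEG export, using only the Python standard library. The mapping of fields to XMP properties and all sample values are assumptions of this example.

```python
import struct
from xml.sax.saxutils import escape
XMP_ID = b"http://ns.adobe.com/xap/1.0/\x00"  # identifies an XMP APP1 segment
# Field mapping is this example's choice: venue -> Iptc4xmpCore:Location,
# organiser -> photoshop:Credit, contact -> CreatorContactInfo/CiEmailWork.
TEMPLATE = """<?xpacket begin="\ufeff" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/"
  xmlns:Iptc4xmpCore="http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/">
 <dc:creator><rdf:Seq><rdf:li>{who}</rdf:li></rdf:Seq></dc:creator>
 <dc:rights><rdf:Alt><rdf:li xml:lang="x-default">Access/removal requests: {mail}</rdf:li></rdf:Alt></dc:rights>
 <photoshop:Credit>{org}</photoshop:Credit>
 <photoshop:DateCreated>{date}</photoshop:DateCreated>
 <Iptc4xmpCore:Location>{venue}</Iptc4xmpCore:Location>
 <Iptc4xmpCore:CreatorContactInfo rdf:parseType="Resource">
  <Iptc4xmpCore:CiEmailWork>{mail}</Iptc4xmpCore:CiEmailWork></Iptc4xmpCore:CreatorContactInfo>
</rdf:Description></rdf:RDF></x:xmpmeta>
<?xpacket end="w"?>"""

def build_xmp(**fields):
    """Fill the template; values are XML-escaped so a name cannot break the packet."""
    return TEMPLATE.format(**{k: escape(v) for k, v in fields.items()}).encode("utf-8")

def embed_xmp(jpeg, xmp):
    """Insert xmp as an APP1 segment after the leading JFIF/Exif segments."""
    seg_len = len(XMP_ID) + len(xmp) + 2  # the length field counts itself
    if jpeg[:2] != b"\xff\xd8" or seg_len > 0xFFFF:
        raise ValueError("need a JPEG (SOI marker) and an XMP packet under 64 KiB")
    new = b"\xff\xe1" + struct.pack(">H", seg_len) + XMP_ID + xmp
    out, pos = [jpeg[:2]], 2
    while jpeg[pos:pos + 2] in (b"\xff\xe0", b"\xff\xe1"):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if not jpeg[pos + 4:end].startswith(XMP_ID):  # drop a stale XMP packet
            out.append(jpeg[pos:end])
        pos = end
    return b"".join(out) + new + jpeg[pos:]

def read_xmp(jpeg):
    """Return the embedded XMP text, or None if the file carries none."""
    pos = 2
    while jpeg[pos:pos + 1] == b"\xff" and jpeg[pos + 1:pos + 2] not in (b"\xda", b"\xd9"):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1:pos + 2] == b"\xe1" and jpeg[pos + 4:end].startswith(XMP_ID):
            return jpeg[pos + 4 + len(XMP_ID):end].decode("utf-8")
        pos = end
    return None

# Constructed sample: SOI + JFIF APP0 + EOI (a marker skeleton, not a viewable image).
SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
```

Some publishing platforms strip or rewrite metadata on upload, so run `read_xmp` on a copy downloaded from the published page to confirm the contact details survived.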

4. Selling pictures

  • This encompasses the selling of individual photos in high resolution, without watermark and with transfer of copyright.
  • If people are clearly visible in the photo, you will need model releases of each person.
  • Exceptions: maestros will typically have in their contract with the organisers that photos taken of them can be used for promotion and are not subject to separate releases.

TangoToIstanbul 2015

2018-03-29: first draft
2018-04-03: included remarks from CM
2018-04-04: published