The publication of employee photos or videos by employers is widespread practice, for example on company websites, social networks, brochures, or even for training videos. From a legal perspective, this regularly constitutes the processing of personal data within the meaning of Article 4 No. 1 GDPR. Accordingly, a suitable legal basis is required for permissible publication.
Legal basis for publication
As a rule, the publication of employee photographs requires the consent of the individual concerned, pursuant to Art. 6 para. 1 lit. a GDPR in conjunction with Section 26 para. 2 BDSG (German Federal Data Protection Act). While Section 23 para. 1 KUG (German Copyright Act) contains certain exceptions, such as for images from contemporary history, pictures of gatherings, or when individuals appear merely as incidental figures alongside a landscape or other location, these exceptions generally do not apply in typical situations involving the targeted depiction of employees. Publication without their consent is therefore inadmissible in these cases.
Requirements for effective consent
The requirements for valid consent are strict. According to Section 26 Paragraph 2 Sentence 1 of the German Federal Data Protection Act (BDSG), it must be ensured, in particular, that the employee's consent is given voluntarily. A decision is considered voluntary only if the employee is given a genuine choice and faces no disadvantages if they refuse consent. Consent should be obtained in writing or electronically (Section 26 Paragraph 2 Sentence 3 BDSG) and must meet the following minimum requirements:
- Voluntariness – In the explanatory text regarding the consent, the employer should explicitly clarify that no employment law or other disadvantages will arise from the use of the consent.
- Transparency – The employee concerned must be fully informed about the planned use (Art. 13 GDPR).
- Purpose limitation – It must be specifically stated for what purpose and in which places (e.g. company website, social media, print media) the recordings are to be published.
- Right of withdrawal – The employee must be informed that he or she can withdraw his or her consent at any time with effect for the future (Art. 7 para. 3 GDPR).
Specific case scenarios from practice
- Publication for advertising purposes (e.g., company website, brochures) – Publication for marketing or representational purposes regularly requires particularly careful consent. This consent must explicitly specify the concrete purpose of use. Consent cannot be given generally but must be obtained individually.
- Use on social networks (e.g., Instagram, LinkedIn) – When publishing on third-party platforms, the reach of those platforms, storage by third parties, and potential further distribution must be pointed out. The consent must also explicitly cover this use.
- Use in training videos or internal presentations – Even internal use constitutes the processing of personal data. Here, too, consent must specify the concrete use and the group of recipients.
- Termination of employment – With the employee's departure, the legal requirement for data protection-related publication generally ends. Any revocation of consent by the employee must be implemented immediately, unless the employer has an overriding legitimate interest in continued employment for a limited period. Legally sound handling is only possible with clearly defined consent procedures.
Recommendations for employers
Employers should review existing processes for creating, storing, and publishing images and adapt them to data protection requirements, in particular:
- the use of consent forms that meet all legal requirements,
- Raising awareness among individual departments (e.g., marketing, HR) regarding data protection risks,
- the establishment of an internal process for obtaining consent or revocations and for deleting published content,
- the corresponding documentation of the consents.
We are happy to assist you with any questions regarding the legally compliant design of consent declarations, the internal implementation of data protection requirements, or the evaluation of specific publication projects.