GDPR titbits series: Events, photos & marketing

Events, photos and GDPR

It’s been a while since the last post; After the enforcement deadline of GDPR and all the additional work that brought with it, I took a much needed break. Nothing lasts forever though so here we are again. In this post we’ll be exploring a scenario were an organisation is either organising or attending an event during which photos will be taken and how those photos can or cannot be used by the organisation.



Your company is attending a popular industry event. It’s great marketing, you get to expose your brand, meet new and existing clients, and as a bonus snap some great photos of people milling around your booth to update your social media profiles.

Did I hear photos? Did someone say GDPR? Or was it my paranoia whispering the word ‘consent’ in my ear?

We’ve all been there before and thought nothing much about it, until those 20mil euros became a real, tangible threat. So what now? No more photos? or should we hire actors and models with whom we have signed contracts to visit our booth so that we can snap a picture worthy of sharing?

None of that drama. Photos can still be taken, however there some steps that need to be taken before to ensure that the usage of those photos is compliant with the law.

Consider the following questions: Who will you have at your booth? and what is your relationship with them. The answer could include employees, suppliers, and random event delegates which many include guests, clients and more. These can be segmented into 3 categories; employees, 3rd party contractors, other.  Each of these categories is to be treated differently.


3rd party contractors

Include a clause within the contract between your organisation and theirs making clear this possibility and the right of usage by your company and placing the onus on the 3rd party contractor to take care of the legal grounds from their end in relation to any employees they might have.

Make sure that a privacy notice is also provided as an appendix or exhibit within said contract.

Your employees

Is attending and manning the booth part of their job duties? Then as an employer you can rely on the fulfilment of a contractual obligation, if such intent is included in the employment contract and accompanied by a privacy notice stating exactly how, where and in what circumstances such photos can be used.

Is attending an optional perk? Draw up an acknowledgement and consent form, stating that attendance of the event is optional and that by attending the employee is acknowledging that they are aware that photos may be taken and used as per the privacy notice.


This is an interesting one and requires evaluating which events as a company you’ll be participating in.

  • Are the organisers presenting delegates, prior to ticket purchase, with a privacy notice stating that photos and video footage will be taken at the event, how it will be used and all the other elements required within such a notice?
  • Are the organisers advising delegates if exhibitors or other conference participants can shoot photos or video and use them for marketing purposes or does the consent gathered at ticket purchase cover use of the material only by them?
  • Are the organisers setting any limits (purpose limitation and data retention periods) on exhibitors, i.e. your company/organisation and the use of such material?

Depending on the answers to the above questions you will be able to determine if you can use any photos you take during the event in which delegates/attendees of the event may feature in.

Following that you can evaluate whether it is still beneficial for your company to exhibit or get in touch with the organisers so that they can rectify the situation.



Your company is organising the event which will also be hosting exhibitors. Once again who is your audience? Who will be at the venue and may be caught in pictures and videos.  The answer could include, delegates, exhibitors, 3rd party contractors, employees and speakers. Once again each of these is a different case.



Delegates need to be made aware that photos and videos will be taken during the event before purchasing any tickets. They need to be made aware of how those photos will be used. If such rights are being given to exhibitors they need to be made aware of this too.

In particular, you need to be aware that your organisation is the one with the relationship with the delegates and should any of them request one of their rights under GDPR, they will be contacting you as the main Controller.

How to handle this with the Exhibitors themselves will be covered in the next few paragraphs. Before that I however wanted to stress another point.

“Delegates need to be made aware that photos and videos will be taken during the event before purchasing any tickets.“ The check box at registration should not be optional. Attending the event needs to be contingent on the delegates acceptance.

Photos and videos are not the same as sharing attendees contact details with the suppliers, which as an activity it is operationally feasible to control. Nowadays any Tom, Dick and Harry from anywhere can simply whip out their phone and proclaim themselves a photographer. Controlling this from an operational perspective is akin to impossible which is why acceptance for photos and video footage needs to be mandatory.



Will you as the event organiser, allow exhibitors to use photos they take at the event. I highly suggest that you do.

If you don’t, you are risking either having less exhibitors or being embroiled in some breach of GDPR compliance because one of the exhibitors present decided to take and use photos anyway. If as the organiser you’ll be banning it, be prepared to have a way to monitor and enforce it. Operationally speaking, it’s not all that feasible and it’s not worth it.  Yes you could indemnify yourself through a contract, but if push comes to shove you’ll still be under the scrutiny of the supervisory authority and need to waste time providing documentation and paperwork.

So how do you cover yourself if you are allowing exhibitors to take and use photos.

Make sure the delegates are aware.

Define the retention, use and purpose limitation in the exhibitor contract.

Collect details of their DPO or whomever is in charge to deal with data subjects from their end and keep a register.

Ensure you have a clause that states that such contacts may be shared publicly with data subjects to facilitate the exercise of their rights.


3rd party contractors

Same as for scenario 1. Cover this in the contract between your organisation and theirs.

These guys may also be taking photos to further promote themselves as such it would be wise to additionally take the same steps as you would for Exhibitors as well.



Refer to the Employee section in scenario 1. The same logic applies.



Treat these as 3rd party contractors, with an additional catch.

As an organiser you will be using the details and photos of these speakers to further promote the event you’re organising. The use, purpose, retention of this data you have on the speakers themselves needs to be taken into consideration as well from a GDPR perspective, so make sure the proper details are included within your speaker contracts.


Comments? Questions? Further Insights? Let us know below!


Would you like be notified when new posts come out? Drop us a note via the contact us section and we’ll add you to our mailing list.