Can I post photos from a company event on Instagram?

It depends. For atmosphere shots and group photos at an event, you may be able to rely on legitimate interest, provided you inform participants in advance. For close-ups or portraits of individuals, you need explicit consent.

Do I need consent for employee photos on the company website?

Yes. Employee consent must be 'freely given,' which is difficult in an employment relationship due to the power imbalance. Make sure employees can genuinely refuse without negative consequences.

What if someone asks to have a photo removed afterwards?

If the processing is based on consent, the data subject can always withdraw it. You must then remove the photo. With legitimate interest, the data subject can object, and you must weigh whether your interest outweighs theirs.

Do different rules apply to photos of children?

Yes, stricter rules apply to children. You need consent from a parent or guardian, and supervisory authorities are particularly strict about violations involving children's data.

Photos on Instagram and Social Media - What Does the GDPR Say?

Can you post photos of employees, customers, or events on Instagram or other social media? This article explains when it is and is not allowed under the GDPR, with practical examples and enforcement cases.

A photo is personal data

It may sound surprising, but as soon as a person is recognisable in a photo, that photo is personal data under the GDPR. It does not matter whether it is a professional portrait or a quick snapshot on your phone. Recognisable = personal data = GDPR applies.

This applies to:

Photos of employees on your company website or LinkedIn page
Photos of customers or visitors on Instagram, Facebook, or TikTok
Photos of participants at events, trainings, or workshops
Photos of people in your newsletter or marketing material

You post a photo of the team outing, an atmosphere shot from your open day, or an Instagram post of a satisfied customer. But is that just allowed?

When it is allowed: the two main legal bases

The most obvious legal basis. You ask the person in the photo for consent before posting. Sounds simple, but there are caveats:

Consent must be specific: “I consent to this photo being posted on the Instagram account of company X”
Consent must be freely given: with employees this is tricky due to the employment relationship; they must genuinely be able to refuse without consequences
Consent is withdrawable: if someone later says “I want that photo removed,” you must delete it
Oral consent is valid, but written consent is provable and strongly recommended

2. Legitimate interest (Article 6(1)(f))

In some cases, you can post photos based on legitimate interest, without explicit consent. This typically applies to:

Group photos at a public event where participants could reasonably expect to be photographed
Atmosphere shots where individuals are not the focus
News coverage of a public event

However, you must always conduct a balancing test. Your interest (promoting your event) must outweigh the privacy interest of the photographed persons. And you must inform participants in advance that photos will be taken.

The difference: group photo vs. portrait

This distinction is crucial in practice:

Group photo at a public event. You organise a networking drinks and take an overview shot of the room. Individual persons are not the focus. You have communicated in advance that photos will be taken. Legitimate interest can be a valid legal basis here.

Portrait of a specific person. You take a close-up of a visitor at your stand and post it on Instagram with the caption “our customers are enthusiastic!” Here the person is the focus. You need explicit consent.

The rule of thumb: the more recognisable and central the person in the image, the stronger the requirement for consent.

Enforcement: this is not a theoretical risk

Supervisory authorities have already taken action against careless use of photos:

Greek telecom company - EUR 150,000 (HDPA, 2020). The Greek authority fined a telecom company that posted staff photos on its website without valid consent. Employees indicated they had not agreed, or that consent was not freely given due to management pressure.

Spanish fitness centre - EUR 10,000 (AEPD, 2022). A fitness centre posted photos of members on Instagram without consent. When a member requested removal, it took weeks for the centre to respond.

Practical do’s and don’ts

What you SHOULD do

Inform in advance that photos will be taken, e.g., with a sign at the event entrance
Ask for explicit consent for portrait photos and close-ups
Record consent, preferably in writing or via a digital form
Respond promptly when someone requests removal of a photo
Be extra careful with photos of children - always obtain consent from a parent or guardian

What you should NOT do

Post photos without any legal basis - neither consent nor legitimate interest
Assume that presence automatically means consent for close-ups on social media
Use employee photos after they leave without checking whether consent still applies
Ignore removal requests or respond too late
Tag photos with names without consent; this links the photo to an identifiable profile

What should you arrange now?

Inventory which photos of people you have on social media and your website
Check whether you have a valid legal basis for each photo
Create a photo policy covering when you photograph, how you request consent, and how you handle removal requests
Train your staff responsible for social media
Document your processing of photos in your processing register

auto_awesome Do you know what data you process?

GDPRWise automatically maps which personal data you collect and share, including images on your website and social media. So you know exactly where you stand.

Start free scan

Photos of People on Instagram and Social Media: What Does the GDPR Say?