Compliance with the requirements of one regime does not in itself guarantee compliance with the others.

For that reason, any use of an employee’s image — from a photo in an email signature to publication on social media — requires a comprehensive analysis and consideration of all applicable regulations. Only such an approach makes it possible to act lawfully, minimise risks and build relationships based on respect for employees’ rights.
Key takeaways
- Use of an employee’s image requires parallel consideration of the GDPR provisions, the Copyright and Related Rights Act, and labour law regulations, in particular those concerning the voluntariness of consent in the employer–employee relationship.
- Copyright consent to the dissemination of an image and consent to the processing of personal data within the meaning of the GDPR are two separate legal constructs and should be assessed independently of one another.
- Any employee consent should be informed, voluntary and specific, in particular specifying the purpose, scope, publication channels and period of use of the image. General or blanket consents may be deemed insufficient.
- Withdrawal of consent has effect only for the future; however, in the case of publication on social media, effectively removing an image from online circulation is often extremely difficult, and sometimes impossible.
- Proper management of the process of using employees’ images helps reduce the risk of disputes, civil claims and supervisory action by the President of the Polish Data Protection Authority.
Use of an employee’s image under the GDPR and copyright law
An employer wishing to use an employee’s image must act simultaneously under two legal regimes — Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (GDPR) and the Copyright and Related Rights Act. In order to lawfully disseminate an image, the employee must give consent, because dissemination of an image requires authorisation from the person depicted. Compliance with the requirements of one legal order does not relieve the employer of the obligations arising under the other; therefore, it is necessary to separately document the legal basis for the processing of personal data and the authorisation under copyright law.
An employee’s image as personal data within the meaning of the GDPR
Under the GDPR, personal data means any information enabling the identification of a natural person. In practice, an image almost always meets this condition, as it makes it possible to identify a specific person. The processing of an image, including its collection, recording, storage or publication, therefore requires a legal basis and compliance with the obligations arising under the GDPR.
The most commonly used legal bases are consent and the data controller’s legitimate interest. In the employment environment, particular attention should be paid to the voluntariness of consent, which may be challenged in an employer–employee relationship. Therefore, in practice, legitimate interest is often chosen, provided that a legitimate interest assessment (LIA) is carried out to determine whether the employer’s interest outweighs the employee’s rights and freedoms. This assessment requires demonstrating that the use of the image is objectively necessary and that the purpose cannot be achieved in a manner that is less intrusive to privacy.
The GDPR also imposes an information obligation. The employee must know who is processing their data and for what purpose, on what basis, for how long, and what rights they have, including whether they have the right of access, objection and erasure.
Dissemination of an image under copyright law
Copyright law introduces a separate set of rules regarding the public dissemination of an image. Such dissemination is understood as creating the possibility for an unlimited number of recipients to become acquainted with the image. Publication on a company website, in social media or in promotional materials always constitutes dissemination. As a rule, this requires the consent of the person depicted.
The Act on Copyright and Related Rights provides for three exceptions. The first concerns the recording of the image of a widely known person in connection with the performance of public functions by that person. The second covers cases where the image constitutes only a detail of a larger whole, such as a gathering, landscape or mass event. The third applies where the person has received agreed remuneration for posing. Outside these exceptions, the absence of consent means that dissemination is unlawful.
Rules for granting consent to the dissemination of an image
Consent to the dissemination of an image must be informed and unequivocal. The employee should know exactly where and in what context their image will be published, for how long it will remain available, and whether it will be combined with other elements that may affect how it is perceived. Consent may restrict publication to a specific medium, period of time, or particular situation. The absence of an objection at the time the photograph is taken does not mean consent to its subsequent use. The burden of proving that consent was properly obtained rests with the employer.
Under the GDPR, in addition to consent, a legal basis may be legitimate interest, provided that a legitimate interest assessment is successfully carried out. In practice, this means that the employer must assess whether publication is truly necessary to achieve legitimate objectives, such as promotion or building the company’s image, and whether there are less intrusive means available.
The relationship between copyright consent and consent under the GDPR
In practice, employers very often confuse copyright consent required under the Copyright and Related Rights Act with consent to the processing of personal data within the meaning of the GDPR. Although both relate to the same interest — the image — they serve completely different legal functions.
Copyright consent refers solely to the dissemination of the image, that is, making it publicly available. In the absence of such consent, as a rule it is not possible to publish an employee’s photograph on a website, in social media, or in promotional materials (the exceptions to this rule are strictly defined and were discussed earlier).
By contrast, consent to the processing of personal data, of which an image is one, within the meaning of the GDPR, is a separate construct. It is one of the possible legal bases for the processing of personal data, but not the only one. The controller may also rely on other grounds, such as legitimate interest. Importantly, having copyright consent does not automatically mean that the GDPR requirements have been met. Likewise, even if the processing of personal data is based on the legitimate interest ground, this does not exempt the controller from obtaining copyright consent where public dissemination of the image is planned.
Therefore, proper practice requires that employers always distinguish between copyright consent and consent under the GDPR and treat them as independent from one another. The documentation should clearly indicate which consent relates to copyright law and which relates to the processing of personal data, as well as specify their purpose, scope, and duration. Only then can full compliance with the law be said to exist.
Processing of image within the meaning of labour law
Although the Labour Code does not contain detailed provisions concerning likeness, it should be remembered that it constitutes an element of an employee’s personal data. Pursuant to Article 22¹ of the Labour Code, an employer may request only strictly specified information from an employee. Likeness, as data falling outside this catalogue, may be processed only on a separate legal basis – in practice, most often on the basis of the employee’s explicit consent. Such consent must be voluntary and informed, and its absence may not affect either the establishment or the continuation of the employment relationship. Making employment conditional on giving consent would constitute a breach of the principle of equal treatment and the protection of the employee’s personal rights. Therefore, the lawful use of likeness in employment relations requires not only an analysis of the provisions of the GDPR or copyright law, but also respect for the special guarantees arising from labour law, which are intended to protect the employee as the weaker party in the employment relationship.
Protection of likeness also takes place under the provisions of the Civil Code
An employee’s likeness constitutes a personal right protected also under the provisions of the Civil Code, irrespective of the regulations arising from the GDPR and the Act on Copyright and Related Rights. This means that even obtaining consent for the dissemination of likeness does not exempt one from the obligation to respect the employee’s personal rights, in particular their dignity, privacy, and right to the protection of private life.
In the event of an infringement of personal rights, an employee may pursue claims provided for under the provisions of the Civil Code, in particular request that the infringement be ceased, that its effects be removed, that monetary compensation be awarded, or that an appropriate amount be paid to a social purpose. Civil law protection constitutes a separate mechanism for protecting employee rights related to the use of their likeness, independent of the GDPR and copyright regulations.
Likeness in internal systems
The legal basis for data processing in this case is most often the employer’s legitimate interest. That interest consists in facilitating employee identification, improving internal communication and increasing the security of information flow. However, in order to rely on it, it is necessary to carry out a legitimate interest assessment, i.e. demonstrate that the employer’s interest is more significant than any possible objection by the employee.
The situation changes where the image is made available to persons outside the organisation, for example in email signatures sent to clients or contractors. In such a case, we are dealing with dissemination, which requires copyright consent. The employer should therefore distinguish between these two scenarios and ensure different legal bases depending on whether the image remains within the internal environment or is made public externally.
Recording events and conferences
Recording conferences, training sessions or company events has become a common practice. The very fact of recording means processing of participants’ personal data, including their image. If the recording is purely internal in nature, it is sufficient to comply with the information obligation and provide participants with a real possibility of avoiding recording – for example by switching off the camera during online events or by designating camera-free zones in the case of in-person events.
The situation is different where the employer plans to publish the recording on a website or in social media. In such a case, it is necessary to obtain copyright consent and, in addition, to ensure a legal basis for processing under the GDPR. Event regulations may provide for consent to recording and publication, but for it to be effective, it must be attributable to a specific person – therefore, the participant registration process should be properly documented.
Publication of image in social media
Social media constitute a particular area of risk in relation to employees’ image. Publication through these channels is always dissemination, and therefore requires copyright consent. At the same time, this involves processing of personal data, which must be based on the provisions of the GDPR.
Under the GDPR, an employer may attempt to rely on legitimate interest, but in that case it must carry out an exceptionally rigorous legitimate interest assessment. It should be assessed whether the publication of an employee’s image is truly necessary to achieve the purpose, which may be promotion or employer branding, and whether that purpose could not be achieved in another way that is less intrusive to the employee’s privacy.
Due to the uncontrolled reach and the difficulty of removing content from the internet, in practice it is recommended to use clear, detailed consents that precisely define the publication channel, its context and duration. Such consent should be given separately for each medium and may not be blanket in nature.
Withdrawal of consent and related consequences
Both consent to the dissemination of one’s image under copyright law and consent to the processing of personal data within the meaning of the GDPR may be withdrawn at any time. Withdrawal takes effect for the future, which means that earlier publications made lawfully do not become unlawful. However, from the moment of withdrawal, the employer must cease any further use of the image and remove it from places where it remains accessible.
In practice, the greatest difficulties arise in relation to publications on social media. The nature of these platforms means that once content is published, it begins to “take on a life of its own” – it may be shared, copied or saved by users, and even indexed by search engines. While deleting a post from the employer’s official profile is technically possible, there is no guarantee that the material has not already been reproduced elsewhere and is still circulating online. In practice, this means that completely withdrawing an image from internet circulation can be extremely difficult, and sometimes even impossible.
For this reason, it is advisable for consents for the publication of an image to be as specific as possible – covering a specific period (e.g. until the end of a given campaign or project) and a clearly defined context (e.g. internal materials or for the purposes of a specific marketing campaign). Such limitations reduce the risk that the employee’s image will circulate on the Internet in an uncontrolled manner, and they also make it easier for the employer to comply with the obligation to remove the content in the event of withdrawal of consent.
Summary
Each case of using an employee’s image requires a comprehensive analysis taking into account three legal regimes: the GDPR, copyright law and the Labour Code. The employer should distinguish copyright consents from the consents required under the GDPR, document their granting and scope, conduct a legitimate interest assessment when relying on legitimate interest, and implement procedures enabling the effective removal of the image after consent has been withdrawn.
Particular caution should be exercised in the case of publications on social media and recordings of company events, where the risk of privacy infringement is greatest. An employee’s image is not merely an ordinary element of communication – it constitutes a personal right and personal data, the protection of which is the duty of every employer. A responsible approach to managing employees’ images also helps minimise the risk of disputes and claims that may arise from the infringement of their rights.
FAQ – most frequently asked questions
May an employer publish an employee’s photo without their consent?
As a rule, no – the dissemination of an image requires the permission of the person depicted in it. Exceptions apply only to persons commonly known in connection with the performance of public functions, situations in which the image constitutes a detail of a larger whole, and cases in which the person received an agreed payment for posing.
What is the difference between consent under the GDPR and consent to the dissemination of an image?
Consent within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (GDPR) concerns the processing of personal data and is one of several possible legal bases. By contrast, consent to the dissemination of an image arises from copyright law and relates solely to making the image publicly available to recipients.
Can an employee withdraw the consent they have given?
Yes, consent may be withdrawn at any time and takes effect only for the future. This means that publications made previously remain lawful, but from the moment of withdrawal the employer must cease any further dissemination and remove the image from available channels.
Does consent to publish a photo on the intranet also permit it to be posted on the company website?
No – a person’s consent always relates to a specific context and publication channel. If an employee has consented only to the use of their image in internal systems, any external publication requires separate authorisation.
May an employer disseminate an employee’s image on the basis of a legitimate interest?
Under the GDPR, processing an image on the basis of a legitimate interest is possible, but it requires a legitimate interest assessment (LIA). However, this does not relieve the employer of the obligation to obtain authorisation under copyright law, because dissemination of an image requires authorisation regardless of the legal basis for data processing.
What should valid consent for the use of an image look like?
Consent should be informed, freely given and unambiguous, and it should specify the purpose, publication channel, period of validity and context of use of the image. Blanket formulations such as “I consent to any use of my image” are ineffective and may be challenged.
What about an employee’s participation in a photo session organised by the employer?
If the employee received agreed remuneration for posing, authorisation for dissemination of the image is not, as a rule, required unless the parties have agreed otherwise. In practice, however, it is recommended to conclude a written agreement specifying the scope of permitted use in order to avoid interpretative disputes.
What consequences may an employer face for unlawful dissemination of an image?
Unauthorised use or dissemination of an employee’s image may give rise to civil liability for infringement of personal rights, including claims for injunctive relief, removal of the consequences of the infringement, or monetary compensation. If the image makes the employee identifiable and constitutes personal data, the employer may also incur liability under the GDPR, including exposure to supervisory action by the President of the Polish Data Protection Authority.




