1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

    Any content, information, or advice found on social media platforms and the wider Internet, including forums such as AP, should NOT be acted upon unless checked against a reliable, authoritative source, and re-checked, particularly where personal health is at stake. Seek professional advice/confirmation before acting on such at all times.

GDPR impact on photography, street photography, travel photography, etc.

Discussion in 'Talking Pictures' started by EightBitTony, Apr 27, 2018.

  1. daft_biker

    daft_biker Action Man!

    Isn't it a professional photographer problem though?
  2. EightBitTony

    EightBitTony Well-Known Member

  3. daft_biker

    daft_biker Action Man!

  4. PeteRob

    PeteRob Well-Known Member

    Yes, but if I remember correctly (it was a month ago) if someone holds personal data and uses that for business purposes there has to be some form of consent, the data must be secured and there must be some kind of description of the data i.e. it must be known what is held and to what use it is put. Images count as biometric data so add an image to a name and an address in other than a private context (e.g personal friend) and that's the kind of record that counts as personal data. Part-timers who do weddings or events probably need to do some simple things.
  5. EightBitTony

    EightBitTony Well-Known Member

    "The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities."

    If you process data for purely personal or household activities, then you're fine. If you take photographs, for free, of a school event, and you collect the names and addresses of the people to send the photos to, then I personally believe the GDPR would apply. Whether anyone would ever get caught out by it, is another question, but I still think it applies.

    Individuals count as organisations as soon as they process data for non-personal/household reasons.

    The DPA was no different, it just didn't use the word organisation as openly, and it still had the same exclusion.

    Does GDPR apply to every single Amateur photographer? No. Is it relevant to some of them? Yes.
  6. David Loxley

    David Loxley Well-Known Member

    Big Brother is certainly getting his grubby little fingers into our underwear.
    This is a concerning debate.
    In the best tradition of gravy-train politicians should we not consider what photographers,
    especially amateur, are doing in France, Germany, Italy, Spain et al.
    Many. other businesses, seem to carry on as normal and ignore the dictat.
    Whitehall, quite naturally, forbid any such infringements.
    And I thought that "Out means Out!"
    How naive of me.

  7. EightBitTony

    EightBitTony Well-Known Member

    How odd. The GDPR is there to protect people from having their data mishandled. It's the exact opposite of Big Brother. It's also a primarily UK led initiative, being adopted by the EU. It's an extension of the existing DPA, which already helps protect EU citizens.
  8. daft_biker

    daft_biker Action Man!

    Part-timers? You mean folk doing jobs on the side without the appropriate insurance or declaring taxable income?

    As I'm not an organisation I'm not going to worry about data protection. One thing the GDPR has done is highlight how little many people know about the DPA.......and TBH I'd probably be in the same boat unless I'd worked in IT and taken an interest in it.

    Data protection has always mean only keeping data for as long as it is relevant, only using it for it's intended purpose and it only applies to organisations but is widely abused by organisations trying to bend the rules to make money. Same rules now but they should be a little harder to bend hopefully.
    Catriona likes this.
  9. PeteRob

    PeteRob Well-Known Member

    No. I meant people who genuinely run a side-line activity as a business (fully book-kept, insured and tax paid) who happen to keep personal data (customer lists, billing information) probably should have appropriate paperwork and a system of data protection. It isn't clear. But you are right that there was probably the same requirements under the DPA which I had training on when it was introduced and had mostly forgotten.
  10. Trannifan

    Trannifan Well-Known Member

    And when, as a self-employed person (not as a photographer), the tax office requires me to keep personal data - billing info etc - and to keep this info for, say, 10 years? Admittedly, this is the situation in Germany and may not be the same in the UK.
    Yes, I have a photo website and no, I don't collect personal data on it. I get info on how many visits the site has had, but not on who visited.To be on the safe side though I've deleted all links to other sites.
    What info I've seen about this GDPR is generally in IT-gobbledegook, a 'language' I neither speak nor understand.

  11. David Loxley

    David Loxley Well-Known Member

    I do not disagree, Tony, but there are extended issues not yet discussed here.
    Generally it was accepted that anything 'in the public domain' could be photographed with impunity provided always that there were no obvious intrusions, e.g. naked woman looking out of a second story window; military installations; other Government establishments. Things which are obviously 'off limits'. Reading the posts here I am driven to the conclusion that a person in a public place is 'off limits' (how does one 'fuzz-out' a face on film?). How many of us are aware that a Local Authority, which records the Electoral Roll, can sell that detail to other organisations and make it publically available, as a restricted list, in a library,
    How do we address visitors from abroad who click and snap then post on all-and-sundry web sites?
    Many times the British Police have put out public requests for anyone who was at the scene of an incident and may have taken photographs to offer tem for evidence, how will that be addressed? Bearing in mind that many corporations use the Data Protection Act to refuse the provision of personal data to 'official' requests. Will 'The Police' be given blanket absolution? What of the recordings made by external C.C.T.V. surveillance cameras, how do they fit in with this scheme? Will they be allowed exclusion? If it becomes one law for the Police and the surveillance companies and a restrictive one for the 'others' then we find ourselves living in a world approaching that of Russia, P.R. China even N. Korea. Not a pleasant concept; BUT it has to be considered.
    Legislation, always a 'one-size-fits-all' sledgehammer, does not, nor has it ever, prevented criminal activity, it merely renders the innocent activity of people criminal acts.
    That is the problem.

    Last edited: May 26, 2018
  12. Andrew Flannigan

    Andrew Flannigan Well-Known Member

    For those who really enjoy wading through political and legal treacle the actual document is here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN There are specific exemptions for freedom of expression in Article 85 while Item 19 of the basic regulations specifically removes law enforcement and associated actions from the GDPR and places them under the various other existing directives.
  13. EightBitTony

    EightBitTony Well-Known Member

    Yes, but I was talking only about personal data. Consent forms, model forms, contracts, email lists, etc. that photographers of all kinds may end up having to 'process' and so they fall under the GDPR. I wasn't talking about photographs.
  14. David Loxley

    David Loxley Well-Known Member

    That still leaves the question.. Who is to be held accountable for addressing the requirements of the GDPR? It has to be, in British Law, an 'identifiable person' (i.e. the poor devil who may be hauled up before 'the Beak'). Hypothetical:- Does publication of the Telephone Directory fall within the remit of GDPR ? or the 'simplified' Electoral Roll, available for public inspection in Public Libraries,
    All Government organisations hold much data about 'citizens', all of it is regarded as propriety but the Freedom of Information Act allows one to request Specific data held, for a fee of course. But access to some data is refused. Consider your own medical records held by a G.P. on request yo will be shown such data, but not all of it. The medical and clinical people regard that information as propriety to themselves and not available to the individual.
    I am sure that there are some who read these posts will be able to add to such concerns.
    Ref. #27: Big Brother did indeed collect masses of personal information and used it to control the population, bureaucratically, with fear, of retribution, and regulation.
    Invasion of personal data is a tort and actionable as such, The EU seems to make it criminal - a very different scenario, especially under Corpus Juris.
    If we are to believe much of the information published by 'the media' then it seems that Government Organisations and Quangos are the ones which have more data stolen or 'lost than any commercial concern.

    Sorry, I am rabbiting on.
    If I start saying " I can remember when..."
    Prime the captive bolt...........

  15. Roger Hicks

    Roger Hicks Well-Known Member

    Surely "Consent forms, model forms, contracts, email lists, etc." are a problem only if you use them other than in a business relationship with the person whose data you hold. Otherwise we'd all have to throw away everyone's business cards, tear up our address books, throw away all contracts, etc.

    The European companies I've had dealings with on this seem a lot more relaxed about it than the paranoid British: their reading is, "As long as this is between us, with no release of data to third parties, there's no problem."


  16. EightBitTony

    EightBitTony Well-Known Member

    You're referring to only one aspect of GDPR - direct marketing.

    GDPR also talks about how all personal data is protected, and it applies Europe wide. If you hold personal data, such as a consent form, you must protect it, because it's used in a business relationship.

    If you hold information in a personal capacity, such as an address book, it's not covered.
  17. Roger Hicks

    Roger Hicks Well-Known Member

    Dear Tony,

    But what does "protect" mean in this context?

    There are plenty of business addresses in my address book, and as I say, where does this leave business cards?


  18. Andrew Flannigan

    Andrew Flannigan Well-Known Member

    You are quite wrong.

    There are only limited circumstances in which full access to a patient’s health records may be denied. The main example is where the release of health records is likely to cause serious harm to the physical or mental health of the subject or another individual. However this is the only basis on which access may be denied and even that is far from absolute. For example if the third party is a health professional who has compiled or contributed to the health records or who has been involved in the care of the patient they have no veto over the patient's access. [source "Patient Health Records and Confidentiality" Briefing Paper from the House of Commons Library 25th May 2018]
    EightBitTony likes this.
  19. EightBitTony

    EightBitTony Well-Known Member

    You don't need to protect information about businesses (under GDPR), only personal information about identifiable individuals.

    Anyone is free to read the GDPR regulations, which aren't that hard to understand, and then they don't need to a) guess or b) interrogate me.

  20. EightBitTony

    EightBitTony Well-Known Member

    I quoted the whole thing, because frankly, it's mostly rubbish.

    Public bodies have even greater requirements in terms of GDPR than corporations, and are obliged to treat 'unstructured data' as personal data if it contains personal data, where-as non-public bodies don't. You are entitled under GDPR to have access to any personal data a company or public body holds on you.


    Here's the refusal clause,

    Can we refuse to comply with a request?
    You can refuse to comply with a subject access request if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

    If you consider that a request is manifestly unfounded or excessive you can:

    • request a "reasonable fee" to deal with the request; or
    • refuse to deal with the request.
    In either case you need to justify your decision.

    You should base the reasonable fee on the administrative costs of complying with the request. If you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.​
    Andrew Flannigan likes this.

Share This Page