top of page


There are many thoughts about GDPR that do not really differ so much from its predecessor the Copyright Act and the Personal Data Act. GDPR has tried to pinpoint the law more, which in a way makes it more complicated. There are many ifs and ways and ways to "bypass" the law. The main purpose of GDPR is to control large companies like Facebook, google and similar not to use our personal data.


When YOU are in the picture? So you have usually signed a contract with me or in an oral agreement you chose to put yourself in front of my camera. Oral agreements also apply (although they are more difficult to prove) and the fact that you yourself act and pose on the pictures is a kind of concession. Must-Photo owns the right to the pictures just as an artist owns his work in the form of a painting, statue, design, trademark or whatever they may be. In the main, of course, the purpose of the photo is the aim

to share and distribute their photographic works in different media and never to offend or hurt anyone.


When it comes to selling pictures (where you can be identified), a written permission is required where you certify that it is OK.

All of my new contracts (2018-06) now contain that section.


The law governs the processing of the images

GDPR is broadly similar to current personal data types. According to Thomas, much is the same. It is still about information that can be associated with a now living person, such as name, address, social security number and IP number but also clothing, hair color and tattoos.

- Anything that can be connected to someone, who helps to identify a person - it's a personal task, says Thomas.

Pictures are also personal information, if there are people in the pictures that can be identified.

The law then controls the actual processing of the data, which includes all actions taken with the personal data, from registration - in the photographer's case when the button is pressed - until the data is deleted, such as when images are deleted from a memory card or hard drive. All that handling requires permission, that is the starting point of GDPR.

For you as a photographer, there are, above all, three legal bases for this: consent, agreement or balance of interests.

Consent, agreement or balance of interests

Consent means that you ask the person you are photographing to get a permit. According to the GDPR, the consent should then be provided "by means of a unambiguous confirmatory document which involves a voluntary, specific, informed and unambiguous consent of the data subject that he approves the processing of personal data concerning him or her".

The law does not require any form in which you do it, that is: you do not have to do it in writing, but it is of course difficult to prove an oral agreement.

- People tend to forget, and possibly redo things. And for that reason, writing is best. But it is also good if you can clarify with a recording, Thomas explains.

An agreement is established, for example, when a private person orders a photograph of you, because she or he wants to be portrayed. So when someone buys a service from you, and where you then agree on how the pictures should then be used.

The third legal basis, the balancing of interests, may become relevant when there is neither consent nor agreement.

- Then one weighs one's own interest in doing this treatment against the one whose personal data applies. Thus, if for some reason it may be more important that you get to process these images than to preserve the personal integrity of those who appear in the images.


Are there any photographers who need to heed the law, and get permission?

- GDPR does not apply to private individuals, in what they do in their private business. That is the clear dividing line. Then it may still be that some things fall outside the private.

Social media is a clear example of that, Thomas says.

- If you think of Facebook, where you may have a closed group consisting of you and your three siblings, as well as mom and dad. Then you can probably say that pictures that end up there are within the private sphere. But say you have 200-300 friends and publish pictures to them, or if you do it publicly: then you are likely to fall outside the private sphere.

In other words: In those cases, a private person should also take into account the GDPR.

But wait now - does this mean that all photo enthusiasts have to run around town and gather the consent of everyone they photograph? No, be calm. There are several exceptions to the law, and also an easy way to get around everything.

Exception: Artistic or journalistic

Although the GDPR is an EU law that applies to all member states, there is scope for national restrictions on the law. Among other things, laws regarding freedom of expression and information are exempt. In Sweden, this means that all treatment covered by the Freedom of Pressure Regulation (TL) and the Statement of Freedom of Expression (YGL) fall outside the GDPR. But also the processing of personal data that occurs without connection to TF and YGL is excluded if your purpose is journalistic, artistic, literary or academic creation.


Journalism, does that mean publishing a newspaper or conducting any other form of media activity?

- It doesn't have to be professional. It can also be some form of opinion formation, that you want to show a misunderstanding and do it in such a way that it comes to the public's knowledge, in a journalistic way.


Can a blog be interpreted as a journalistic product?

- It could do that if it has a journalistic content and a journalistic purpose. Then you have to look at the individual case. If someone writes "my neighbor is not wise in his head, he plays music for days on end", then maybe it is not journalistic but the material needs a wider appropriation.


Is the business required to have a proof of publication, to be called journalistic?

- No.

But there is a lot of talk about issuance certificates, linked to GDPR. Why?

- Yes, it is a way to bypass GDPR in a simple way. That is, to avoid the discussion with the Data Inspectorate, which is the GDPR reviewing authority. You obtain a certificate of release from the "Swedish Press, Radio and Television Authority", cost a couple of thousand SEK and are fairly easy to obtain.


Can a private person also get a certificate of release?

- Yes, if you have any kind of website or database.

Do you agree? Let's summarize it again: If your photography can be considered journalistic or artistic, you do not need to support your business on any of the legal grounds: consent, agreement or balance of interests. This applies whether you are a professional or an amateur. And if your images cannot be considered as part of any of the exceptions, such as the artistic one, you can still feel safe with the help of a publishing certificate - because then you pass under the "GDPR radar". But then you need to have a web page or database, in order to get proof of release.


Many hobby photographers like to shoot in the city, known as street photography. Can it be considered as an artistic or journalistic category?

- I would probably say that. Because I don't know where else to put it.

Thus, a street photographer can continue to photograph in public places, and as long as those images are subsequently processed according to artistic purposes or covered by TF or YGL, they can be disseminated in, for example, social media.

Older images are also covered by the new law

For the professional photographer, GDPR will essentially mean a lot more to think about, such as how to handle personal data in customer records and archives.

The new law applies not only to the images you take from May 25, 2018, but also to all previous images that you have in your archive - if the images now represent living and identifiable persons.

But, again, the images are the result of an artistic creation or have a journalistic purpose, GDPR does not apply to your archive images. But if the same images were to be used in, for example, commercial contexts, then GDPR may apply and you must sign an agreement or obtain a consent.

Consent required for personnel images

A common situation for many professional photographers may be that a company hires you to take pictures of the staff. In these cases, both the company and you as a photographer need the consent of the respective employee, in order for the images to be handled. Thus, two different consents are required, but in practice it may be easiest if the company is responsible for collecting even those that cover your image management.

- The consent must be voluntary. Then, of course, the question is how the employee experiences the situation when an employer says: "now you should be photographed, would you like to be kind and agree that we photograph you and post the picture on the website". But if there is a real alternative, that one can really opt out, then it is voluntary.

It is not uncommon for a company and a photographer to have an agreement through an agreement, as a client and supplier. But even if there is such an agreement, as a photographer you still have to get the consent of the company's staff when they are being photographed. For it is the respective employee who owns the right to their personal data, not the company.


Should an agreement also state how long the photographer can save the pictures?

- Yes, it is good if the agreement states. We recommend our members (within the Swedish Photographers' Association) to save the images for five years, as an offer to their clients. It could of course be an even longer storage period, really for the entire duration of copyright - that is, 70 years after the death of the author.


Does GDPR have the right to keep the pictures after the expiry of the agreement?

- No, basically not.

Personal data assistant - not responsible

What is further stated in the regulation is that the GDPR distinguishes between the personal data controller and personal data assistant, which means that the latter acts on behalf of the person responsible. This means that the assistant has no own responsibility outside the assignment itself.

Such a situation can be when a private person takes pictures during an event, on behalf of, for example, a company or association. As long as the photographer (the assistant) does not take any initiative to use the images, but only delivers them to the client, the assistant does not have to be responsible for the continued handling of the images - and obtain consent for publications. That bit is managed by the person responsible for the personal data, and must also think about what applies in the context where minors are seen in the pictures. Then the responsible person must ensure that the child's guardian has given his consent, if the child does not himself understand the meaning of the consent. The rule of thumb is children under 15 years.

The "abuse rule" disappears

One change with the GDPR is that the so-called "abuse rule" disappears, which is now found in the Personal Data Act. This rule means that "unstructured" material, that is, text and image in a running text, may be used without the consent of those appearing in the text and on the pictures - provided the material does not violate the privacy of the persons. With GDPR, this type of text and image material must be treated in the same way as, for example, structured image databases, and must therefore have a legal basis for handling - such as agreement or consent.


According to GDPR, we have the right to obtain information that is collected about one's self. What does that mean?

- This means that the information you have as a photographer, if it is not in the private sphere, must be able to be released on request within a reasonable time.


Must a private person also be able to provide information?

- Provided that there are no pictures in the private sphere or that you cannot use the exceptions artistic or journalistic creation. Then you may have to leave.

The reason for this possibility is linked to what is called the "right to be forgotten". We have the right to obtain information relating to our personal data, and may in certain cases also require that it be deleted. This applies, inter alia, in cases where the information is no longer needed for the purposes for which it was collected, or if the processing is based on the individual's consent and the person withdraws the consent.

If you violate the GDPR, what happens?

- You can be fined up to EUR 20 million, or four percent of global sales. So it can be felt.

But Thomas also believes that GDPR is not primarily aimed at photographers and small business owners. Without the law, a lot has come about because of big players like Facebook and Google - those who handle a large amount of data and personal data.

- Facebook collects both name, image and GPS positioning as well as which ads you click on, which movies you watch and how long you watch them. This helps to profile media consumers, information that they share or sell to their business partners. And that's what it's all about.


It will be harder for them to do so?

- If nothing else, the GDPR will change their way of collecting information or how they share it. Or they just make a change in the terms of use. It remains to be seen. We have given them a lot of information over the years and that is the price for us to use their services, you should be clear about that.