GDPR for photographers: shooting people for a living

Your entire product is other people’s personal data. Three contracts fix ninety percent of it: the client agreement, the model/portfolio consent, and the event-shoot ground rules.

A professional photographer is a controller of every recognisable face shot — the consent logic is your trade’s legal spine. Client shoots: the contract covers processing for delivery; portfolio use is a separate consent — explicit, written, revocable (build revocation into your workflow: a client may pull their wedding from your Instagram years later, and Art. 7(3) says that request wins; price portfolio rights separately if they matter to you). Events: the organiser is your co-controller — put photography notice on tickets and signage (who shoots, for what, opt-out route), give the no-photo option teeth (wristbands work), and treat close-up portraits differently from crowd atmosphere: the crowd is context, the portrait needs the consent framework. Minors: parental consent, always, in writing — school and club shoots live by the school-photo rules. Your archive: galleries with faces are personal data at rest — retention policy, access control, EU-hosted or transfer-papered storage (transfers), and deletion honoured through backups. Street photography sits in the artistic-expression balance and varies nationally — publishable art in some countries, consent-first in others; know your national line before it becomes your brand. Selling images with recognisable people to stock: model releases are not paperwork theatre — they are your Art. 6 basis.

🗺️Country differences. Portrait/image-rights statutes and the artistic-expression balance differ per country — strictest for commercial use everywhere, loosest for editorial/art in some.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← For small businesses📞 Your data protection authority