Employees are valuable assets to employers, as are employees’ photographs. Companies often use pictures to identify their employees on entry cards or the intranet, and publish them in their marketing materials and on the Internet. Conditions of such use are often discussed due to some questions connected with the applicable privacy laws. With the aim of clarifying these issues, the Czech Office for the Protection of Personal Data expressed its views (Practical Issues Series No 3/2010) on a question regarding when and under what conditions employers can use photographs of their employees.
Many employers were unsure about how to handle employee photographs, because they contain or may contain biometric data and thus allow the direct identification of individuals. They can also show a person’s racial or ethnic origin and, in certain cases, even reveal his or her religious affiliation. In all these cases, a photograph can be a source of sensitive data within the meaning provided by the EU Directive, the processing of which is subject to specific rules.
The Office clearly stated that any use of information obtained from a photograph of an individual simply to distinguish a person from others, with no further processing of any kind, should not be considered to be the processing of sensitive personal data. The Office has thus removed longstanding uncertainty and diversity of interpretation, which it has often admitted in the past.
The rules for the use of photographs can be summarised as follows:
- If the employer wishes to use a photograph of an employee taken at a meeting, a social, or another event for illustrative or marketing purposes, it must first obtain the employee’s consent. This kind of use does not need to be notified to the Office for the Protection of Personal Data, as it does not constitute the processing of personal data under the Personal Data Protection Act.
- If the employer uses its employees’ photographs systematically to identify persons, with no intention of processing sensitive data, it can do so without the employees’ consent. It will not need the employee’s consent if it processes the data in order to comply with its statutory obligations, or if the use of personal data is required to protect the legally-given rights and interests of the employer itself or a third person. In all other cases, the employer must obtain the employee’s consent. Also, it must inform the Office of any use of its employees’ photographs that requires the employee’s previous consent.
- The strictest rules apply to the systematic processing of employees’ photographs with the aim of handling sensitive personal data. The employee’s explicit consent is then practically always required, along with notification of such an intention to the Office. Consent is unnecessary only in certain specific cases, for example if the processing of the data is necessary to preserve the individual’s life, to avert a serious danger, or for the purposes of criminal proceedings.
An interesting point in this guidance is that the Office distinguished the clearly manifested purpose of the processing from the potential use or misuse of collected data, and thus excluded the issue of sensitive data.
However, it is probably premature to draw a general rule that could be used not only when potentially sensitive data are handled, but also in cases when “ordinary” data are processed and the question is whether there is any purpose for the processing and whether it falls within the scope of privacy rules. Such clarification would typically help in dealing with systems that automatically process large quantities of data (for example, video records) that could contain accidentally collected personal data. We will inform you about any future development.