Skip to main content

Copyright and GDPR for photographers

Posted by: , Posted on: - Categories: Copyright

Patagonia landscapes in Argentina

I’m always amazed at how a moment can be captured so perfectly, displaying every emotion and eternalising them. It could be a wedding photographer, clicking the moment a father first sees his daughter in her wedding dress. Or a nature photographer, catching the ripples behind a swan skimming a lake in the early summer.

A photograph not only has meaning to those within the image, or those who it is shared with, but to the person who took it. We know that a lot of time, effort and emotional investment goes into the perfect photograph. That’s why all photographers should understand copyright and how it can help protect their work.

What is copyright?

Copyright is a property right which is intended to reward the making of, and investment in, creative works. It protects literary, dramatic, musical and artistic works, sound recordings, films, broadcasts and published editions. Photographs are generally protected by copyright as artistic works.

In the UK, copyright automatically comes into being when a qualifying work is created; there is no formal registration. The term of protection for most copyright material is the life of the creator, plus 70 years from the date of their death.

copyright all rights reserved graphic.

How can it help me?

Copyright grants the creator the right to authorise or prohibit copying, distribution to the public, rental/lending, public performance, adaptation, and communication to the public.

We know that a portfolio can involve a lot of emotional and intellectual investment, and you, the photographer, have ‘moral rights’ over your creative work.

Moral rights include:

  • the right to be attributed
  • the right to object to derogatory treatment
  • the right to object to false attribution
  • a right to privacy in certain commissioned photographs and films

You can find out more about moral rights, and the other rights granted by copyright, on our website.

Who owns the image?

The person who creates an image will generally be the first owner of the copyright unless there has been some agreement to the contrary. However, there are situations in which this may not be the case. If an image was created as part of your employment, the employer will generally own the copyright. Whether you’re a freelancer or employed by a company full-time, it’s always best to check the Terms & Conditions of your contract first.

‘Licensing’ means giving another person/organisation permission to use a work - such as an image - often in return for payment and/or on certain conditions for a specific period. You may allow a person/organisation to license the work on your behalf (e.g. through a collective management organisation or photo library), license the copyright directly, or transfer (‘assign’) the copyright to another person.

There are some circumstances where ownership of copyright is transferred automatically without any intervention by the first or new owner. Examples of this include inheritance and insolvency.

Find out more about the ownership of copyright works here.

GDPR General Data Protection Regulation Check Mark Box 3d

What about GDPR?

As a photographer, you probably want to share your work widely with the public to help grow your business and promote your greatest pieces. That’s why, besides from copyright, it is also important to understand GDPR.

We know that photographs not only have meaning to the photographer, but to the people in the image. And there may be times when a model in a photograph objects to their image being shared. In this scenario, under GDPR a photograph is classed as someone’s personal data. Here are the steps you can take to prevent your greatest work remaining secret:

Choose the lawful basis that most closely reflects the relationship with the individual and the purpose of publication:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interest

For more information see ICOs lawful basis interactive guidance tool.

If you decide consent is the right lawful basis, here is what’s new under GDPR...

Valid consent is freely given, with genuine choice and control. It must be targeted to your purpose and easy to understand. There must also be a clear signal from the individual they agree. There are no specific timescales for expiry of consent in GDPR and consent can be withdrawn at any time.

To obtain valid consent, make it clear and don’t be confusing. Keep it separate from other T&Cs and include individual consent for separate items. You can obtain consent by including an opt-in box either online or offline, or the individual must say ‘yes’ to a clear oral request for consent.

You need to keep evidence of consent including: who, when, what and how. Keep it under regular review, and refresh if your purpose changes.

For more information visit the Information Commisioner's Office website.

For a real-life example of how a photographer has benefitted from understanding copyright, read our case study with Satureyes Media. Rick Bronks, who heads up the company, discusses how he has developed his strategy and enforces his rights.

For detailed guidance on digital images, photographs and the internet, read our copyright notice.

Sharing and comments

Share this page


  1. Comment by Dave posted on

    Will all this be relevant on November 1 ?

  2. Comment by Dan posted on

    I look forward to watching the ICO pursue pretty much everyone that uses social media. There are plenty of influencers that make a profit from their images and have recognisable people in images.

    The difference between social media posts and street photography is one is artistic and the other is a business. I suspect GDPR doesn’t apply to both equally. And frankly, I have no plans to stop making art if it does.

  3. Comment by Simon Chapman posted on

    This blog post is not a good example to use, as in the normal scenario of using a model there will be an agreement in place that the model is willing to be photographed and that the photos will be published. In that instance the legal basis for using the images is contractual and does not rely on consent.

    But if the term “model” here refers to any person in a photo then the blog post also contradicts advice re GDPR which is on the ICO website, that a photograph is NOT personal data if it is not used to record, learn or decide something about the individuals, as in people who are visible in a general scene. And if an image is not personal data then GDPR does not apply.

    "The journalist is not processing the photograph to learn anything about any of the individuals whose images were captured, nor is it likely that the journalist would ever process the photograph for that purpose. Whilst processed by the photographer, the photograph would not be personal data as it is not used to record, learn or decide something about the individuals.”

    There are also exemptions from many of the requirements of GDPR for images taken for journalistic or artistic purposes, and the intention of the EU Directive is that such purposes should be interpreted broadly to facilitate the freedom of expression and information.

  4. Comment by Matt Cooke posted on

    Well said Tony sleep.

    The advice here, offered by the governments own communications team is both misleading and incorrect.

    A met police officer has a better understanding of this in practical real word terms than the government.

    Millions of people everyday make images on phones, and post to social media. How are you policing that under the GDPR explanation you give here?

  5. Comment by Ian E posted on

    Wow ... so a street, beach, crowd, in fact ANY PUBLIC PLACE is out of bounds for photography unless I gain consent from every individual in that area or it is empty? ...
    That's not going to happen purely on a logistical scale so how then does anyone take an image.
    Re the Naomi Campbell story surely that is news worthy and journalistic?

  6. Comment by Matt Cooke posted on

    You state: "If an image was created as part of your employment, the employer will generally own the copyright. Whether you’re a freelancer or employed by a company full-time, it’s always best to check the Terms & Conditions of your contract first." This is categorically incorrect.
    As a photographer the copyright of an image rests with me as its author. As a freelancer, I would never unknowingly and without adequate financial recompense assign copyright to a commissioner. I have been commissioned to bring my creative expertise to a specific job, to bring my way of seeing and interpreting of the world to support their article, brand or company.

    I agree completely with the change required here that Edmond has asked for. "As a freelance photographer, the copyright of the image is always yours, unless you have signed it away in a contract before working for that client." The key here is before. If asked to work with no actual contract in place, the photographers terms and conditions of supply take precedence, and the legal copyright ownership is the authors.

  7. Comment by Tom posted on

    Rebecca Trussell's article contains numerous errors and inaccuracies and will only serve to confuse and potentially lead to angry confrontations between the public and photographers going about their legitimate business. It should be removed from the site.

  8. Comment by Phil posted on

    This article is clearly misrepresenting how gdpr is supposed to work and should be taken down and rewritten by someone who clearly understands the issue and can express it succinctly.

  9. Comment by Jay Williams posted on

    There is a terrific amount of nonsense being written on here. There is NO right to privacy in a public place, none. If I'm taking a picture of a street for a newspaper piece about the housing shortage are the more hysterical voices on here saying seriously that I should speak to every person in view and get their written permission to use the picture? What fatuous rubbish.

  10. Comment by Tony Sleep posted on

    No, Pre-GDPR, advice from the ICO was that photographs themselves were not inherently 'private data', but any embedded metadata could be, if it contained identifying text. Even then, there were exceptions for journalism/reportage, which are un-mentioned here. DPA was not a problem.

    If this blog's view is correct, GDPR has killed culturally invaluable photography stone dead. There is now no such thing as a public space with no right to privacy, when any image of a recognisable person who could be identified is deemed private. If active consent of the subject is needed, it is no longer possible to candidly document how we live, or history. Most social documentary and street photography is expunged as unauthorised private data. The likes of Don McCullin have wasted their lives; much of the past 150years photographic record of how we live is unlawful.

    In 2017 I published a book of my work, photographed in the late 1970's and early 1980's. The subject matter was sensitive. At the time I avoided taking photos of individuals who didn't consent, not because law required it but because it would have been exploitative and unfair. However this was informal, a conversation, an understanding. I can prove nothing now, 40 years later. Yet according to this reading of GDPR, those individuals (or their heirs?) potentially have statutory rights under GDPR: the right to erasure, the right to restrict processing, the right to object, the right to be informed and the right to rectification of inaccurate personal data.

    Nobody can ever safely publish anything, if that's correct. Any image may be open to challenge and a legal right to removal. It is of course mostly impossible to obtain consents, let alone contractual releases, in most public contexts.

    According to this blog the only public photography now possible is that which the subject approves, in advance, in signed duplicate - and of course most will require licence to use as a quid pro quo 'valuable consideration' necessary to create a valid contract. In summary, GDPR makes it impossible to make any candid public image without disrupting the very thing you want to record, and/or immediately losing copyright control.

    If this view of photography is correct, GDPR clashes with Article 10 of the European Convention on Human Rights '1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.'

    The UK has more CCTV cameras than anywhere else, many operated by civic authority including government. The legal basis for this mass surveillance of public areas is no different: there is no privacy in public places. The vast majority of the surveilled and recorded never gave any consent, nor often knew they were being photographed by a system whose entire purpose is identification. Of course, the context is different: the state can do what it wants, and can shape the law to accommodate itself. But a state that holds its citizens to laws that it exempts from itself has clearly gone off the rails. I and literal millions of photographers will disregard a law that is incapable of common sense, if the only choice is no photographs.

  11. Comment by Ian Boichat posted on

    Staggered to see such incorrect information about GDPR in relation to photographs on a government website, even the ICO (Information Commnisioners Office) who police GDPR infringements have stated that photographs are not covered by this as stated above. Whether with the increasing use of facial recognition software that will change in the future remains to be seen but under the current Act that was passed photography isn't even mentioned.

  12. Comment by Kirsty Edwards posted on


    Thank you everyone for reading and providing their comments on the blog.

    We accept some of the wording may have been ambiguous and as a result we have removed a sentence that has caused confusion between copyright and GDPR. GDPR is not a matter of IP law but something that is often raised with us during our outreach activities. The purpose of this blog was to be a light touch and to inform creators of the different elements they should consider and understand. We apologise for any confusion caused.

    “Under GDPR a photograph is classed as someone’s personal data…” - in the context and scenario it is given in the blog, this is correct. From the image you would be able to identify a natural living person and in that scenario we are providing advice on things to consider in relationship to GDPR. However, beyond this, a photograph might not always be considered personal data. For example, if it was a photograph of someone who can’t clearly be identified.

    Many Thanks,

    IPO Communications Team

    • Replies to Kirsty Edwards>

      Comment by Monty Rakusen posted on

      So how does this relate to street photography?

  13. Comment by George Chin LLB, LLM posted on

    The purpose of the GDPR provides for and ensures the fair lawful and transparent information about people (i.e. personal data) and their fundamental right to privacy.

    What is personal data?
    It is any information that relate to a natural living person/individual who can be identified directly from the information or in combination with other information e.g. telephone numbers, bank account numbers, IP addresses, cookie identifiers, GPS location data, etc. The criteria is if the individual can be identified from the information, it can be construed as personal data. Information on deceased persons or companies are not personal data.

    The data subject is the individual who is the subject of the personal data and consent must be given by the individual - orally or in writing - for the lawful processing of his/her personal data.

    Ergo photographs are personal data if the individual can be identified and the individual's 'consent' is the legal basis applicable under the GDPR if a photographer takes a photograph of an individual and processes the data. ('Legitimate interest' is another legal basis under which photographs of individuals can be taken e.g. for law enforcement purposes).

    Processing is defined in the GDPR as the obtaining, recording or holding of data - manually or computerised - and the organising, filing, adapting, altering, retrieving, disclosure and blocking, consultation or use, destroying or erasure of personal data.

    Consent can be implied such as when a celebrity walks the red carpet - his/her consent is implied to have been given to be photographed and the data processed.

    The famous case of Naomi Campbell (pre-GDPR) was a landmark case in privacy which established that an individual's medical information is sensitive personal data (under GDPR it is a protected characteristic) i.e. she was attending Narcotics Anonymous where the building was clearly identifiable in the photographs, and the Mirror was in breach of her privacy.

    Therefore if the photographer has no legal basis i.e. 'consent', to take the photograph, the processing of the data is illegal and the individual has statutory rights under GDPR such as the right to erasure, the right to restrict processing, the right to object, the right to be informed and the right to rectification of inaccurate personal data.

    • Replies to George Chin LLB, LLM>

      Comment by Jamie Fry posted on

      Thank you, maybe the rest need to read and take heed.

    • Replies to George Chin LLB, LLM>

      Comment by Jamie Fry posted on

      • Replies to Jamie Fry>

        Comment by Simon posted on

        "The famous case of Naomi Campbell (pre-GDPR) was a landmark case in privacy which established that an individual's medical information is sensitive personal data (under GDPR it is a protected characteristic) i.e. she was attending Narcotics Anonymous where the building was clearly identifiable in the photographs, and the Mirror was in breach of her privacy.

        Therefore if the photographer has no legal basis i.e. 'consent', to take the photograph..."

        Your second statement of course doesn't follow from the first. The Naomi Campbell case involved private and sensitive medical information about an individual, and hardly surprising if letting the world know about that was not a breach of privacy. A person standing in a public space doing nothing in particular is quite a different matter - there is no breach of privacy or disclosure of personal information and the Naomi Campbell case is largely irrelevant. There is no reasonable expectation of privacy from simply standing in the street, and the fact of that person's presence is not and should not be protected by the Human Rights Act or by GDPR unless there is something exceptionally unusual, sensitive and private about that person's presence in that location at that time.

        It's this worrying grasp of both common sense and the hazy grasp of the law which makes this article so misleading and worrying.

  14. Comment by Jeff posted on

    I find it astonishing that the IPO blog was so factual incorrect!!! Please take this down actually read the law & re post it !

  15. Comment by Jamie posted on

    Photographs of people are considered personal data. You must have a legitimate reason for having them. You must seek consent if using their image in marketing. Use consent forms. If using a picture containing people and you are unlikely to be able to gain consent you must remove it if asked to do so if they find out. Not a lawyer.

    • Replies to Jamie>

      Comment by Monty Rakusen posted on

      This is simply untrue

  16. Comment by Paul Pickard posted on

    This article achieves only to confuse. Please take it down and do some research. Thank you

    Paul Pickard

  17. Comment by Pete Jenkins posted on

    This article/blog seems alarming inaccurate about some fundamental issues

    If one were to read it as it is currently written, this individual writer's interpretation of GDPR seems to have rewritten copyright law.

  18. Comment by Edmond Terakopian posted on

    Alongside the already questioned issue of the author confusions of a photograph and data (this has tremendous implications, so think it prudent to check and adjust the piece), I would ask a rewording of some part of this paragraph too please, as it can be a little misleading:
    “If an image was created as part of your employment, the employer will generally own the copyright. Whether you’re a freelancer or employed by a company full-time, it’s always best to check the Terms & Conditions of your contract first.”
    I would change the last part to: As a freelance photographer, the copyright of the image is yours, unless you have signed it away in a contract before working for that client.

    • Replies to Edmond Terakopian>

      Comment by :) posted on

      I think you’re confusing elements of self-employed and being employed on a freelance basis. It makes perfect sense as it is. If you are full time employed by, or freelancing for a company, generally speaking they will own the copyright unless something is agreed to the contrary.

      For example, many people working in the film and television industry are employed on a freelance basis. Your example suggests that many of the crew, from cinematographer to make-up artist would have a claim to the final ‘picture’.

      • Replies to :)>

        Comment by Edmond Terakopian posted on

        Quite rightly, there is a difference, but no confusion on my part. The content created belongs to the author. In a staff contract, the copyright is transferred to the employer in exchange for a salary, car, holiday pay, sick pay and other perks. When employed as a freelancer on a shift, the copyright again belongs to the author, unless it’s signed away. Often in broadcasting, this is the norm and usually along with better pay, equipment is supplied by the broadcaster. In newspapers, it’s only over recent years that employers are bullying freelance photographers into signing away their copyright, in exchange for nothing but a shift rate (which hasn’t changed in decades). Regardless, copyright belongs to the author unless it’s signed away.

  19. Comment by Ariane posted on

    I often see photographers taking pictures of my me and my children at the park or events and I feel there should be legislation to arrest them as I feel my rights to privacy and image are violated. They should be cautioned by the Police. Just last week I was with my youngest son at the park and a woman walking alone with a dog started taking pictures of my son without asking me permission.

    • Replies to Ariane>

      Comment by Tony posted on

      Ariane you have no right to privacy in a public place. anyone can take pictures of anyone of any age. No laws exist to stop this.

      • Replies to Tony>

        Comment by Ariane posted on

        Thank you for clarifying this for me.

  20. Comment by Mark posted on

    “Under GDPR a photograph is classed as someone’s personal data”

    Is this an official change of policy by the IPO or an invention of the Comms Dept?

    Previous advice from the IPO has always avoided referring to photographs as data unless they contain identifying material (such as name badges, traceable numbered bibs for sport etc).

    If this blog were regarded as the IPO's official position, it massively changes the way that photographers can operate legally.

  21. Comment by Monty Rakusen posted on

    Under GDPR a photograph of someone is not personal data it’s a photograph not data. Data about that person is.

  22. Comment by Nick posted on

    “Under GDPR a photograph is classed as someone’s personal data”

    Is this still the case with an unidentified person? Say a street photograph where physical characteristics like hair colour, height etc cannot be attributed to an named individual. How can you store data of someone with no name, address, date of birth etc?

    • Replies to Nick>

      Comment by Monty Rakusen posted on

      You are right a photograph is not personal data just as a drawing or a painting is not. The author of this article should correct this.

    • Replies to Nick>

      Comment by Kevin Hayes posted on

      The author of this piece should definitely clarify this- do GDPR rules only apply when a "person commissions a photograph of themselves for private purposes"?

      • Replies to Kevin Hayes>

        Comment by Ian posted on

        A photograph, picture, painting, drawing or even a cave drawing is considered data under GDPR. Anything that can identify a natural living person is PII, even in a public place. This has always been the case, even preGDPR. If you can identify someone then it is personal. Identification can come from a defining characteristic (e.g. The only person with pink hair on the photo) or with a mix of other data (e.g. A group photo where no names or anything is really identifiable but there's a blub that says the third person from the left is John Doe).

        The right to rectification and the right to reject are absolute rights. You must have valid consent (LI and contract being most common) to take a photo of someone. An example of LI would be being a wedding photographer and taking photos of everyone in the event - you're being paid to do it (contract) but you do not need consent as it would be legitimate to take a photo during the event. However if someone were to object to their photo being taken, you'd have to follow their wishes.

        Furthermore if you're going to use those photos in your marketing, you need consent from every person who is in the photo before you market it. An exception there would be if you're a photographer at a fun run and it's well documented that photos will be taken and used in marketing.

        It's a very complicated position that requires consideration. The best form of consent is arguably contractual as it is a very firm legal basis.