21 March 2026
GDPR compliant event photography: a practical guide for UK organisers
How to handle event photography under GDPR without facial recognition. Practical guide for UK conference and event organisers.
You want to share event photos with attendees. You also don't want to end up on the wrong side of GDPR. These two things are not as hard to reconcile as they might seem.
What GDPR actually says about event photos
Photos of identifiable people count as personal data under GDPR. That alone isn't a problem: most event photography falls under "legitimate interest," meaning the organiser has a reasonable business reason to document and promote their event.
Where it gets complicated is facial recognition. The moment you scan someone's face to match them to a photo, you're processing biometric data. That's a special category under Article 9 of GDPR, and it requires explicit consent from every person being scanned. Not a notice, not a checkbox buried in the terms. Explicit, informed, freely given consent.
In practice, this means:
- You need a lawful basis for taking and sharing photos (legitimate interest usually covers this)
- If you use facial recognition, you need separate explicit consent for the biometric processing
- Attendees can object and request their photos be deleted
- You need a privacy notice that explains how the photos are used
The consent headache
Getting proper biometric consent at a 500-person conference is a logistical nightmare. You need to ask every attendee individually before the event starts. Anyone who doesn't consent can't be scanned, but might still appear in group photos. And if someone withdraws consent after the event, you need to find and delete their facial data.
Most event organisers don't have the infrastructure to manage this properly. And honestly, most attendees find the whole "we need to scan your face" conversation uncomfortable.
How Pictag.IO handles this differently
Pictag.IO uses visual markers on badges instead of facial recognition. This is the comparison that matters:
| Facial recognition | Pictag.IO markers | |
|---|---|---|
| Data type | Biometric (special category) | Visual marker (not personal data) |
| Consent needed | Explicit consent per person | Standard photography notice |
| GDPR Article 9 | Applies | Does not apply |
| Opting out | Complex, data may already be processed | Remove the marker from your badge |
| Data stored | Face templates | No biometric data at all |
Because no biometric data is collected, Article 9 doesn't come into play. You're back to standard event photography rules.
What you should actually do
- Mention photography in your event terms. A line saying photos will be taken and shared is enough for legitimate interest
- Use badge markers instead of facial recognition. Skip the biometric consent problem entirely
- Give people an opt out. With Pictag.IO, that's as simple as peeling the marker off their badge
- Set retention periods. Pictag.IO deletes photos automatically after 30 days
- Put a privacy notice on your event page explaining how photos are handled
None of this is particularly hard. The hardest part of GDPR-compliant event photography is actually the facial recognition bit, and you can just... not do that.