Collecting guest photos in the EU without the GDPR headache
When you collect photos, videos and voice messages from event guests, you are processing personal data. A photograph of someone's face is personal data under the GDPR. So is a voice recording. So, technically, is a video of someone dancing at a table. For events held in the EU -- or events anywhere where guests are based in the EU -- that brings real legal obligations, whether you are a professional planner running corporate events or simply someone throwing a birthday party.
Most event hosts do not think about this. The photo album software gets set up, the QR code goes on the tables, and nobody stops to ask who consented to what, where the data actually lives, or what happens when a guest later asks for their photos to be deleted. The obligation does not disappear because nobody raised it. A guest who objects to their image being stored on US servers has a legitimate legal complaint -- even if you had no idea it was happening.
The good news is that Gathmo was built with this in mind from the start. EU data storage, consent captured before the first upload, and straightforward deletion tools are all on by default, on every plan -- not enterprise-only features, not add-ons you have to activate. This guide explains each of the three main obligations and exactly what you as the event host need to do to meet them.
What you will need
- A Gathmo account (any plan)
- An event in the EU, or guests based in the EU
Understand how consent is captured
Gathmo shows guests a clear consent notice on the capture page, right where it matters: before their first upload. It explains what is being collected and links the privacy policy, and the guest's consent is recorded the moment they choose to share -- nothing is collected before that. This works for every event by default; there is nothing for you to configure.
Confirm EU data storage
Gathmo stores event media on EU-based infrastructure by default, for every plan. You do not need to configure a region or request a special account type, and you do not need to explain to guests why their wedding photos are sitting in a far-away jurisdiction. Details of where and how data is processed are in the privacy policy, which is linked from every capture page.
Know your retention period
Retention follows your plan: 30 days on the free plan, and from six months up to two years on paid plans. Know which window applies to your event and tell guests how long media will be kept -- a line on the QR sign or invitation is enough. And do not keep media longer than you genuinely need: downloading your archive and deleting the event early is a basic GDPR principle, and it reduces your exposure if guests later ask what happened to their data.
Handle erasure requests
Under Article 17 of the GDPR, any guest has the right to request deletion of their personal data within a reasonable timeframe -- typically one month. In Gathmo, go to the event dashboard, find the relevant upload, and delete it; the file is removed from storage. For bulk erasure requests -- for example, if a guest uploaded many photos and wants all of them removed -- contact Gathmo support.
Disclose anything beyond the album
The capture page links Gathmo's privacy policy automatically, so the basics -- what is collected, where it is stored, how to request erasure -- are covered for you. What Gathmo cannot know about is everything you plan to do with the media afterwards. If a photographer will also be shooting, if you plan to print an album, or if some photos may end up on social media, tell guests up front -- a sentence on the QR sign or the invitation is enough. Surprising guests later is how goodwill (and compliance) evaporates.
Quick recap
- Consent is captured on the capture page before the first upload (default)
- Media stored on EU infrastructure -- the default for every plan
- Retention window known (30 days free, six months to two years paid) and communicated
- Erasure process understood: dashboard delete, or contact support for bulk
- Extra processing (photographer, prints, social media) disclosed to guests up front
Frequently asked
Yes -- EU data storage, consent captured before the first upload, and deletion tools are all active by default on every Gathmo account. You do not need to configure them specially. The one thing you should know before each event is your retention window: 30 days on the free plan, six months to two years on paid plans.
If you are processing personal data in a professional capacity -- as an event planner, photographer, or corporate organiser -- you likely need a DPA in place with Gathmo as your processor. Gathmo offers a standard GDPR-compliant DPA on request; contact support to get one set up before your event goes live.
Find the upload in your event dashboard and delete it -- the file is removed from Gathmo's storage. If the guest uploaded multiple items and wants all of them deleted, contact Gathmo support for a bulk removal. Erasure requests should be actioned within one calendar month under the GDPR.
Yes. Guests are not required to provide a name, email address, or any other identifying information to upload to a Gathmo event. Consent is recorded when the guest uploads, but it is not attached to a named individual. This means the media you collect may be less attributable to specific people, which can actually simplify your data obligations.
Three things make event photo collection GDPR-compliant: consent captured before the first upload, personal data stored on EU-based infrastructure, and a clear process for deleting data on request. Every guest must be informed of what is collected and why before they contribute anything. Photographs, voice recordings and video clips all count as personal data under the GDPR. Erasure requests must be actioned within one calendar month. Gathmo handles all three requirements by default on every plan.
Not automatically, but it creates a legal obligation. Under GDPR Chapter V, transferring personal data -- which includes photos and voice recordings of EU residents -- to a country outside the EEA requires a valid legal basis, typically Standard Contractual Clauses (SCCs). US-based platforms can be compliant if SCCs are in place in their Data Processing Agreement. The burden is on the event host as data controller to verify this before use, not assume it. Using an EU-hosted platform like Gathmo removes this obligation entirely -- data stays in the EEA from the first upload to deletion.
A Data Processing Agreement (DPA) is a contract between a data controller (you, the event host) and a data processor (the event photo platform) that sets out what data is processed, how it is protected, and what happens when the engagement ends. Under GDPR Art. 28, a DPA is mandatory whenever a controller uses a processor to handle personal data. For a private personal event under the household exemption, a DPA is not legally required. For corporate events, branded events, or any event run by a business entity, a DPA with your event photo platform is a legal requirement. Gathmo provides a GDPR Art. 28 DPA on request for all plans.
GuideHow to collect photos from your event guests (the easy way)
A printed QR code on the table collects more photos than any link in a group chat -- here is why, and how to set one up in two minutes.
Comparisonvoxu.fm vs Gathmo: which QR wedding guestbook is right for you?
voxu.fm is a focused QR wedding guestbook; Gathmo captures the whole event -- photos, video, voices and a live wall -- from one code. An honest, EU-hosted head-to-head.
Comparisonknipsmig alternative: Gathmo vs knipsmig, compared honestly
knipsmig is a clean, well-priced QR photo and video collector. Gathmo adds an audio and video guestbook, a live wall and named EU hosting. An honest side-by-side.