
GDPR and Event Photos: What Every Host Needs to Know in 2026


If you're collecting photos and videos from guests at your wedding, party, or company event, you're handling other people's personal data — and in the EU that means GDPR applies. The good news: for an ordinary private event, the rules are far more reasonable than the acronym suggests. Here's what actually matters, in plain language, with the relevant articles cited so you can check them yourself.

Not legal advice. This is a plain‑English summary of the law for event hosts, citing the regulation directly. For a specific situation — especially a corporate or public event — talk to a qualified data‑protection adviser.

1. Is an event photo even "personal data"? (Usually yes)

A photo that identifies a person is personal data. But here's the nuance that trips people up: a photograph is not automatically "special category" (biometric) data. Under Recital 51 of the GDPR, an image only becomes biometric data when it's run through "a specific technical means allowing the unique identification" of someone — i.e. facial recognition. So a normal shared photo album is ordinary personal data; an app that face‑matches guests to group their photos is processing biometric data and faces a much stricter regime (Art. 9), normally requiring explicit consent. (GDPR Recital 51; Art. 9(1))

Takeaway: a simple QR photo album is low‑risk. Face‑recognition photo finders are not — if you use one, get explicit opt‑in.

2. What's your legal basis? Consent vs. "legitimate interest"

To process guests' photos you need a lawful basis under Art. 6. Two are realistic for a host:

  • Legitimate interest (Art. 6(1)(f)) — you can generally rely on this for ordinary photos at an event you're hosting, provided your interest isn't overridden by guests' rights. The law specifically flags extra care "where the data subject is a child."
  • Consent (Art. 6(1)(a)) — the safer basis, and the required one where the balance tips against legitimate interest or where special‑category data (face recognition) is involved, in which case it must be explicit (Art. 9(2)(a)). Consent must be "freely given, specific, informed and unambiguous", and must be as easy to withdraw as to give. (GDPR Art. 4(11); Art. 7(3))

Takeaway: for a private wedding or party, legitimate interest usually covers a guest photo album. Lean on clear consent when children are prominent, when you'll publish photos publicly, or whenever you're unsure.

3. The "it's just my private party" exemption — and its limit

GDPR has a "purely personal or household activity" exemption (Art. 2(2)(c), Recital 18). A private individual collecting photos at their own birthday or wedding, shared only with guests, generally falls outside GDPR's full reach. But the exemption is narrow: the moment photos are published to the open web or systematically cover people beyond your household, it no longer applies — the CJEU made this clear for online publication in Lindqvist (C‑101/01, 2003) and for recording beyond the private sphere in Ryneš (C‑212/13, 2014). And it never applies to a business running an event. (Art. 2(2)(c); Recital 18; CJEU C‑101/01; CJEU C‑212/13)

Takeaway: a private, invite‑only album = low obligation. A public gallery, or any company event, = full GDPR.

4. Tell your guests (the one thing hosts forget)

Under Art. 13, when you collect data directly from people you must tell them — at the time — who's collecting it, why, and on what legal basis (and, if you're relying on legitimate interest, what that interest is). For an event, this is as simple as a line on your QR sign and on the upload screen: "Photos you upload are collected by [host] to create a shared event album; hosted in the EU; you can ask for any photo of you to be removed." (GDPR Art. 13(1))

5. Guests can ask for their photos to be deleted — within one month

The right to erasure (Art. 17) lets a guest ask you to delete their data (for example, after they withdraw consent). You must act without undue delay, and in any event within one month of receiving the request (Art. 12(3)); that period can be extended by up to two further months only for genuinely complex cases, and you must tell the guest about the extension, with reasons, within the first month. So whatever tool you use should make deleting a specific photo easy. (GDPR Art. 17(1); Art. 12(3))

Takeaway: pick a platform where you (or the guest) can remove a photo quickly — a one‑month legal clock is real.

6. Children's photos need extra care

Art. 8 applies when you rely on consent for an online service offered directly to children: the default age is 16, and member states may lower it to as little as 13. Germany has not used that option, so 16 applies there; Austria sets it at 14. At a kids' party, the practical answer is simple: get the parents' agreement before collecting and especially before sharing photos of their children, keep the album private, and delete on request immediately. (GDPR Art. 8(1); § 4(4) DSG (AT))

7. Where your photos are stored matters: EU vs. US

This is where tool choice becomes a compliance decision. Sending EU residents' photos to a US‑hosted service is an international transfer governed by Chapter V. After Schrems II (C‑311/18) struck down Privacy Shield, transfers leaned on Standard Contractual Clauses; the EU‑US Data Privacy Framework then restored an adequacy route in 2023 — though it remains subject to legal challenge. The cleanest way to avoid the entire question is to keep the data in the EU. (GDPR Chapter V; CJEU C‑311/18; Commission Implementing Decision (EU) 2023/1795)

Many event‑photo apps are US‑hosted. A few — including Gathmo (EU/Frankfurt) and EventPics (Cloudflare R2 EU) — host in the EU, which sidesteps the transfer analysis for EU events. Check the vendor's current hosting documentation, since storage regions change.

8. Keep only what you need, only as long as you need it

Art. 5 requires data minimisation and storage limitation — collect what's necessary and don't keep it forever. In practice: set an album expiry, and delete the collection when the event's purpose is served. A platform that auto‑expires albums (rather than silently archiving them) makes this automatic. (GDPR Art. 5(1)(c),(e))
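Sections 5 and 8 describe two clocks a host has to keep: the retention window for the album and the one‑month response deadline on an erasure request. The Python below is an added example written for this page (it is not code from the article or from any platform named in it) showing how to track both. It assumes, as a convention taken from how EU‑law time periods are counted (Regulation 1182/71, Art. 3), that "one month" ends on the same calendar day of the following month, or on the last day of that month when that day does not exist; the ticket references and dates are constructed sample data.

```python
"""Two clocks for a guest photo album, as plain date arithmetic:
the storage-limitation expiry of the album (GDPR Art. 5(1)(e)) and the
one-month response deadline on an erasure request (Art. 12(3), Art. 17).

Assumption (not from the article): "one month" is counted the way
Regulation 1182/71 Art. 3 counts EU-law periods - it ends on the same
calendar day of the following month, or on the last day of that month
if the day does not exist (31 Jan + 1 month -> 28/29 Feb, not 3 Mar).
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


def add_months(start: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's length."""
    years, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month_index + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def erasure_deadline(received: date, extended: bool = False) -> date:
    """Art. 12(3): one month from receipt; up to two further months if the
    requester was told about the extension within the first month."""
    return add_months(received, 3 if extended else 1)


@dataclass
class ErasureRequest:
    ref: str                          # hypothetical ticket id, example only
    received: date
    extended: bool = False            # extension notified within first month
    completed: Optional[date] = None  # date the photo(s) were actually deleted

    def deadline(self) -> date:
        return erasure_deadline(self.received, self.extended)

    def is_overdue(self, today: date) -> bool:
        """Still open and past its deadline. A request closed late no longer
        shows here, but it was still a breach of Art. 12(3)."""
        return self.completed is None and today > self.deadline()


def overdue_requests(requests: Iterable[ErasureRequest], today: date) -> List[str]:
    """Refs of open requests past their Art. 12(3) deadline, oldest first."""
    ordered = sorted(requests, key=lambda r: r.received)
    return [r.ref for r in ordered if r.is_overdue(today)]


@dataclass
class Album:
    name: str
    created: date
    retention_days: int  # window decided before the event, not after

    def expires(self) -> date:
        return self.created + timedelta(days=self.retention_days)

    def should_be_deleted(self, today: date) -> bool:
        """Storage limitation: once the window has run out the album is
        deleted, not silently archived (Art. 5(1)(e))."""
        return today >= self.expires()


if __name__ == "__main__":
    # Constructed sample data for illustration.
    today = date(2026, 3, 1)
    album = Album("wedding album", created=date(2026, 1, 17), retention_days=90)
    requests = [
        ErasureRequest("R-1", received=date(2026, 1, 31)),   # due 28 Feb -> overdue
        ErasureRequest("R-2", received=date(2026, 2, 10)),   # due 10 Mar -> open, on time
        ErasureRequest("R-3", received=date(2026, 1, 20), completed=date(2026, 1, 22)),
    ]
    print("album expires", album.expires(), "delete now:", album.should_be_deleted(today))
    for r in requests:
        print(r.ref, "deadline", r.deadline(), "overdue" if r.is_overdue(today) else "ok")
    print("overdue:", overdue_requests(requests, today))
```

The end‑of‑month clamp is the part most ad‑hoc scripts get wrong: a request received on 31 January is due on 28 February, and adding 30 days instead would quietly give the host four extra days that the regulation does not.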

9. For businesses: you need a DPA with your tool

If you're running a company event, the platform is processing employee/guest data on your behalf — that's a controller–processor relationship, and Art. 28 requires a written Data Processing Agreement covering the scope of processing, security, sub‑processors, assistance with data‑subject rights, and deletion at the end of the service. Ask any vendor for their DPA before you sign; a serious B2B tool will have one ready. In Germany, employee‑data processing also engages BDSG § 26.

What this looks like in real event scenarios

For a private wedding, the lowest-risk setup is usually simple: keep the album invite-only, show a short notice next to the QR code, avoid face recognition unless guests actively opt in, and let people ask for removal. The couple should not need a legal workflow for every candid photo, but they should avoid turning a private album into a public gallery without thinking through consent.

For a kids' birthday party, the same basics apply, with a higher standard of care. Parents should know where photos are going, who can see the album, and how long it stays online. A private QR album is very different from posting every child's face on a public social network. If a parent asks you not to include their child, remove the photo and move on.

For a company offsite or conference, treat the process like a small data-processing project. Decide who the controller is, confirm the platform's DPA, place a clear upload notice on the QR sign, avoid unnecessary face recognition, and use a defined retention window. If employees are involved in Germany, HR should also be aware of the BDSG § 26 angle.

For a public or ticketed event, assume GDPR applies in full. You may also need venue signage, staff instructions, and a moderation workflow so uploaded images do not expose people who did not expect to be featured. The more public the event, the less you should rely on "everyone knows photos happen at events" as your privacy plan.

A simple notice you can put next to the QR code

You do not need legalese on a table card. You need clarity. A practical notice can be short:

Photos and messages you upload will be collected by [host name] for this event album. The album is private, hosted in the EU, and available to invited guests. If you want a photo of you removed, contact [email/phone].

For a corporate event, add the company name and link to the full privacy notice. For a wedding or private party, the contact can be the host. For children's events, mention that parents can request removal for their child. The point is that the guest understands the basic exchange before uploading: who collects the media, why, where it lives, and how to object.

Step 1. Identify your role as data controller

As the person running the event and deciding what photos to collect and why, you are the data controller. The photo platform is your processor. Your obligations under GDPR are those of a controller: a lawful basis under Art. 6, transparency under Art. 13, the Art. 5 principles (minimisation, storage limitation, security), and handling guests' requests under Arts. 12–17.

Step 2. Choose a legal basis and communicate it

For a private, invite‑only event the household exemption (Art. 2(2)(c)) may take you outside GDPR's formal obligations, but it is lost as soon as the album is published publicly, so tell guests what you are doing and honour removal requests anyway. For business events, identify a lawful basis (legitimate interest or consent) and include a transparency notice in the invitation.

Step 3. Select a platform with EU hosting and a DPA for business events

For business events, confirm your platform stores data in the EU and provides an Art. 28 DPA. Gathmo uses Frankfurt-based EU storage and provides DPAs on paid plans. A US‑hosted platform needs a Chapter V transfer mechanism for EU personal data: either a current EU‑US Data Privacy Framework certification, or Standard Contractual Clauses together with the transfer impact assessment Schrems II requires.

Step 4. Set and enforce a retention limit

Decide how long the album will stay live and delete it when that period ends. On Gathmo, the free tier closes automatically after 30 days; paid tiers require manual deletion from the dashboard. Log the deletion date for your records.

Frequently asked

Not always. For ordinary private event albums, legitimate interest or the household exemption may be enough depending on the situation. Consent becomes more important when photos are published publicly, children are central, the event is commercial, or biometric processing such as face recognition is used.

Usually, yes. A purpose-built album gives the host one place to manage access, retention, deletion, and downloads. A WhatsApp group spreads copies across many phones and makes removal harder. That does not automatically solve every GDPR question, but it gives you a clearer control point.

No. EU hosting helps because it avoids the international-transfer question, but GDPR compliance also depends on notice, lawful basis, retention, deletion, security, and vendor contracts. Think of EU hosting as a strong default, not a complete compliance program.

Ask where data is hosted, whether they provide a DPA, how long albums are retained, how deletion requests work, whether sub-processors are listed, and whether face recognition or AI moderation is used. A serious B2B vendor should answer these without improvising.

Legitimate interest (Art. 6(1)(f)) is the most commonly used basis for corporate event photography where photos are shared only with participants or used for internal communications attendees would reasonably expect. The key test is balancing: the host's interest in documenting the event versus the reasonable expectations of attendees and the risk of harm. For employees at a company event, legitimate interest is generally defensible. For public conferences, legitimate interest covers documentation and internal use but not unrestricted publication. Add a brief notification — a line on the event programme or registration confirmation — to make the basis transparent.

A brief notice at registration or on entry is the practical standard: "Photos and recordings may be taken at this event for [internal communications / event documentation / company social media]. To opt out or request deletion, contact [email]." Keep it one to two sentences — this is notice under Art. 13, not a full privacy policy. For corporate events, add it to the invitation or event registration page. For in-person events, a sign at the entrance is accepted practice. Attendees who know photos will be taken can object (Art. 21) or ask for deletion, which satisfies the GDPR's transparency principle without requiring explicit consent for every shot.

Under GDPR, the usual legal basis for event photography is legitimate interests (Art. 6(1)(f)) rather than consent, when three conditions are met: the photos are for a clear and proportionate purpose (documenting the event, internal communications); guests are informed (a line in the programme or on signage stating photos will be collected satisfies Art. 13 transparency); and photos are not used for advertising without a separate notice, and where appropriate separate consent. Consent is harder to manage in practice — it must be as easy to withdraw as to give (Art. 7(3)), and withdrawal means deleting that individual's photos. Legitimate interests is the more workable basis for most events. Check with your data protection officer or supervisory authority if you have specific or complex situations.
