Skip to main content
Event Photo Consent: A GDPR Guide for Organisers
Organiser's Playbook

22 October 2025 · 7 min read · 1,768 words

By Micael, Founder of TIME&SPACE

Home/Blog/Organiser's Playbook/Event Photo Consent: A GDPR Guide for Organisers

Event Photo Consent: A GDPR Guide for Organisers

Micael, Founder of TIME&SPACE
Micael

TIME&SPACE · Organiser's Playbook

A practical GDPR guide to event photo consent: what the law requires, how to word your notices, and how to handle opt-outs at the door.

Event Photo Consent: What Organisers Actually Need to Do

Every event produces photos. Most organisers think consent is a waiver signed at the door. The truth is more specific. Under European law, event photo consent is a real legal obligation with real documentation requirements, and getting it wrong has real consequences. This guide covers exactly what to do.

Why Event Photo Consent Matters

Event guests laughing together at an evening gathering

Under GDPR, event photography involving face recognition requires explicit informed consent because facial data is classified as biometric data under Article 9. This guide explains exactly what that means for event organisers in the EU, what consent mechanisms are required, and how to stay compliant without killing the guest experience.

A photo of a guest is personal data. Under the General Data Protection Regulation, personal data includes any information that can identify a living person. A face in a photograph qualifies. You can read the official overview on gdpr.eu.

That means every event organiser in the European Union processes personal data the moment a photographer presses the shutter. The law requires you to have a legal basis for that processing. It also requires you to inform guests, offer them choices, and delete the data when it is no longer needed.

If you use face recognition to help guests find their photos, the stakes rise. Face data is classed as biometric data under Article 9 of the GDPR. Biometric processing needs explicit consent, not just a general event notice.

The Two Layers of Consent You Need

Event photo consent has two layers. Most organisers only think about the first.

Layer one: general photography at the event. This covers the photographer walking around taking pictures. The legal basis here is usually legitimate interest, with a visible notice at the entrance. Guests who do not want to be photographed can ask the photographer to skip them.

Layer two: face recognition and biometric matching. If you are using a system that scans faces to help guests find themselves in photos, you need explicit consent from each person whose face is processed. A notice at the door is not enough. The guest has to actively agree, usually on a screen or through a link they open themselves.

TIME&SPACE handles the second layer inside the guest experience. Every guest who scans the QR code is shown a plain-language consent screen before any biometric processing happens. If they decline, no face data is ever created for them.

What Your Entrance Notice Should Say

A good photo consent notice does four things in plain language. It names the organiser. It states that photography is happening. It explains what the photos will be used for. It tells guests how to opt out.

Here is a template you can adapt:

Photography is taking place at this event, organised by [Your Name or Company]. Photos may be used to deliver memories to guests, share on our social media, and promote future events. If you do not want to appear in photos, please let the photographer know or speak to a member of staff. For more information on how we handle your personal data, see [link to privacy policy].

Print this on an A4 sign at every entrance. Place it where people actually read, at eye level, near the check-in queue. Do not hide it in a welcome booklet nobody opens.

For events in Portugal, you can check the formal requirements with the CNPD, the Portuguese Data Protection Authority.

Handling Opt-Outs Without Ruining the Experience

The single biggest fear organisers have about photo consent is that opt-outs will create friction. In practice, the number of guests who refuse photography at a live event is below three percent. Most of those are professionals with public-facing roles or minors whose parents prefer privacy.

The trick is to make opting out painless. Give your photographers a quiet verbal cue they can use. A hand raised, a shake of the head, a coloured wristband for guests who want to be left alone. Do not make the guest fill out a form. Do not make them explain.

For face recognition, the opt-out is even simpler. If a guest does not want their photos found through a selfie match, they just do not scan the QR code. No face data is ever processed. The photos still exist for general event documentation, but that guest is not indexed.

Event registration desk with a privacy notice on display: clear documentation of consent is a GDPR requirement for event organisers

The Documentation Trail You Need to Keep

GDPR is not about intention. It is about proof. You need to be able to show, if asked, that you actually did the things you said you would do. For event photos, that trail includes five items.

First, a written record of your legal basis for photography. Keep a one-page document that explains which events are covered by legitimate interest and which are covered by explicit consent.

Second, photos of the entrance signs you put up at the event. Date them. File them in a folder with the event name.

Third, a record of any guest who asked not to be photographed. You do not need their name. Just the date and the request, kept in the same folder.

Fourth, the consent logs from any biometric processing. TIME&SPACE stores these automatically with a timestamp and a guest identifier. If you use another system, check that it does the same.

Fifth, a retention schedule that shows when photos and related data will be deleted. For most events, ninety days is reasonable for the guest gallery, and thirty days is the right number for face data.

How TIME&SPACE Handles This for You

Photo delivery platforms vary in how seriously they take consent. Some collect face data without telling guests clearly what is happening. Others push the legal burden onto the organiser without providing any tooling.

TIME&SPACE bakes the consent flow into the guest experience. When a guest scans the QR code at your event, they see a short consent screen before they take their selfie. It names the processing, explains the retention window, and links to a full privacy notice. The guest taps agree or walks away. If they agree, their face vector is stored for thirty days and then deleted automatically. If they walk away, nothing is stored at all.

The whole system is built on the principle that privacy is the default. You can read more about how photo delivery works at events and see the practical setup flow for organisers.

A Five-Minute Consent Audit for Your Next Event

Before your next event, spend five minutes running through this list.

Do you have entrance signs written in the language your guests speak? Is your privacy policy linked somewhere guests can actually find it? Does your ticketing page mention photography? If you use face recognition, does the guest see a plain consent screen before any processing? Do you know where your photos and face data are stored, and when they will be deleted?

If you answered yes to all five, you are in good shape. If not, fix the gaps before guests arrive. Consent is not a legal theatre exercise. Guests notice when organisers take their data seriously, and they trust those organisers more.

TIME&SPACE

Built for event organisers. Setup takes under ten minutes.

Start Delivering Photos

The Bottom Line

Event photo consent is not a paperwork burden. It is a piece of hospitality. When you tell guests clearly what is happening with their photos, they relax. When you give them a real choice about face recognition, they feel respected. When you delete data on time, you sleep better.

The law is on the side of events that do this well. The organisers who treat consent as an afterthought are the ones who get into trouble. See our full pricing and plans for organisers to learn how TIME&SPACE handles consent for you, so you can focus on running the event.

For a deeper technical understanding of the face recognition pipeline behind consent-first photo delivery, read how face recognition finds your event photos.

Frequently Asked Questions

Q: Do I need a signed consent form for event photography in the EU? You need a legal basis, not necessarily a signed form. Legitimate interest can cover general event photography when you display a clear notice at the entrance and give guests a way to opt out. However, if you use face recognition or any biometric matching, GDPR Article 9 requires explicit consent, which must be an active affirmative action from the guest, such as tapping agree on a screen before any face data is processed.

Q: What is the difference between legitimate interest and explicit consent for event photos? Legitimate interest is a legal basis that allows you to photograph an event without asking every guest individually, provided you display a clear notice and give guests a real opt-out option. Explicit consent requires the guest to take a specific affirmative step, such as ticking a box or tapping a button, before processing begins. Face recognition cannot rely on legitimate interest because biometric data receives special protection under GDPR Article 9.

Q: How long should I keep event photos under GDPR? There is no single mandatory retention period, but ninety days is a common reasonable window for guest photo galleries. Face recognition data, classified as biometric data, should be deleted sooner. TIME&SPACE deletes face descriptors automatically after thirty days. Your retention schedule should be documented in writing before the event and honoured in practice.

Q: What happens if a guest at my event refuses to be photographed? Honour the request without requiring an explanation. Brief your photography team in advance with a simple signalling method, such as a gesture or a coloured wristband. Log the request with a date and a note, but do not record the guest's name. Delete any photos of that person taken before the request was made. The right to object is a core GDPR right and must be respected immediately.

Q: Does GDPR apply to events held outside the European Union? GDPR applies to any organisation that processes data about EU residents, regardless of where the event takes place. If EU citizens attend your event abroad, you must comply with GDPR. The same applies if you are an EU-based organiser running an event in a non-EU country. When in doubt, GDPR compliance is recognised internationally as the baseline standard for data protection at events.

TIME&SPACE

Built for event organisers. Setup takes under ten minutes.

Start Delivering Photos
Micael, Founder of TIME&SPACE
Micael

Founder, TIME&SPACE

ShareLinkedInX / Twitter

TIME&SPACE · Event Organisers

Get the event photo delivery checklist

Setup guide, QR placement tips, GDPR checklist. One email. No spam.

TIME&SPACE

Automate photo delivery
at your next event

Guests find their photos via face recognition. Photographers upload once. Every attendee walks away with their own gallery, automatically.

See Plans & PricingHow It Works