The legal basis for processing personal images is the specific legal ground that makes operations performed on photos and video recordings lawful when the image makes it possible to identify a natural person directly or indirectly. In GDPR compliance practice, this means identifying which legal basis under Article 6(1) of Regulation (EU) 2016/679 the controller relies on for recording, storing, reviewing, analyzing, sharing, publishing, or anonymizing visual material.
Legal Basis for Processing Personal Images - Definition
Under the GDPR, an image is not defined as a separate category of data, but as a rule it constitutes personal data if it enables a person to be identified. This follows from Article 4(1) GDPR, as well as case law and the practice of supervisory authorities. In the context of photos and video recordings, the legal basis cannot be selected broadly for the entire process. It should be assessed separately for each individual operation, for example for the recording itself, further analysis of the footage, publication, and the use of anonymization tools such as face blurring or license plate blurring.
In compliance practice, two legal bases under Article 6(1) GDPR are analyzed most often: the data subject’s consent under point (a), and the legitimate interests pursued by the controller or a third party under point (f). In some cases, a legal obligation under point (c), the performance of a task carried out in the public interest or in the exercise of official authority under point (e), and less often the performance of a contract under point (b), may also apply. The chosen legal basis must be verifiable, documented, and consistent with the accountability principle under Article 5(2) GDPR.
How to Understand Image Processing in Photo and Video Anonymization
In the area of visual content anonymization, the key distinction is between the processing of personal data and the point at which data ceases to be personal data. As long as a face or another identifier remains visible or can be reconstructed, operations performed on the material are still subject to the GDPR.
Face blurring or license plate blurring is itself a form of personal data processing. It includes at least reading the image, detecting objects, assigning coordinates, modifying pixels, and saving the output. If the system uses a machine learning or deep learning model for face detection, the processing also includes automated image analysis. Such an AI model may have been trained earlier on datasets so that it could later be used to detect areas that need to be blurred. However, that is a separate stage from using a ready-made model in the controller’s production environment.
In the case of Gallio PRO, it is important to distinguish the actual functional scope. The software automatically detects and blurs only faces and license plates. It does not anonymize full body silhouettes. It does not operate in real time and does not anonymize a live video stream. It does not automatically detect logos, tattoos, name badges, documents, or content displayed on screens. Such elements can be blurred manually in the editor. The assessment of the legal basis must therefore reflect the actual scope of processing.
Article 6 GDPR in the Context of Video Recordings - When Consent Applies and When Legitimate Interest Applies
In practice, most issues related to video recordings concern the relationship between consent and legitimate interest. These two legal bases are not interchangeable. The controller should choose the one that genuinely matches the purpose and the relationship with the recorded person.
Consent under Article 6(1)(a) GDPR is appropriate where the person has a real choice, can refuse without negative consequences, and can withdraw consent. In practice, this often applies to controlled photo shoots, promotional materials, case studies, and the publication of a client’s or employee’s image outside what is necessary for work organization. If the material is intended for public use, consent may also be required under Article 81 of the Polish Copyright and Related Rights Act, independently of the Article 6 GDPR analysis.
Legitimate interest under Article 6(1)(f) GDPR is more often used for CCTV, security, property protection, claims handling, incident audits, documenting events, or anonymizing footage before further disclosure. This legal basis requires a balancing test. The controller should demonstrate three elements: the existence of a legitimate purpose, the necessity of the processing, and the absence of overriding rights and freedoms of the data subject.
| Legal Basis under Article 6(1) GDPR | Typical Video Context | Compliance Notes |
|---|---|---|
| point (a) - consent | publication of a person’s image, promotional materials, interviews, controlled recordings | must be freely given, specific, informed, and unambiguous |
| point (c) - legal obligation | recordings required by sector-specific regulations | requires identification of a specific legal provision |
| point (e) - public interest / official authority | tasks carried out by public authorities | as a rule, requires a basis in EU or national law |
| point (f) - legitimate interest | security, monitoring, evidence of incidents, anonymization before publication | requires a balancing test and transparency information under Articles 13 or 14 GDPR |
Legal Basis for Publication and Anonymization of Visual Material
A distinction should be made between the legal basis for recording an image and the legal basis for publishing it. The fact that a controller lawfully recorded footage based on legitimate interest does not automatically mean there is a right to publicly disseminate the full image. In many cases, publication will require a separate assessment under both the GDPR and copyright law.
Anonymization is often used as a measure to reduce legal risk. If a face is effectively blurred in an irreversible way and the material no longer makes it possible to identify the person using means reasonably likely to be used, the output may cease to constitute personal data. The assessment of whether anonymization is effective should take into account not only the blur itself, but also the context of the frame, voice, clothing, location, metadata, and the possibility of linking the material with other information.
Key Compliance Assessment Parameters for Image Anonymization
In practice, for DPOs and security teams, merely stating that content has been anonymized is not enough. Measurable process criteria are needed. Technical parameters should be documented because they affect the assessment of whether the material still contains personal data after processing.
- face and license plate detection effectiveness - most commonly described using the precision and recall of the detection model
- percentage of missed objects - false negative rate; from a privacy perspective, this is a critical parameter
- percentage of incorrect detections - false positive rate; this affects material quality, but usually has less impact on legal risk
- durability of the modification - whether the blurring effect is permanently embedded in the output material and whether it can be reversed
- scope of accompanying data - EXIF metadata, timestamps, location data, audio track
- retention of the source material - how long the non-anonymized version is stored
When assessing legitimate interest, a simple framework can help: residual risk = likelihood of identification x impact on the person’s rights. This is not a normative formula under the GDPR, but a practical way to document decision-making. The higher the residual risk after blurring, the weaker the argument that the output has ceased to be personal data.
Normative and Interpretative References
The legal basis for processing personal images should be analyzed on the basis of primary legal sources and recognized guidance. In the area of photos and video, both EU and national regulations are relevant.
- GDPR - Regulation (EU) 2016/679, in particular Article 4(1), Article 5, Article 6, Article 13, Article 14, Article 25, and Article 32
- EDPB Guidelines 3/2019 on processing personal data through video devices, version adopted on 29 January 2020
- Charter of Fundamental Rights of the European Union - Articles 7 and 8
- Polish Copyright and Related Rights Act of 4 February 1994 - Article 81 on dissemination of a person’s image
- Polish Civil Code - Articles 23 and 24 on personal rights
There are interpretative differences regarding license plates. In Poland, administrative court case law has indicated that a registration number does not always constitute personal data on its own. On the other hand, the approach of the Polish data protection authority, the EDPB, and parts of EU case law is more cautious and assumes a contextual assessment, especially where the number can be linked to the owner or user of the vehicle using available means. For that reason, in compliance practice and in the publication of visual material, license plate blurring is often adopted as a risk-minimization measure.
Practical Takeaways for Controllers and DPOs
A person’s image in a photo or video recording does not have one universal legal basis. Each stage of processing requires a separate legal assessment. It is particularly important to distinguish between recording, analysis, publication, and anonymization.
In practice, this means that the controller should:
- identify the purpose of each stage of processing visual material
- assign the appropriate legal basis under Article 6(1) GDPR to each purpose
- carry out a balancing test when relying on legitimate interest
- assess whether publication additionally requires consent for dissemination of a person’s image
- use face blurring and license plate blurring where a full identifiable image is not necessary
- document retention periods, security measures, and the scope of data retained after processing