It has become a common custom for companies of all types, especially those that offer specialized services, to upload images of their employees to their websites along with their professional profile data and the position they occupy in the organizational chart. A practice that, despite being widespread, goes against privacy regulations if the organization does not have the express permission of the workers to show their photography, the Spanish Data Protection Agency (AEPD) has settled in a recent resolution.
For this reason, the organization has fined a law firm based in Barcelona, Madrid and Andorra 5,000 euros. It published in the “Team” section of its website an image of each of its workers, one of whom reported this action to the AEPD a month after leaving the company. After a year of process, the privacy regulator has ended up proving him right and sanctioning his former law firm.
The law firm alleged that the former employee had given his tacit consent to the publication. He based this argument on facts such as that the claimant was informed by email that the photo session was going to take place, he posed for the photo, he was given the opportunity to “review” them later to choose the one he liked the most and also He posted one of them on his LinkedIn profile.
The law firm also adds that it was the former employee himself who provided the data about his professional career that was later included in the section about him in the “Team” section that he later reported.
The AEPD, however, has rejected this argument. The regulator establishes that the conditions for the publication of the image of the workers must include “informed, free, specific, and unequivocally given consent” for the use of their photograph for this purpose. A “tacit or presumed” permission, derived from the worker’s participation in the photo shoot or the fact that he did not expressly oppose the publication when informed by email, is not enough to show his image, the Agency decides.
The regulator reminds that the data controller must be able to demonstrate that the interested party has validly given consent. It highlights that, in this case, the legal firm has not been able to provide any evidence that its former employee did so, despite the fact that he participated in all the activities that led to the publication of his image on the website and did not expressly oppose this during the process.
In this sense, he points out that the email to inform the employees of the taking of the photographs only stated that “tomorrow we will take photos of the new employees who wish to do so”, suggesting that they visit the office’s “Team” page “to see the style.” that we use and choose the one that best suits you.” Which cannot be considered an acceptance of the publication.
“A freely given consent means that the interested party must have a real option not to grant it. Consequently, consent cannot be considered freely given when the subject cannot deny granting it without suffering some type of negative consequence, an issue that must be proven by the person responsible for the treatment,” the regulator states in the resolution.
In addition to the 5,000 euro fine, the AEPD has given the law firm three months to obtain specific and informed consent from the rest of the workers whose image appears on its website. A recommendation that could be extended to all companies that treat the image of their employees in this way. The resolution states that the privacy regulation does not present “a specific way to record consent,” so it is the responsibility of each organization to collect it “in such a way that it can prove that the interested party has validly given the aforementioned consent.”
The Spanish privacy regulator has been inflexible in the processes that affect the use of the image for purposes for which they have not given their express consent. Another of the most notorious processes in this sense was closed in 2023, when the Agency fined a plastics factory in Alicante 20,000 euros for using the photograph of an employee in a facial recognition signing system without having the express consent to it.
#Data #Protection #begins #fine #companies #uploading #photos #workers #profiles #permission
