← Back to blog

21 March 2026

GDPR Compliant Event Photography: A Complete Guide for UK Organisers

How to handle event photography under GDPR without facial recognition. Practical guide for UK conference and event organisers.

GDPRevent photographyUK eventscompliance

Event photography under GDPR can feel like a minefield. You want to capture great moments and share them with attendees, but you also need to respect privacy regulations.

This guide covers everything UK event organisers need to know.

The GDPR Challenge

Under GDPR, photographs of identifiable individuals are personal data. When you add facial recognition into the mix, you're processing biometric data — a special category that requires explicit consent.

This means:

  • You need a lawful basis for taking and sharing photos
  • If using facial recognition, you need explicit consent for biometric processing
  • Attendees have the right to object and request deletion
  • You must have a privacy notice explaining how photos are used

Most event photography falls under legitimate interest — the organiser has a reasonable interest in documenting and promoting their event. This covers:

  • Taking photos at the event
  • Sharing photos on the event website
  • Using photos for marketing (with appropriate notice)

However, facial recognition crosses into biometric data territory, which requires explicit consent under Article 9 of GDPR. This is where most event photo-sharing platforms run into trouble.

The SpotMe Approach

SpotMe avoids the biometric data issue entirely by using visual markers (PicTags) instead of facial recognition:

AspectFacial RecognitionSpotMe PicTags
Data typeBiometric (special category)Visual marker (not personal data)
Consent requiredExplicit consentStandard event photography notice
GDPR Article 9AppliesDoes not apply
Right to objectComplex (data already processed)Simple (just don't wear the badge)
Data retentionFace templates storedNo biometric data stored

Practical Steps for Organisers

  1. Include photography in your event terms — mention that photos will be taken and shared
  2. Use PicTags instead of facial recognition — avoid biometric data entirely
  3. Provide an opt-out — attendees who don't want to be matched simply remove the PicTag from their badge
  4. Set data retention periods — SpotMe automatically deletes photos 30 days after the event
  5. Have a privacy notice — explain how photos are used on your event page

The Bottom Line

You can absolutely share event photos with attendees under GDPR. The key is avoiding unnecessary biometric data processing. PicTags give you the same result — every attendee finds their photos — without the privacy complications.

Want GDPR-compliant photo matching for your next UK event? Try SpotMe — no facial recognition, no biometric data.

Ready to try SpotMe?

Set up event photo matching in minutes. No facial recognition.

Get Started Free