Personal data and image processing regulations

The use of images containing personal information is regulated by the European General Data Protection Regulation (GDPR), where it is subject to Article 5(1) and Article 6(1).  As lawful processing and publishing of personal data might introduce bureaucratic overhead and legal problems, PiktID offers a simple solution to keep you unaffected from all regulations. Further, we enable you to establish trust to your customers and clients by caring about their privacy. 

Briefly summarized, the GDPR regulates the use of personal data as follows:

  • personal data, no matter in which form, shall be processed lawfully and transparently
  • personal data shall only be collected and used for legitimate purposes, or if the data subject has given consent to the usage of its data
  • personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes
  • personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing

A complete list of the GDPR articles can be found below as well as on the GDPR website.


Article 5(1) defines the principles related to the processing of personal data as follows:

  1. Personal data shall be:
    1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
    2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
    6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 6(1) further defines the lawfulness of data processing as follows: 

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    3. processing is necessary for compliance with a legal obligation to which the controller is subject;
    4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This point shall not apply to processing carried out by public authorities in the performance of their tasks.

Additionally, Article 17 defines the right to erasure or right to be forgotten as follows:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).