Photographers: destroying client photos and portraits
A photographer or photo studio processes images of people, and thereby personal data. A portrait, a wedding shoot, a school photo or a corporate headshot shows a recognisable person, which alongside image rights also touches the GDPR. Keep those files forever and you hold personal data without a purpose. This guide shows how long you keep client photos, when consent is needed and how to destroy old files and carriers confidentially.
The quick answer: a photo of a recognisable person is personal data. The administration you keep for seven years for the tax retention obligation, the photo files themselves you keep as long as there is a purpose such as delivery or reordering. Portfolio and publication require consent. What may go you erase carefully and the old carriers you have destroyed confidentially with a certificate.
Image rights and the GDPR side by side
Around photos of people, two things play out at once. Image rights concern whether and how an image may be used and published. The GDPR concerns the photo as personal data, because a recognisable person in shot falls under it. The two overlap, but are not the same. For keeping and destroying, the GDPR is mainly leading: you do not keep the photo longer than necessary and clear it out carefully afterwards.
For you as a photographer this means you set a purpose and a period per assignment. As long as you need the photo for delivery, a reorder or an agreed retention period, there is a ground. If that lapses, the file should be cleared out, unless the client has given consent to keep it longer.
Retention periods by part
The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the delivery of the assignment.
| Part | Starting point | Period |
|---|---|---|
| Administration and invoicing | Tax retention obligation | 7 years |
| Photo files for delivery and reordering | As long as there is a purpose | agreed period |
| Portfolio and publication use | With consent | as long as consent applies |
| School photography (minors) | Extra careful | clear out after delivery |
| RAW files and working copies | No independent purpose | clear out after delivery |
| Old memory cards and disks | Wipe or destroy | on disposal |
Use this as a guideline, not a final legal ruling. Set the agreed retention period in your terms, so the client knows how long you keep the photos. The tax side is in the 7-year tax retention obligation.
Consent for portfolio and publication
Putting a photo from an assignment in your portfolio, on social media or delivering it to a third party is a purpose of its own that goes beyond the assignment itself. For that you need consent from the people portrayed. With minors, such as in school photography, that is extra sensitive and you ask consent from the parents. Without that consent you keep the photos only for the assignment and clear them out afterwards.
Record consent and limit it to what has been agreed. If a client later withdraws consent, you remove the photos from your portfolio and publications and clear out the files. That way the use of someone's portrait always stays tied to a valid ground.
School photography and minors
School photography deserves extra attention, because it involves images of children and in large numbers. After you have delivered the photos to the school or the parents, the purpose to keep the files usually lapses. Stick to the arrangements with the school and clear out the files and any prints afterwards, unless there is a concrete ground to keep them longer. That way you avoid managing a large database of children's photos without a purpose.
How to handle it in 6 steps
- Set per assignment the purpose and retention period of the files.
- Record consent for portfolio, publication or delivery to third parties.
- Clear out RAW and working copies as soon as the assignment is delivered.
- Erase photo files after the agreed period or on withdrawal of consent.
- Collect prints and old carriers in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Paper prints, contact sheets and old data carriers with photos you have destroyed confidentially, because they show recognisable people. Memory cards, external disks and backups with assignments often contain years of portraits. Deleting a file is not enough, because the data stays on the carrier. Those carriers travel sealed and are destroyed, so no second copy of someone's portrait is left floating around.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Old prints and carriers to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Keeping photos forever. A photo of a recognisable person is personal data with a retention period.
- Publishing without consent. Portfolio and social media require consent from the people portrayed.
- Keeping children's photos too long. In school photography you clear out after delivery.
- Disposing of memory cards unwiped. The portraits are still on them until they are destroyed.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
Is a photo of a recognisable person personal data?
Yes. A photo in which someone is recognisably shown is personal data under the GDPR. Alongside image rights, this means you do not keep the photo longer than necessary and destroy it carefully once the purpose has been served.
How long does a photographer keep client photos?
The administration falls under the seven-year tax retention obligation. The photo files themselves you keep as long as there is a purpose, such as delivery or reordering, and clear out afterwards, unless the client gives consent to keep them longer.
May I keep photos from an assignment in my portfolio?
Only with consent. Portfolio and publication are a purpose of their own that requires consent from the people portrayed, especially minors such as in school photography. Without consent you clear out the files after delivery.
How do I destroy old photo files and carriers?
Erase digital files carefully and have old memory cards, disks and backups destroyed confidentially with a certificate. Paper prints travel sealed for destruction.
Conclusion
A photographer works with portraits, and a portrait of a recognisable person is personal data. Keep the administration seven years, keep photo files as long as there is a purpose and clear them out afterwards, and use photos for portfolio or publication only with consent. Old prints and carriers you have destroyed confidentially with a certificate as proof. That way you respect both image rights and the privacy of the people in your photos.
Read also: driving schools: destroying pupil data, translation agencies: destroying confidential documents, mediators: destroying divorce and conflict files and the GDPR retention periods cheatsheet.
Have photo files or carriers collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.
Also relevant: PR agencies: destroying media contact data and Publishers: destroying subscriber and author data.