According to the General Data Protection Regulation (also known as GDPR), images of identifiable individuals are classified as personal data. This means that the image itself, even if it does not contain any names or other descriptions, is personal data that must be processed and handled accordingly.
With Mediaflow's GDPR module, you manage images containing personal data in three steps:
-
Specify the legal basis.
-
Tag the individuals whose personal data is in the file.
-
Attach consent to the file. (This step is not needed if you have specified a legal basis other than consent.)
1. Specify the legal basis for processing personal data
The first thing you must do is determine if a file contains any form of personal data and, if so, specify the legal basis for storing that personal data. You can do this in two ways:
-
Select one or more files, right-click, and choose the Personal Data (GDPR).
-
Select one or more files and click on the Persons tab in the right panel.
If the file contains personal data, you can choose from five different legal bases:
-
Consent required
This means that there is no other legal basis for processing/storing personal data, so you need the person's consent to do so for one or more specific purposes. -
External agreement exists/Stock photo
This can be used for images and files containing personal data that have been purchased via an agreement that guarantees consent (e.g., from a photographer or photo agency). -
Necessary for fulfilling agreements/obligations
This means you must store this image to fulfil your mission according to an agreement. -
Legitimate interest
This option only applies if your interests outweigh those of the data subject and if processing personal data is necessary for the current purpose. Authorities cannot use legitimate interest as a legal basis. -
Public interest
This means you are allowed to process personal data if it is done in your official capacity or if you perform tasks in the public interest. This legal basis is mainly used by authorities.
If the file does not contain personal data, it can still be useful to indicate this so you know what applies and how the file may be used. There are three reasons why an image or file might not be affected by GDPR:
-
The file does not contain identifiable persons
These are images or files that do not contain anything that can be classified as personal data, such as nature photos, illustrations, logos, etc. -
Historical image
When a person is deceased, their data is not considered personal, so GDPR does not apply. However, there may be exceptions if images can be linked in some way to living persons. -
Artistic/Journalistic image
Images used solely for artistic and journalistic purposes are exempt from GDPR.
⚠️ Choice of Legal Basis
Mediaflow provides smart features for your GDPR management but does not offer legal advice. Your organisation must determine which legal basis to use when handling personal data in Mediaflow.
2. Tag identifiable individuals
Once you have determined that a file contains an identifiable person and set a legal basis, you need to tag the person in the file. You do this by right-clicking on the image and selecting Show/tag persons or by clicking Tag person in the right panel.e
If you have enabled Mediaflow's facial recognition, faces detected by the system will be marked with a box. If it is an individual you have previously added to your index of persons, you can search for the person's name in the search box. To tag a new person, click Add new person.
If you choose to add a new person, you will see the New person dialogue. Fill in the person's name and other relevant information, such as phone number, email address, and whether the person is a minor. You can also add custom information fields. When you click save, the person is added to your index of persons, and the person's name appears under the face box.
In cases where the system has not recognised a face, or if you have chosen to turn off face detection, you will have to manually indicate where in the image there are people. You do this by clicking the Add button to the right of the image. Mark a face by clicking and dragging a square, then release to place the box. If you're not satisfied with the result, click the cross at the top right to redo it.
When you have tagged a person in Mediaflow, the system's face-matching feature will alert you if the person appears in more images. This will also be visible in the personal register and the right panel. By clicking on the person in the index of persons, you can view all images the person appears in and set the same consent for all files that the person appears in.
3. Consents
The third step is to attach a consent form to the file. Click New consent. Fill in the name and type of agreement. If you have old agreements that are still valid, you can upload them as a PDF file to the attached files dialogue. For traceability, you then specify an agreement date and a validity period.
With Mediaflow's GDPR module, you can also obtain consent digitally. Choose the Type of agreement, then select the agreement template you want to use for the request. A consent request is then sent by a text message or email to the person whose personal data you have specified. The recipient will be able to sign the agreement via Swedish BankID or with a verification code. You set how the recipient will sign and how your agreements will appear in the GDPR settings.
The recipient receives a message on their mobile phone or email with a link to click on. The approval process then occurs in three steps:
-
The link contains your consent agreement for the person to read.
-
The person can check that the personal data is correct and that the image depicts the correct person.
-
The person must then certify that they have read the agreement text and that the personal data is accurate.
Once you have sent a digital consent request, you will see it under the specific file in Mediaflow. When the recipient signs the agreement, the status is automatically updated.
ℹ️ How long is a consent link valid?
The digital consent link is valid for two weeks. All consents for a person are stored in the personal register, where you can easily delete them and resend them if needed.
Send consent requests in advance
You can also send a digital consent request before uploading files to Mediaflow. For example, if you want the agreement to be signed before photographing or filming a person. You do this by adding a new person to your index of persons and selecting Add and New consent. When you upload the files to Mediaflow, you can easily search for the person's name and attach the correct agreement to your files.
❇️ Track usage of files
We recommend using Mediaflow's file usage reporting feature for files containing personal data. This way, you can easily see where you have used a file if you need to remove it due to an expired or withdrawn consent.
Managing personal data in video files
To manage personal data in video files, follow the same steps as for images, with the exeption that facial recognition only works on images, not video files. Instead, you can tag a person without marking a face. After selecting a legal basis, click Manage in the right panel:
Click Add and choose Without marking face:
You can then search for a person in your index of persons or add a new person in the same way as you do with images.