Mabooth
The BoothPricingFAQContact
/
Book Now
Corporate6 min read

GDPR and a photo booth at the company party

A photo booth at the staff party is a crowd-pleaser — but sooner or later someone in HR or events asks how this squares with GDPR. Short answer: a photo booth is entirely fine, you just need to think a few things through in advance. Here is a practical walk-through in plain language.

Why it matters

A photo of an identifiable person is personal data. That applies to booth photos just as much as the group shot in the annual report. If you also collect email addresses to send out the digital gallery, those are personal data too. So GDPR applies — but that does not make it complicated.

The point of getting this right is not to tick off a rule; it is that your staff feel comfortable. Nobody should have to wonder where their photo ends up. Once you have thought it through beforehand, the booth is simply the fun addition it is meant to be.

Legal basis: usually legitimate interest

For internal event photos, most employers rely on legitimate interest as their legal basis. The company has a reasonable interest in documenting and enjoying its own staff party, and guests choose to step into the booth themselves. That makes legitimate interest a natural basis for this particular situation.

Consent sounds simple but is actually a weaker basis here — it has to be entirely free, and in an employer–employee relationship it is hard to show that consent truly is. Whatever the basis, the key is transparency: tell people the booth is there and how the photos will be used.

A practical checklist before the party

Most of this is common sense put in writing. Run through the list before the event and you are set.

  • Inform people in advance — mention in the invitation or on the night that a photo booth is there and how the photos are used
  • Put up a small sign by the booth: that photos are taken, who is responsible and where the gallery goes
  • Keep participation voluntary — a photo booth is opt-in by nature; nobody is photographed who does not step in themselves
  • Share the gallery link internally, for example via the intranet or an email to those who attended
  • Do not post identifiable employees externally (LinkedIn, website) without asking them first
  • Set a retention period — how long the gallery stays up — and delete the photos afterwards
  • Clarify the roles: you as the company are the data controller, the booth vendor is the data processor

Who is responsible for what

You as the company decide why and how the photos are processed — which makes you the data controller. A vendor who handles the photos on your behalf, for example storing the gallery, is the data processor. That split should be reflected in the contract, and a data processing agreement is normally needed for the processor.

In practice this means you stay in control. You decide how long the photos are kept and when they are deleted, and the vendor follows what you decide.

How Mabooth keeps it simple

Photos are delivered via a private gallery link — not published anywhere, only available to whoever you share the link with. You stay in control: if you want the gallery taken down, we delete it on request.

We act as your data processor, which means we handle the photos according to your instructions and do not use them for anything else. That makes it easy for you to hold up your end — you decide, we follow.

An important caveat

This is general guidance, not legal advice. The rules and their interpretation can change, and every organisation is different. Check with your own data protection officer or legal counsel before you settle your routines — especially if you have a large staff or feel unsure about the legal basis.

FAQ

Usually not. For internal event photos most employers rely on legitimate interest rather than consent — partly because consent in an employment relationship is hard to show as truly free. What matters is that you clearly inform people that the booth is there and how the photos are used.

You should set a retention period in advance and delete the photos once the purpose is met. With us, photos are delivered via a private gallery link and we delete the gallery on your request. You stay in control the whole way.

Sharing the gallery internally is one thing; publishing identifiable employees externally is another. Always ask the people shown in a photo before you post it on LinkedIn or your website — it is both courteous and safest from a data protection point of view.

You as the company are the data controller because you decide why and how the photos are processed. A vendor storing the gallery for you is the data processor and follows your instructions. A data processing agreement is normally needed for the processor.

A photo booth your company party can trust

Want a photo booth that respects your guests and your data protection policy? Tell us about your event and we will show you how we keep you in control — and get back to you within 24 hours.