October 17, 2019

October 16, 2019

Subscribe to Latest Legal News and Analysis

October 15, 2019

Subscribe to Latest Legal News and Analysis

October 14, 2019

Subscribe to Latest Legal News and Analysis

GDPR’s Impact on Use of Employee Images in Marketing Campaigns – How to Protect Yourself!

The practise of employers using their employees’ images and names within marketing materials (from graduate recruitment materials and internal-only promotions, to nationally distributed campaigns) has become a riskier strategy in light of the consent requirements under the General Data Protection Regulation (GDPR), which recently came fully into force across the EU.  Even where employers have obtained an employee’s consent to process personal data for the purposes of these types of campaign, the inclusion – in Article 7(3) of the GDPR – of an express and absolute right for a data subject to withdraw his or her consent “at any time” presents a commercial risk. 

When one considers the right to withdraw consent in the context of CRM databases and processing for the purposes of direct marketing to that consumer, the withdrawal of a single consent is of limited concern. However, in the context of a marketing campaign, which may feature or even be centred around that individual employee (as the ‘face of the business’), and where significant funds may have been invested in the production and dissemination of promotional materials, the withdrawal of consent potentially has much wider, and more costly, implications.

To take a common example: a business might decide to use the image and words of an employee in its marketing literature for a series of nationwide graduate recruitment events.  The employee may have agreed to be interviewed and photographed, and to appear in brochures, leaflets, posters and various other online and offline advertisements. The business may have invested substantial amounts in the creation and production of the relevant ads featuring that employee (and therefore containing the employee’s personal data).  This is because the definition of “personal data” under the GDPR is very wide and can certainly include a person’s image. If the employee then withdraws their consent, the company must, unless another legal basis for using the data applies, cease processing the employee’s personal data. Thankfully, the right to withdraw consent does not operate retrospectively, i.e. any processing that has already been carried out at the time of withdrawal will not be rendered unlawful. However, in a scenario where an employee exercises their right to withdraw consent before those materials are distributed, the employer has materials it cannot use without unlawfully processing that individual’s data.

The period of risk may not always be limited to the lead times for printing and distribution of the materials in question. For example, consider where posters already published need to be refreshed, there is probably a duty on the employer to use a different image if consent to continued processing has been withdrawn since initial publication. The courts would likely allow for a run-down period during which the images could continue to be used (e.g. online) before having to be swapped out or taken down. The length of that period would depend on all the surrounding circumstances, and there is as yet no guidance from the courts or regulators as to how to approach this calculation. In any event, it is not difficult to envisage a scenario where an employer could suffer significant financial loss as a result of a withdrawal of consent.

Capturing consent to such advertising uses of employee images is problematic in an employment context because, to be lawful under GDPR, consent must be “freely given, specific, informed and unambiguous”. Employers are therefore best to seek consent in a separate contract from the employment contract and to make clear that the employee gives their consent completely without conditions or fear of repercussions if they do not consent to the use of their image for company marketing campaigns. Ideally, the employee would be given an ex-gracia payment to ensure that a valid contract with consideration is formed. If the employee subsequently withdraws their consent, theoretically the company has a contractual remedy in damages against the employee but, in practice, it is highly unattractive to take such action against one’s employees (or ex employees).

Since the GDPR is new, the law in this area is uncertain. For example, the company could argue that it does not require the employee’s consent if it is using the image for the purposes of fulfilling the contract with the employee, or has a “legitimate interest” to use the image. This argument is further complicated if any of the images constitutes special category/sensitive personal data e.g. racial or ethnic origin or health data (such as a disability), because in these circumstances explicit consent is likely required.

Even with the possible legal arguments for continuing to use an image after consent has been withdrawn, when planning any campaigns to which an employee’s image is key, employers should bear in mind the risk that employees may withdraw their consent. Companies are advised to take the practical step of putting in place a separate legally binding contract with the employees to help mitigate the risk of holding expensive promotional material that cannot be used.

This area of the law should be monitored for developments.

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Carlton Daniel, intellectual property and technology lawyer, London, Squire Patton Boggs

Carlton Daniel is a partner in our Intellectual Property & Technology team based in our London office. His practice incorporates the full range of specialist advice in the advertising, marketing and media sectors, and he handles both contentious and non-contentious matters. His practice ranges from advising on intellectual property rights (including trade marks, designs, copyright and confidential information) to commercial contracts, licensing, brand endorsement, sponsorship, product placement, privacy, defamation, confidentiality, data compliance and advertising...

+44 20 7655 1026
Francesca Fellowes, Squire Patton Boggs, intellectual property attorney, multi-jurisdictional project lawyer, commercial business regulatory legal counsel

Francesca Fellowes is a senior associate our Data Privacy & Cybersecurity team based in our Leeds office. She has a wealth of experience in advising on a wide spectrum of data privacy issues, including managing large-scale projects involving multiple data flows and advising on commercial arrangements involving complex issues of data ownership and use.

She is particularly experienced in managing cross-jurisdictional data privacy compliance projects for multinational clients, which deal with the compliance required throughout the client’s group, relating for example, to global HR databases, FCPA investigations and whistleblowing hotlines.

Francesca provides clients with a full-range of data privacy advice services, including advice on how to comply with the new EU General Data Protection Regulation, GDPR compliance audits, handling complaints from the Information Commissioner, responding to contentious data subject access requests, drafting Model Clauses, privacy policies and data sharing agreements and advising on monitoring and surveillance issues. She advises clients in a wide range of industries, including financial services, pensions, retail and manufacturing, sport and leisure, direct marketing, credit reference and debt recovery agencies.

Francesca provides regular contributions to both internal and external publications, dealing with topical data privacy issues. Recent titles include “UK Data Protection Bill Published”, “European Commission Finds Privacy Shield ‘Adequate’ But Uncertainty Remains” and “Brexit – What Next for Data Privacy in the UK?”


  • Acting for a major investment management company in relation to a dispute regarding the ownership of the copyright in all of their client-facing materials.

  • Acting for National Oilwell Varco Inc., worldwide leader in the design, manufacture and sale of equipment and components used in oil and gas drilling and production operations and the provision of oilfield services, in relation to the prosecution of a company for possession of counterfeit parts.

  • Advising a global medical devices manufacturer in relation to the data protection aspects of a product recall.

  • Advising a local authority in relation to a dispute with its exiting service provider regarding the ownership of the intellectual property in a number of software applications.

  • Drafting a bespoke Manufacturing Agreement for a chemicals manufacturer.

  • Reviewing and reporting on Standard Terms and Conditions of Purchase for a global provider of wireless coverage solutions. Advising Cummins Inc., a global engineering and power solutions provider headed-up in the US, on data protection compliance in relation to the consolidation of the servers of 12 of their European offices onto servers in the US and UK. Managing the legal compliance for their in-house counsel.