GDPR’s Impact on Use of Employee Images in Marketing Campaigns – How to Protect Yourself!
The practise of employers using their employees’ images and names within marketing materials (from graduate recruitment materials and internal-only promotions, to nationally distributed campaigns) has become a riskier strategy in light of the consent requirements under the General Data Protection Regulation (GDPR), which recently came fully into force across the EU. Even where employers have obtained an employee’s consent to process personal data for the purposes of these types of campaign, the inclusion – in Article 7(3) of the GDPR – of an express and absolute right for a data subject to withdraw his or her consent “at any time” presents a commercial risk.
When one considers the right to withdraw consent in the context of CRM databases and processing for the purposes of direct marketing to that consumer, the withdrawal of a single consent is of limited concern. However, in the context of a marketing campaign, which may feature or even be centred around that individual employee (as the ‘face of the business’), and where significant funds may have been invested in the production and dissemination of promotional materials, the withdrawal of consent potentially has much wider, and more costly, implications.
To take a common example: a business might decide to use the image and words of an employee in its marketing literature for a series of nationwide graduate recruitment events. The employee may have agreed to be interviewed and photographed, and to appear in brochures, leaflets, posters and various other online and offline advertisements. The business may have invested substantial amounts in the creation and production of the relevant ads featuring that employee (and therefore containing the employee’s personal data). This is because the definition of “personal data” under the GDPR is very wide and can certainly include a person’s image. If the employee then withdraws their consent, the company must, unless another legal basis for using the data applies, cease processing the employee’s personal data. Thankfully, the right to withdraw consent does not operate retrospectively, i.e. any processing that has already been carried out at the time of withdrawal will not be rendered unlawful. However, in a scenario where an employee exercises their right to withdraw consent before those materials are distributed, the employer has materials it cannot use without unlawfully processing that individual’s data.
The period of risk may not always be limited to the lead times for printing and distribution of the materials in question. For example, consider where posters already published need to be refreshed, there is probably a duty on the employer to use a different image if consent to continued processing has been withdrawn since initial publication. The courts would likely allow for a run-down period during which the images could continue to be used (e.g. online) before having to be swapped out or taken down. The length of that period would depend on all the surrounding circumstances, and there is as yet no guidance from the courts or regulators as to how to approach this calculation. In any event, it is not difficult to envisage a scenario where an employer could suffer significant financial loss as a result of a withdrawal of consent.
Capturing consent to such advertising uses of employee images is problematic in an employment context because, to be lawful under GDPR, consent must be “freely given, specific, informed and unambiguous”. Employers are therefore best to seek consent in a separate contract from the employment contract and to make clear that the employee gives their consent completely without conditions or fear of repercussions if they do not consent to the use of their image for company marketing campaigns. Ideally, the employee would be given an ex-gracia payment to ensure that a valid contract with consideration is formed. If the employee subsequently withdraws their consent, theoretically the company has a contractual remedy in damages against the employee but, in practice, it is highly unattractive to take such action against one’s employees (or ex employees).
Since the GDPR is new, the law in this area is uncertain. For example, the company could argue that it does not require the employee’s consent if it is using the image for the purposes of fulfilling the contract with the employee, or has a “legitimate interest” to use the image. This argument is further complicated if any of the images constitutes special category/sensitive personal data e.g. racial or ethnic origin or health data (such as a disability), because in these circumstances explicit consent is likely required.
Even with the possible legal arguments for continuing to use an image after consent has been withdrawn, when planning any campaigns to which an employee’s image is key, employers should bear in mind the risk that employees may withdraw their consent. Companies are advised to take the practical step of putting in place a separate legally binding contract with the employees to help mitigate the risk of holding expensive promotional material that cannot be used.
This area of the law should be monitored for developments.