The publication of images: a grey line between privacy and data protection


Authors: Vittoria Mazzotta, Francesca Tugnoli, Eleonora Margherita Auletta



The philosopher Herbert Marshall McLuhan[1] once stated: ‘Photography, photo-graphy [sic], means writing with light. Photography, cinema, confer a kind of immortality, a pre-eminence on images and not on real life’. At that time, the European Data Protection Regulation No. 2016/679 (‘GDPR’) had not yet come into force and thus its Article7 (concerning the conditions for consent) was not applicable. Consequently, after the entry into force of the GDPR the possibility of a data subject to revoke[2] the consent previously given to a Data Controller (hereinafter ‘Controller’) regarding the publication of one’s image, has led to the character of ‘immortality‘ being lost.


Legal bases for publishing images: Consent and, in limited circumstances, legitimate interest

The processing of images is mainly based on the consent of the data subject and for very specific cases, it may be based on the legitimate interest of the Data Controller[3]. Furthermore, consent to the publication of images is strongly interconnected with another Italian legal institution: the authorization for the economic exploitation of images. Both institutions, as will be shown below, have different functions and implications.


The publication of images has become part of people’s daily life. Social networks have exponentially fueled the sharing of private lives with the public due to the overflow of photos and videos depicting different moments of everyday life. Consequently, the European legislator has sought to limit the continuous dissemination of extremely sensitive content. In doing so, it has required the prior consent of the person concerned, (i.e., the data subject depicted in the image), if the publication of the photo or video is made by a third party who assumes the role of Data Controller[4].

Recourse to other legal bases for the processing of images of a data subject especially where such content is subsequently shared seems to be inadmissible as a general rule. Accordingly, if a data controller wants to publish images of its employees or customers or, more in general, of the participants in a corporate event, it will have to obtain the prior consent of the data subjects.   It is worth noting, however, that in cases where the collection and dissemination of images takes place between natural persons in the performance of activities of an exclusively personal or household activity, they fall outside the scope of the GDPR (see Article 2(2)(c) GDPR). The exception, however, lies in the cases discussed below.


Legitimate interest

The Controller may only residually process a data subject’s images on the basis of its legitimate interest, pursuant to Art. 6(1)(f) GDPR[5]. The conditions legitimizing this possibility are very strict; such processing based on legitimate interest may take place:

      • Where the persons concerned are employees;
      • If the publication of the employee’s image is for internal use purposes (e.g., publication of the employee’s photograph/image on the company’s intranet and/or e-mail account and/or social messenger) thus, eliminating the possibility of the image being published externally; and
      • After carrying out a balancing test of the interests at stake, the so-called ‘LIA‘ (Legitimate Interest Assessment) to demonstrate that the processing does not infringe the rights and freedoms of the data subjects. Accordingly, the LIA must balance, on the one hand, the interest of the Data Controller (for example, in the efficient management of resources at the organizational level) and, on the other hand, the rights and freedoms of the Data Subject (employee), who may not wish to have their image published.

Additionally, the processing of images may also be based on other legal grounds (e.g., the performance of a contract). In fact, when the use of the data subjects’ image rights constitutes the subject matter of the employment contract (e.g., in contracts with models and/or influencers), the legal basis for such processing is  Article 6(1)(b) GDPR (regarding the lawfulness of processing)[6].


Differences between privacy consent and authorization under copyright law for the publication of images: Practical consequences

On closer inspection, even if the Data Controller wishes to proceed with the publication of images collected in the above-mentioned contexts[7], it must not only consider the GDPR, but also several other regulatory provisions. These include, e.g.:

      • Article 10 of the Italian Civil Code[8] which aims to protect the reputation of the human being;
      • Article 7 of the GDPR, which gives the data subject[9] the power to authorize the publication of their image. This in turn provides the data subject with protection in terms of their personal data;
      • Article 96 of the Copyright Act[10], which deals with regulating the economic exploitation of images. It is understood as a right that can be granted to specific persons and their assignees in return for payment or free of charge.

These rights are interconnected and determine important consequences. First of all, it should be noted that if the Data Controller decides to base the processing on privacy related consent, they will also have to obtain separate authorization for the economic exploitation of the image under Article 96 of the Copyright Law. Indeed, the above-mentioned Article 96 confirms that, except in specific cases[11], the publication of a person’s image can only take place with their consent. This authorization is a more stringent concept than the privacy consent, because it involves the assignment of the commercial right of the image by the assignor to the assignee either free of charge or in return of payment. This implies that, where consent to the processing of data is revoked[12], the consent to the exploitation of the images (referred to in point 3 above) will also be affected due to the fundamental nature of the right to the protection of personal data, except in the case of compensation for damages or indemnity[13].

This claim for compensation is consequent to the fact that the withdrawal of consent to the exploitation of the images, which was previously granted by the assignee, could be qualified as a breach of contract capable to legitimize the Data Controller’s claim for compensation by reason of the suffered damage.

In the event that processing is based on a different legal basis than that of consent, several considerations can be made; e.g., in the performance of a contract, since, in such a case, there is no problem of withdrawal of consent. Consequently, although the other privacy rights under the GDPR will have to be guaranteed, there will be no such interconnection between the legal basis of the data processing and the consequent authorization for the economic exploitation of the image.

With reference to the quantification of the prejudice suffered, various elements may be taken into consideration for an evaluation and may be assessed on a case-by-case basis, by way of example:

      • the number of images for which consent has been given;
      • the modalities in which the images are spread out;
      • the initially permitted purposes of exploitation;
      • the period of time between the granting of consent and its revocation;
      • the profession of the person giving consent.

In order to prevent civil consequences, the Data Controller may implement technical measures that make it easier to limit or destroy the image of the data subject in order to limit their identification and, thus, stop the processing.

A further claim for both pecuniary and non-pecuniary compensation – could sometimes be made by the person concerned, or by their close relatives, in the event of abuse in the use of the image due to a violation of Article 10 of the Civil Code. Pursuant to that provision, if the image is displayed and/or published outside the permitted cases or with the purpose of harming the reputation of the person concerned, a claim for the cessation of the abuse as well as a possible claim for suffered damages may be initiated at request of their close relatives.



In conclusion, the processing of images may be based on legal grounds other than consent in some cases. In any case, the Data Controller must (except in specific and exceptional cases referred to in Article 96 of the Copyright Law) require the person concerned to sign an authorization whereby the latter assigns the rights to the economic exploitation of their image to them.

Unlike other legal bases, the withdrawal of privacy related consent also has civil law implications, since it could lead to a claim for damages by the Data Controller. This is in respect to the potential prejudice suffered as a consequence of the withdrawal of the consent given, since it could be qualified as a breach of contract.




[1] Herbert Marshall McLuhan was a Canadian sociologist, philosopher, literary critic and professor. Marshall McLuhan’s fame is linked to his innovative interpretation of the effects of communication on both society as a whole and the behavior of individuals. He was born on 21 July 1911, Edmonton, Canada and died in December 1980, Toronto, Canada.

[2] Article 7(3) of the GDPR states that ‘the data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the processing based on the consent before the withdrawal. The data subject shall be informed of this before giving consent. Consent shall be withdrawn as easily as it is given’.


[3] Please bear in mind that, in addition to the legal bases indicated, the processing of images may also be based on Article 6(1)(b)of the GDPR, which provides: ‘processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject’s request’. This is applicable for  example, in the cases of contracts with models/influencers/testimonials where the assignment of the use of the image rights of the data subjects constitutes to all intents and purposes of the objective of the contract. In the above-mentioned cases, the processing of the data subjects’ images is based on the performance of the employment contract. (

[4] The Data Controller, according to the definition given in Article 4 of the GDPR, is: ‘the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing for the protection of personal data [...]’. (

[5] Legitimate interest is included in the legal grounds for the processing of personal data. Indeed, Article 6(1)(f) of the GDPR provides as follows: ‘[…] processing is necessary for the purposes of pursuing the legitimate interests of the controller or a third party, provided that the interests or the fundamental rights and freedoms of the data subject which require the protection of personal data are not overridden, in particular where the data subject is a child.


[6] Article 6(1)(b) of the GDPR states: ‘[…] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.


[7] We recall, as mentioned above, that the owner must always request for authorization from the concerned person for the publication of their images. Article 97 of Copyright Law No. 633 of 22 April 1941, however, states that: ‘The consent of the person portrayed is not required when the reproduction of the image is justified by the notoriety or public office covered, by the necessity of justice or police, by scientific, didactic or cultural purposes, or when the reproduction is connected with facts, events, ceremonies of public interest or held in public. []

[8] In particular, Art. 10 of the Civil Code: ‘If the image of a person or of his parents, spouse or children has been exhibited or published outside the cases in which exhibition or publication is permitted by law, or with prejudice to the decorum or reputation of that person or of said relatives, the judicial authority, at the request of the person concerned, may order that the abuse cease, subject to compensation for damages’.


[9] The definition of data subject is given in Article 4 of the GDPR and must be understood as ‘[…] an identified or identifiable natural person (“data subject”)’.


[10] In particular, Section 96 of the above-mentioned Copyright Law provides that: ‘A portrait of a person may not be exhibited, reproduced or put on the market without that person’s consent, subject to the provisions of the following article. After the death of the person portrayed, the provisions of paragraphs 2, 3 and 4 of Art. 93 shall apply.’


[11] See footnote 6

[12] Unless there is no other legal basis for retaining the image, it must be deleted. Indeed, Article 17(1)(b) of the GDPR states that: ‘The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase the personal data without undue delay, if one of the following grounds exists: […] (b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and if there is no other legal basis for the processing.


[13] The opposite is not the case, i.e., in the event that the authorization to exploit the images is revoked, which, being of a purely commercial/economic nature and not comparable to an absolute right, has no effect on the privacy consent that may have been given.