Written Procedures
Procedures for social media management and photography
It is good for companies to establish procedures for managing social media and photographing employees or events.
Many companies process personal data on social media
Social media is an important communication channel for many companies, for example for marketing and for complementary customer service. It is important to keep in mind that the company may bear responsibility for the personal data even though the processing takes place on a social media platform. This means, among other things, that the company must clean its social media inbox and outbox regularly, in accordance with the rules on erasure.
Images and audio files may be personal data
When it is possible to identify a living natural person through data, the data constitutes personal data within the meaning of the GDPR, for example a name, social security number or phone number. In addition, images and audio files may constitute personal data if it is possible to identify a person through them. In such cases, the GDPR also applies to images and sound recordings.
Things to consider when using images
Images of living natural persons constitute personal data under the GDPR. The same applies if the images include other data that can be used to identify a living natural person, for example the registration number of a privately owned vehicle visible in the image. Companies that use and publish images containing personal data must therefore ensure that this is done in accordance with all applicable rules.
What procedures for social media management and photography should include

Legal basis
Companies must always have a legal basis for processing personal data. The procedures should state the legal basis used for processing personal data in social media and in photography. Consent is usually used to support the processing of images and marketing, but legitimate interest may also be appropriate.

Proper collection of consent
If the legal basis is consent, it is good for the procedures to describe how consent should be obtained in order to be valid. In addition, it is good to avoid verbal consent, as it is more difficult to prove.

Pictures in public or semi-public settings
Include when people should be asked about image publishing, how it is possible to photograph without identifying people in the pictures, and how photography should be allowed to take place in the office. Please note that minors have a particularly high level of protection, so it is important to specifically regulate such processing where relevant.

Storage of images
It is important to keep in mind that companies need to store images and other personal data securely. The procedures should therefore include, inter alia, where the storage takes place, the duration of the storage and who has the right to access the images in the storage site.

Review and approval prior to publication
It is not a good idea to publish personal data spontaneously, as there is a greater risk that the rules of the GDPR will not be complied with in such cases. Therefore, it is good to have requirements and procedures for review before publication takes place.

Partners
If the company engages an external party for the processing of personal data in social media or for photography on behalf of the company, it is important to enter into a written data processing agreement (DPA). In addition, the delivery of the image material needs to take place via secure communication channels in proportion to the sensitivity of the personal data.

How risks can be minimised
By implementing clear procedures and structures, the risks associated with the processing of personal data are reduced. The procedures should include who is responsible for the different accounts, what type of content is allowed, use of the platforms for private purposes and guidelines to avoid sensitive situations.

Withdrawal and erasure
Data subjects always have the right to withdraw their consent, so a procedure for this should be established or included. It should cover, for example, who is responsible for erasing the material and personal data if the data subject withdraws his or her consent.

Documentation
Companies must be able to demonstrate that they comply with the GDPR and therefore it is good to document the GDPR work, including social media management and photography.
Learn more
Procedures for erasure are another routine that may be appropriate to establish
Companies shall erase personal data on a regular basis in accordance with the rules of the GDPR. Erasure means that the company deletes or anonymizes personal data. This shall take place when the data are no longer necessary for the purpose for which they were collected, or if a data subject so requests. However, there are exceptions, for example if the company has to process the personal data in order to comply with a legal obligation.