GDPR Learning Hub


Processing personal data on websites

It is common for companies to process personal data on websites. The questions below cover the situations that come up most often: pictures of employees, the privacy notice, contact forms, cookies and e-mail.

Can companies publish pictures of their employees on the website?

It depends. Publishing a picture of an employee can be perceived as an intrusion into the employee's privacy, so the employer should first analyse whether the processing is actually needed. In some industries it is standard practice and there is normally nothing unusual about it, for example the brokers of a brokerage firm. Certain roles within a company may also make it appropriate to publish a picture and a short text about the person on the website.


Legal basis for publishing images of employees


Legitimate interest

Legitimate interest can be an appropriate legal basis if the professional group or role is one where publication can reasonably be expected, for example people whose job involves contact with external parties. The employer should document the balancing test it has made between its interest and the employee's.


Performance of a contract

Performance of a contract can be the legal basis if it is necessary for the employee to have a picture on the website in order to perform their duties. It is advisable to state this clearly in the employment contract.


Consent is not appropriate

Consent is usually an inappropriate legal basis when the balance of power between the parties is unequal, as it is between employer and employee, because consent must be freely given. Consent should therefore not be used to support the publication of images of employees. It may still be useful to ask the employee, but the processing must then rest on a different legal basis.


If image or text constitutes sensitive personal data

In some cases an image or a text may constitute sensitive personal data, for example a photograph that reveals religious beliefs, health or ethnic origin. Processing may still be allowed, but stricter rules then apply.

Processing of personal data on websites for journalistic purposes

If personal data are processed on the website for journalistic purposes, special rules apply. It may then be permitted to process images, audio files, texts and similar material, for example in archives.

The information on the website may be subject to a constitutional law on freedom of expression

If a constitutional law on freedom of expression regulates the content of a website, the GDPR does not apply to those parts, since the constitutional law takes precedence. A media company is, for example, often protected by the fundamental law on freedom of expression. The same applies if a company has obtained a certificate of publication from the competent government authority.

The privacy notice should be available and published on the website

Companies must inform data subjects about the processing of their personal data. This is usually done in a privacy notice published on the website. The notice must, among other things, state the purpose of the processing, how long the data are retained and what rights the data subjects have, in accordance with Articles 13 and 14 of the GDPR.

A common mistake many companies make on their websites

Many companies have a messaging feature on the site through which visitors can easily submit questions or orders, for example a contact form. To send the message, the visitor usually has to fill in personal data such as name and e-mail address so that the company can reply. A common mistake is not to inform about the processing of personal data at the point where the visitor sends the message. The information about the processing should, where possible, be provided before the personal data are collected.

For example, the company can place the following text in the contact form, above the "send" button, with a link to the privacy notice: "We process your personal data in accordance with our Privacy Notice."

Do cookies constitute personal data?

Yes. A cookie normally contains or points to an identifier that can be linked to the visitor, so cookies are treated as personal data (online identifiers) and the rules of the GDPR apply when cookies are used.


Active consent is required for non-necessary cookies

To use non-necessary cookies on the website, the visitor's consent is required. The consent must be active: the visitor must tick the consent box themselves, and the box must not be pre-ticked. The visitor must also be able to withdraw consent as easily as it was given. Necessary cookies (also called essential cookies), for example those needed to keep a visitor logged in or to keep a shopping basket, may be set without consent.
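To make the rule above concrete, here is an added example (written for this page, not code from the original site) of a consent gate that refuses to set any non-necessary cookie until the visitor has actively opted in, defaults every category to "not ticked", and drops cookies again if consent is withdrawn. The cookie names and their categories are assumptions chosen for illustration, and an in-memory object stands in for the browser's cookie store so the logic can be run under Node without a DOM.

```javascript
// Added example: consent-gated cookie handling.
// Cookie names and categories below are assumed for illustration.
const COOKIE_CATEGORIES = {
  session_id: "necessary",   // keeps the visitor logged in
  csrf_token: "necessary",   // protects forms against CSRF
  _ga: "analytics",          // hypothetical analytics cookie
  ad_id: "marketing",        // hypothetical advertising cookie
};

// Every non-necessary category starts unchecked: the banner must never be pre-ticked.
function defaultConsent() {
  return { analytics: false, marketing: false };
}

class ConsentGate {
  // `jar` is a plain object standing in for document.cookie.
  constructor(jar) {
    this.jar = jar;
    this.consent = defaultConsent();
    this.decided = false;
  }

  // Record the choice the visitor actively made in the banner.
  // Anything other than an explicit `true` counts as "no consent" for that category,
  // and cookies of a category no longer consented to are removed (withdrawal).
  recordChoice(choice) {
    this.consent = {
      analytics: choice.analytics === true,
      marketing: choice.marketing === true,
    };
    this.decided = true;
    for (const [name, category] of Object.entries(COOKIE_CATEGORIES)) {
      if (category !== "necessary" && !this.consent[category]) {
        delete this.jar[name];
      }
    }
  }

  // Try to set a cookie. Returns true if it was allowed, false if blocked by
  // missing consent. Unclassified cookies are refused outright (fail closed)
  // so a new tracker cannot slip in unreviewed.
  setCookie(name, value) {
    const category = COOKIE_CATEGORIES[name];
    if (category === undefined) {
      throw new Error(`unclassified cookie: ${name}`);
    }
    if (category !== "necessary" && !this.consent[category]) {
      return false;
    }
    this.jar[name] = value;
    return true;
  }

  // Audit helper: names of cookies present in the jar without a valid basis.
  violations() {
    return Object.keys(this.jar).filter((name) => {
      const category = COOKIE_CATEGORIES[name];
      return category === undefined || (category !== "necessary" && !this.consent[category]);
    });
  }
}

// Walk through a typical visit and return the final cookie jar.
function demo() {
  const gate = new ConsentGate({});
  gate.setCookie("session_id", "s-123");   // allowed before any choice
  gate.setCookie("_ga", "GA1.2.1");        // blocked: no analytics consent yet
  gate.recordChoice({ analytics: true });  // visitor ticks analytics only
  gate.setCookie("_ga", "GA1.2.1");        // now allowed
  gate.setCookie("ad_id", "adv-9");        // still blocked: marketing not ticked
  return gate.jar;
}
```

The `violations()` method is the check a reviewer would run against a page that was loaded without interacting with the banner: if it returns anything other than an empty list, a non-necessary cookie was set before consent, which is exactly the mistake the paragraph above describes.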


Send personal data by e-mail

It is common for companies to use e-mail as a means of communication. Sending an e-mail is processing of personal data if the e-mail address or the message content contains personal data, and the GDPR then applies. Note that unencrypted e-mail is not considered sufficiently secure for privacy-sensitive data such as sensitive personal data. For example, an employer should not send a pay slip that reveals sick leave via unencrypted e-mail. Opportunistic TLS between mail servers does not change this: it is not guaranteed on every hop, and the message is still stored in readable form in the mailboxes at both ends, so end-to-end encryption (for example S/MIME or PGP) or a secure portal should be used for such content.
