
GDPR and Your Images: What EU Businesses Need to Know

If you process images containing personal data in the EU, GDPR applies. Here's how to stay compliant when editing and optimizing images.

A few weeks ago I got an email from Marco, who runs a small photography studio in Milan. He had been using an online image compressor for years to prep client photos for his website and portfolio. Then his lawyer friend asked him a question that stopped him cold: “Where do those images go when you upload them?”

Marco had no idea. He checked the tool’s terms of service and found that files were processed on servers in Virginia, USA. Under GDPR, that meant he was transferring personal data outside the EU without a clear legal basis. His lawyer told him the potential fine could reach up to 4% of annual revenue.

He wrote to me asking if ImgPrism could help. The short answer is yes, but let me explain the full picture because this affects way more businesses than you might think.

Images count as personal data under GDPR

This surprises a lot of people. The General Data Protection Regulation doesn’t just cover names, emails, and addresses. Any information that can identify a person is personal data. And a photo of someone’s face absolutely qualifies.

The European Court of Justice confirmed this back in 2019 in a case involving a Hungarian politician. The court ruled that publishing someone’s photo without consent can violate GDPR, even if their name isn’t attached. The image itself is enough to identify them.

Then there’s EXIF metadata. Most phones and cameras stamp each photo with GPS coordinates, timestamps, device serial numbers, and camera settings. I checked a photo from my own phone last week. It had 16 metadata fields, including latitude and longitude accurate to about 3 meters. That’s your home address, basically.

So when Marco uploads a client’s portrait to a random website, he’s potentially sharing that person’s face, location, and the date and time the photo was taken. All personal data. All protected under GDPR.

Article 4(1) of the regulation defines personal data broadly. If a piece of information can be linked to an identified or identifiable person, it’s covered. Photos with faces, photos with location data, photos of the interior of someone’s home. They all count.

The risk of uploading to third-party servers

Here is where things get uncomfortable for a lot of small businesses.

When you upload an image to a cloud-based editing tool, three things happen under GDPR:

Data transfer. The image leaves your device and travels to a server. If that server is outside the EU, you’ve just done a cross-border data transfer. Under Chapter V of GDPR, that requires either an adequacy decision, Standard Contractual Clauses, or another valid legal mechanism. The EU-US Data Privacy Framework exists now, but not every US service provider is certified.

Data processing agreement. If you’re using a third-party tool to process images containing personal data, GDPR Article 28 requires a written Data Processing Agreement between you and that service. When was the last time you signed a DPA with a free online image editor? Exactly.

Data retention. The tool receives your image. It processes it. But how long does the original stay on their server? What about backups? Do they use your images to train AI models? I checked seven popular free image tools last month. Only two clearly stated their retention period. The others said things like “files are deleted after processing” without defining what “after processing” means. An hour? A day? A month?

One tool I tested kept my uploaded image accessible via a direct URL for 72 hours after “deletion.” I only found out because I bookmarked the processing link and checked back later. That’s not exactly what I’d call secure.

Cloud processing vs local browser processing

Let’s put the two approaches side by side from a GDPR compliance perspective.

Concern               | Upload to US server                            | Local browser processing
----------------------|------------------------------------------------|------------------------------------------
Cross-border transfer | Yes, triggers Chapter V requirements           | No transfer occurs
DPA needed            | Yes, Article 28                                | No third party processes data
Data retention risk   | Depends on provider policy                     | None, data stays on your device
Audit trail           | You must track what was sent where             | Nothing to track
Breach notification   | Provider must notify you within 72 hours       | No breach possible since nothing was sent
Subprocessors         | Provider may use cloud hosting, CDNs           | No subprocessors involved

The difference is stark. When you process images locally in your browser, the GDPR compliance question basically answers itself. No data leaves your device. No transfer. No DPA. No retention risk. No breach scenario.

This isn’t a loophole. It’s simply that many of the regulation’s obligations, Article 28 and Chapter V among them, are triggered by handing personal data to a third party. If there’s no third party, those obligations don’t apply. You still need a lawful basis for having the images in the first place, which usually means consent or legitimate interest. But the tool itself stops being a compliance headache.

Practical steps for EU businesses

If your business handles images of people and you operate under GDPR, here’s what I’d recommend based on what I’ve learned helping Marco and others sort this out.

Use tools that process locally. This is the single biggest thing you can do. When images are processed entirely in your browser, you eliminate the transfer, retention, and DPA questions entirely. ImgPrism runs everything client-side using compiled code that executes in your browser tab. Your photos stay on your machine.

Check before you upload. If you must use a cloud tool for something browser tools can’t handle, check three things. Where are the servers? Do they have a DPA available? What’s their stated retention period? If any of those answers are missing or vague, find another tool.

Strip EXIF data from photos you share. Even if the image itself doesn’t show a face, the metadata might reveal location and timestamp. Most local processing tools, including the ImgPrism image compressor, can remove metadata during processing.
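As an added example (not ImgPrism’s code, which this post does not show), here is a minimal client-side check and strip for the EXIF segment of a JPEG: it walks the marker segments, reports whether IFD0 carries a GPS IFD pointer, and writes out a copy with the Exif APP1 segment removed while leaving the pixel data untouched. The JPEG bytes are constructed for the demo; the GPS IFD that the pointer refers to is omitted.

```javascript
// Walk the marker segments that precede the scan (SOS); returns them plus the scan offset.
function jpegSegments(bytes) {
  if (bytes[0] !== 0xFF || bytes[1] !== 0xD8) throw new Error("not a JPEG (no SOI marker)");
  const segs = [];
  let pos = 2;
  while (pos + 4 <= bytes.length && bytes[pos] === 0xFF) {
    const marker = bytes[pos + 1];
    if (marker === 0xDA || marker === 0xD9) break;          // SOS or EOI: stop walking
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3];     // length field counts itself
    segs.push({ marker, start: pos, end: pos + 2 + len });
    pos += 2 + len;
  }
  return { segs, dataStart: pos };
}

const EXIF_MAGIC = [0x45, 0x78, 0x69, 0x66, 0x00, 0x00];   // "Exif\0\0" at the start of APP1
const isExifSegment = (bytes, seg) =>
  seg.marker === 0xE1 && EXIF_MAGIC.every((b, i) => bytes[seg.start + 4 + i] === b);

// Tag numbers in IFD0 of an Exif segment; 0x8825 is the pointer to the GPS IFD.
function exifIfd0Tags(bytes, seg) {
  const tiff = seg.start + 10;                          // skip marker, length, "Exif\0\0"
  const le = bytes[tiff] === 0x49;                      // "II" = little-endian TIFF
  const u16 = (o) => (le ? bytes[o] | (bytes[o + 1] << 8) : (bytes[o] << 8) | bytes[o + 1]);
  const u32 = (o) => (le ? u16(o) + u16(o + 2) * 65536 : u16(o) * 65536 + u16(o + 2));
  const ifd0 = tiff + u32(tiff + 4);
  return Array.from({ length: u16(ifd0) }, (_, i) => u16(ifd0 + 2 + i * 12));
}
const hasGpsData = (bytes) =>
  jpegSegments(bytes).segs.some((s) => isExifSegment(bytes, s) && exifIfd0Tags(bytes, s).includes(0x8825));

// Copy of the JPEG with every Exif APP1 dropped; scan data is copied verbatim, so no re-encoding.
function stripExif(bytes) {
  const { segs, dataStart } = jpegSegments(bytes);
  const kept = segs.filter((s) => !isExifSegment(bytes, s)).map((s) => bytes.subarray(s.start, s.end));
  const parts = [bytes.subarray(0, 2), ...kept, bytes.subarray(dataStart)];
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  parts.reduce((off, p) => (out.set(p, off), off + p.length), 0);
  return out;
}

// Constructed sample, not a real photo: SOI, Exif APP1 (Model tag + GPS IFD pointer), stub SOS, EOI.
const SAMPLE_JPEG = new Uint8Array([
  0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x2E, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00, // SOI, APP1 "Exif\0\0"
  0x4D, 0x4D, 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02,             // TIFF "MM", IFD0: 2 entries
  0x01, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x43, 0x61, 0x6D, 0x00, // Model = "Cam"
  0x88, 0x25, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x26, // GPS IFD pointer
  0x00, 0x00, 0x00, 0x00,                                                 // no next IFD
  0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00, 0x12, 0x34, 0xFF, 0xD9, // SOS, scan, EOI
]);
```

Only the Exif APP1 segment is removed here; an XMP APP1 or IPTC APP13 block can carry similar location and time fields and needs the same treatment.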

Delete originals when you’re done. Keep your processed images. Delete the raw files with full EXIF data once you’ve exported the final version. Less data stored means less risk.

Get consent from the people in your photos. This is basic GDPR hygiene. If you’re using someone’s image on your website or in marketing materials, have written permission. A simple email or signed form works. Just keep a record.

Why ImgPrism works for GDPR compliance

I mentioned that Marco reached out to me. After our conversation, he switched his entire workflow to local processing. He uses ImgPrism for compressing client photos, resizing for web, and converting formats.

Here is why it works from a compliance standpoint. Because the tool never transmits personal data to a third party, the relationship between Marco and his tool never triggers the data processor provisions of Article 28. There is no processor to audit. No sub-processor chain to document. No international transfer mechanism to establish. The compliance footprint shrinks from “maintain contracts and audit logs for every tool you use” to “use a tool that never sees your data.”

For a small studio like Marco’s, that distinction is the difference between spending a weekend drafting DPAs and spending that weekend actually photographing weddings.

He told me last Tuesday that his lawyer friend reviewed the setup and called it “the simplest GDPR compliance decision he’s ever seen.” High praise from someone who bills by the hour.

Try it for yourself

Open the free image compressor and drop in a photo. If you handle images of identifiable people as part of your business, ask yourself one question. Would you rather explain to a regulator where your images went, or explain that they never went anywhere? Local processing makes the second answer possible.
