If you’re running an event in the EU or UK, photographing your guests, and either displaying or storing those photos — you’re processing personal data under GDPR. Most event organizers know this in theory and ignore it in practice, betting that no one will complain. That bet usually pays off until it doesn’t.
This post is the practical version of the regulation. Not “what GDPR says” — there are plenty of legal articles for that — but “what an event organizer actually needs to do” before the event, during the event, and after it.
TL;DR
GDPR-compliant event photo collection comes down to five things: (1) tell guests in advance, with signage they can see; (2) make participation actually optional; (3) work with a processor that signs a DPA; (4) understand where the data is hosted; (5) have a removal flow for the inevitable post-event request. Each of these takes minutes to set up — none of them require a lawyer.
We are not your lawyers. Treat this as a practical primer; consult counsel for jurisdictional specifics, especially for high-profile events or sensitive sectors.
What GDPR actually treats as “personal data” at an event
The short answer: a photograph of an identifiable person is personal data. So is a list of who attended your event, the table assignments you handed out, and the email addresses your registration collected.
The longer answer matters because not all photo data is created equal:
- A wide-shot crowd photo from the back of the room is personal data, but the risk profile is low — individuals are technically identifiable but not the subject.
- A close-up photo of a guest clearly is personal data, full stop.
- A photo with metadata (timestamp, GPS, the table number a guest entered when uploading) is personal data and arguably more sensitive than the photo alone.
- A facial-recognition index of your event’s photos is a categorical jump into “biometric data,” which is special-category data under GDPR and requires explicit, granular consent. We don’t do this and recommend against vendors who do it without your explicit instruction.
For an event photo wall, the relevant scope is: photos guests upload of themselves and others, any custom fields they enter (table, role, etc.), and the metadata the platform stores.
The five things you actually need to do
1. Tell guests in advance, with signage they can see
The first thing GDPR asks is that guests know what’s happening before any processing begins. Signage is the most efficient way to do this.
What to put on the sign:
- What: “Photos taken or uploaded at this event will appear on the [Event Name] photo wall and a public gallery.”
- By whom: “Operated by [Your Org] using [Processor name, e.g., Fotowall].”
- For how long: “Photos will be retained for [X days/months] after the event.”
- What you can do: “Don’t want your photo on the wall? Email [contact] or [link to removal form]. We can also take you off the wall on the night — talk to a staff member.”
Where to put it:
- Entrance / registration: large, can’t-miss-it format.
- Cocktail-hour signage: smaller versions on the bar, the seating chart, the table cards.
- The wall itself: a small corner banner — “Photos by guests. Don’t want yours up? Talk to a staff member or visit [URL].”
This is the lightest-weight version of the “transparency principle” GDPR is built around. It also has the practical effect of reminding guests they’re being photographed, which usually changes behavior in a useful direction.
2. Make participation actually optional
GDPR’s lawful bases for processing are mostly contract, legitimate interest, or consent. For an opt-in QR-upload photo wall, consent is the cleanest basis — guests choose to scan and upload, and that act is the consent.
The thing to get right: opting out has to be a real option, not a notional one.
What this looks like in practice:
- No one is forced to participate in the photo wall to attend the event.
- There’s a way for guests to remove their photo during the event (talk to a staff member, who has access to the moderation web app).
- The post-event removal flow is visible on the gallery and on signage, not hidden in a privacy policy.
If you’re using Fotowall, the public photo-removal request page is the canonical removal flow. The link is on every gallery footer.
3. Work with a processor that signs a DPA
If you’re using a third-party platform to display and store the photos (like Fotowall, or any of the alternatives), that platform is a data processor under GDPR. You’re the controller. The regulation requires a data processing agreement (DPA) between the two of you.
A DPA is a short, standard document that specifies:
- What categories of data the processor handles
- How long they keep it
- Where the data is hosted (US? EU? Both?)
- What happens at the end of the relationship (delete or return)
- How sub-processors are managed
- Breach notification timing
Most reputable platforms have a standard DPA they’ll sign on request. At Fotowall, the standard DPA is available for free on every paid plan (Essential and above). For Enterprise customers we negotiate custom terms; for everyone else, the standard DPA is fine and most legal teams approve it without redlines.
What you should not do: skip the DPA because the platform feels “small” or “informal.” A DPA is a five-minute task and the absence of one is the single most common GDPR audit finding for event-tech buyers.
4. Understand where the data is hosted
GDPR has specific rules about transfers of personal data outside the EU/UK. The short version: if your event is in the EU and your processor hosts data in the US, you need to verify the processor uses a valid transfer mechanism (Standard Contractual Clauses, mostly) and ideally hosts EU data in the EU.
For Fotowall:
- Default hosting: Google Cloud us-east1 (Virginia, USA).
- EU data residency: Available as an Enterprise-tier add-on. Data hosted in europe-west1 (Belgium).
- Transfer mechanism: Standard Contractual Clauses on file via Google Cloud’s terms.
For most weddings, corporate town halls, and US-based galas, the default US hosting is fine. For an EU-headquartered enterprise event, the EU residency add-on is worth requesting.
If you’re picking a vendor purely on hosting location, Walls.io is EU-hosted by default (they’re based in Vienna). See our Walls.io comparison for the full picture.
5. Have a removal flow for the inevitable post-event request
The most common GDPR-related event support ticket isn’t a regulator inquiry. It’s a guest emailing six days later saying, “Could you take down the photo where I’m holding a drink? I’m interviewing for jobs and don’t want it on the gallery.”
That request will come. The question is whether you have a clean process to respond to it.
What we recommend:
- A public removal form linked from the gallery footer. Guest fills out the request, it routes to the event admins.
- A standard response SLA: confirm receipt within 48 hours, complete removal within 30 days. (GDPR Article 12 actually says “one month from receipt” for most requests, which is the deadline you’re committing to.)
- An audit trail: log when each removal was requested and completed. This becomes important if you ever face a regulator inquiry.
At Fotowall, the public removal flow is built in. We routinely process removal requests in 24-48 hours and maintain the audit log on the event admin’s behalf.
Special cases worth flagging
Children’s events
If your event includes attendees under 16 (or under 13 in some jurisdictions — the EU lets member states pick anywhere from 13 to 16), photo collection requires explicit parental consent in many jurisdictions. We strongly recommend talking to counsel before running a public photo wall at a school event, family-day corporate event, or any event with significant under-16 attendance.
Public figures and high-profile guests
If your gala features a celebrity, politician, or other public figure, expect heightened scrutiny on what gets posted. We recommend pre-approval moderation (every photo waits for an admin tap before appearing) and a dedicated moderator with explicit instructions on what’s in-scope and out-of-scope.
Sensitive contexts
Some event categories — medical conferences with patient attendees, support-group meetings, recovery-oriented events, military events — require categorically different handling. We don’t run public photo walls at these events; if you’re running one of these, a closed gallery accessible only to registered attendees is the right pattern, and Fotowall supports it on Premier and above.
A reasonable starting checklist
If you’re three weeks out from an event and want to know the minimum-viable-compliance version:
- Signage at entrance and on the wall stating what’s happening
- DPA signed with the photo wall vendor
- Hosting location documented (US? EU? Acceptable for your audience?)
- Moderation posture decided (pre-approval vs auto)
- Removal flow linked from gallery and given to a staff member to handle
- Retention period decided (how long after the event do photos stay up?)
That’s it. Six things. Most of them take five minutes each.
Where Fotowall fits
We’ve built the platform to make compliance the default, not the upsell:
- DPA available on every paid plan (Essential and up)
- US hosting by default with EU residency as an Enterprise add-on
- Public photo removal flow built into every gallery
- Per-event retention configurable on Premier and above
- Real-time moderation queue built in on every plan
- Optional admin approval before any photo appears on the wall
The full trust page is at fotowall.io/trust. If you have specific compliance questions for your event, we’ll do a 30-minute review call and walk through your particular setup.
GDPR is not a reason to skip running a great photo wall at your event. It’s a reason to pick the right vendor and run a half-hour of pre-event prep. The teams that do this well never think about GDPR again after the event runs.