Almost every event gets captured. You hire a photographer for next year's promo shots, someone edits an aftermovie, and meanwhile a hundred visitors have their phones in the air. The moment you share those images anywhere — your website, socials, a newsletter — two bodies of law come into play that people often mix up: portrait rights and the GDPR. They don't regulate the same thing, and you need both to do this properly.
Don't worry: you don't have to hand every visitor a form to sign. But a little thinking up front saves you hassle later, especially when someone asks you to remove a photo. Let's walk through it calmly.
A note for international readers. MijnEvent operates in the Netherlands, so the specifics below follow Dutch law. Portrait rights come from the Dutch Copyright Act (Auteurswet) and are a distinctly Dutch construct; the GDPR side applies across the entire EU. If you run events elsewhere in Europe, the GDPR rules translate directly, while your national equivalent of portrait/image rights may differ — check your local rules.
Two laws, two different questions
It helps to understand that portrait rights and the GDPR look at the same photo from different angles.
Portrait rights come from the Dutch Copyright Act and answer the question: may this image of a recognisable person be published? For photos not commissioned by the person portrayed — exactly what happens at an event — the main rule is that publishing is allowed, unless the person has a "reasonable interest" in objecting. That's set out in article 21 of the Auteurswet. What counts as a reasonable interest depends on the circumstances: a privacy interest counts, but so can a commercial (exploitation) interest — which is why using someone's face in an advert is treated far more strictly than a crowd shot.
The GDPR looks at it completely differently. A recognisable person in a photo is personal data, so taking, storing and publishing that photo is processing of personal data. For that you need a valid legal basis, you must inform people, and visitors have rights they can invoke. In the Netherlands the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) supervises this.
In short: portrait rights decide whether someone can object to publication, the GDPR decides how you must handle the images as data. For an organiser who wants to get it right, the GDPR side is usually the bulk of the work.
What the GDPR asks of you
The Dutch DPA is clear about photos and video at events: at heart you need consent from the people in the shot to make and publish it. That consent doesn't always have to be a signature. According to the DPA, consent can also follow from behaviour — the classic example is a visitor walking through an entrance gate where it has been made unmistakably clear that filming and photography take place and that the images may be published.
That's the catch: this consent is only valid if you inform people clearly and completely up front. You must be able to demonstrate that you properly told visitors what you do with the images. In practice you arrange that with a few concrete things:
- Signs at the entrance and around the venue: "Photos and video are taken at this event and may be published on our website and social media." Short, visible, not tucked away.
- A clause in your terms and conditions or ticket terms pointing to the same thing.
- A privacy statement setting out which images you capture, what you use them for, how long you keep them and who to contact.
If you can't ask for consent — for instance a wide overview shot of the crowd where no one really stands out — you may sometimes rely on the legal basis of legitimate interest. But that's only allowed if you meet its conditions: you need a genuine interest, the processing must be necessary, and the visitor's interest must not outweigh yours. An atmospheric shot of a packed hall is a different matter from a highlighted close-up of one recognisable face in an advert.
Withdrawing consent: as easy as giving it
This is where things go wrong in practice. The GDPR requires that withdrawing consent must be just as easy as giving it. If someone says afterwards "take that photo of me down", you must blur them out or remove the photo and destroy the image. So arrange in advance:
- One clear point of contact (an email address in your privacy statement) where removal requests land.
- A way to quickly find a specific photo and take it offline — including on your socials.
It's the same logic we apply at MijnEvent around visitor data: don't collect more than you need, and make opting out simple. You can read more in What does your ticket platform do with all that visitor data?.
Two situations that need extra care
Children. For recognisable images of children under 16 you need consent from their parents or guardians. At a family festival or a school-linked event that's a real consideration. Be cautious here: a highlighted portrait of a child calls for consent arranged in advance, not a sign at the gate.
Special category data. A photo sometimes shows more than a face. A headscarf can point to a religious belief; someone's appearance can suggest race. These only become special category personal data if you deliberately use or infer those characteristics — an ordinary atmospheric photo doesn't automatically fall into that bucket. But if you publish images while deliberately playing on such characteristics, stricter rules apply and you generally need explicit consent.
Visitors filming for themselves
A fair question: does this apply to those hundred phones in the air too? No. When a visitor films something for themselves, friends or family and shares it, that usually falls under the GDPR's household exemption — you as the organiser aren't responsible for it. Portrait rights can still apply to such private recordings, but that's a matter between the visitors themselves. Your responsibility starts with the images you or your hired photographer make and publish on behalf of the event.
Still worth doing: put a line in your house rules that professional recording or publication for commercial purposes by third parties isn't automatically allowed, so you keep a grip on who runs off with footage of your event.
A short checklist for your next event
Tick off this list and you're in good shape:
- Inform in advance — clear signs at the entrance and around the venue that photos and video are taken and published.
- Write it down — a clause in your ticket or house rules plus a privacy statement with purpose, retention period and contact point.
- Go easy on close-ups — the more recognisable and prominent someone is, the sooner you need targeted consent. Especially for advertising.
- Arrange consent for children separately — parents/guardians for under-16s.
- Make removal easy — one point of contact, and the ability to quickly blur or delete, including on socials.
- Don't keep forever — agree a retention period and stick to it.
Visual material is one of your strongest marketing tools: nothing sells next year quite like a sharp aftermovie or a photo of a full hall. Sort the basics in advance and you can share with peace of mind. More on that forward planning in Why MijnEvent doesn't place tracking pixels and Why MijnEvent masks buyer e-mail addresses in the dashboard.
At MijnEvent we build privacy in by default — from masked buyer e-mail addresses to data minimisation in the dashboard, so you can focus on your event rather than the fine print. Want to see how it works? Register your organisation or take a look at our pricing first.