Compliance · 8 March 2026 · 6 min read

GDPR and Photo Metadata: What Businesses Need to Know

EXIF data in photos qualifies as personal data under GDPR. GPS coordinates, device serial numbers, and embedded names all require proper handling. Here is what businesses must do.

Yes, photo metadata falls within the scope of GDPR. GPS coordinates, device serial numbers, timestamps, and photographer names embedded in image files all qualify as personal data under the regulation. Businesses that handle photos — whether from customers, employees, or the public — must treat embedded metadata with the same care as any other personal data, or risk fines of up to 4% of annual global turnover.

Is EXIF data personal data under GDPR?

The GDPR defines personal data as any information relating to an identified or identifiable natural person. Photo metadata clearly meets this threshold. GPS coordinates can pinpoint a person's location to within a few metres. Device serial numbers can be linked to a specific individual through purchase records. Timestamps combined with location data can reveal behavioural patterns. Names and contact details embedded in IPTC or XMP metadata are explicitly personal.

The European Data Protection Board (formerly the Article 29 Working Party) has confirmed that location data and device identifiers constitute personal data, even when not directly attached to a name. Our guide to EXIF vs XMP vs IPTC explains the different types of metadata that may contain personal information.

Which businesses need to worry about this?

Any business that receives, processes, stores, or publishes photos should consider metadata compliance. Common scenarios include e-commerce businesses accepting customer-submitted product photos (which may contain customer home GPS coordinates), real estate agencies publishing property photos (exposing agent device information), news organisations distributing press photos (sharing photographer personal data beyond what is necessary), HR departments handling employee headshots (storing device identifiers unnecessarily), and user-generated content platforms retaining original uploads with metadata indefinitely.

What does GDPR require for photo metadata?

The data minimisation principle in Article 5(1)(c) requires organisations to process only personal data that is adequate, relevant, and limited to what is necessary. In most cases, the metadata embedded in a photo is not necessary for the business purpose of using that image. Stripping it before storage or publication is a straightforward path to compliance.

Article 25 requires data protection by design and by default. Building metadata removal into your image handling pipeline — rather than treating it as an afterthought — demonstrates compliance with this principle.

Article 6 requires a lawful basis for processing personal data. If you are storing photos with embedded GPS coordinates, you need a legal basis for processing that location data — which most businesses do not have.

How should businesses handle photo metadata?

The most effective approach is to implement metadata stripping at the point of image ingestion. When a photo enters your system — whether uploaded by a user, received via email, or captured by staff — strip all metadata before storing or processing it further.
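One way to put that ingestion step into code, as an added example that is not the article's or ExifVoid's own implementation: a pure-Python JPEG segment filter that drops the segments carrying personal data (APP1 for Exif and XMP, APP13 for IPTC, COM for free-text comments), keeps everything the decoder needs byte for byte, and a helper that lists the surviving segments so the result can be verified. The JPEG skeleton it runs on is constructed inline, not a real photo.

```python
import struct
METADATA_MARKERS = {0xE1, 0xED, 0xFE}  # APP1 (Exif incl. GPS, XMP), APP13 (IPTC), COM
EOI, SOS = 0xD9, 0xDA

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy of a JPEG with Exif/XMP/IPTC/COM segments removed; JFIF APP0, tables,
    frame header and scan are kept because the decoder needs them."""
    # Caveat: this also drops Exif Orientation; rotate pixels first if needed.
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, i = bytearray(b"\xff\xd8"), 2
    while i < len(data) - 1:
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == EOI:
            out += b"\xff\xd9"
            break
        if marker == SOS:  # metadata precedes the scan; copy the rest verbatim
            out += data[i:]
            break
        end = i + 2 + struct.unpack(">H", data[i + 2:i + 4])[0]  # length incl. itself
        if marker not in METADATA_MARKERS:
            out += data[i:end]
        i = end
    return bytes(out)

def segment_markers(data: bytes) -> list:
    """Marker bytes of each segment up to SOS, to verify what survived."""
    markers, i = [], 2
    while i < len(data) - 1 and data[i] == 0xFF:
        markers.append(data[i + 1])
        if data[i + 1] in (SOS, EOI):
            break
        i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]
    return markers

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not a real photo): Exif, IPTC and a photographer comment.
SAMPLE_JPEG = (
    b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<GPS IFD placeholder>")
    + _seg(0xED, b"Photoshop 3.0\x008BIM<IPTC placeholder>")
    + _seg(0xFE, b"Shot by J. Doe") + _seg(0xDB, bytes(65))  # quantisation table
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")  # scan header, then entropy data
    + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"   # (with a stuffed 0xFF) and EOI
)
```

Other formats (PNG, HEIC, WebP) carry metadata in their own container chunks and need a format-specific filter, so in production run a check like `segment_markers` on every stored file rather than trusting the upload path.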

For businesses that need to handle this at scale, client-side solutions like ExifVoid ensure that metadata is removed before files even reach your servers, reducing data protection liability from the outset. This is especially relevant for organisations that want to demonstrate privacy by design.

What are the penalties for getting this wrong?

GDPR fines can reach up to 4% of annual global turnover or 20 million euros, whichever is higher. While enforcement actions specifically targeting photo metadata have been limited so far, regulators are increasingly sophisticated in their understanding of technical data types. Proactive compliance is far cheaper than reactive remediation.

Frequently asked questions

Do I need consent to store photos with metadata?

If the metadata contains personal data (which it almost always does), you need a lawful basis under Article 6 — whether that is consent, legitimate interest, or another basis. The simplest approach for most businesses is to strip metadata on receipt, eliminating the need to process that personal data at all.

Does stripping metadata count as data minimisation?

Yes. Removing unnecessary personal data from photos before storage is a textbook example of data minimisation under Article 5(1)(c). It demonstrates that your organisation only retains data that is necessary for the stated purpose.

What about C2PA provenance metadata?

New standards like C2PA (Coalition for Content Provenance and Authenticity) are designed to verify image authenticity. These may create tension with GDPR's data minimisation requirements. Our article on C2PA and Content Credentials explores this emerging issue in detail.
