GDPR and Photo Metadata: What Businesses Need to Know
Photo metadata including GPS coordinates, device identifiers, and timestamps is personal data under GDPR. Businesses that handle images without stripping metadata may be breaching UK and EU data protection law.
GPS coordinates, camera serial numbers, and precise timestamps embedded in photo files are personal data under GDPR — and most businesses that handle images are not treating them that way. If your organisation collects, stores, or publishes photos, the metadata inside those files almost certainly falls under your data protection obligations.
Is Photo Metadata Personal Data Under GDPR?
Under the UK GDPR and EU GDPR, personal data is defined as any information relating to an identified or identifiable natural person. This is a deliberately broad definition.
GPS coordinates embedded in a photo can show exactly where a person lives, works, or regularly spends time. The legal test is whether the person can be identified, directly or indirectly, by means reasonably likely to be used, including combining the data with other available information (Recital 26); location data routinely passes that test. The same applies to device serial numbers, which can link multiple images to the same person across different contexts.
The Information Commissioner's Office (ICO) and the European Data Protection Board have both confirmed that location data constitutes personal data, even when it is not attached to a name. Photo metadata meets this threshold.
What Does This Mean in Practice?
Businesses that handle employee photos, customer images, event photography, or user-generated content need to consider whether the metadata in those files is being processed lawfully.
Lawful basis — Under GDPR Article 6, you need a valid lawful basis to process personal data. If you are storing photos with embedded GPS coordinates, you are processing location data. Whether the basis you rely on covers that depends on what employees or customers were told and on what your privacy notice says: consent given for a headshot does not automatically extend to the location where it was taken, and for employees consent is rarely treated as freely given in any case.
Data minimisation — GDPR Article 5(1)(c) requires that personal data must be adequate, relevant, and limited to what is necessary for the purpose. If you are storing photos for staff profiles or product listings, keeping precise GPS coordinates from the device that took the photo is difficult to justify as necessary.
Retention — Under Article 5(1)(e) (storage limitation), personal data must not be kept longer than necessary for the purpose. If photos are retained indefinitely with metadata intact, the metadata is retained indefinitely too, including location data that was never necessary for the original purpose.
Third-party sharing — If photos are published on a website, shared with marketing agencies, or uploaded to content management platforms, embedded metadata travels with them unless something strips it. Some platforms remove metadata on upload, but you cannot rely on that, and the file you sent still contained it. Sharing personal data with third parties triggers additional GDPR obligations, including data sharing agreements (or an Article 28 contract where the recipient is a processor) and privacy notices.
Which Business Scenarios Carry the Highest Risk?
HR and recruitment — Headshot photographs taken by an employee on their own phone and submitted for a company directory usually contain GPS coordinates (often of the employee's home, if location tagging was enabled when the photo was taken) and device information. Storing these without stripping metadata retains location data about employees.
Real estate and property management — Property photos taken on staff devices embed the location of the property. If those photos are shared externally with agents, portals, or buyers, the metadata confirms the property address even when the listing is anonymous or under offer.
Event photography — Photos taken at corporate events, conferences, or client meetings can reveal attendees' device information and the precise location and time of events. If event images are published on websites or social media without stripping metadata, that information becomes publicly accessible.
E-commerce product photography — If product photos are taken on staff devices and uploaded to a website or marketplace, GPS metadata may reveal the address of the studio, warehouse, or home where the photos were taken.
User-generated content — If customers or users submit photos as part of a form, competition, or review process, the metadata in those images is personal data you are now processing. Do your terms, privacy notice, and data handling procedures reflect this?
What Should Businesses Do?
The most practical step is to establish a policy of stripping metadata from images before they are stored in any system or published anywhere. This is data minimisation in practice — removing personal data that serves no legitimate purpose.
ExifVoid can be used to strip metadata from individual images before upload. For larger volumes, the same principle applies: metadata removal should be an automated step in the image handling workflow (for example at the upload handler or in the publishing pipeline), not an afterthought, and its output should be checked rather than assumed, because some image tools preserve Exif when they re-save a file.
Beyond the technical step, businesses should:
Review their privacy notices to confirm they accurately describe how photo metadata is handled.
Update data processing records (Article 30 records) to reflect image metadata as a category of personal data.
Ensure contracts with third parties who receive images include appropriate data protection clauses.
Consider whether existing consent or legitimate interest assessments adequately cover the processing of location data embedded in photos.
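The stripping step described above, as an added worked example (standard-library Python written for this page, not ExifVoid's code): it walks a JPEG's marker segments, reports which Exif fields carrying personal data are present, and writes a copy with every metadata segment removed while leaving the compressed image data untouched. The sample file is constructed inline with a synthetic Exif block (GPS IFD, capture time, body serial number and a copyright notice) so it runs offline; its scan data is a placeholder, so it parses but will not decode as a picture. Whole-segment stripping also discards the copyright notice; keeping that while dropping GPS would need selective editing of the Exif IFDs, which this example does not do.

```python
"""Added example (standard-library Python, not ExifVoid's code): scan a JPEG's Exif for
fields that carry personal data and write a copy with all metadata segments removed."""
import struct

SOS, STANDALONE = 0xDA, {0x01} | set(range(0xD0, 0xD8))      # RSTn/TEM have no length field
TAG_COPYRIGHT, TAG_EXIF_IFD, TAG_GPS_IFD = 0x8298, 0x8769, 0x8825
TAG_DATETIME_ORIGINAL, TAG_BODY_SERIAL = 0x9003, 0xA431

def iter_segments(data):
    """Yield (marker, payload, raw) per segment through SOS, then (None, b"", rest)
    for the entropy-coded scan data plus EOI, which is copied verbatim, never parsed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield 0xD8, b"", data[:2]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in STANDALONE:
            yield marker, b"", data[pos:pos + 2]
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        raw = data[pos:pos + 2 + length]
        yield marker, raw[4:], raw
        pos += 2 + length
        if marker == SOS:
            yield None, b"", data[pos:]
            return

def strip_metadata(data):
    """Drop every APPn (Exif, XMP, IPTC, ...) and COM segment. APP0/JFIF and APP2/ICC
    are kept: decoders rely on them and they hold no personal data."""
    out = bytearray()
    for marker, payload, raw in iter_segments(data):
        if marker == 0xFE:
            continue
        if marker is not None and 0xE0 <= marker <= 0xEF and not (
                (marker == 0xE0 and payload.startswith(b"JFIF\x00"))
                or (marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"))):
            continue
        out += raw
    return bytes(out)

def read_ifd(tiff, order, offset):
    """Return {tag: 4-byte value/offset field} for the TIFF IFD at `offset`."""
    n = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    return {struct.unpack(order + "H", tiff[e:e + 2])[0]: tiff[e + 8:e + 12]
            for e in range(offset + 2, offset + 2 + 12 * n, 12)}

def scan_exif(data):
    """Map IFD name ('IFD0', 'Exif', 'GPS') to the set of tags it holds; {} if no Exif."""
    payload = next((p for m, p, _ in iter_segments(data)
                    if m == 0xE1 and p.startswith(b"Exif\x00\x00")), None)
    if payload is None:
        return {}
    tiff = payload[6:]
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]                 # KeyError on a bad byte-order mark
    found = {"IFD0": read_ifd(tiff, order, struct.unpack(order + "I", tiff[4:8])[0])}
    for name, ptr in (("Exif", TAG_EXIF_IFD), ("GPS", TAG_GPS_IFD)):
        if ptr in found["IFD0"]:
            found[name] = read_ifd(tiff, order, struct.unpack(order + "I", found["IFD0"][ptr])[0])
    return {name: set(ifd) for name, ifd in found.items()}

def privacy_findings(found):
    """Plain-language list of the personal-data categories a scan turned up."""
    checks = [(found.get("GPS"), "GPS location (GPS IFD present)"),
              (TAG_BODY_SERIAL in found.get("Exif", ()), "camera body serial number (0xA431)"),
              (TAG_DATETIME_ORIGINAL in found.get("Exif", ()), "original capture time (0x9003)"),
              (TAG_COPYRIGHT in found.get("IFD0", ()), "copyright notice (0x8298), lost by whole-segment stripping")]
    return [text for hit, text in checks if hit]

def build_sample_jpeg():
    """Constructed input: valid JPEG framing around a little-endian Exif block (IFD0 -> Exif IFD
    and GPS IFD), a COM segment and placeholder scan data; it parses but is not a real picture."""
    entry = lambda tag, typ, count, val4: struct.pack("<HHI", tag, typ, count) + val4
    seg = lambda marker, body: bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
    notice, dt, serial = b"Copyright Example Ltd\x00", b"2024:03:01 09:30:00\x00", b"SN12345\x00"
    lat = struct.pack("<6I", 51, 1, 30, 1, 0, 1)               # 51 deg 30' 0" as 3 RATIONALs
    # TIFF layout: header 0-8, IFD0 8-50, Exif IFD 50-80, GPS IFD 80-110, out-of-line values 110+
    ifd0 = (struct.pack("<H", 3) + entry(TAG_COPYRIGHT, 2, len(notice), struct.pack("<I", 110))
            + entry(TAG_EXIF_IFD, 4, 1, struct.pack("<I", 50))
            + entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", 80)) + b"\0\0\0\0")
    exif = (struct.pack("<H", 2) + entry(TAG_DATETIME_ORIGINAL, 2, len(dt), struct.pack("<I", 132))
            + entry(TAG_BODY_SERIAL, 2, len(serial), struct.pack("<I", 152)) + b"\0\0\0\0")
    gps = (struct.pack("<H", 2) + entry(0x0001, 2, 2, b"N\x00\x00\x00")
           + entry(0x0002, 5, 3, struct.pack("<I", 160)) + b"\0\0\0\0")
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + exif + gps + notice + dt + serial + lat
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, b"Exif\x00\x00" + tiff) + seg(0xFE, b"taken at home office")
            + seg(0xDB, b"\x00" + b"\x01" * 64) + seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56\xff\xd9")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jpeg()
    print("personal data in Exif:", privacy_findings(scan_exif(data)) or "none / no Exif")
    print("stripped: %d -> %d bytes" % (len(data), len(strip_metadata(data))))
```

Run it with a file path to scan and measure a real photo; the same two functions drop into an upload handler. Check the output of whatever tool you actually use the same way, by scanning the file it produced, since a tool that re-encodes the image may carry the Exif block through unchanged.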
Frequently Asked Questions
Does GDPR apply to metadata in photos?
Yes. GPS coordinates, device identifiers, and timestamps in photo files are personal data under GDPR when they relate to an identifiable person. Businesses must have a lawful basis to process this data and must comply with data minimisation, retention, and sharing obligations.
Is it a data breach if we publish photos with metadata intact?
It depends on the circumstances. A personal data breach includes unauthorised disclosure of personal data, so publishing an employee's home location (embedded as GPS in a headshot) without their knowledge or an appropriate lawful basis could be one. Under Article 33 a breach must be reported to the ICO within 72 hours of becoming aware of it unless it is unlikely to result in a risk to individuals, and under Article 34 the affected individuals must be told where that risk is high.
Do we need to strip metadata from all photos we handle?
Not necessarily all. Metadata retained for a legitimate professional purpose (such as a copyright notice) may be justified. But metadata with no relevance to the purpose of processing, particularly GPS coordinates, should be removed as part of standard data minimisation practice. Note that tools which delete the whole Exif block also remove the copyright field, so keeping it means either stripping selectively or re-adding it afterwards.
What about photos collected before GDPR came into force?
GDPR governs current processing, not only data collected after it began to apply on 25 May 2018. If your organisation continues to store photos taken before then with metadata intact, that ongoing storage is current processing and falls within scope.
Check your photos for hidden metadata
Free, instant, and 100% in your browser. No upload. No account.