Lumio
Blog · May 20, 2026

GDPR-compliant client galleries: what photographers need to watch

Photos of identifiable people are personal data. These six points decide whether your client gallery is GDPR-compliant — explained in practical terms.

GDPR Legal

As soon as identifiable people appear in your photos, you’re processing personal data — and the GDPR applies. For the online gallery you use to hand images to clients, that means: there are a few points you shouldn’t ignore. This article isn’t legal advice, but a practical checklist.

1. Where are the servers?

The most important point first: where are the images physically stored, including backups and any CDN caches? If the data sits with a US provider, the transfer to a third country needs a documented legal basis. Since the Schrems II ruling (2020) that has meant standard contractual clauses plus a transfer impact assessment, which is a considerable effort in practice; since the EU-US Data Privacy Framework adequacy decision (July 2023) a provider certified under it is covered, but that framework can be challenged in court just as its predecessors were, so keep the documentation either way. Servers within the EU, ideally in Germany, avoid the transfer question entirely. Note, though, that an EU data center run by a US company is still reachable under US law (CLOUD Act), so ask who the legal operator is, not only where the disks are.

2. Is there a data processing agreement?

If a provider processes personal data on your behalf, and every gallery platform does, you need a data processing agreement (DPA, Art. 28 GDPR). Reputable providers supply it as standard, together with a list of their sub-processors (hosting, e-mail, payment). If it is missing, or you have to search a long time for it, that is a warning sign. Keep the signed copy on file; it is part of the documentation you must be able to produce.

3. Encryption in transit and at rest

The transfer must be TLS-encrypted (recognizable by the lock icon / https), and that covers your upload and the client's download, not only the gallery page. In addition, the files should be stored encrypted at rest on the server. Both are standard today, but check whether your provider explicitly guarantees them, and be clear about what at-rest encryption does and does not do: when the provider holds the key, it protects against a lost or discarded disk, not against the provider's own staff or a compromised account. Access control (next point) is what limits who can read the images.

4. Access control for the galleries

A client gallery should not sit openly on the net for anyone to find. Look for password protection, expiring links or access-restricted proofing links, and check the details: an expiring link only expires if the expiry date is signed by the server, so that nobody can simply edit it in the URL, and password guesses should be rate-limited. That ensures only authorized people see the images, which matters most for weddings, family or nude photography.

5. A working deletion concept

The GDPR requires that data is not stored longer than needed (storage limitation, Art. 5(1)(e)). Your platform should let you delete galleries and individual images reliably and completely: the originals, all generated preview and thumbnail versions, and copies in backups and CDN caches once their retention period runs out. Links issued for a deleted gallery must stop working. An audit log documenting when what was deleted helps with your duty to demonstrate compliance (accountability, Art. 5(2)).
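To make points 4 and 5 concrete, here is an added example of how a signed, expiring gallery link can work, and how deleting a gallery revokes links that have not expired yet. This is illustrative code written for this article, not code from Lumio or any other gallery platform; the function names, the example domain gallery.example, the gallery id "wedding-2026" and the in-memory revocation set are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: a server-side signing key, generated once and never sent to the
# client. Rotating it invalidates every outstanding link at once.
SIGNING_KEY = secrets.token_bytes(32)

# Assumption: ids of galleries that were deleted. Links to them must stop
# working even if their expiry date has not passed yet (deletion concept).
REVOKED_GALLERIES = set()


def _signature(gallery_id: str, exp: int, key: bytes) -> str:
    """HMAC-SHA256 over gallery id and expiry, URL-safe base64 without padding."""
    msg = f"{gallery_id}:{exp}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(base_url: str, gallery_id: str, ttl_seconds: int,
              now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Issue a link that is valid for ttl_seconds from now (or from `now`)."""
    exp = (int(time.time()) if now is None else now) + ttl_seconds
    query = urlencode({"exp": exp, "sig": _signature(gallery_id, exp, key)})
    return f"{base_url}/g/{gallery_id}?{query}"


def verify_link(url: str, now: Optional[int] = None,
                key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Return (True, gallery_id) for a usable link, else (False, reason)."""
    parts = urlsplit(url)
    gallery_id = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    try:
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Check the signature first: if the client edited exp in the URL, the HMAC
    # no longer matches. compare_digest keeps the comparison constant-time.
    if not sig.isascii() or not hmac.compare_digest(_signature(gallery_id, exp, key), sig):
        return False, "bad signature"
    current = int(time.time()) if now is None else now
    if current > exp:
        return False, "expired"
    if gallery_id in REVOKED_GALLERIES:
        return False, "revoked"
    return True, gallery_id


def revoke_gallery(gallery_id: str) -> None:
    """Call this from the gallery deletion path so old links die with the data."""
    REVOKED_GALLERIES.add(gallery_id)


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed timestamp so the output is reproducible
    link = make_link("https://gallery.example", "wedding-2026", 7 * 24 * 3600, now=issued_at)
    print(link)
    print(verify_link(link, now=issued_at + 60))                    # valid
    print(verify_link(link, now=issued_at + 8 * 24 * 3600))         # expired
    tampered = link.replace("exp=1604800", "exp=9999999")           # client edits the date
    print(verify_link(tampered, now=issued_at))                     # bad signature
    revoke_gallery("wedding-2026")                                  # gallery deleted
    print(verify_link(link, now=issued_at + 60))                    # revoked
```

The point to take from this when evaluating a provider: the expiry is only meaningful because it is covered by the signature, and deleting a gallery has to feed into link validation, otherwise a previously shared link keeps working against whatever is still cached.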

6. Consent of the people depicted

This concerns not the platform but your workflow: do you have a legal basis to process and share the images this way, normally the consent of the people depicted? For commissioned work, the contract with the client usually covers the client. With third parties in the frame, e.g. guests at a wedding, it gets more complicated, because the client cannot consent on their behalf. Clarify it in advance.

Conclusion

GDPR compliance is not a single checkbox but a chain: EU hosting, DPA, encryption, access control, deletion concept and clean consents. The good news: if your gallery platform technically covers the first five points, what remains on your side is the last one, your own workflow, plus keeping the paperwork (the DPA, the documented hosting location) on file so you can show it on request.

Lumio is built exactly for that: hosting exclusively in Germany, a DPA as standard, encryption, access-restricted links, deletion functions and an audit log. The rest — the consents — no software can take off your hands, but we make the technical side as easy as possible.

Try it free for 14 days.

Full functionality, no upfront payment. If you don't want to continue, just let it lapse — we won't pester you with reminder emails.