Lumio
← Blog · May 22, 2026

How long must I keep client photos?

Keep or delete? Between client service and the GDPR duty to erase, photographers need to find a clear line. A practical orientation on periods and procedure.

GDPR Legal

“Can you send me the photos from three years ago again?” — requests like this are why many photographers keep everything forever. At the same time the GDPR requires not storing personal data longer than necessary. How do you resolve this contradiction? This article gives a practical orientation — it’s explicitly not legal advice.

The principle: as short as possible

The GDPR has the principle of storage limitation: personal data — and recognizable people in photos are exactly that — may only be stored as long as necessary for the purpose. Once the job is fulfilled and handed over, the original purpose of storage falls away.

That doesn’t mean you have to delete immediately. It means you need a deliberate decision with a justification for how long you keep it.

What can argue for longer retention

  • Contractual agreement: If you set a retention period in the contract (e.g. “I keep the images for 24 months, after which they are deleted”), you have a clear basis — and the client knows.
  • Legitimate interest: For handling reorders or complaints, a limited period can be justifiable.
  • Tax obligations: Careful, this is often confused — the commercial and tax retention periods concern your invoices and business records, not the image files themselves.

What argues against keeping everything forever

The more you store, the greater your risk: in a data breach more people are affected, and you have to be able to serve access and erasure requests for all that data. “Tidying up” is thus not only a duty but also self-protection.

A workable approach

  1. Set a default period — say 12 or 24 months after handover — and write it into your contract.
  2. Inform the client actively before deletion (“I’ll delete the shots in 4 weeks — let me know if you still need anything”).
  3. Then delete reliably and completely — including all copies and generated preview versions.
  4. Document the deletion so you can demonstrate, if in doubt, that you met your obligation.

Conclusion

There’s no blanket “right” period — but there’s a right approach: a deliberately chosen retention period set out in the contract, followed by a reliable, documented deletion. That protects you legally and creates clarity for the client.

Lumio supports you on the technical side: reliable deletion functions including all preview versions, and an audit log that documents when what was deleted. You set the period yourself — we make sure the deletion works cleanly.

This post is no substitute for legal advice. For specific questions, consult a law firm specializing in data protection.

Try it free for 14 days.

Full functionality, no upfront payment. If you don't want to continue, just let it lapse — we won't pester you with reminder emails.

Start trial Prefer to self-host? → lumio-app.de