Photo handover via WeTransfer — what you risk legally
WeTransfer is convenient and fast. For professional photographers it's problematic under the GDPR — here are the five concrete points you should know.
For years WeTransfer was the default for quick photo handover: drag-and-drop into a browser tab, type the recipient’s email, done. For private purposes that’s still okay today. For professional photographers — especially in Europe — real legal risks have arisen since the GDPR took effect in 2018 and the Schrems II ruling in 2020.
This article isn’t legal advice, but a practical list of the five points you should check yourself against as a studio owner.
1. Data lands outside the EU
WeTransfer does have a European headquarters (the Netherlands), but its technical infrastructure largely uses US cloud providers. That means: personal data — and photos of identifiable people are exactly that — are potentially processed outside the EU’s protective space.
Since the Schrems II ruling, a Privacy Shield notice is no longer sufficient. As the controller, you have to document that standard contractual clauses are in place AND that a transfer impact assessment was carried out. You don’t do that for a single WeTransfer send — and so you’re formally not compliant.
2. No DPA available by default
Under Art. 28 GDPR you need a data processing agreement with every provider that processes personal data on your behalf. WeTransfer Pro offers a DPA; the free tier usually doesn’t.
The concrete problem: every time you send a free WeTransfer link to a client, you process their data via a provider with whom you have no complete DPA.
3. No access control after sending
A WeTransfer link is a URL. Whoever knows it has access. No password, no time limit (on the basic tier), no audit log.
If your client forwards the link in an email, posts it in a Slack group, or shares screenshots of the link — you have no way to control or trace that. In the worst case, your clients’ wedding photos end up on some random photo-sharing platform six months later.
4. No rating or selection workflow
WeTransfer is a file-transfer tool, not a photo-workflow tool. If your client is supposed to review 500 images and mark favorites, that simply isn’t possible with WeTransfer. You end up with spreadsheets of image numbers and manual reporting, both of which are endless time sinks.
5. No branding, no professional impression
A WeTransfer URL is a generic experience for the client. For a premium wedding shoot with a four-figure fee, the gallery experience should be just as premium as the images themselves — with your logo, your colors, your domain.
What the alternative should look like
A GDPR-compliant gallery handover needs, at minimum:
- Servers in the EU, ideally Germany
- A standardized DPA that is immediately available
- Password protection and/or an expiry date per gallery
- An audit log of access (who viewed what, when?)
- An image selection feature for an efficient workflow
- Your own branding on the gallery
Lumio meets these points as a German photo gallery platform. There are other providers in the market too — we’ve compared the most important ones on our comparison page.
Pragmatically: what to do if you’re currently using WeTransfer?
You don’t have to switch overnight. But over the next 30 days you should do the following:
- Take stock: what data have you sent via WeTransfer in the last 6 months? (Search your email archive.)
- Risk assessment: are these identifiable people (wedding, portrait) or anonymous shots (architecture, product)?
- Migration plan: for ongoing jobs, switch immediately to a GDPR-compliant tool; for legacy data, request DPAs retroactively or delete the data.
- Update your record of processing (you have one, right?).
If you’re looking for an easy entry: Lumio’s 14-day trial lets you run through the workflow switch without entering a card.