Lumio
GDPR-compliant photo handover

Hand images to clients — without building a GDPR risk.

WeTransfer, Dropbox and US galleries are convenient but legally risky. Here's what you as a photographer need to watch — and how Lumio takes the compliance work off your hands.

The problem with the usual handover routes

Most photographers hand over images via tools made for generic file transfer — not for handing personal data to end clients. That makes GDPR compliance difficult:

WeTransfer / Smash

Fast file transfer, but a DPA is complicated here (WeTransfer runs on US cloud infrastructure), and you have no control over who forwards the link or how long the file stays available.

Dropbox / Google Drive

Both are US providers. You need standard contractual clauses and a risk assessment per Schrems II. For pro studios, that is an unreasonable overhead per job.

US gallery providers (Pic-Time, Pixieset, ShootProof)

Functionally good, but data processing in the US. DPAs and standard contractual clauses are available, but Schrems II remains an open flank.

USB stick by mail

Unproblematic under the GDPR, but in 2026 no longer a fitting handover standard for pro jobs — and no rating or selection workflow is possible.

What makes photo handover GDPR-compliant

You should check these eight points with any gallery provider. Lumio meets them all — but the checklist also works without Lumio as an audit template for other providers.

  • Servers in Germany (Hetzner Falkenstein/Nuremberg)
  • DPA (Art. 28 GDPR) available right in the studio and concludable electronically
  • Record-of-processing entry supplied as a PDF template
  • Data protection impact assessment (DPIA) not required
  • No data transfer to third countries (no Schrems II risk)
  • TLS encryption in transit, signed URLs for image access
  • 60-day data export grace period on cancellation
  • Deletion confirmation as a PDF for compliance documentation

Legal basis: performance of a contract

When you fulfill a job as a photographer (wedding, portrait, business shoot, event), the data processing usually rests on Art. 6(1)(b) GDPR — performance of a contract. That's the most legally established basis because it requires no separate consent.

For wedding guests and event participants who aren't direct contracting parties, the duty to inform lies with the client (e.g. the couple, the organizer). You should address this responsibility explicitly in your photography contract.

Note: this page is not legal advice. For more complex cases (politically sensitive events, journalistic work, publication) we recommend consulting a specialist lawyer for IT and media law.

Common questions about GDPR and photo handover

Do I need a data processing agreement with my gallery provider?

Yes. If the provider processes personal data (which includes images of identifiable people) on your behalf, you need a data processing agreement under Art. 28 GDPR. With Lumio the DPA is available right in your studio area: you enter your master data once, conclude it electronically with a click (expressly permitted by Art. 28(9) GDPR) and can download it as a PDF anytime — including the annexes on data types, security measures and sub-processors.

What about the US cloud problem (Schrems II)?

Lumio processes all data in the EU, primarily in Germany (Hetzner data centers). There is no data transfer to the US and therefore no Schrems II issue with standard contractual clauses and transfer impact assessments. That considerably simplifies your GDPR documentation compared with US-based providers like Pic-Time, Pixieset or ShootProof.

Who is the controller, who is the processor?

You as the photographer are the controller under the GDPR — you decide what happens with the images, you have the contract with the client. Lumio is the processor — we process the data exclusively on your instructions (storing, displaying, making it available to the recipients you define).

What about wedding guests who appear in the photos?

The legal basis for your processing is Art. 6(1)(b) GDPR (performance of a contract) toward your client, the couple. Informing guests about the photography activity is, by prevailing opinion, the task of the couple as the host. You should anchor this in your photography contract with the couple. Individual legal advice can't be replaced here — for more complex cases we recommend consulting a specialist lawyer.

Does Lumio store the images encrypted?

Images are stored in object storage; transport is end-to-end TLS-encrypted. At-rest storage encryption is handled by the storage provider (Hetzner). Access to individual images happens via signed URLs with a limited validity period — direct storage access from outside is not possible.

What happens to the images when an account is cancelled?

A 60-day grace period: your galleries stay reachable for you and your clients, and you can export all data. Only after this period is the data permanently deleted. You get timely reminders in case you forget the export.

How does an end client delete data under their GDPR rights?

If an end client exercises their right to erasure under Art. 17 GDPR (e.g. the couple no longer wants the wedding photos stored), you delete the corresponding gallery in your studio — the data is then removed from all backups within 30 days. You receive a deletion confirmation as a PDF for your own compliance documentation.

Gallery handover without GDPR headaches.

Servers in Germany, DPA concludable right in the studio, no US cloud risk. Try it for 14 days without adding a card.