Managing pictures, interviews or films by which is meant photographing, filming, recording, storing, editing in addition to digital and analogue publishing constitute processing of personal data under the GDPR. All personal data processing shall therefore take place in accordance with the provisions of the GDPR and in accordance with what follows from supplementary national legislation and recommendations by inspection authorities. 

Pictures, moving pictures and audio recordings

In practice this means that management and processing of personal data in the University's digital media outlets shall observe the principles for personal data processing in the GDPR, observing information security, information minimisation, purpose-directed processing and information provided to the subject of the data. 

  • This also means that legal grounds must exist for the processing of personal data in the form of photographic or moving pictures of physical persons. 
  • The legal grounds which come into question for University image, audio and social media work is above all consent and exercise of official authority.

Under the GDPR the definition of what constitutes exercise of official authority follows directly from the GDPR, Swedish law or regulations. The information shall thus have been conferred to the authority by Parliament or the government. Under the regulations for state authorities, state authorities are obliged to provide information regarding their activities. Chapter 1, Section 2 of the Higher Education Act: The mandate of higher education institutions shall include third stream activities and the provision of information about their activities, as well as ensuring that benefit is derived from their research findings.

The Higher Education Act

If Stockholm University wants to make use of people in pictures, moving pictures or audio recordings (podcasts, audio files and radio interviews) in external communications, the legal grounds of consent shall be used and a consent form which is available on the University's internal website, shall be used. The requirement for information in the regulation is fulfilled by the person being photographed or filmed being informed of the procedures regarding the University’s personal data processing and what they should do if they wish to withdraw their consent. 

  • Consent form for those ordering photographs etc
  • Information to be indicated to those who give consent, www.su.se/consents

Respective departments in the University administration are responsible for ensuring the use of the consent form, and the manner in which consent documentation is stored and how any potential withdrawal of consent is managed. If pictures and films are stored in a media bank appropriate information regarding consent shall be registered. 

If a subcontractor carries out photography, filming or audio recording this subcontractor shall obtain consent in accordance with the University's instructions. If pictures, film or audio recordings are purchased from external suppliers the respective department is responsible for the supplier providing sufficient guarantees that legal grounds for processing according to the regulation are in place. 

For consent obtained before the regulation came into force on May 25, 2018, this may still be used as legal grounds for continued use if the prior consent meets the requirements of the regulation regarding informed consent. The subject whose data is being processed should, however, as far as is possible be kept informed of the continued processing. 

For photography, filming and audio recording as well as broadcasting in conjunction with lectures, events or social/networking events the recommendations of the Swedish Data Protection Authority apply, in that consent does not need to be attained for this type of personal data processing. However, participants shall be informed of photography and/or recording. This may be done in the form of information linked to the application, in inserts into the lecture or event or by means of verbal information before the lecture or event begins. 

For processing in the form of the use of staff pictures in external communication work, the legal grounds exercise of official authority may be used if it is appropriate to expect that the job description of the employees occasions the employee appearing in pictures on the University website or in social media outlets.

The University is not responsible for personal data processing in the form of pictures, films and audio recordings of living persons in material which is linked to or shared by the University. This is because, in this case, the University is not processing the personal data itself. 

Social media

For the University's social media outlets, personal data processing in the form of names, pictures, films and audio recordings of currently living people in the university’s outlets represents personal data processing and for this the publishing department must assess what the grounds shall be for personal data processing and thus publication may take place. The mission of the University to provide information regarding its education and research gives it the opportunity to make use of exercise of official authority as a legal ground for such processing/publishing. Using names, pictures and audio recordings of people where the purpose is not clearly based on the mission to provide information on education or research shall thus be done to a limited extent. 

From May 25, 2018 each department and administrative section is responsible for the existence of legal grounds for personal data processing of names, images and films in various social media outlets. The University is not responsible for personal data processing whereby another user publishes personal data in the University’s social media outlets. On the other hand, the University is responsible for ensuring against violations of the University’s social media outlets.  Thisunder the Act on Responsibility for Electronic Bulletin Boards.

The relevant department or section must also, as far as is possible and is permitted by the nature of the operations, ensure that legal grounds exist for the processing of personal data published in digital outlets before the regulation of May 25, 2018 came into force in which are still visible in the outlets. If there are no legal grounds for continued publication the personal data should and as far as is possible be deleted, piece by piece.