GDPR and Photo Metadata: What Businesses Need to Know
How GDPR applies to EXIF data in photos, and what businesses must do to stay compliant when handling images containing personal metadata.
Photo metadata falls squarely within the scope of GDPR, and many businesses don't realise it. GPS coordinates, device serial numbers, and photographer names embedded in image files all qualify as personal data under the regulation. If your business handles photos — whether from customers, employees, or the public — metadata compliance should be on your radar.
Is EXIF data personal data under GDPR?
Yes. The GDPR defines personal data as any information relating to an identified or identifiable natural person. GPS coordinates can pinpoint a person's location. Device serial numbers can be linked to a specific individual. Timestamps combined with location can reveal behavioural patterns. Names and contact details embedded in IPTC or XMP metadata are explicitly personal.
The Article 29 Working Party (now the European Data Protection Board) has confirmed that location data and device identifiers constitute personal data, even when not directly attached to a name.
Common scenarios where this matters
E-commerce businesses that accept customer-submitted product photos may be storing GPS coordinates that reveal customer home addresses. Real estate agencies publishing property photos may be exposing agent device information. News organisations distributing press photos may be sharing photographer personal data beyond what's necessary. User-generated content platforms retaining original uploads may be storing metadata indefinitely without a legal basis.
What the GDPR requires
Under the data minimisation principle in Article 5(1)(c), organisations should only process personal data that is adequate, relevant, and limited to what is necessary. In most cases, the metadata embedded in a photo is not necessary for the business purpose of using that photo. Stripping it before storage or publication is a straightforward way to comply.
Article 25 requires data protection by design and by default. Building metadata removal into your image handling pipeline — rather than treating it as an afterthought — demonstrates compliance with this principle.
Practical steps for compliance
The most effective approach is to implement automated metadata stripping at the point of image ingestion. When a photo enters your system — whether uploaded by a user, received via email, or captured by staff — strip all metadata before storing or processing it further.
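What "strip all metadata at ingestion" looks like in practice, as an added example that is not code from the original article or from ExifVoid: a stdlib-only Python routine that walks the segment table of a JPEG, records which personal-data-carrying segments (EXIF, XMP, IPTC, comments) are present, and rewrites the file without them while keeping the segments a decoder needs (JFIF, Adobe, ICC profile, tables, and the image data itself). The sample JPEG bytes are constructed for the example and are not a decodable photo; the function and segment names are this example's own.

```python
"""Strip identifying metadata from JPEG uploads at the point of ingestion.

Added example, stdlib only. Walks the JPEG marker segments before the
Start-of-Scan (SOS) marker, drops the ones that carry personal data, and
copies the entropy-coded image data through untouched. For the audit trail
it records only the *kinds* of metadata removed, never their values.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

# Segments a viewer needs for correct decoding/rendering; everything else
# in APP1..APP15 and COM is treated as removable metadata.
KEEP_APP = {0xE0, 0xEE}  # APP0 (JFIF), APP14 (Adobe colour transform)


def classify(marker: int, payload: bytes):
    """Return a metadata kind for segments that should be stripped, else None."""
    if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
        return "EXIF"  # GPS, device serial, timestamps, artist, thumbnail
    if marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "XMP"  # creator/contact details, edit history
    if marker == 0xED and payload.startswith(b"Photoshop 3.0\x00"):
        return "IPTC"  # byline, copyright, captions
    if marker == 0xFE:
        return "COMMENT"
    if marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"):
        return None  # colour profile: needed for rendering, not personal data
    if 0xE1 <= marker <= 0xEF and marker not in KEEP_APP:
        return "APP%d" % (marker - 0xE0)  # vendor/maker-note style segments
    return None


def iter_segments(data: bytes):
    """Yield (marker, payload, raw_bytes) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, skip
            pos += 1
            continue
        if marker == SOS:
            # Entropy-coded data follows; 0xFFD9 cannot occur inside it, so
            # cutting at the first EOI also discards any trailing junk.
            tail = data[pos:]
            end = tail.find(b"\xff\xd9")
            yield marker, b"", tail if end == -1 else tail[: end + 2]
            return
        if marker == EOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            yield marker, b"", data[pos:pos + 2]  # standalone markers, no length
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        if length < 2 or end > n:
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, data[pos + 4:end], data[pos:end]
        pos = end


def scan_metadata(data: bytes):
    """Audit helper: sorted list of metadata kinds present (values are not read)."""
    found = set()
    for marker, payload, _ in iter_segments(data):
        if marker == SOS:
            break
        kind = classify(marker, payload)
        if kind:
            found.add(kind)
    return sorted(found)


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with all removable metadata segments dropped."""
    out = bytearray(b"\xff\xd8")
    for marker, payload, raw in iter_segments(data):
        if marker in (SOS, EOI):
            out += raw
            break
        if classify(marker, payload) is None:
            out += raw
    return bytes(out)


def ingest(data: bytes):
    """Ingestion step: returns (clean_bytes, kinds_removed) for storage plus audit log."""
    return strip_metadata(data), scan_metadata(data)


def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG skeleton carrying EXIF, XMP,
# IPTC and a comment. Not a real photo; tables and scan data are dummies.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + _seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _seg(0xED, b"Photoshop 3.0\x008BIM\x04\x04\x00\x00")
    + _seg(0xFE, b"Shot by Example Photographer")
    + _seg(0xDB, b"\x00" + bytes(64))            # DQT
    + _seg(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")  # SOF0, 1x1 grey
    + _seg(0xC4, b"\x00" + bytes(16))            # DHT (dummy)
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")    # SOS header
    + b"\x00\x00"                                # dummy scan data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    clean, removed = ingest(SAMPLE_JPEG)
    print("removed:", removed, "| size %d -> %d" % (len(SAMPLE_JPEG), len(clean)))
```

Run this on each upload before it touches storage, and keep only the `kinds_removed` list in your processing log: that satisfies the accountability side of Article 5 without re-creating the personal data you just removed. Other formats need their own walker (PNG `tEXt`/`eXIf` chunks, HEIC/TIFF boxes); a re-encode through an image library also drops metadata but recompresses the pixels, which this segment-level approach avoids.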
For businesses that need to handle this at scale, client-side solutions like ExifVoid ensure that metadata is removed before files even reach your servers, reducing your data protection liability from the outset.
The cost of getting it wrong
GDPR fines can reach up to 4% of annual global turnover or 20 million euros, whichever is higher. While enforcement actions specifically targeting photo metadata are still relatively uncommon, regulators are increasingly sophisticated in their understanding of technical data types. Proactive compliance is far cheaper than reactive remediation.