Does the GDPR apply to instances where someone shares a photo of another on social media?

June 19, 2025

Article 102 TFEU: The Prohibition of Abuse of Dominant Position

Supreme Court Upholds Consumer Rights in Landmark Vehicle Defect Case

The “Ultra Vires” Doctrine in Company Law

Social media has fundamentally transformed how we interact and share information. What was once a private conversation has become a public comment, and personal moments are now digital content shared across platforms. This shift raises important questions about privacy, consent, and data protection, particularly under the General Data Protection Regulation (GDPR). While social media could be a powerful tool, regulation could help monitor its impact on protecting people’s fundamental rights. As with any technological development, regulation may take some time to catch up to address any potential legal concerns – whether this lag is beneficial or problematic is a discussion for another time. In this article, we will examine whether the GDPR provides protection when individuals use photos of you for posts in their own social media accounts without your permission.

Starting with the foundations, Article 2(1) outlines the material scope of GDPR, specifying that it applies to the processing of personal data wholly or partly by automated means, and to non-automated processing if the data forms part of a filing system. In the current context, only automated processing is relevant. That being said, it is essential to note at this point that there are significant restrictions to the scope of GDPR, including the so-called ‘household exemption’ (analysed below).

The critical question, therefore, becomes: when someone posts your photos on social media, are they processing your personal data through automated means under GDPR?

To answer this, we must first examine the relevant definitions.

‘Personal Data’: Article 4(1) defines ‘personal data’ broadly, as “any information relating to an identified or identifiable natural person (‘data subject’);” and specifies that an identifiable person is one that can be identified through various ways including one or more factors specific to the physical, social, or cultural identity of that person. Thus, a photograph is considered personal data if it shows identified or easily identifiable people.

‘Processing’: Article 4(2) defines ‘processing’ broadly, encompassing any operation performed on personal data, including, among other things, collection, storage, dissemination, or otherwise making it available. Evidently, when someone saves or downloads your posted photo and then posts it on their social media, they are engaging in multiple actions within the definition of processing, including collecting (downloading), storing (saving to their device), and disseminating (posting). This processing occurs regardless of whether their account is private or public.

‘Automated means’: In Case C-101/01 Lindqvist (2003), the CJEU held that publishing personal data online constitutes processing by automated means.[1] Additionally, the European Commission explicitly states that posting photos of a person on a website constitutes data processing.[2]

Thus, from the above analysis, it seems that reposting someone’s photos falls within GDPR’s scope.

However, one potential avenue remains unexplored: could the household exemption shield individual users from liability? We now turn to explore whether the activity under review could fall under the household exemption, which essentially restricts GDPR’s scope to professional or commercially related data processing.

What is the so-called ‘household exemption’?

Pursuant to Article 2(2)(c) GDPR, the regulation does not apply to the processing of personal data by “a natural person in the course of a purely personal or household activity”. Recital 18 clarifies that GDPR targets professional or commercial activities whilst exempting personal ones. The same recital further expands on ‘personal or household activities’ to include online activity undertaken within the contexts of correspondence and the holding of addresses, or social networking. It does not, however, appear to cover the posting of photos online. Moreover, the Commission further explains that the GDPR does not apply to data processed by an individual for purely personal reasons or activities carried out in one’s home, if there is no connection to a professional or commercial activity.

Does the posting of photos of a third party without consent count as a ‘purely personal or household activity’?

Academics have argued that granting a blanket exemption from GDPR requirements to any private individual who uploads materials online would enable the circumvention of the rules, undermining the purpose of data protection and privacy rules.[3] This policy concern is reflected in the Court’s jurisprudence when the CJEU has emphasised the need to adopt a broad construction of the scope of GDPR when the relevant processing is ‘liable to infringe fundamental rights, in particular the right to privacy’.[4] It is thus only natural to examine whether posting photos of third parties without their consent infringes upon their right to privacy, particularly if those individuals have already posted the photo themselves online. To answer this, the court may consider: (a) whether the photo was initially published publicly or privately? (b) whether it is being used in a way that changes its meaning or purpose, and (c) the purpose for which the third party is using the photo.

To date, there has been no case dealing with this specific activity. Given the potential infringement of fundamental rights that this activity may cause, it is difficult to determine whether the household exemption would be triggered in this case, or whether the need to protect fundamental rights would prevail, leaving the Court to rule that this scenario falls within the scope of the GDPR. A good indication remains the aforementioned example of data processing provided by the Commission, specifically the posting of a photo of a person on the website. However, it remains to be seen how the Court will potentially rule in such cases. That being said, it is worth noting that each case may be unique, and therefore, determining whether the household exemption applies may be better handled on a case-by-case basis.

On the assumption that GDPR applies to the activity under examination, one must consider whether such processing is lawful in line with the Regulation. Under GDPR, processing personal data is prohibited unless explicitly permitted by law or with the data subject’s consent. We, thus, now turn to examine whether consent is present. Specifically, when someone posts their own photo on social media, have they consented to others downloading and reposting it on different accounts? Despite the absence of clear case law or Commission guidance, it seems rather unlikely. This is due to GDPR’s precise requirements for valid consent:

Consent must be freely given, specific, informed, and unambiguous.

When a third party posts someone’s photos without permission, such consent is absent from the data subject. The original posting could have provided consent relating to the sharing of the photo with the data subject’s own followers; however, this is irrelevant to the consent we are seeking in this scenario. The original posting is not authorising unlimited redistribution by others – and this applies irrespective of whether the account is public or private.

This analysis demonstrates that unauthorised re-sharing of others’ photos falls within GDPR’s scope and lacks valid consent. However, Article 6(1) provides six lawful bases for processing personal data. While consent is clearly absent, alternative bases—such as legitimate or public interest—might apply in specific circumstances.

Author:

Ioanna Patsalidou

Associate /PhD Candidate

ioanna.patsalidou@patsalides.com.cy

Disclaimer: This analysis is provided for general information only and does not constitute legal advice. GDPR compliance requirements may vary depending on specific circumstances. For personalised legal advice, please contact our office.

[1] Lindqvist v Kammaråklagaren (Case C-101/01) [2003] ECR I-12971

[2] European Commission, ‘Data Protection Explained’ https://commission.europa.eu/law/law-topic/data-protection/data-protection-explained_en(https://commission.europa.eu/law/law-topic/data-protection/data-protection-explained_en) accessed 16 June 2025

[3] Napoleon Xanthoulis, ‘Negotiating the EU Data Protection Reform: Reflections on the Household Exemption’ in AB Sideridis and others (eds), E-Democracy, Security, Privacy and Trust in a Digital World (Springer 2013) 141

[4] Ryneš v Úřad pro ochranu osobních údajů (Case C-212/13) [2014] para 29