Legal questions about photos on the employee ID card

At first glance, taking employee photos looks like a purely organizational task. In practice, however, it regularly raises legal questions: May the employer request a photo at all? Is consent required? How long may the image be stored? This article gives HR departments, corporate security and compliance an overview and shows how a solution such as Photo Collect helps to meet the requirements of the GDPR reliably.

Note: This article refers to the GDPR as applied in the EU.

Can a company request a photo for the employee ID card?

Yes. Processing that is necessary to carry out the employment relationship or to ensure security does not require consent under the GDPR. A photo on the employee ID card is permissible under data protection law if it is necessary, for example for security and identification within the company.

The legal basis is:

  • Art. 6 para. 1 lit. f GDPR: "Legitimate interest" - e.g. security, access control, prevention of fraud
  • Possibly Art. 6 para. 1 lit. b GDPR: "Performance of a contract" - e.g. identification in the employment relationship

Do I need consent to capture the photo?

No. Consent is not required for a photo on the employee ID card; the legal basis is legitimate interest or performance of the contract. Consent would be superfluous and even risky here: the employee could withdraw it at any time (Art. 7 para. 3 GDPR), which would put the whole process on an unstable legal footing. In addition, consent given within an employment relationship is rarely genuinely voluntary because of the imbalance of power, and the GDPR requires that consent is freely given.

For additional purposes such as a profile picture on the intranet or in Microsoft Teams, the website or marketing material, on the other hand, separately documented, explicit and voluntary consent is required. It is best if employees upload the photo to these channels themselves. Photo Collect can send a copy to each employee by e-mail for their own use.

Is consent required for processing with Photo Collect?

No. Using Photo Collect as a processor does not change the legal basis: it remains legitimate interest or performance of the contract (see above). The processor relationship itself is governed by a data processing agreement under Art. 28 GDPR.

Must an alternative form of processing be offered without Photo Collect?

No. If Photo Collect is the selected service provider and processor, the company may handle the entire photo process centrally via Photo Collect.

Neither Art. 6 (legal basis) nor Art. 13 (information obligations) nor Art. 28 (processing by a processor) requires that employees can choose how their data is processed or which system is used for this purpose.

As long as the processing is lawful, purpose-bound, data protection-friendly and transparent, there is no legal obligation to provide other software or processing methods.

How must employees be informed about data processing?

Art. 13 GDPR regulates the information obligations a company has towards employees as soon as personal data is processed - i.e. even when consent is not required. So even if the photo for the employee ID card is processed on the basis of legitimate interest or performance of the contract, the employer must inform employees transparently about what happens to the photo: purpose and legal basis, the processor involved, storage period and the employees' rights.

For example:

As part of your employment relationship, we need a photo of you in order to create a personalized employee ID card and to enable access control in the company. The legal basis for this is Art. 6 para. 1 lit. b GDPR (performance of the employment relationship) and Art. 6 para. 1 lit. f GDPR (legitimate interest in access security).

The capture and processing of your photo takes place via the "Photo Collect" software, operated by Visible Solutions AG, Zurich. Photo Collect processes the data exclusively on our documented instructions and solely for the purpose of capturing, checking and technically processing your photo. The data is stored in an ISO 27001-certified data center in Switzerland, processed pseudonymously and automatically deleted after successful export. Metadata is removed after 90 days at the latest. Further technical and organizational measures and sub-processors are documented in our data processing agreement.

You have the right to access, rectification and erasure of your data, unless it is still required for the creation or use of the employee ID card, as well as the right to lodge a complaint with a supervisory authority. Further information can be found in our general privacy policy for employees.

Do employees have to use their private smartphone?

An obligation to use private devices (BYOD) is problematic under employment law, at least in Germany and Switzerland (employment law may differ in other countries). The employer cannot demand that an employee uses their private device for work purposes (Germany: Section 106 GewO, Switzerland: Art. 327 para. 1 OR). An alternative must therefore be available. Typical alternatives are a photo kiosk at reception or photo capture via app at the reception or ticket desk.

In addition to uploading via smartphone (BYOD or company smartphone), Photo Collect offers other channels that can be used in parallel, so there is no BYOD obligation:

  • Self-service photo kiosk at the location
  • Photo Collect app for HR employees, reception, ticket office
  • API integration in intranet or employee portals
  • Direct webcam control

By offering at least one of these channels, you fulfill your obligation under employment law to provide a reasonable alternative.

How long can photos be stored?

The storage limitation principle of the GDPR (Art. 5 para. 1 lit. e) applies to photos: keep them as briefly as possible and only as long as necessary. Here it is important to keep the Photo Collect side (processor) and the company side (controller) separate:

Photo Collect is deliberately not a long-term storage location but a processing tool: after processing, the images are promptly transferred to the customer's own system. Photo Collect adheres to the deadlines documented in the data processing agreement - such as the immediate deletion of the photos after successful export and the automatic removal of the metadata after 90 days (or a period configured individually for each customer).

The customer, as controller, determines the company's internal deletion periods. Some companies do not store employee photos at all, but remove them immediately after the card has been printed. This is the customer's responsibility. The photos must be deleted at the latest when employees leave the company.

Are the photos biometric data according to Art. 9 GDPR?

The question of whether photos count as biometric data in the context of Photo Collect often leads to uncertainty. It is true that a person is generally identifiable in a photo. However, this identifiability alone does not make a photo biometric data within the meaning of Art. 9 GDPR. The decisive factor is whether the image is processed by specific technical means so that a person is uniquely identified or authenticated on the basis of their biometric characteristics (Art. 4 no. 14 GDPR). Recital 51 GDPR says so explicitly: photographs fall under the definition of biometric data only when they are processed through specific technical means allowing the unique identification or authentication of a natural person. A normal portrait photo that is merely stored or technically prepared therefore does not automatically fall under the stricter rules for biometric data.

Accordingly, Photo Collect does not use the face for identification or for comparison with other databases. The software only performs functional analyses to prepare the photo technically for its intended purpose, for example centering the person within the image, checking the quality or removing the background. These processing steps serve exclusively to optimize the image, not to determine or verify the identity of a person. Checking whether the person is actually the right employee takes place outside the system and is the responsibility of the company.

This also applies even though the e-mail addresses supplied with the data records typically allow conclusions to be drawn about real names. Processing photos with Photo Collect remains ordinary processing of personal data, not processing of biometric data within the meaning of Art. 9 GDPR.

Which AI methods for photo processing are permitted?

When AI is involved, the decisive question is which AI method is used: Is the person in the image synthetically regenerated (GenAI)? Is the person biometrically identified? Or is AI merely used to analyze head posture, remove the background and center the face? This distinction is crucial, as different data protection requirements apply depending on the method. Once an image has been regenerated by a GenAI procedure, it should no longer be used for security-relevant purposes such as employee ID cards.

Which AI-based enhancements are permitted, where the limits lie and how companies can correctly classify the legal requirements is covered in the article Image enhancements with AI - what is allowed?

Can real names be used to address people?

A central principle of the GDPR is data minimization: companies should only collect and process the data that is actually necessary for the respective purpose. The real name of the person is not required for capturing and processing a photo - whether for an employee ID card or for security-related identification processes. Photo Collect consistently follows this principle and therefore deliberately refrains from importing names into the system or using them in upload invitations. Instead, assignment is made exclusively via technical identifiers such as employee or customer numbers, supplemented by the respective contact address (e-mail or telephone number), which is needed to send the invitation.

Conclusion: Photo processing should be handled professionally

Photos on the employee ID card seem trivial, but they are demanding in terms of data protection law. Companies must:

  • Inform transparently
  • Avoid BYOD obligations
  • Manage consents cleanly where they are actually needed
  • Strictly adhere to deletion deadlines
  • Document a clear purpose limitation
  • Ensure technical and organizational measures

Photo Collect meets these requirements. This gives companies a clearly structured, data protection-friendly process that significantly simplifies the handling of employee photos. The photo process becomes not only more efficient, but also technically robust and legally sound.
