How visual content creates legal obligations — and what compliance requires in practice.
Under the GDPR, images and video become regulated the moment a person can be identified.
This includes:
visible facial features
distinctive characteristics (e.g. tattoos, clothing)
contextual information
embedded metadata (e.g. location data)
Key principle
Identifiability does not require certainty — only the possibility of identification.
In practice
For digital platforms and organisations, this creates a fundamental shift:
This means organisations must:
establish a legal basis for use
control how content is processed and shared
ensure data subject rights can be enforced
document all actions taken
Images are no longer just assets — they are regulated data objects.
High-risk data
The complexity increases significantly when images are processed using AI.
If an image is used to:
identify a person
authenticate identity
extract facial features
— it may become special category data.
This introduces stricter requirements, including:
explicit consent
enhanced protection
stricter limitations on use
Underestimated risk
The risk is not limited to storing images.
It emerges from how images are:
The hidden exposure:
metadata can make anonymous images identifiable
distributed systems make deletion difficult
reuse across platforms breaks control
Result
Organisations lose visibility over where personal data exists.
Failure to manage visual data correctly creates direct exposure.
Regulatory consequences
fines up to €20 million or 4% of global turnover
enforcement actions for disproportionate processing
Operational consequences
inability to fulfil "right to erasure"
inconsistent handling of consent
fragmented audit trails
Key issue
If you cannot track and control visual data, you cannot comply.
Deletion
The GDPR requires organisations to delete personal data upon request.
In practice, this is difficult because:
content is shared externally
metadata is inconsistent
storage is fragmented
Result
Deletion becomes unreliable — and therefore non-compliant.
What's required
To manage visual data under GDPR, organisations need systems that enable:
01. Images must only be used under a valid legal basis.
02. Organisations must know where images exist and how they are used.
03. Data must be removable across all systems and instances.
04. All actions must be traceable and documented.
This is not a storage problem — it is a system control problem.
Broader system
Visual data compliance does not operate in isolation.
It intersects with:
platform enforcement obligations (DSA)
AI-generated content and synthetic media (AI Act)
SASHA's role
Manual tracking of consent, usage, and deletion does not scale.
SASHA enables this by linking governance directly to the content itself.
This allows organisations to:
associate images with consent and usage rules
control how content is shared and reused
enforce deletion across systems
generate verifiable audit trails automatically
By embedding governance into the content lifecycle, compliance becomes:
consistent
scalable
defensible
Result
Visual data is no longer unmanaged risk — it becomes controlled infrastructure.
The shift
GDPR compliance for images is not achieved through policies alone.
It requires systems that can:
— consistently and at scale.
As images become increasingly central to digital products, GDPR compliance becomes a core capability. Organisations must move from reactive handling to system-level control of visual data.