GDPR: Golf clubs probably don’t need to delete old website images

A golf course photographer has been told that golf clubs probably do not need to delete images featuring people from their websites by May 25, provided they gave verbal consent.

The General Data Protection Regulation (GDPR) is coming into effect on that date, and The Golf Business understands that several golf clubs have deleted images after taking legal advice.

The area of concern surrounds pictures of people in which they can be identified – such as golfers on the course or diners in the clubhouse – which appear on many golf club websites. At least one golf group took legal advice about GDPR to see if these pictures should be removed because the clubs do not have written confirmation from every person pictured that they consent to the publication of the images. The group then instructed its golf clubs to remove the pictures.

Image: Andy Hiseman

However, in an email exchange seen by The Golf Business, golf course photographer Andy Hiseman has been in dialogue with the Information Commissioner’s Office (ICO), and discovered that clubs only need verbal consent from those photographed, provided they are made aware of how the images will be used.

Hiseman said that every picture he took that is now used by golf clubs for marketing purposes “was taken with the golfers’ verbal permission on the day, and the individuals were told that the photos may be used on the golf club’s website. In addition, the golf club displayed posters (clearly headed ‘Notice Of Photoshoot’) in all high-traffic areas throughout the duration of the photoshoot, advising golfers a) of the presence of a photographer, and b) that they should make the photographer aware that they did not wish to be photographed, if that were the case. In addition, club staff were also telling golfers verbally about the photoshoot, repeating the advice on the posters.

“However, no signed consent forms were obtained at the time.”

Hiseman asked if the images should be removed despite this.

Image: Andy Hiseman

The ICO responded that under the above criteria, clubs do not need to remove the images. “In this particular case, I believe it would be reasonable for the club to consider relying upon the legitimate interests basis,” said a case officer.

“Marketing activity can be considered a ‘legitimate interest’ under the GDPR but the club would still need to conduct the three part test set out in the guidance to ensure that they are not going to do anything which would cause detriment or embarrassment to the individuals – clearly, if the processing was likely to cause detriment to the individuals, then it would not be appropriate to rely upon this basis.

Image: Andy Hiseman

“However, given the precautions that were in place at the time that the photos were taken, including posters about the presence of the photographers, verbal permission gained and so on, it seems likely that it would be within the individuals’ reasonable expectations that the photographs would continue to be used and would not cause them any detriment.

“The golf club would not have to remove the photos from its website to be GDPR compliant, as they would have identified an alternative basis for processing.”

Golf clubs will still need to remove any images from their websites if any person in them requests this. Last month the NGCAA wrote a piece advising golf clubs what to do regarding GDPR: http://www.thegolfbusiness.co.uk/2018/04/gdpr/