When AI photo distribution first began appearing at corporate events, procurement teams started asking a question that photographers and event tech vendors weren't always prepared to answer well: "Is this GDPR compliant?" The question is legitimate, the stakes are real and the answer, when delivered by a well-designed platform, should be "yes, comprehensively and here's the documentation."

This guide walks through the legal landscape for facial recognition at events, the specific compliance requirements under each major framework, what well-structured consent looks like in practice and the questions procurement teams should be asking vendors.

Why GDPR applies to event face recognition

GDPR defines biometric data in Article 4(14) as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person", and Article 9(1) lists "biometric data for the purpose of uniquely identifying a natural person" among the "special categories" of personal data. Face recognition data, specifically the mathematical embeddings computed from facial images in order to identify the person in them, meets this definition directly.

This classification matters because special category data requires a higher standard of justification than ordinary personal data. Article 9(1) prohibits the processing of special category data by default. Article 9(2) then provides a list of conditions under which processing is permitted. For commercial event applications, the relevant condition is Article 9(2)(a): the data subject has given explicit consent to the processing for one or more specified purposes.

The word "explicit" is doing significant work here. Guidance from supervisory authorities across Europe has been consistent: for special category data, passive consent (burying a clause in event terms and conditions), implied consent (you attended the event, therefore you consented to being photographed) and general consent (you agreed to photos being taken, but not to face recognition processing) do not meet the standard. The consent must be freely given, specific, informed and given by a clear affirmative action, and for special category data it must additionally be explicit.

For AI photo distribution, this means the guest selfie flow, where a guest actively chooses to submit a photo of their face for the purpose of receiving their event photos, represents exactly the kind of explicit consent Article 9(2)(a) requires. The action is voluntary, the purpose is stated and no personal photos are processed without it.

What "explicit consent" means in a practical event context

Translating the GDPR standard into a compliant event experience requires addressing four elements on the consent capture screen:

Clear identity of the data controller: Who is processing the biometric data? This should be clearly identified: the event organiser, the photo platform or both, depending on the contractual structure.

Specific purpose: Why is the biometric data being processed? The purpose must be specific, not vague. "To match your face against photos taken at this event and deliver a personalised gallery to you" is a specific purpose. "To improve our services" is not, and cannot be bolted on afterwards.

Data retention: How long will the biometric data be held? The data minimisation principle requires that biometric data is not retained beyond what is necessary for the specified purpose. For event photo matching, this means the face embedding should be deleted after matching is complete, or within a defined window after the event.

Withdrawal mechanism: Consent must be as easy to withdraw as it is to give. The consent screen should include or link to a clear process for requesting data deletion. An email address (e.g., privacy@platform.com) or an in-gallery deletion request button are both acceptable.

A consent screen that clearly covers all four elements, presented before the selfie is captured and before any biometric processing occurs, meets the GDPR consent standard for special category data processing. Consent is the lawful basis; it does not on its own discharge the controller's other obligations (processor contract, privacy notice, security measures, and a data protection impact assessment where the processing is large-scale). It is also, in practice, a well-designed user experience that builds rather than erodes guest trust.

GDPR Compliance Checklist for Event Organisers

  • Informed consent captured before selfie/biometric processing, active opt-in, not passive
  • Purpose clearly stated: photo matching only, no secondary uses
  • Data retention policy stated: deletion timeline after event
  • Withdrawal mechanism available: deletion request process clearly communicated
  • Data Processing Agreement signed with photo platform vendor
  • Privacy notice updated to include face recognition / biometric processing at this event
  • Biometric data deleted by vendor post-event (confirm in writing)
  • Opt-out alternative available: non-biometric method (e.g., BIB or ticket code) for guests who decline selfie
  • Data Protection Impact Assessment completed where required: Article 35(3)(b) requires one for large-scale processing of special category data, which a large event using face matching is likely to meet

How to structure the consent flow at your event registration

The most common question from event organisers new to AI photo distribution is: where in the guest journey does consent happen?

There are two practical options, each with distinct advantages:

Option 1: Pre-event registration consent. Include the selfie registration step in the pre-event attendee journey, either in the registration confirmation email or as a step in the event app or attendee portal. Guests who complete this step arrive at the event with their face already indexed, which allows photos to begin matching immediately as they are uploaded. This also allows guests to review the privacy notice at their leisure, rather than on the day when they are in the midst of arrival logistics.

Option 2: On-the-day consent at point of experience. QR codes at the event trigger the selfie consent flow when the guest is ready to access their gallery. The consent screen is seen immediately before the selfie is taken, making the connection between consent and action explicit. This model works well for events where pre-event registration was not possible or where attendance was walk-in.

Either approach is valid under GDPR provided the four consent elements are present. Pre-event registration typically produces better matching rates (more time for indexing, higher photo coverage before guest arrival) while on-day capture is more flexible for events with varied registration patterns.

Data minimisation: how responsible platforms handle biometric data

The data minimisation principle under GDPR Article 5(1)(c) requires that personal data is "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." For biometric data, this has a specific technical implication.

A responsibly designed AI photo distribution platform processes face images but should not retain raw face image data beyond what is needed for matching. The output of the face recognition process, a mathematical embedding (a vector of numbers), is what is actually used for matching. Once the matching is complete, retaining the original face images is unnecessary and adds regulatory risk. Note that the embedding itself is still biometric data: it was produced by specific technical processing to identify the person, so it is special category data for as long as it is held, not an anonymised by-product.

Best practice is a two-stage deletion process: raw selfie images deleted immediately after the embedding is computed; embeddings deleted after the event or on data deletion request. This means that within a defined period after the event, no biometric data associated with a specific individual should exist in the platform's systems.

When evaluating vendors, ask specifically: "What biometric data do you retain after the matching is complete and for how long?" The answer should be precise, documented and available for inclusion in your privacy notice.
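The two-stage deletion model above is easier to evaluate in a vendor when you can picture it as enforceable code. The following is an added illustration written for this page, not Eventiere's or any vendor's implementation. It assumes a single in-memory store, uses a hash-derived placeholder in place of a real face-recognition model, and shows the lifecycle a practitioner would want to see: no processing without a complete consent record, the raw selfie discarded in the same function that computes the embedding, every embedding tagged with the consented purpose and an expiry, purpose checked on every read, and deletion by withdrawal or expiry as the only exits.

```python
"""Retention-enforcing store for event face embeddings (constructed example)."""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PHOTO_MATCHING = "photo_matching"  # the only purpose this store will ever serve


class ConsentError(PermissionError):
    """Raised when processing is attempted without valid, matching consent."""


@dataclass(frozen=True)
class ConsentRecord:
    """What the consent screen captured: the four elements, plus who and when."""
    subject_id: str
    controller: str          # named data controller (organiser, platform or both)
    purpose: str             # specific purpose; PHOTO_MATCHING is the only one accepted
    retention_days: int      # how long the embedding may be kept after enrolment
    withdrawal_contact: str  # e.g. privacy@ address or in-gallery deletion route
    given_at: datetime

    def is_complete(self) -> bool:
        return bool(self.subject_id and self.controller and self.purpose
                    and self.retention_days > 0 and self.withdrawal_contact)


@dataclass
class StoredEmbedding:
    vector: tuple[float, ...]
    purpose: str
    expires_at: datetime


def placeholder_embedding(image_bytes: bytes, dim: int = 8) -> tuple[float, ...]:
    """Stand-in for a face model (assumption): a unit vector derived from a digest.
    A real platform calls its recognition model here; the lifecycle is the point."""
    digest = hashlib.sha256(image_bytes).digest()
    raw = [digest[i] - 128.0 for i in range(dim)]
    norm = math.sqrt(sum(x * x for x in raw)) or 1.0
    return tuple(x / norm for x in raw)


def cosine(a: tuple[float, ...], b: tuple[float, ...]) -> float:
    return sum(x * y for x, y in zip(a, b))  # both inputs are unit vectors


class BiometricStore:
    """Holds embeddings only; raw selfies never enter the store."""

    def __init__(self) -> None:
        self._embeddings: dict[str, StoredEmbedding] = {}
        self._consents: dict[str, ConsentRecord] = {}
        self.audit_log: list[str] = []

    def enrol(self, consent: ConsentRecord, selfie: bytes, now: datetime) -> None:
        # Gate: an incomplete or off-purpose consent record means no processing at all.
        if not consent.is_complete():
            raise ConsentError("incomplete consent record; selfie not processed")
        if consent.purpose != PHOTO_MATCHING:
            raise ConsentError(f"consent is for {consent.purpose!r}, not photo matching")
        vector = placeholder_embedding(selfie)
        del selfie  # stage 1: the raw image lives only in this frame and is dropped here
        self._consents[consent.subject_id] = consent
        self._embeddings[consent.subject_id] = StoredEmbedding(
            vector=vector,
            purpose=consent.purpose,
            expires_at=now + timedelta(days=consent.retention_days),
        )
        self.audit_log.append(f"{now.isoformat()} enrol {consent.subject_id}")

    def lookup(self, subject_id: str, purpose: str, now: datetime):
        """Return the embedding only for the consented purpose and inside retention."""
        rec = self._embeddings.get(subject_id)
        if rec is None or now >= rec.expires_at:
            return None  # unknown, already deleted, or past retention
        if purpose != rec.purpose:
            raise ConsentError(f"purpose {purpose!r} was never consented to")
        return rec.vector

    def match(self, subject_id: str, photo_vectors, now: datetime, threshold=0.8):
        """Indices of photo embeddings matching the subject: the one permitted use."""
        ref = self.lookup(subject_id, PHOTO_MATCHING, now)
        if ref is None:
            return []
        return [i for i, v in enumerate(photo_vectors) if cosine(ref, v) >= threshold]

    def withdraw(self, subject_id: str, now: datetime) -> bool:
        """Stage 2a: deletion on request; returns whether anything was held."""
        existed = self._embeddings.pop(subject_id, None) is not None
        self._consents.pop(subject_id, None)
        self.audit_log.append(f"{now.isoformat()} withdraw {subject_id} deleted={existed}")
        return existed

    def purge_expired(self, now: datetime) -> int:
        """Stage 2b: deletion at the end of the stated retention window."""
        expired = [s for s, r in self._embeddings.items() if now >= r.expires_at]
        for s in expired:
            self._embeddings.pop(s)
            self._consents.pop(s, None)
            self.audit_log.append(f"{now.isoformat()} expire {s}")
        return len(expired)

    def retained_subjects(self) -> list[str]:
        """What a vendor should be able to report to the controller post-event."""
        return sorted(self._embeddings)


if __name__ == "__main__":
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed event date
    store = BiometricStore()
    consent = ConsentRecord("guest-42", "Acme Events Ltd", PHOTO_MATCHING, 14,
                            "privacy@platform.example", t0)
    store.enrol(consent, b"constructed selfie bytes", t0)
    print(store.retained_subjects(), store.purge_expired(t0 + timedelta(days=15)),
          store.retained_subjects())
```

The useful property for procurement is that the answers to "what do you retain and for how long" fall out of `retained_subjects()` and the `expires_at` field rather than from a policy document, and that a request for the data under any purpose other than the consented one fails closed rather than being silently served.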

UK GDPR vs. EU GDPR: what changed post-Brexit

For events organised in the United Kingdom after 31 December 2020, the applicable framework is UK GDPR, the version of EU GDPR retained in UK law at the end of the Brexit transition period and read alongside the Data Protection Act 2018. For most practical purposes, including the special category data rules and explicit consent requirements that apply to facial recognition at events, UK GDPR and EU GDPR are substantively identical.

The key difference is regulatory jurisdiction: UK events are supervised by the Information Commissioner's Office (ICO), not EU supervisory authorities. Cross-border transfers between the UK and the EU/EEA currently rest on adequacy: the EU has an adequacy decision covering the UK and the UK recognises the EEA as adequate, so for as long as those remain in force no additional transfer mechanism is needed in either direction. A transfer mechanism is needed when the vendor or its sub-processors (cloud hosting, for example) sit outside those areas.

For UK event organisers using a European-headquartered photo platform (or the reverse), confirm where the biometric data is actually stored and processed, including sub-processors. Where any of it leaves the UK/EEA, confirm the transfer mechanism the vendor relies on (typically the EU Standard Contractual Clauses, or the UK International Data Transfer Agreement or Addendum for UK-origin data) and ensure it is documented in the Data Processing Agreement.

GDPR-compliant photo delivery for your event

Eventiere provides full DPA documentation, explicit consent flows and biometric data deletion after every event. Book a demo to see our compliance documentation.


UAE PDPA and Qatar data protection law

Events in the Gulf Cooperation Council operate under regional data protection frameworks that share the core principle of consent for biometric processing, with important implementation differences.

UAE Federal Decree-Law No. 45 of 2021 (UAE PDPA): The UAE's primary data protection law applies to all controllers and processors operating in the UAE or processing data about UAE residents. Biometric data is classified as sensitive personal data under the PDPA and requires explicit consent for processing. The law establishes data subject rights including the right to access, correct and delete personal data. Controllers must implement appropriate technical and organisational measures to protect sensitive data and must be able to demonstrate compliance on request.

The UAE PDPA's enforcement authority is the UAE Data Office, which became operational in 2023. Penalties for violations include fines and, in serious cases, suspension of data processing operations. Events hosted by government entities in the UAE may also be subject to additional sector-specific requirements.

Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016): Qatar's framework predates the GDPR but was developed under similar principles. The law requires consent for the collection and processing of personal data and establishes protections for sensitive data categories. The National Cyber Security Agency has published supplementary guidelines that apply to biometric data processing specifically, requiring that biometric data collected for one purpose is not used for any other purpose, a direct constraint on secondary uses.

Saudi Arabia (PDPL): For events in the Kingdom of Saudi Arabia, the Personal Data Protection Law (PDPL) issued by Royal Decree M/19 governs biometric data processing. Similar to UAE and Qatar frameworks, explicit consent is required for sensitive data. The Saudi Data and AI Authority (SDAIA) is the supervisory authority and has issued implementation regulations that provide detailed guidance on consent requirements.

In practical terms, a consent flow designed to meet EU GDPR's explicit consent standard for biometric data will also satisfy the consent requirements of the UAE, Qatar and Saudi Arabian frameworks: the GDPR consent standard is the highest common denominator, so meeting it covers the consent element of the core processing activity across all four jurisdictions. Each regime has its own further obligations beyond consent (for example registration, cross-border transfer or data residency rules), which must be checked separately for the event's location and data flows.

Data controller vs. data processor: who is responsible for what

Under GDPR and its equivalents, the event organiser and the photo distribution platform occupy distinct roles with distinct responsibilities. Understanding these is important for procurement teams.

Data controller: The entity that determines the purposes and means of processing personal data. For event photography with AI delivery, the data controller is typically the event organiser: you have decided to run this event, to have photography and to use facial recognition for photo delivery. The fact that you use a third-party platform does not transfer control; it creates a processing relationship.

Data processor: An entity that processes personal data on behalf of the controller, under contract, for purposes determined by the controller. The photo distribution platform acts as a data processor: it processes the biometric data according to the event organiser's instructions and on their behalf. That role holds only while the platform processes solely on your instructions; a vendor that uses guests' biometric data for its own purposes (training its models, for instance) would be acting as a controller for that processing, which is a different relationship and a question worth asking directly.

The practical implication: the event organiser must have a Data Processing Agreement (DPA) with the photo platform vendor. This is a legal requirement under GDPR Article 28 and is not optional. The DPA must specify what data is being processed, for what purpose, for how long and what security measures the processor applies.

When procurement teams ask "do you have a DPA?" to an AI photo vendor, they are asking the right question. Any vendor who cannot provide one should not be used for events where GDPR applies.

Breach notification requirements

In the event of a personal data breach involving biometric data, GDPR Article 33 requires the controller to notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. Article 34 requires notification to affected individuals if the breach is likely to result in a high risk to their rights and freedoms. A breach of biometric data, which is special category data, will in almost all cases meet the high-risk threshold, unless the data was encrypted or otherwise rendered unintelligible to anyone not authorised to access it (Article 34(3)(a)).

The practical implication for event organisers is: know your vendor's incident response process before the event. Their DPA should include breach notification obligations (typically, they must notify you within 24–48 hours of discovering a breach, so you can meet your 72-hour supervisory authority notification window).

Frequently asked compliance questions from event procurement teams

Q: Does taking photos at an event require attendees' consent under GDPR?
A: Ordinary photography at an event (without biometric processing) has more nuanced legal treatment. A photographer capturing images at a large public or semi-public event is generally considered to process personal data, but the legal basis may be legitimate interests rather than consent, depending on context. Facial recognition processing, converting images to biometric embeddings, is unambiguously special category data requiring explicit consent under Article 9(2)(a).

Q: What if an attendee declines to participate in the selfie flow?
A: The design of the opt-in flow means that declining simply means the attendee doesn't receive a personalised gallery. They are not identified, matched or processed. Where alternative access methods exist (BIB number, ticket code), declining biometric processing should not prevent access to general event photos. The right to refuse consent must be genuine: there should be no penalty for non-participation.

Q: Can we use the facial recognition data for purposes other than photo matching?
A: No. Purpose limitation is a core GDPR principle. If consent was obtained for photo matching, using the same biometric data for access control, attendance monitoring, or marketing profiling would be a separate, unconsented processing purpose. Each purpose requires its own consent.

Q: We are running the event outside the EU - does GDPR still apply?
A: GDPR has extraterritorial scope under Article 3. It applies when processing relates to offering goods or services to individuals in the EU, or monitoring their behaviour, regardless of where the processing takes place. If your event has EU-based attendees, or if your organisation is established in the EU, GDPR will apply to the biometric processing even if the event is held elsewhere.

Get the compliance documentation you need

Eventiere provides a full Data Processing Agreement, explicit consent flows in multiple languages and documented biometric data deletion procedures. Talk to our team about your specific compliance requirements.
