School photography sits at the intersection of three regulations that all matter: GDPR (especially Article 8 on children), the EU AI Act (face recognition is now classified as high-risk AI) and national supplementary rules across each EU member state. The simple shared-drive distribution that was once acceptable is no longer compliant for any school working with face matching, AI-organised galleries or biometric-based search.

This is a practical playbook for schools, school photographers and the data protection officers who sign off on either. It covers what consent actually has to look like, what biometric retention is allowed and what specifically to ask a vendor before letting them touch student photos.

Three regulations that apply to school photography

GDPR. Personal data of identifiable students is in scope. Photos identifying children require a legal basis for processing. Consent under Article 6 plus Article 8 (children's data) plus Article 9 (biometric special category) covers the relevant cases.

EU AI Act. It took full effect in 2026. Face recognition is classified as high-risk AI. School deployments require a conformity-assessed provider, ongoing monitoring and a clear deployer policy.

National rules. France, Germany, Italy and Ireland each have specific child-image protections that go beyond GDPR. Always check local guidance from the national data protection authority.

What parental consent must contain

Consent is not a single tick-box. The valid form covers six elements:

  1. What data will be processed (photos plus, if applicable, biometric face embeddings).
  2. The purpose (school yearbook, parent gallery, internal use only, etc.).
  3. Who the data is shared with (the photo platform, named).
  4. The retention period (specific number of weeks or months).
  5. How to withdraw consent (a self-service link or named contact).
  6. The child's right of access and deletion.

Consent must be opt-in (not pre-ticked). Withdrawing consent must be as easy as giving it.

Biometric data retention rules

Face embeddings are biometric special category data under GDPR Article 9. The retention period must be justified by the purpose. For a single school photography session with face-matched parent delivery, 30 to 90 days is typical and defensible. Longer retention requires a documented purpose.

Embeddings must be deleted automatically when the retention period ends. Manual cleanup is not compliant. The platform must demonstrate this happens.

What to ask a school photo vendor before signing

If the vendor cannot answer any of these clearly, do not let them process student photos.

A practical consent flow for schools

Send the consent form before the photo day, not on it. Use a structured digital consent flow rather than a paper form. The flow should record: parent identity, child identity, what was consented to, timestamp, IP address (for evidence) and any specific opt-outs.

Schools should keep the consent record for as long as the photos exist. When consent is withdrawn, the deletion record should be retained even after the data is deleted, to demonstrate compliance.

What to do if a parent withdraws consent mid-term

Three actions, in order: (1) confirm withdrawal in writing within 24 hours, (2) instruct the platform to delete the child's biometric data and any face-matched gallery entries within 30 days, (3) ensure the child is excluded from any new processing going forward. Document each step. The audit trail matters more than the deletion itself.
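As an added illustration (not code from this page or from any vendor), the consent record, the automatic retention purge and the withdrawal audit trail described in the sections above could be modelled as follows. The class names, the `face_embedding` scope label and counting retention from the consent timestamp are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Consent:                      # fields follow the consent-flow list above
    parent_id: str
    child_id: str
    scope: frozenset                # what was consented to
    opt_outs: frozenset             # specific opt-outs
    granted_at: datetime
    ip_address: str
    retention_days: int             # assumption: counted from granted_at
    withdrawn_at: Optional[datetime] = None

    def allows(self, item, now):
        live = now < self.granted_at + timedelta(days=self.retention_days)
        return (self.withdrawn_at is None and live
                and item in self.scope and item not in self.opt_outs)

class Store:
    def __init__(self):
        self.consents, self.embeddings = {}, {}
        self.audit = []             # append-only; kept after the data is gone
    def _log(self, now, child_id, event):
        self.audit.append((now.isoformat(), child_id, event))
    def grant(self, c):
        self.consents[c.child_id] = c
        self._log(c.granted_at, c.child_id, "consent_granted")

    def enroll(self, child_id, embedding, now):
        c = self.consents.get(child_id)
        if c is None or not c.allows("face_embedding", now):
            self._log(now, child_id, "enroll_refused")   # no consent, no processing
            return False
        self.embeddings[child_id] = embedding
        return True
    def _delete(self, child_id, now, reason):
        if self.embeddings.pop(child_id, None) is not None:
            self._log(now, child_id, "embedding_deleted:" + reason)
    def withdraw(self, child_id, now):
        self.consents[child_id].withdrawn_at = now       # record stays as evidence
        self._log(now, child_id, "consent_withdrawn")
        self._delete(child_id, now, "withdrawal")

    def purge_expired(self, now):   # run from a scheduler, never by hand
        gone = [k for k in self.embeddings if not self.consents[k].allows("face_embedding", now)]
        for k in gone:
            self._delete(k, now, "retention_expired")
        return gone
```

The audit list is the part a data protection officer would export: it still shows the deletion event after the embedding itself no longer exists.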

Designed for schools and education events

Eventiere is GDPR compliant by design with explicit consent capture, automatic retention enforcement and self-service deletion. Built for schools that take child data seriously.
