Reading time: 4 minutes
With the development of digital platforms, anyone can become a content creator today: a smartphone, a good idea, and a few clicks are enough for our messages, videos, or pictures to reach thousands of people. However, online presence carries not only creative opportunities but also legal responsibilities and risk. When sharing various types of content – such as posts or videos – especially if identifiable persons appear in them, the processing of personal data occur.
General applicability of the GDPR
The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, serves a dual purpose: it ensures the protection of individuals’ personal data while also providing a framework for the free flow of such data within the European Union. The GDPR sets out in detail the rights of data subjects and the obligations of data controllers.
At the same time, the GDPR does not be applicable in certain exceptional cases; one such exception applies when a natural person processes personal data exclusively for personal purposes. Examples include private correspondence whether on paper or electronically, storage of addresses or contact details, personal notes or diaries, family photographs, communication on social networks, and other online activities. These exceptions must be interpreted narrowly, and data processing only falls outside the scope of the GDPR if it serves a purely private purpose – that is, it has no community, professional, or economic aspect. Thus, if data can be accessed by an indefinite number of persons or is made public, the activity no longer qualifies as private data processing. In the case of data processing carried out by business entities, personal or household use cannot be invoked. Therefore, the publication of any online content containing personal data (such as photographs, audio recordings, or other information) – whether it concerns employees or any other natural person – requires appropriate legal diligence in all cases.
Data processing related to online content creation
Digital platforms widely enable users to create and share photos, videos, or audio recordings – even of other people. The question may arise whether data protection rules apply in such cases. Since uploaded recordings – including images, voices, or other identifiable information – constitute personal data and are made accessible to the public, their processing falls under the GDPR.
One of the fundamental principles of data protection is that any processing of personal data must be based on a valid legal basis. When a data controller undertakes any activity involving the processing of personal data, it must carefully assess which legal basis best suits the intended purpose. In the context of content creation, data processing most commonly relies on the data subject’s consent.
Obtaining consent is crucial, as recording or publishing someone else’s image or voice is only lawful if the data subject has given explicit, informed, and prior consent. Simply tolerating the presence of a camera or answering a question does not constitute valid consent. This demonstrates how strictly the GDPR defines the requirement of a lawful basis: unlike the Hungarian Civil Code (“Civil Code”), which allows certain exceptions for public figures or mass recordings, the GDPR does not provide such derogations. This highlights the coexistence of parallel legal frameworks – compliance with the Civil Code does not necessarily mean compliance with data protection law, thus each legal regime has distinct requirements for lawful conduct.
Consequences of Non-Compliance
Publishing content online without a valid legal basis – such as consent – constitutes a violation of data protection rules. Unlawful data processing can have serious consequences, including regulatory procedures and administrative fines. If a recording is made or published without permission and results in significant harm to an individual’s interests, the act may not only be unlawful under data protection law but could also amount to a criminal offence or establish a claim for non-pecuniary damages under the Civil Code, depending on the circumstances. Liability always lies with the person who created or published the recording.
Particularly high-risk situations include cases involving children, healthcare settings, political opinions, or other sensitive personal data. If such content is shared without the data subject’s knowledge or consent, it does not qualify as private activity and is considered full-fledged data processing under the GDPR. In such cases, data subjects have the right to request information, withdraw consent, demand deletion of recordings, and pursue legal remedies.
Summary
Presence in the online space – particularly in the context of corporate communications, marketing, or HR content creation – requires careful data protection practices. What may not entail legal consequences under the Civil Code can still constitute a data protection violation.
Consent is therefore not a mere formality, but one of the fundamental prerequisites for lawful data processing. Organizations – whether content creators or employers – are advised to establish internal procedures, training programs, or policies to manage the data protection risks associated with online content creation.
Respecting data subject rights, properly documenting consents, and complying with GDPR requirements are not only matters of legal compliance, but also essential for maintaining corporate reputation and trust.
Photo source: pexels.com, Plann