GDPR Photo Rights: What You Can Demand About Your Photos in Europe (2026)

11 min read | By Viallo Team

GDPR gives you six concrete rights over your photos: access, erasure, portability, objection, restriction, and rectification. Any company processing your photos in Europe must respond to your requests within 30 days - and you don't need a lawyer to exercise them. This guide walks through each right with exact steps, template language, and what to do if a company ignores you.

Your Photos Are Personal Data - and That Changes Everything

Most people don't realize this, but your photos are legally classified as personal data under GDPR. A photo of someone's face can identify them, which automatically triggers the full set of data protection rules. And it goes further than faces.

GPS coordinates embedded in your photos are location data. Timestamps reveal your habits. Device identifiers in EXIF metadata can be traced back to you. Even a landscape photo without any people in it can contain enough metadata to constitute personal data under Article 4(1) of Regulation (EU) 2016/679.

Under GDPR, your photo rights include the right to access, delete, export, object to processing, restrict processing, and correct metadata attached to your photos. These rights apply to every company processing your photos in Europe - from Google Photos and iCloud to the smallest local print shop. Viallo, a private photo sharing platform with EU-hosted servers, no AI scanning, and full data portability, was built from the ground up to make these rights unnecessary to exercise. But most services weren't, and that's why knowing your rights matters.

The rights I'm covering here apply equally whether you took the photo, appear in the photo, or simply uploaded it to a service. Let's go through each one.

Right of Access (Article 15): Find Out What They Have

Article 15 of GDPR gives you the right to ask any company: what photo data do you hold about me? The company must respond within 30 days with a complete answer. Not a vague summary - the actual data.

This means you can ask Google Photos exactly what metadata they've extracted from your uploads. You can ask iCloud whether they've run facial recognition on your library. You can ask a social media platform whether they've built a facial profile from photos other people tagged you in.

What you're entitled to receive:

  • A copy of all photos the company holds that contain your personal data
  • All metadata associated with those photos (GPS, timestamps, device info, tags)
  • Any derived data - facial recognition profiles, AI-generated labels, behavioral patterns
  • Who the data has been shared with (third parties, advertisers, AI training partners)
  • How long they plan to keep it and the legal basis for processing

To file a Subject Access Request, send an email to the company's Data Protection Officer (usually listed in their privacy policy) with this language: "Under Article 15 of GDPR, I request access to all personal data you hold relating to me, including any photographs, associated metadata, derived biometric data, and records of third-party sharing. Please respond within 30 calendar days as required by Article 12(3)."

The company must provide this free of charge for your first request. They can charge a reasonable fee only for clearly unfounded or excessive repeat requests.

Right to Erasure (Article 17): Demand Deletion

This is the one most people know about - the "right to be forgotten." Under Article 17, you can demand that a company delete your photos. But there are specific conditions where this right applies, and knowing them makes your request much harder to refuse.

You can demand deletion when:

  • The photos are no longer necessary for the purpose they were collected - you uploaded them for storage, but the company is now using them for AI training
  • You withdraw consent - if you originally consented to processing and now want to revoke it
  • You object to processing under Article 21 and the company has no overriding legitimate interest
  • The data was processed unlawfully - the company never had a valid legal basis
  • The data must be erased for legal compliance - a court order or legal obligation requires it

Template language for a deletion request: "Under Article 17 of GDPR, I request the erasure of all photographs and associated personal data you hold relating to me. My consent for processing is hereby withdrawn. Please confirm deletion within 30 days and provide details of any third parties to whom this data was disclosed, as you are required to notify them under Article 17(2)."

One important detail: when a company deletes your photos, they're also required to notify any third parties they shared the data with. If they sent your photos to an AI training partner, that partner must delete them too. This obligation under Article 17(2) is frequently ignored, so mention it explicitly in your request.

Right to Data Portability (Article 20): Get Your Photos Out

Article 20 gives you the right to receive your photos in a "structured, commonly used and machine-readable format." In practice, this means the company must give you your original photo files - not thumbnails, not compressed versions, not a PDF of screenshots.

This right is especially useful when you want to switch services. You can demand that a company export your full photo library with all original metadata intact. JPEG, PNG, HEIC - whatever format you uploaded, that's what you get back.

What portability actually requires:

  • Original files in their original format and resolution
  • All metadata you provided (album names, captions, tags)
  • A format that another service can import - not a proprietary archive
  • The option to have data transmitted directly to another controller (service-to-service transfer) where technically feasible

Google Photos handles this through Google Takeout, which generally works well but separates metadata into JSON sidecar files that not every service can import cleanly. iCloud lets you download originals but the process can be slow for large libraries. If GDPR requests feel like too much work, Viallo was built so you never need to file one - your photos are always downloadable in original quality, and you can export your entire library at any time without submitting a formal request.

For more on what happens to your photos when you upload them to various platforms, see our guide on who owns the photos you upload.

Right to Object (Article 21): Stop AI Training on Your Photos

This right has become significantly more important since 2024. Under Article 21, you can object to the processing of your photos when the company relies on "legitimate interest" as their legal basis. And here's the critical part: AI training on your photos almost always falls under legitimate interest rather than consent.

When you object, the company must stop processing unless they can demonstrate "compelling legitimate grounds" that override your interests. For AI training specifically, this is a hard argument for them to make - your right not to have your family photos fed into a machine learning model generally outweighs a company's commercial interest in better algorithms.

Template language: "Under Article 21 of GDPR, I object to the processing of my personal data, including all photographs and derived data, for the purposes of machine learning, artificial intelligence training, algorithmic improvement, or any automated processing beyond what is strictly necessary for the storage service I consented to. Please cease such processing immediately and confirm compliance within 30 days."

The EU AI Act, which began enforcement in 2025, adds another layer here. If a company is using your photos to train AI systems classified as high-risk, they face additional transparency and documentation requirements. For a deeper look at how the AI Act intersects with your photos, read our piece on the EU AI Act and your photos.

Two Rights Most People Overlook

Right to Restriction (Article 18) lets you pause all processing while you dispute something. If you've filed an objection under Article 21 or you believe your data is inaccurate, you can request restriction. The company must stop all processing (except storage) until the dispute is resolved. This is useful when you suspect a company is using your photos improperly but haven't proven it yet - restriction buys you time without forcing deletion.

Right to Rectification (Article 16) lets you correct inaccurate metadata attached to your photos. If a service has tagged your photo with the wrong location, wrong date, wrong person label, or wrong AI-generated description, you have the right to demand correction. This also covers derived data - if their facial recognition system misidentified you, you can require them to fix or remove that association.

Both of these rights operate on the same 30-day response timeline. Both are free to exercise. And both require the company to notify any third parties they've shared the data with about the restriction or correction.

How to File a GDPR Photo Request: Step by Step

The process is simpler than most people expect. You don't need a lawyer. You don't need to cite specific article numbers (though it helps). Here's the exact process:

  • Find the DPO contact - look in the company's privacy policy for their Data Protection Officer email. For Google, it's through the Privacy Troubleshooter at support.google.com. For Apple, email [email protected]
  • Send your request by email - include your full name, the email address associated with your account, the specific right you're exercising, and what you want done. Use the template language from the sections above
  • Keep a copy of everything - save the email you sent, note the date, and set a 30-day reminder. The clock starts when they receive your request
  • Complete their identity check - the company may ask you to verify your identity before processing the request. This is legitimate and allowed under Article 12(6). Respond promptly so the clock doesn't reset
  • Check the response - when they respond, verify that they actually did what you asked. A deletion confirmation should state that data has been deleted, not that it's "scheduled for deletion" or "marked for removal"

The company can extend the deadline by two additional months for complex requests, but they must notify you of the extension within the first 30 days and explain why. If they say nothing for 30 days, they're already in violation.

What to Do When a Company Ignores or Refuses Your Request

Companies ignore GDPR requests more often than you'd think. Some respond with vague acknowledgments and never follow through. Others claim exemptions that don't apply. Here's your escalation path:

  • Send a follow-up after 30 days - reference your original request, include the date, and state that they're in violation of Article 12(3). Be specific: "Your 30-day response period expired on [date]. Please confirm compliance or provide a lawful reason for refusal within 7 days."
  • File a complaint with your Data Protection Authority - every EU country has one. In Germany, it's the BfDI. In France, the CNIL. In Ireland, the DPC. You can file online and it's free. Include your original request and any responses you received
  • Know the penalties - GDPR violations can result in fines up to 4% of annual global revenue or 20 million euros, whichever is higher. DPAs have been actively enforcing - Meta received a 1.2 billion euro fine in 2023 for unlawful data transfers

Filing a DPA complaint is genuinely effective. The authorities investigate, and companies take these complaints seriously because of the fine structure. You don't need to threaten legal action - the DPA does that for you.

For context on how GDPR enforcement may evolve, including proposed changes to these rights, see our analysis of the EU GDPR changes in 2026. And for a broader look at which photo services handle GDPR compliance well, check our guide to GDPR-compliant photo sharing.

The simplest way to protect your photo data is to choose a service that respects it by default. Viallo stores all photos on EU servers, never scans them with AI, and lets you export or delete everything without filing a formal request. Start free with 2 albums and 200 photos - no credit card needed.

Frequently Asked Questions

What is the best way to exercise my GDPR photo rights?

Email the company's Data Protection Officer with a clear, written request citing the specific GDPR article. Viallo eliminates the need for formal requests entirely - you can access, export, or delete all your photos directly from your account settings. For other services, always send requests in writing so you have a paper trail. Most DPAs report that written requests citing specific articles get faster responses than generic complaints.

How do I stop a company from using my photos for AI training?

File an objection under GDPR Article 21 by emailing the company's DPO. Viallo never uses your photos for AI training, so no objection is necessary. With services like Google Photos, you'll need to explicitly opt out through both your account settings and a formal Article 21 request. The company must stop processing within 30 days unless they can prove compelling legitimate grounds.

Is it safe to store personal photos with a US-based cloud service?

US services like Google Photos and iCloud can be used legally from Europe, but your data is subject to US jurisdiction under the CLOUD Act regardless of where the servers sit. Viallo stores everything on EU servers with no US legal exposure. The current EU-US Data Privacy Framework allows transfers, but it's the third such agreement after two were struck down by the Court of Justice. EU-only services remove that uncertainty entirely.

What is the difference between the right to erasure and the right to data portability?

Erasure (Article 17) means the company deletes your photos permanently. Portability (Article 20) means they give you a copy of your data in a usable format so you can take it elsewhere. Viallo supports both - you can download your full library at any time and delete your account when you're done. You can exercise both rights simultaneously: export your data first, then request deletion.

Do these GDPR rights apply to photos other people took of me?

Yes. If a photo contains your face or other identifying information, it's your personal data regardless of who took it. You can request access, deletion, or restriction from any company processing that photo. The exception is purely personal or household use - your friend's private phone gallery isn't subject to GDPR. But the moment those photos are uploaded to a commercial platform, your rights apply. This is one reason facial recognition by social media platforms is so contested in Europe.
