We process media files like series, movies etc for streaming service providers. In these movies you have a person (actor) and in the credits you can see the person's actual name so you can connect the picture to the actual person. Does this also make all films and series that we handle in our production fall under GDPR? Although this information is available on various streaming platforms and online etc.?
Assign topic to the user
Names and pictures are personal data, according to Article 4 GDPR – Definitions. By doing media processing of personal data – images, video feeds, and names in credits – you are processing personal data. If you are based in the EU, or if you offer goods and services to people in the EU, according to Article 3 GDPR - Territorial scope – GDPR applies to your personal data processing operations. The first step is to determine your role – controller or processor. If you are a processor, you need a Data Processing Agreement signed with the streaming service providers, where they mandate you to process these films based on their instructions.
If you are a controller, you need a purpose and a legal ground for processing, according to Article 6 GDPR - Lawfulness of processing. The actors and the crew have a contract with the movie production company, so they process their data based on Contractual Obligation, per Article 6.1.b GDPR – contractual obligation. The streaming service providers have a contract with the production company, and you have a contract with the streaming service providers, but the crew and actors are not part of your contract, so you cannot use Contractual Obligation. In my opinion, the best fit for a legal ground for processing would be Legitimate Interest, but in this case, you should perform a Legitimate Interest Assessment and you should inform the actors and the crew.
At Advisera, we have a great resource to help you, an EU GDPR Documentation Toolkit that contains all documents necessary to drive your GDPR-compliance efforts, which also contains templates for privacy notices, data subject access requests, data processing agreements, and so on.
Please check these links:
- EU GDPR Toolkit: https://advisera.com/toolkits/eu-gdpr-documentation-toolkit/
- Article 3 GDPR – Territorial Scope: https://advisera.com/gdpr/territorial-scope/
- Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
- Article 6 GDPR – Lawfulness of processing: https://advisera.com/gdpr/lawfulness-of-processing/
- Article 28 – Processor: https://advisera.com/gdpr/processor/
- EU GDPR controller vs. processor – What are the differences? https://advisera.com/articles/eu-gdpr-controller-vs-processor-what-are-the-differences/
- Key roles defined in EU GDPR: https://advisera.com/articles/key-roles-defined-in-eu-gdpr/
- How to use legitimate interest to comply with EU GDPR – recorded webinar: https://advisera.com/webinars/how-to-use-legitimate-interest-to-comply-with-eu-gdpr-free-webinar-on-demand/
Comment as guest or Sign in
Jan 13, 2023