Using Your Employees’ Image Could Cost You a Fine: What the Law Says

21 October, 2025
–
Data Protection
–
Lucas Charnet

!Protege la privacidad de tus empleados: cómo usar imágenes con consentimiento y evitar multas de la AEPD.

More and more companies use photographs of their employees on websites, social media, or advertising materials. However, inappropriate use of an employee’s image can become a serious legal problem. The Spanish Data Protection Agency (AEPD) has imposed fines of up to €5,000 on companies that published photos of their workers without consent, and the courts remind us that personal image is a fundamental right protected by the Constitution.

This article analyses what the law says, the most common mistakes companies make, and how to avoid sanctions by acting with legal certainty.

The Right to One’s Own Image: A Fundamental Right Protected by the Constitution

The right to one’s own image is recognised in Article 18.1 of the Spanish Constitution, alongside the right to honour and to personal and family privacy. It is a fundamental right, granting each individual control over the dissemination and use of their image and protecting against non-consensual intrusions.

This right is developed in Organic Law 1/1982 of 5 May, on the civil protection of the right to honour, personal and family privacy, and one’s own image. According to this law, capturing, reproducing or publishing someone’s image requires their express consent, except in exceptional cases, such as public events or persons of public interest.

In the business context, this means that a company cannot use an employee’s image without their prior authorisation, unless there is a direct and legitimate need linked to the employment relationship.

The GDPR and Image as Personal Data: Why the Company Needs Consent

The General Data Protection Regulation (GDPR) defines “personal data” as any information relating to an identified or identifiable person. Images that allow a person to be recognised (even partially) are personal data, and their use constitutes “processing” subject to data protection law. This means that any company publishing or distributing photos of its employees must have a legal basis for doing so. In most cases, that basis can only be the employee’s express, informed, and freely given consent (Art. 6.1.a GDPR).

Neither “tacit consent” nor voluntary participation in a photoshoot is sufficient. The AEPD has repeatedly stated that the fact that an employee poses for a photograph—or even posts that same picture on their LinkedIn profile—does not authorise the company to use it on its website or corporate social media.
Consent must be unequivocal (in writing or through a clear affirmative act), informed (detailing the purpose and duration of use), and revocable at any time.

In the employment context, consent must also be genuinely free. In other words, employees must not feel pressured to sign. The AEPD reminds companies that the imbalance of power between employer and employee can invalidate consent if it is not given voluntarily and without negative consequences for refusal.

AEPD Sanctions: When a Photo on the Web Leads to a Fine

The Spanish Data Protection Agency (AEPD) has repeatedly fined companies for using employees’ images without a legal basis.

Some of the most recent cases include:

€5,000 fine for a law firm that published employee photos on its website without consent. The AEPD ruled that the fact that the same images appeared on LinkedIn was irrelevant: posing or posting on social media does not equal authorisation for corporate use.

€2,000 fine for a company that kept a former employee’s image on YouTube after termination. Although partially visible, the AEPD determined that the person was still identifiable, breaching Article 6.1 GDPR.

Warning to a hair salon for using an employee’s photo in a commercial leaflet without consent, stressing that even microbusinesses must respect express consent.

These precedents show that company size doesn’t matter—a single image published without authorisation is enough to constitute an infringement. The AEPD’s message is clear: using your employees’ images without permission can be costly.

The Employment Law Perspective: Limits to Employer Power

From an employment law perspective, an employee’s image is linked to their right to privacy and professional dignity. The Spanish Workers’ Statute clearly limits the employer’s managerial powers: Article 4.2(e) recognises employees’ rights to privacy and dignity, and Article 20.3 establishes that workplace monitoring must respect these rights.

An employer cannot require employees to appear in advertising materials, videos, or social media posts unless it directly relates to their job duties.
The use of an employee’s image is only justified when it serves internal and necessary purposes, such as ID cards, internal directories, or intranet platforms.

Conversely, sharing those images externally (on websites, social networks, campaigns, or institutional videos) requires the employee’s prior and specific consent. Spanish case law clarifies that not every image-use clause in a contract is valid: it must be clear, specific, and proportionate.

Moreover, employees may withdraw their consent at any time, obliging the company to cease using the image from that moment onward. The Spanish Supreme Court has held that using an employee’s image without consent constitutes an unlawful intrusion, which may result in moral damages, in addition to administrative penalties.

Best Practices for Companies: How to Avoid Sanctions

Responsible use of employee images not only prevents fines but also strengthens corporate trust and reputation. Here are some practical recommendations that every organisation should implement:

1. Obtain written consent. Before publishing any image of an employee on your website, social media, or promotional materials, get express, documented authorisation.
2. Provide clear information. Employees must know exactly where and for what purpose their image will be used.
3. Respect refusals without consequence. Participation should always be voluntary.
4. Limit use to the agreed purpose. If consent was given for the website, do not reuse the image in advertising campaigns without new authorisation.
5. Remove images upon termination. When an employee leaves the company, review and delete their public photographs.
6. Adopt an internal image-use policy. Include procedures, responsibilities, and withdrawal mechanisms.
7. Train marketing and communications staff. Avoid spontaneous posts that could violate employee rights.
8. Seek legal advice before publishing. A prior legal review is always the best prevention.

Conclusion

Using employees’ images for corporate or promotional purposes is not an innocent practice. It constitutes the processing of personal data and affects a fundamental right that requires the employee’s express consent. AEPD decisions confirm that even small companies have been fined for ignoring this obligation. In short, a single photograph on your website or social media could cost thousands of euros in fines and damages if not handled correctly. For this reason, companies must implement clear protocols, obtain written consent, and regularly review compliance.

At MES Advocats, we provide comprehensive legal advice and support in regulatory compliance, data protection, and image rights management. Our team helps companies develop safe internal policies, draft consent clauses, and prevent legal risks. If you’d like to review how your company uses employee images or need to adapt your privacy policy, contact us. In this field, prevention is always the best strategy.

###


Derecho a la propia imagenPublicidad con trabajadoresRGPD ámbito laboralSanciones AEPD imagenUso imagen empleados consentimiento

---