Q: Can my boss just put my photo on the company website without asking me?
"No. In the Netherlands, your boss needs your clear consent first. A work contract doesn’t count as permission, and you can always say no or change your mind later."
Francesco Cattaneo
Photos Are Not Just Branding, They Are Personal Data
For many micro and small enterprises (MSEs), using staff photos feels natural. A team page makes a company more human, an Instagram post shows culture, an intranet “smoelenboek” keeps colleagues connected.
But under the GDPR, a photo is not decoration—it is personal data. Publishing it requires a lawful basis. And in the Netherlands, the Autoriteit Persoonsgegevens (AP) makes the rules very clear: in employment contexts, consent is the baseline, not legitimate interest.
What the AP Actually Expects
The AP’s position can be distilled into three hard truths:
Consent is the rule, not the exception. Whether the photo is on the website, intranet, or internal directory, there must be a lawful ground, and almost always that ground is consent.
Consent must be real. Because of the power imbalance at work, it only counts if refusal has zero negative impact, and withdrawal is always possible.
Legitimate interest is a narrow door. It may be defensible for limited internal uses (like a directory), but rarely for public-facing publication, where privacy almost always outweighs marketing goals.
Internal Use: Smoelenboeken vs. CCTV
An internal smoelenboek is a grey zone: legitimate interest can be argued, but consent is safer. CCTV, on the other hand, usually rests on legitimate interest, if and only if monitoring is proportionate, necessary, signposted, time-limited, and (if applicable) signed off by the works council.
External Use: Websites, Social Media, Marketing
When it comes to the public stage (company websites, LinkedIn campaigns, or ads), there is no shortcut: consent is the only lawful basis. Arguing that “branding outweighs privacy” does not survive scrutiny.
Events and Group Photos: No Implied Consent
Showing up at a company event is not the same as consenting to have your face published online. The only defensible practice is to ask in advance, via sign-in forms or clear notices, and to make withdrawal as easy as ticking a box.
Quick Reference Table
| Use Case | AP Guidance | Legal Basis | Notes |
|---|---|---|---|
| Intranet / internal directory | Possibly a legitimate interest assessment (LIA); consent preferred | Legitimate interest or Consent | LIA must be documented and allow opt-out. Consent must be informed, specific, freely given, and revocable. |
| Public / marketing (website, ads) | Consent required | Consent | Must be informed, specific, freely given, and revocable. |
| Events / group photos | Consent required | Consent | No implied consent. Must be informed, specific, freely given, and revocable. |
| Security cameras (CCTV) | Legitimate interest often valid | Legitimate interest | Only with necessity, signage, short retention, safeguards, possible DPIA. |
Why It Matters for Small Businesses
For small companies, these rules may feel bureaucratic, but the logic is consistent: consent is the default for external use.
Relying on legitimate interest externally? High risk of complaints, enforcement, and reputational damage.
Mishandling consent? If it is not valid, you have no lawful basis at all.
Security concerns? Legitimate interest can work, but only with strict documentation and safeguards.
The Bottom Line
In the Netherlands, publishing employee photos without valid consent is legally reckless. Legitimate interest remains useful for security and narrow internal use, but only after a serious balancing exercise.
From a strategic perspective, opt-in consent beats opt-out legitimate interest. Given the workplace power imbalance, employers must go the extra mile to prove that consent is real, revocable, and pressure-free.
Actionable Checklist
Use written consent forms for any public-facing employee photo.
Ensure consent is informed, specific, and revocable.
Guarantee that refusal carries no negative consequences.
Document every LIA that supports internal or security uses.
Refresh consent periodically; it is not a one-off that lasts forever.
Francesco Cattaneo is a qualified Italian lawyer with a Laurea in Law from the University of Florence and full Italian Bar certification (Esame di Stato). He began his career at Studio Legale Saverio Bartoli, advising on civil litigation, wealth planning, and trust law before transitioning into international compliance roles.
He later served as Legal Project Manager at Justlex, GDPR Consultant at DPO Consultancy, and Project & Compliance Manager at Tribal Agency, gaining hands-on experience across privacy law, AI regulation, and digital risk in Italy, the UK, and the Netherlands.
A graduate of Tilburg University’s Master in Law & Technology and CIPP/E-certified, Francesco combines legal depth with strategic clarity.