As companies prepare to wrap up the year, staff functions, corporate lunches and end-of-year parties take centre stage. These gatherings usually come with plenty of photos, team snapshots, behind-the-scenes moments, and festive group shots. Many employers later upload these images to their LinkedIn pages, internal newsletters, recruitment brochures or digital marketing campaigns.

However, even at a casual work function, a company cannot simply snap photos and share them freely. South Africa’s data protection law, POPIA, still governs how those images may be captured, used and stored.

Why Employee Photos Fall Under POPIA

Under the Protection of Personal Information Act, any photograph that reveals who a person is counts as personal information. A single image can also expose sensitive details such as racial identity, cultural background, disability, religious practice or physical condition. These categories are treated as special personal information and come with stricter legal rules.

Employers Must Justify Why They Process Staff Images

POPIA requires organisations to follow eight lawful processing principles. In practice, this means any image taken of an employee must be:

• Used for a legitimate purpose
• Minimised to what is reasonably necessary
• Managed transparently
• Collected in a lawful and responsible way

The fact that a photo is taken at a work event does not automatically make it permissible to store or publish.

Typical Employment Grounds Do Not Cover Event Photos

Businesses often rely on legal obligations or employment contracts when processing staff data (for example, payroll information or ID documents). But photographs taken at social or corporate functions are not essential to the employment relationship and therefore cannot be justified on those grounds.

This leaves employers with two options: get proper consent or prove that taking and sharing the photo is in the organisation’s legitimate interest.

When Relying on Consent

If the business chooses to obtain consent, POPIA demands that the approval must be:

• Freely given, without pressure
• Specific to photos and their intended use
• Based on clear and understandable information

Importantly, employees can refuse or withdraw consent at any time. Employers must therefore create practical systems, such as wristbands, badges or opt-out lists, to ensure that only consenting staff appear in photos. Records of who agreed, who declined, and who later changed their mind must be kept up to date.

When Relying on Legitimate Interest

If a company wishes to rely on the “legitimate interest” ground instead of consent, it must first conduct a Legitimate Interest Assessment (LIA) before taking any photos.

This assessment should:

• Identify the benefit to the company
• Weigh that benefit against employees’ privacy rights
• Propose safeguards to minimise risks

An LIA cannot be verbal or informal, it must be written, reviewed periodically, and retained as evidence of compliance.

Developing an Internal Photo & Image Policy

Without proper rules in place, a simple photo from a year-end event can become a compliance headache. POPIA violations may result in reputational damage, privacy complaints, and regulatory action.

To avoid this, companies should adopt a dedicated image-processing policy that deals with:

• The legal justification for capturing photos
• Consent language and procedures
• Whether and when an LIA is needed
• Secure storage, access control and deletion timelines
• How and where the images may be published
• Notices to employees before photos are taken

Final Thoughts: Celebrate Responsibly and Legally

Taking photos at year-end functions is a great way to showcase workplace culture but only if done lawfully. Now is the ideal time for companies to revisit their POPIA policies, update consent mechanisms, and strengthen internal processes for handling staff images.

If your organisation needs assistance drafting compliant policies, preparing consent documentation or conducting a Legitimate Interest Assessment, our team can guide you through the requirements.