How does the GDPR module work?

Here you will find information on how to use the GDPR module in Mediaflow

Table of Contents

General information

Settings related to GDPR Permissions

administer GDPR

Settings for the GDPR module

GDPR labels

GDPR icons

Workflow for GDPR

Digital Signing

Overviews and status

GDPR/Index of persons

Information in the right side info panel

 

 

 

General information

Mediaflow can help you in your work with managing the requirements (and opportunities) introduced by the new Data Protection Regulation / GDPR. Since, among other things, images of identifiable persons are classified as a personal data, this means that the image itself, even if it has no name or other description, is a personal data that must be processed and handled accordingly. It is sufficient that you have an image that is stored in your image bank in order for it to be classified as handling of personal data, and thus fall under the GDPR legislation. This even if that image is not visible or available on your website or intranet.

This requires, among other things, that you must be able to state what legal basis you have for storing the image, and if there is no other legal basis, you must have the consent of all persons depicted in order for you to have the image at all. In addition, as most people know, there are requirements that it should be possible for a user to find out what individual personal data is stored and where, in order to selectively remove personal data if need be.

To facilitate this management of images (and files) and help you comply with the new data protection regulation, we have added some new GDPR features to Mediaflow to help with this.

 

Settings related to GDPR permissions

 

Administrate GDPR

Determine if you can access the GDPR section under Administer. Note that users who are set as "Pro + admin" access this section anyway.

Access GDPR information in files

This allows the user to see GDPR-related information in files, access the GDPR menu in the category tree on the right and access the personal register.

Be able to see which people are in files

This means that it is printed which people are specified in the image under the Info tab when you click on an image. By clicking on the name, you can then also do a search on all images that the person is included in (though limited to what access you have to files)

Modify GDPR information in files

This means that you can also change this information, both in terms of which people are in what pictures and files but also information about people in the personal register.

Access / download of GDPR documents/consents

This allows the user to view and download documents and files that are linked to the persons in the personal register. This is usually about scanned consent documents and model agreements.

Obtain digital consent (Only visible to customers with GDPR +)

This allows the collection of digital consents via email or text message. These are then approved via SMS, email or Bank ID and synchronized directly back to Mediaflow.

Settings for the GDPR module

Under the cog wheel you will find the section called GDPR. You control via the group permission
"Administrate GDPR" who should access this tab. Here you enter some general settings
for GDPR and state which fields you want to exist for persons in the personal register.

 

GDPR labels

If you check the setting for "If a person has been stated in the image, set GDPR-status to "Consent is needed", all images will appear and files in Mediaflow that do not have any GDPR status set get a small selection in the bottom right the corner where it says "GDPR?".

These files are also available under the category "Files without GDPR status" under the main category "Personal Data (GDPR)"

If you use the GDPR option "Consent required" when you indicate that there are people in the picture all pictures / files where you state (mark) that there is at least one person will automatically get the GDPR status "Identifiable people exist (Consent required)".

As long as you do not often have other legal grounds for storing images (for example, if you work with historical images, or where images usually have a "legitimate interest"), this can be a fairly flexible function to avoid ticking this separately.

At the bottom you specify which fields you want to be connected to people in the system. Here you can, for example, enter e-mail and telephone so that you have the opportunity to contact the person (who owns the personal information). You can also control exactly which groups should be able to access individual fields. This can be useful to know if you want to enter more sensitive information such as social security numbers.

There are always two default fields that you can not change, these are Name / ID and Comment / Restrictions (so these are not on the list). If you think you do not want to include the person's name in the register, you can check "Use automatic ID numbers instead of names of people". Then an automatic ID number will be generated every time you add a new person.

 

GDPR-icons

 

Workflow for GDPR

State Lawful grounds for personal data processing

The first thing you must specify for an image is whether it contains any form of personal data, and in that case what legal basis you have for storing ("managing") that personal data. To do this, right-click on an image (also works if you have selected several at once) and select the Personal Data (GDPR) submenu:

 

It is possible to state primarily three different reasons why an image / file should not be affected by the GDPR. These are :

  1. File does not depict any identifiable person. These are images or files that do not contain anything that can be classified as personal information, such as nature images, illustrations, logos, etc.
  2. Historical image. As soon as a person dies, it does not count as personal data, and you therefore do not need to take into account the GDPR. However, there may be some exceptions if images can in some ways be linked to now living people.
  3. Artistic / journalistic image. Images intended for artistic and journalistic purposes only are exempt from the GDPR.

For other images and files, you must specify the legal basis you have for storing the image. Article 6 of the Data Protection Regulation lists the six different legal grounds for storing personal data. Based on this, we have created three different options that you can choose from:

  • File contains Identifiable persons available (consent is needed)
    This means that there is no other legal basis, but then a consent from the person ("the registered person") is required that you may handle / store their personal data for one or more specific purposes. (Article 6.1.a)
  • Necessary for fulfilling agreements/obligations
    This means that you must store this image in order to be able to carry out your assignment according to agreement (Article 6.1.b + 6.1.c)
  • Other, consent is not required (legitimate interest)
    This collects other points (Article 6.1.d + 6.1.e + 6.1.f), which mainly says that you must store these images because it "concerns you or a third party's legitimate interests". This can apply to, for example, staff photos, marketing materiall.

For images and files that do contain personal information, but are purchased via an image agreement that guarantees that there is consent (eg from a photographer or image agency), we have added an additional alternative:

  • External agreement exists - stock photo

Pictures with identifiable people

For the images and files that you have chosen "File contains Identifiable persons available (consent is needed)" you must state which persons are included in the image / file in order for the system to be able to determine if there exist an available consent or not.

To mark this, a small pink "person symbol" appears in the lower right of the image view, and you are also informed in the text when you hover the mouse over this icon. These images are available under the category "Consent needed - Persons must be added"  under the main category "Personal data (GDPR)"



If you right-click on such an image, a new option will appear at the bottom of the menu. This option is called Show/tag people

If you click on this, the image is then displayed in a larger mode (same as the display mode "One image at a time") Here you can now click on Manage people in the file.

The people listed in the image are now displayed. If you have purchased the "AI" extension, the face of all the people in the image will already be marked with a box that says "Unknown".

What the system considers to be faces is automatically selected. Otherwise you must indicate where in the picture the person / persons are. To do this, click on the "Add" button to the right of the image. Select the face by clicking and dragging a square, and click again to attach the square. If you were not satisfied, click on the cross at the top right and do it again.

Once you have entered a square (or clicked on an existing unknown person), you can now specify which person it is or search for the person, if this person already appears in your personal register. Alternatively, you can continue to add people and at a later stage specify who they are. In this mode, you can scroll forward and backward through the images and select people.

If you choose to create a new person, you will see the box below. Here you then fill in what the person's name is, any telephone number or e-mail address and even if this is a minor person.

Under the Cog wheel - GDPR - New GDPR Field you can add more fields like "email", "adress" etc depending on your needs.


When you have clicked on save, it now looks like the image below. Now it's time to enter / create consent.

Now you fill in the name of the agreement, what type of agreement it is and then you can attach a consent if you have it available on file. (A picture of a handwritten consent works).

The name of the agreement can be anything. A logical name simplifies things down the line

Alternatively, it is possible to obtain consent digitally, Choose this under type of agreement. This is sent out with a consent template by text message or e-mail. This will then be able to be signed via email, sms or bankID (or other similar service depending on whats available in your country)

 

Digital Signing (SMS)

We are continuously expanding to be able to sign digitally from more countries - contact support@mediaflow.com for more info

Digital Signing (Email)

We are continuously expanding to be able to sign digitally from more countries - contact support@mediaflow.com for more info

Overviews and status

In the category tree on the left there is now a new main category called "Personal Data (GDPR)"
with various shortcuts to overviews and status information.

All categories lead to a file view that contains the images in question. This can be both images that need to be managed, for example "Files that do not have GDPR status"  or "Consent needed" .

To see images with a certain status, click on for example "External agreement / Stock photo"  to show all images which has been marked with this legal reason by you.

If the AI function is activated, the category "Tag people in file"  is automatically filled with images when the system has found images where a person seem to exist. Although the system automatically recognizes some people from previous tags, they are not automatically connected.

Manual input from a user is required to confirm the validity of such findings to confirm the status along with a consent connection if the image does indeed feature a person.

 

 

GDPR/Index of persons

In the left menu you will find the GDPR module. Here is a list of all the people who have been added to the GDPR registry. Here you can see files used, person tagging along with more. You can also manage the person and their consents from here as well as obtain new consents via the right side panel.

If you click on a person in the list, the same management box will appear as before where you have the option of administering the user with regards to GDPR. Above the list of people, you can easily filter and search for people. For example, you can directly get all people who do not have consent, all minors and all people who are included in images that have been used in any context with reported downloads, for example via portals or on the web.

The small thumbnail image that represents the person is automatically generated based on the first image in which he or she appears.

From the list, you can easily click on the text with the number of files and directly display all images or files in which the person appears. If there is no consent for a person, it is clearly marked in red in the list.

 

Information in the right side info panel

When you select an image that contains personal information, the right info panel shows more information. Here you can manage consents and you can also click on Add to add a new consent much like the previous steps above.