Table of Contents
Setting up a general GDPR consent workflow in Fotoware
17. June 2025
Table of Contents
Customers often ask how Fotoware can be used to manage GDPR for staff pictures.
Below is a framework for a generic GDPR configuration that can be expanded to accommodate customers' needs.
GDPR specific field configuration:
The fields below are used to describe the person(s) depicted, as well as the approval given for different types of use. The taxonomy of the "Use" field can be adapted to suit the organization's needs.
- Employee name (Single-entry field)
- Employee ID (Single-entry field)
- Consent Status (Values selectable using taxonomy)
- Approved
- Pending
- Withdrawn
- Use (Bag field to allow more than one value, values selectable using taxonomy)
- Social Media
- Website
- Internal
Important: Additional fields (Title, Description, Tags etc) can be added according to the customers' wishes to further describe each asset.
Markers
The markers below are displayed on the assets to allow a user to identify the GDPR approval state and the use for which approval is given. Usage may vary from one customer to another, so there may be additional uses set up in each individual case.
Actions
While the GDPR fields are filled in during upload of the asset(s), additional actions are required to update the consent of assets post-upload, for example when consent to use an asset has been withdrawn.
The actions execute a macro that updates the consent status field on the selected assets.
- Action: Grant consent - Macro to set Consent Status: Approved. This, in turn, will cause the Consent - Approved marker to display on approved assets.
- Action: Withdraw consent - Macro to set Consent Status: Withdrawn. Consequently, the Consent - Withdrawn marker will be displayed on assets whose usage consent is withdrawn.
Access lists
Access lists are used to control who can run the above actions, as well as access lists in the archives. Regular users can only see content that has been approved - this is handled through a search filter on the users' entry in the access list - typically it goes something like (IPTCxxx contains (Approved))
Consent forms
Some businesses may deal with consent forms where an employee states how the pictures of him/her can be used. By uploading the consent form along with the batch of pictures/video, it can be tagged with the same Employee ID as the assets. Then, searching for the employee ID will return all the photos as well as the consent form.
Another approach is to assign a batch number to the form and the associated pictures. That way, it will be possible to grant different types of use for pictures of the same employee based on the batch number.