GDPR-compliant corporate videos: pitfalls and best practices
- Christophe Lenaerts
- May 12
Why GDPR and corporate video are inseparable
Every recognizable face in your footage is a personal data point. That is the core principle established in the European Data Protection Board's Guidelines 3/2019 on the processing of personal data through video devices: a face captured on film qualifies as personal data unless the processing falls under a narrow journalistic or artistic exemption. For corporate event managers, that means every townhall recording, every hybrid event livestream, and every aftermovie is a data processing activity that requires a legal basis under GDPR Article 6.
We see this constantly in our work with corporate communications teams across Belgium. The event itself gets planned to the minute, the run-of-show is locked, the multicam direction is sorted, and then someone asks "do we need consent forms?" two days before the shoot. By that point, the compliance gap is already open. The earlier you treat video as a data processing activity, the easier it is to close.
The stakes are real. The GDPR, which came into force in May 2018, applies to all organizations processing personal data of EU residents. Fines are not theoretical: Belgium's Data Protection Authority has issued enforcement decisions against organizations of all sizes, and the Dutch supervisory authority imposed a €3.7 million penalty on the Belastingdienst (Dutch Tax Authority) in 2022 for violations of the AVG, the Dutch name for the GDPR. Corporate video is not exempt from that enforcement landscape.
What are the most common GDPR pitfalls in corporate video production?
The four pitfalls below account for the majority of compliance gaps we identify when we come on board for hybrid events and livestreamed productions.
Pitfall 1: Filming recognizable individuals without a valid legal basis. Capturing attendees at a product launch or shareholders meeting and publishing that footage without explicit, informed consent is the most frequent mistake. Announcing "this event is being filmed" on a slide at the start of a session does not constitute valid consent under GDPR. Consent must be freely given, specific, informed, and unambiguous, per GDPR Article 7. For a townhall with 500 employees across three countries, that means a consent mechanism built into registration, not a disclaimer buried in the event agenda.
Pitfall 2: Assuming "legitimate interest" covers promotional video. Some legal teams advise that Article 6(1)(f) legitimate interest can justify filming attendees for internal communications. That argument is defensible for genuinely internal content with restricted distribution, but it collapses the moment that footage appears on a public YouTube channel, a shareholder webcast, or a branded social post. The EDPB's Guidelines 3/2019 are clear: the more public the distribution, the harder it is to sustain a legitimate interest argument over consent. Promotional video almost always requires explicit consent as the safer legal basis.
Pitfall 3: Viewer data collected by streaming platforms. When you livestream a townhall or investor call through a third-party platform, that platform is processing personal data on your behalf: IP addresses, viewing duration, device identifiers, and in some cases authentication data. If that platform stores data outside the EU without adequate transfer mechanisms, you have a GDPR exposure that has nothing to do with what appears on screen. Choosing a platform with EU-based data hosting and a signed Data Processing Agreement is not optional.
Pitfall 4: No accountability trail. GDPR's accountability principle (Article 5(2)) requires organizations to demonstrate compliance, not just claim it. That means a processing register entry for video production activities, documented consent records, a defined data retention period, and a process for honoring right-to-erasure requests. If a speaker filmed at your quarterly webinar series asks you to delete their footage eighteen months later, you need to be able to do it and prove you did.
How do you collect consent for event video without disrupting the experience?
Build consent collection into the registration flow, not the event itself. The cleanest approach is a registration form that specifies exactly how footage will be used: "recordings may be published on [company website / internal intranet / shareholder portal]" with a clear opt-out option. That specificity matters because consent obtained for internal use does not cover public broadcast.
For in-person attendees who did not pre-register, visible signage at entry points combined with a QR code linking to a consent form satisfies the transparency requirement, provided people have a genuine opportunity to decline and still attend. The EDPB Guidelines 3/2019 address this directly: the power imbalance in employment relationships means employee consent is rarely freely given, so for staff townhalls, a different legal basis — typically a legitimate interest assessment with strict distribution controls — is often more defensible than consent.
Our hybrid event production workflow builds consent checkpoints into the pre-event planning phase so that by the time cameras are rolling, the legal basis is already documented and the production team knows exactly which shots are cleared for which distribution channels.
Which streaming platforms and tools are GDPR-compliant for corporate use?
The non-negotiables are EU-based data storage, a signed Data Processing Agreement, and transparent data retention policies. Platforms that store viewer data on US servers without Standard Contractual Clauses or equivalent transfer mechanisms create a compliance gap that your legal team will flag, and rightly so.
For corporate webinars and investor calls, our enterprise broadcast platform CenterStage is built specifically for high-stakes corporate broadcasts where data control is not negotiable. It combines branded landing pages, speaker and session management, live Q&A moderation, and livestreaming in one operational dashboard, with the data governance controls that listed companies and regulated-sector clients require.
For productions that need a fixed facility, our webinar studio in Zaventem, five minutes from Brussels Airport, handles the full production stack including platform integration, backup recording, and the technical crew, so your internal IT team is not carrying the streaming infrastructure risk on the day of a live CEO keynote.
What should post-production do to fix compliance gaps after filming?
Post-production is your last line of defense, not your compliance strategy. It is, however, a legitimate tool when consent was not obtained for every face in the frame.
Blurring or cropping recognizable individuals in an aftermovie is standard practice and technically straightforward in post. The more important question is whether the footage should be published at all if consent was not collected at source. For wide-angle crowd shots at a product launch, blurring background faces is proportionate. For footage where a specific individual is the subject of the shot, deletion is the cleaner answer.
Data retention applies to the raw footage too, not just the published edit. Raw files containing personal data should have a defined retention period in your processing register and be deleted when that period expires. If you want to understand how professional post-production fits into a compliant workflow, our video production case studies show how we handle this across different event formats.
GDPR compliance checklist for corporate event video
Use this before every production:
Before the event: Add a specific consent clause to registration forms, naming each distribution channel (website, intranet, social, broadcast).
On-site: Post visible filming notices at entry points with a genuine opt-out path. Brief the production crew on which areas and individuals are consent-cleared.
Platform selection: Confirm EU data hosting, a signed DPA, and clear data retention terms before going live.
During livestreaming: For on-site live streaming productions, use redundant connections and a dedicated encoder so a technical failure does not result in uncontrolled footage distribution.
Post-production: Blur or remove non-consented individuals. Set a retention period for raw files. Log the production in your processing register.
Right-to-erasure process: Document how you will honor deletion requests for both published footage and archived raw files.
GDPR compliance in corporate video is not a legal checkbox bolted onto production — it is a production discipline that starts at registration and ends when the last raw file is deleted. Knowing where the four main pitfalls sit means you can close them before cameras roll rather than scrambling in post. To work with a production partner who handles consent workflows, platform compliance, and broadcast reliability in one brief, schedule a conversation with the 2 Stream team and tell us what you have coming up.
Frequently asked questions
Does GDPR apply to internal corporate videos that are never published externally?
Yes. GDPR applies to any processing of personal data, including storage and internal distribution of footage containing recognizable individuals. The legal basis may differ: for employee-facing content, legitimate interest or contractual necessity is sometimes defensible where consent is not freely given due to the employment relationship. However, a processing register entry and a data retention policy are required regardless of whether the video is public or internal.
Do I need consent to film speakers at a corporate event?
Yes, and the consent should be specific about how the footage will be used. A speaker agreeing to present at your conference has not automatically consented to their image being published on your website, broadcast to shareholders, or used in future promotional material. Collect written consent before the event that names each intended use, and keep a record of it.
What happens if a streaming platform stores viewer data outside the EU?
If the platform transfers personal data outside the EU without an adequate transfer mechanism, such as Standard Contractual Clauses approved under GDPR Article 46, you as the data controller are responsible for that non-compliance, not just the platform. Always require a signed Data Processing Agreement and confirm the data storage location before selecting a platform for a corporate livestream.
Can I use "legitimate interest" instead of consent for event video?
Legitimate interest under GDPR Article 6(1)(f) can provide a legal basis for video processing, but it requires a documented balancing test showing that your interest overrides the individual's privacy rights. For promotional or publicly distributed video, this test is hard to pass. For strictly internal content with limited distribution, it is more defensible. When in doubt, consent is the safer and more auditable legal basis.
How long can I keep raw event footage under GDPR?
There is no fixed statutory retention period for corporate event footage, but GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is kept no longer than necessary for the purpose it was collected. Define a retention period in your processing register before the shoot, communicate it in your privacy notice, and delete raw files when that period expires. Published edited footage should follow the same logic.
What is the right-to-erasure obligation for video content?
Under GDPR Article 17, individuals have the right to request deletion of their personal data, including footage in which they appear. You must be able to honor that request for both published video and archived raw files. This means maintaining a record of where footage is stored, who has copies, and having a technical process to delete or irreversibly anonymize the relevant material within the one-month response window set by Article 12(3).
Sources
European Data Protection Board, 2019 — Guidelines 3/2019 on processing of personal data through video devices, establishing that recognizable faces qualify as personal data.
Business.gov.nl, Dutch Government — Official Dutch government guidance on GDPR obligations for organizations processing personal data.



