Data protection in the film industry - mystery, documentary or material for sheer horror?

When we think of films and series, exciting thrillers, heartfelt stories or pure action spring to mind. If we think of data protection, few will feel fiery emotions. But in the background, data protection, which has been much talked about in recent years, plays an important role. Beyond directors, actors and actresses, scriptwriters and screenwriters, a film work unites a multitude of participants. And with all these participants come data, data and more data. Data wherever the eye looks, as the image of people is personal data as well What should production companies and clients such as broadcasters, studios or streaming platforms consider so that data protection law, including the General Data Protection Regulation (GDPR), does not provide material for an unintentional horror film?

Sneak peak at the legal background

The most important legal bases of data protection law are the GDPR and the Federal Data Protection Act (BDSG). In general terms, all information that allows to drawn conclusions about an identifiable natural person is protected. All this data is "personal data". The use of personal data is not forbidden in every case. There are various reasons ("legal grounds") that allow for the use of personal data.

Recognised legal grounds are, for example, the fulfilment of contractual obligations (if the data is not used, the contract cannot be fulfilled), overriding legitimate interests of the user or the consent of the natural persons. Now you might think that it's quite easy : you simply get consent for each case. Unfortunately, it is not that easy, because consent has a decisive disadvantage compared to other legal bases: it can be freely revoked at any time.

In any case, the transfer of data to countries outside the EU, especially to the USA, is problematic. Due to a ruling by the European Court of Justice, data transfer to the USA without contractual obligations (Standard Contractual Terms) for full encryption will generally not be compliant with data protection. This, in turn, can only be waived if the data transfer represents a fulfilment of contractual obligations.

Do the individual contracts have to contain data protection clauses? No, as a rule this is actually rather harmful. A mere reference to the data protection notice is sufficient. Consents, insofar as they are advisable at all, should in any case be obtained separately from the contractual relationship.

Data protection from the perspective of production companies

In the course of the production of a film work, production companies gather a large number of participants (cast & crew) and inevitably process their personal data. The legal basis for this processing is the fact that the processing is necessary for the performance of the contracts with cast & crew. An explicit consent from Cast & Crew is therefore not required and should not be obtained for the purposes of the production and exploitation of the films and series (as consent can always be withdrawn). Only if the producer wants to be able to use this data without reference to the film or series, e.g. invitations to events, newsletters and contacting for further productions, would such consent be required. However, this should then be strictly separated and obtained separately from the concluded cast & crew contracts. In any case, it is important to inform all participants comprehensively and transparently about the use of data by handing out so-called privacy policies.

Data protection from the perspective of the commissioning broadcasters, streaming providers or studios

The commissioning broadcasters, streaming providers or studios behind the production company also have an interest in using data of the persons involved in the production of the film work. In general, however, the commissioning parties will not have direct contractual relationships with cast & crew . Therefore, the use of the data cannot be justified by the fulfilment of contractual obligations. In this constellation, one of the other legal bases mentioned above often comes into play, the overriding legitimate interest in use. The concept of legitimate interest encompasses many possible considerations. However, it is necessary in every case to weigh the interests of the commissioning party against the interests of the person whose data is being used. Also, all parties involved must in turn be informed about the use of data by an additional privacy policy from the principal. From a practical point of view, only the production company will be able to hand out the privacy policy of the commissioning party to the cast and crew. It is therefore important that the production company is obliged to ensure this. Commissioning parties should not rely on obtaining consent from cast & crew. Even if this is successful, these consents can be revoked at any time.

We are happy to answer questions and provide advice in individual cases.