Personal data are inseparable from the filmmaking process. The production of films and series involves natural persons, from the director and the screenwriter to actors, extras and other members of the film crew.
For many months now, the subject of personal data has been the focal point of interest, not only for lawyers, due to the GDPR – the new EU regulation on the protection of personal data¹. The GDPR aims at improving personal data protection. GDPR duties apply to anyone who processes personal data.
In this text, we explain what legal aspects of personal data protection need to be kept in mind in the film industry to avoid administrative fines or data subjects’ claims.
The greatest burden of GDPR compliance is on the controller. The controller is an entity (such as a company, a natural person, a public institution) which processes personal data in accordance with a pre-determined structure. They decide how data are to be processed and for what purposes.
The filmmaking process may involve multiple controllers. First and foremost, the role of the controller is assumed by the producer – the entity which takes the initiative and effectively organises and manages the filmmaking process, bearing the responsibility for its creative, organisational and financial aspects. The role of the controller can also be assumed by the executive producer (who is engaged by the producer to deal with all or some of the technical and organisational aspects of the filmmaking process), the crew recruitment agency, the broadcaster or the distributor. Each of them may be a controller of the same data, though the scope in which the data are processed by each will differ slightly.
Co-productions, in which multiple entities enter into a film contract with one another, are a special case, since it might turn out that these entities are joint controllers, and, as such, have to jointly determine the scope and purpose of processing.
What to bear in mind? At the start of every production process, it should be determined who will be processing what kinds of personal data: who will be collecting the data, who will be storing them, who will conclude contracts, who will be making the data available, etc. Determining the roles of each entity in the filmmaking process makes it possible to identify the controller, since it is the controller that will owe a number of duties to individuals.
Who can have access to personal data?
The controller may disclose personal data to others based on:
- Authorisation. The controller’s employees or associates may have access to personal data (for the purposes, for example, of performing agreements or setting the schedule for the production process). Such persons need to have specific written data processing authorisations, whether as stand-alone documents or as clauses in other agreements. Such authorisation should set out the kinds of personal data disclosed and the purposes of the disclosure. Importantly, the authorised persons should be notified of this fact and presented with the text of the authorisation. Authorisation should not merely be an unread attachment to the film crew members’ documentation. The text of the authorisation should contain a confidentiality clause. This is one of the ways of improving data security and preventing people involved in the filmmaking process from disclosing data to third parties.
- Outsourcing. The controller’s contractors or service providers may be engaged to process personal data on behalf of the controller (for example, acting agencies audition actors at the request of the producer). Such entities (processors) need to conclude written data processing contracts with the controller. The GDPR requires the contracts to indicate what kinds of personal data are outsourced and in what scope, for what purposes these data are to be processed, and what the processor should do with the data after the relationship is over (whether the data should be returned or deleted). The producer must also ensure that they have a right to monitor data processing by their processors and to check whether the processors have implemented appropriate security measures, including an incident report system.
- Transfer. This is where personal data are transferred to another controller (e.g. from producer to broadcaster). In this case, with respect to its broadcasts, the broadcaster will be a distinct controller with its own GDPR obligations.
What to bear in mind? The controller should disclose the persons to whom personal data disclosures/transfers are made. The controller should also execute contracts or other documents in support of such disclosures or transfers.
The GDPR specifies numerous obligations that are imposed on the controller. From the perspective of a film producer, the most important of these include the following:
- Each processing activity must have a legal basis. In most situations, the legal basis for processing will be a contract which will allow the controller to process personal data without the need for additional consents or representations. There are some duties which arise directly from the law. If the law requires the processing of certain personal data (e.g. tax or social security compliance), then such data may be processed without any other permissions. The need to process personal data can also arise from the legitimate interests pursued by the controller (e.g. in cases where the actor sues the producer). In such cases, the data required for the defence of claims can be processed to protect the controller’s interests. If the controller needs to process certain personal data which do not fall under any of the above situations, they may obtain the data subject’s consent. This can happen when we want data which are not necessary for the purpose of concluding any contract (such as the age of the data subject, the names of their children, former jobs they have had) or when we want to retain certain data for other productions.
- The controller must follow the principle of transparency. They must ensure that all data subjects are informed of who processes their personal data and to whom their data may be transferred, and of the manner, purpose, legal basis and period of processing. The producer may give such information to data subjects in any form they want. For example, they may include the relevant information in a crew member’s contract or draft a data processing policy which will be individually delivered to the data subjects or published on the producer’s website.
- The producer must ensure personal data security. The IT systems on which the data are processed should be equipped with adequate safeguards. It is also important to ensure a proper organisation of work through designation of secure places for the storage of crew’s personal data. Furthermore, it is worth drafting a personal data processing policy to provide guidance and instructions for crew members. Such a document does not have to be a long list of rules phrased in a sophisticated legal language. A decalogue (“10 rules”) or a DOs and DON’Ts list, for example, will be much more fitting for the purpose.
What to bear in mind? The controller must inform all data subjects of the manner in which their data are processed. The controller is responsible for the actions of their crew and so should provide appropriate training adapted to the filmmaking reality so as to make the staff involved in processing operations more aware of the legal aspects of their work. The producer should also specify rules to be followed by the film crew members which will improve data security.
GDPR – not as black as it’s painted
Personal data processing requires operational co-ordination across three dimensions: the law (compliance), the organisation (data security), and the technology (secure IT systems). Implementing the GDPR does not have to make everyday work on the film set difficult. However, actions to raise the awareness of those responsible for data processing are by all means necessary.
¹Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)