Legal guide · 2026

360° tours and GDPR. A complete guide for sensitive industries 2026

Igor Biały · Lokal360 · 11 min read

In short (TL;DR)

A 360° tour published on Google Maps is GDPR-compliant if 4 rules are observed: 1) the session happens outside opening hours, with no clients / patients / children on site (empty rooms), 2) computer screens are off or show neutral content, 3) documents with personal data are put away, 4) boards with staff names / photos require written consent. For sensitive industries (medical, dental, law firms, kindergartens, beauty salons) this guide provides 12 pre-session checkpoints.

  • Clinic / practice: empty rooms, monitors without patient data, patient cards covered.
  • Law firm: documents put away, no case files on the desk.
  • Kindergarten: session during holidays or weekends, empty rooms, anonymous children's artwork.
  • Beauty salon: client records put away, no before/after photos on display.

Why this guide

Every business considering a 360° virtual tour on Google Maps faces one question: can I legally show my interiors online? For a typical restaurant or shop the answer is simple: yes, with very few requirements. For sensitive industries (medical, dental, law firms, kindergartens, beauty salons) the answer requires 12 pre-session checkpoints.

We have been producing tours for sensitive industries for several years. This guide writes down the practical protocol we use for every clinic, practice, law firm, kindergarten and salon. This is not formal legal advice (I am not a qualified lawyer), but a practical checklist that we work from.

4 general rules for every industry

1. Session outside business hours

A 360° tour publishes panoramas on Google Maps in which the whole interior is visible. If a client / patient / child is present during the session, their image becomes publicly visible without their consent. If the salon owner is doing a client's manicure during the session, that client ends up on the panorama. That violates GDPR and image rights (Polish Civil Code art. 81).

Solution: a session during closed hours (Saturday morning 7:00-9:00, Monday evening, Sunday). Standard Lokal360 protocol. For sensitive industries this point is absolutely non-negotiable.

2. Computer screens free of personal data

Clinic reception, lawyer's desk, beautician's workstation: all of them have a monitor, often showing an open patient record, an open email or an appointment calendar. All of it contains personal data (first name, surname, phone, email, sometimes national ID and diagnoses). A 360 panorama will show these screens in high resolution.

Solution: monitors off or showing neutral content (company logo, screensaver, patient instructions). 5 minutes of work per workstation before the session. We verify each one together with the client at the start of the session.

3. Documents put away

Staff desks often have paper documents with personal data: patient cards, contracts, work orders, invoices with client names, kindergarten enrolment lists. The panorama will show them, legibly.

Solution: all paper documents containing personal data put away in drawers or binders for the duration of the session. Desks clean or stocked with neutral materials (brochures, info posters, marketing materials).

4. Staff image: written consent

If a staff member is visible on the panorama (receptionist, doctor, hairdresser, lawyer), this requires written consent for distribution of their image (Polish Civil Code art. 81). The consent template is short, 1 page A4, with the clause "consent to publication of the image on Google Maps as part of the 360 virtual tour of [company name]".

Solution: it is usually simpler to run the session without staff (empty interiors). Or: a staff member anonymously in the background, not in full focus (panorama from a distance, side profile). After the session we review together with the client whether anyone is identifiable.

Industry-specific checklists

Medical / dental / veterinary clinic

A sensitive industry with the strictest GDPR rules. Additional points:

  • X-rays and ultrasound images on walls with patient data covered (a sticker or a substitute image).
  • Patient cards off the desk (in the "to scan" tray).
  • Phone with an open visit log turned off.
  • Boards with specialist names allowed (public information, diplomas).
  • Diplomas on walls allowed (public information).

Typical session: Saturday morning (7:00-9:00 before the first appointment). Time: 4-5 hours for a clinic with 6 consulting rooms. See our dedicated page: 360 tour for a clinic.

Law firm / legal counsel / notary

Here GDPR meets professional secrecy (Polish Bar Act, Polish Legal Counsels Act). Additional points:

  • Client files locked in closed cabinets.
  • Boards with client names allowed only with their written consent.
  • Conference rooms empty (no documents on the table).
  • Books / publications on shelves OK.
  • Attorney / legal counsel diplomas on walls OK.

Typical 8-panel package (899 PLN): reception + 2 conference rooms + lawyer's office + legal library + client meeting room. See: 360 tour for a law firm.

Kindergarten / nursery / childcare facility

The most sensitive industry, because it involves the image of children (special protection under GDPR art. 8 and the Convention on the Rights of the Child). Additional points:

  • Session ONLY during holidays, weekends or public holidays: zero children in the building.
  • Children's artwork on walls (drawings, posters) allowed only when anonymous (no names on the back).
  • Boards with children's names (group lists) taken down or covered.
  • Visitor books / activity logs put away.
  • Photos of children from events on walls taken down (unless parental consent has been obtained).
  • Toys and furniture OK to show in the panorama.

Typical 8-panel package (899 PLN): reception + cloakroom + 2 day rooms + activity room + dining room + playground + bathroom. See: 360 tour for a kindergarten.

Beauty salon / hairdresser / podiatry

GDPR + image rights of clients. Additional points:

  • Client records (health information) put away in locked drawers.
  • Before/after client photos on display taken down or covered (unless written consents are in place).
  • "Intimate" zones (treatment room, bathroom) shown, but without clients present.
  • Brand displays of product manufacturers on shelves OK (no personal data).
  • Online booking displays (on screens) turned off.

12 pre-session checkpoints (checklist)

Copy this checklist before a session in a sensitive industry. We go through every point together with the client before the first panorama.

  1. Session held outside the hours when clients / patients / children are present.
  2. All monitors off or showing neutral content.
  3. Documents containing personal data put away in drawers.
  4. Boards with names of clients / patients / children taken down or covered.
  5. Patient / client cards stored in binders.
  6. X-ray / diagnostic images with names removed.
  7. Before/after client photos on display taken down (unless consent exists).
  8. Staff aware of the session (consent to appearing in the background or staying in another room).
  9. Client / patient files in closed cabinets.
  10. Interior staged as a "typical working day", but without people.
  11. Personal items of staff (bags, phones) put away.
  12. Posters / boards with current promotions left in place (this is public marketing information).

Who is legally responsible if something goes wrong

The personal data controller (i.e. the business owner, clinic, law firm) bears the main responsibility for GDPR compliance of the tour. Lokal360, as the contractor, is a "data processor" under GDPR art. 28. Our standard contract includes a clause about the GDPR protocol and the client's responsibility for preparing the session.

In practice: if we apply the 12-point checklist together before the session, the risk is minimal. After the session we run a quick review of the panoramas with the client before publication. The client accepts them or asks for a correction (covering something, retouching a specific element). Only after acceptance do we publish on Google Maps.

If, after publication, it turns out we missed something (a GDPR breach), we will carry out a correction (panorama edit removing a specific element) under a 14-day warranty. After 14 days, a full re-session or a targeted correction follows the terms we agree on.

FAQ

Do I need written consent from every employee?

Yes, if the employee is visible on the panorama (identifiable). No, if employees are not present during the session (empty interior). By default we run the session without employees, so consents are not needed.

Can I remove panoramas after publication?

Yes. The owner of the Google Business Profile listing can remove any panorama from the GBP dashboard. Google reaction time: 24-48h.

What if a client (e.g. a patient) demands the tour be removed?

An individual client can demand removal only if they are on the panorama (GDPR art. 17, right to be forgotten). If there are no identifiable people on the panoramas, and the tour only shows rooms, the client cannot demand removal of the interior of the building itself (that is not personal data).

Does the tour require a clause in the website / privacy policy?

Yes, we recommend it. A short note in the privacy policy: "We publish a 360 virtual tour of the company on our Google listing. The tour covers only publicly accessible rooms, without identifiable persons. Producer: [contractor name]." 2-3 sentences are enough.

Do I need UODO (Polish DPA) approval before ordering a tour?

No. UODO (the Polish Data Protection Authority) does not require prior approval for ordinary processing (publishing interior photos). It is enough to meet GDPR requirements (transparent policy, legal basis, no personal data in the panoramas themselves).

What if clients walk in during the session?

By default the session runs during closed hours. If an unexpected client enters during the session, we pause the panorama, wait until they leave, then continue. Panoramas captured with an outside person present are deleted or reshot.

Questions about a tour for your industry?

First call is free. We will tell you concretely which checklist points apply to your practice / law firm / kindergarten / salon, and which interiors we will show.
