No doubt Alamy has done its due diligence, and it's possible that some pre-GPDR releases may not be compliant because of the information given without a GDPR statement, but it's unlikely to be because of the photograph as such. I've mentioned this before- a photograph of a person can be personal data, but most stock photographs won't be because they are not taken for the purposes of identifying the subject. How a non-compliant release can be made compliant just by asking the photographer I