Organizing an event? If you're covered by the General Data Protection Regulation (GDPR), you have some work to do to ensure you're complying with the law.

This article will look at the main GDPR considerations for event organizers, including identifying a legal basis for collecting personal information, applying the principles of data processing, and creating a GDPR-compliant Privacy Policy.

We'll also tackle some of the most common GDPR questions from event organizers regarding attendee lists and name tags.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



How the GDPR Impacts Events

There are many GDPR considerations if you're organizing a conference, exposition, or any other type of event.

The GDPR applies if you are based in or targeting people in the EU (or Iceland, Liechtenstein, Norway, or the UK).

Let's look at what you'll need to consider.

Personal Data Collected for Your Event

Personal Data Collected for Your Event

You'll almost certainly need to process (collect, share, erase, or otherwise use) some personal data when organizing, promoting, and putting on an event.

Here are some examples of the categories of personal data that might be relevant to your event:

  • First and last names: To enable people, speakers, or exhibitors to register for the event
  • Email addresses: To send a booking confirmation and tickets
  • Postal addresses: To send paper tickets
  • Phone numbers: For communicating with attendees, exhibitors, or speakers
  • Social media handles: To promote the event
  • Headshots: To promote speakers in marketing materials
  • Payment information: To process payment for tickets
  • Industry or demographic information: To learn about your event's attendees
  • Dietary requirements: To ensure there is suitable food for all speakers and attendees
  • Disability information: To ensure your venue or platform is accessible
  • Comments or feedback: To help improve future events

This is just the tip of the iceberg. The GDPR has a broad definition of "personal data."

Personal data might also include data collected by cookies or other trackers on your website. If you include a barcode or QR code on your name tags, this could constitute personal data.

And remember that personal data can be about your attendees, exhibitors, sponsors, speakers, partners, or employees - any identifiable living individual.

A good start to ensuring GDPR compliance at your event is to figure out what personal data you're likely to process.

Legal Basis for Processing Personal Data for Your Event

Whenever you intend to process personal data, you must determine your legal basis. If you do not have a legal basis for processing, you cannot proceed.

There are six legal bases for processing under the GDPR. Not all of them are likely to be relevant to you. Let's consider how the legal bases for processing might apply to your event.

You can process someone's personal data if you have their consent. You must still meet all other relevant GDPR principles and requirements.

Under the GDPR, consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Given via a clear, affirmative action
  • Easy to withdraw

This is a high bar. You should only request consent where people have a genuine, free choice and can change their minds.

You could consider relying on consent for the following types of activities:

  • Printing name tags
  • Sharing attendees' contact details with sponsors
  • Using speakers' headshots in promotional materials
  • Setting cookies on your website
  • Sending marketing materials to website visitors, attendees, or speakers (this might not be necessary if they use a corporate email address)

Remember that you must enable people to withdraw their consent. If you need to process personal data in a given way, consent is unlikely to be the right legal basis.

Contract

You can process someone's personal data if it's necessary in order to perform or enter into a contract with that person.

You probably have several "contracts" relevant to your event, including:

  • Your Terms of Service for attendees
  • The terms of sale for tickets
  • A contract covering a paid speaker's appearance

You might need to rely on "contract" to process the following types of personal data:

  • Names, for registration purposes
  • Email address, for booking confirmation
  • Mailing address, to send paper tickets
  • Payment information, to process payments
  • Speakers' names and headshots, for promotional purposes (if this is a contractual term)

If you don't need someone's personal information in relation to a contract, then "contract" is not the right legal basis.

You can process personal data to comply with the law. This might not come up, but it's important to let people know about your legal obligations in your Privacy Policy (we'll cover that later in this article).

Any organization can be required to provide personal data to the police or the courts. You might also need to comply with safeguarding, or diversity, equity, and inclusion laws.

Vital Interests

You can process personal data to protect someone's life or health. This might be relevant if an emergency situation arises at your event.

Again, hopefully, you won't need to consider this. But you must still be transparent about the possibility in your Privacy Policy.

Public Task

You can process personal data to perform a task in the public interest under official authority.

This legal basis is only likely to be relevant if you're a public sector organization or acting on behalf of a public sector organization.

Legitimate Interests

The legal basis of "legitimate interests" is the most flexible legal basis, but probably the least understood. You can process personal data if:

  • You need to process personal data for a legitimate, lawful purpose
  • The processing benefits your organization or a third party
  • The benefits of the processing outweigh any risks to individuals

For more information, read our article on the Three-Part Test for Legitimate Interests Under the GDPR.

Legitimate interests might be relevant to some activities related to your event. For example:

  • Printing name tags (you could alternatively get consent for this)
  • Publicizing speakers
  • Taking photos of the event
  • Analyzing attendee information for internal purposes
  • Sending marketing emails to existing customers

People have the right to object to ("opt out" of) your use of their personal data under the "legitimate interests" basis. You should consider requests carefully and comply with them unless you can show that your interests outweigh those of the person objecting.

Applying Principles of Data Processing to Event Data

Applying Principles of Data Processing to Event Data

Under the GDPR, you must apply the "principles of data processing" whenever you process personal data.

All of the principles apply to events:

  • Lawfulness, fairness, and transparency: Don't process people's personal data in ways that are illegal, unfair, or non-transparent. Ensure your Privacy Policy explains how you will process personal data.
  • Purpose limitation: Don't collect personal data for one purpose and use it for another, incompatible purpose. This might be relevant if you plan to sell attendee lists to sponsors. There are exceptions to this principle, including where you have consent.
  • Data minimization: Don't collect personal data unless you need it for a specified purpose. Do you need attendees' phone numbers to keep in touch? Do you need their job titles to help you understand your audience? Do you even need name tags? Maybe, or maybe not.
  • Accuracy: Make sure personal data is accurate and (if necessary) up-to-date. For example, you could check personal details after registration, and allow people to amend or update them. Make sure you're publishing correct information about speakers.
  • Storage limitation: Don't keep personal data for longer than necessary. Develop a Data Retention Policy and make sure you can demonstrate your reasons for storing all types of personal data.
  • Security: Apply technical and organizational measures to keep personal data secure. Think about who can access things like contact details, attendee lists, or lists of sponsorship prospects. More sensitive personal data requires stronger security.

Read our Principles of the GDPR article for a detailed look at the principles.

Privacy Policy for Events Organizers

Privacy Policy for Events Organizers

You need a Privacy Policy under the GDPR.

Among other things, your GDPR-compliant Privacy Policy should provide information about:

  • The types of personal data you process
  • Your purposes and legal bases
  • People's rights under the GDPR

For more information, see our article Privacy Policy for the EU.

Other GDPR Considerations for Events

There are several other GDPR considerations when organizing an event, including:

  • Data subject rights: You must allow people to request access to their personal data, and to delete or correct their personal data under certain circumstances.
  • Data Processing Agreements: If you share personal data with other organizations, you might need to put contracts in place.
  • Special category data: Information about attendees' dietary requirements and disabilities requires special protection under the GDPR.
  • International data transfers: The GDPR includes strict rules about transferring personal data out of the EU (or any other country where the GDPR applies).

These requirements might feel overwhelming at first, but data protection is a legal requirement that should benefit your company in the long term.

Can We Hand Out Name Tags Under the GDPR?

Can We Hand Out Name Tags Under the GDPR?

The GDPR does not prevent you from providing name tags for attendees. As always, you must have an appropriate legal basis.

The relevant legal bases for printing and distributing name tags are likely to be:

  • Consent: You could ask each attendee for consent. If you ask a person for their consent, you cannot print their name badge unless they accept. You must allow the person to withdraw consent.
  • Legitimate interests: If you determine that printing name badges is in your legitimate interests, you could print everyone a name badge by default. You must tell people that you intend to do this and allow them to object.

Consider how you can comply with the principles of data processing in creating, distributing, storing, and destroying the name tags.

Can We Share an Attendee List with Sponsors Under the GDPR?

Can We Share an Attendee List with Sponsors Under the GDPR?

Some companies monetize events by selling attendee's personal data to sponsors. The GDPR does not specifically prohibit this practice, but there are serious data protection considerations.

You should identify whether you have a legal basis for such an activity. In this case, the most appropriate legal basis is likely to be "consent."

Relying on "consent" means that each attendee must "opt in" under the GDPR's conditions for consent (see above) before you can share their personal data for this purpose.

You could consider whether you can rely on "legitimate interests." However, your interests might not prevail against your attendees' interests in the "three-part test."

There are many other GDPR implications.

  • You should not require people to "consent" to the sale of their personal data as a precondition of their attendance.
  • Think about how you can be transparent with attendees and whether they will reasonably expect you to share their data in this way.
  • Consider how you can minimize the amount of data received by sponsors. Most sponsors want contact details for marketing purposes. If not, can you provide statistical information instead?

You should take advice from your data protection officer (DPO), if you have one. If not, consider taking external advice from a data protection professional or your data protection authority.

Summary

If you're running an event, you must take data protection seriously.

We've looked at how the GDPR's legal bases, principles, and other provisions impact events. We've also considered common questions around name tags and attendee lists.

Remember to only collect personal data that you need, and that you can justify the need for. Protect the data, and strive to obtain consent for processing the data.

You must have a GDPR-compliant Privacy Policy to help ensure you're transparent with everyone involved in your event, including attendees, speakers, sponsors, and staff. You can disclose important information here such as what rights people have under the GPDR when it comes to their personal data.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy