Organizing an event? If you're covered by the General Data Protection Regulation (GDPR), you have some work to do to ensure you're complying with the law.
We'll also tackle some of the most common GDPR questions from event organizers regarding attendee lists and name tags.
- 1. How the GDPR Impacts Events
- 1.1. Personal Data Collected for Your Event
- 1.2. Legal Basis for Processing Personal Data for Your Event
- 1.2.1. Consent
- 1.2.2. Contract
- 1.2.3. Legal Obligation
- 1.2.4. Vital Interests
- 1.2.5. Public Task
- 1.2.6. Legitimate Interests
- 1.3. Applying Principles of Data Processing to Event Data
- 1.5. Other GDPR Considerations for Events
- 2. Can We Hand Out Name Tags Under the GDPR?
- 3. Can We Share an Attendee List with Sponsors Under the GDPR?
- 4. Summary
How the GDPR Impacts Events
There are many GDPR considerations if you're organizing a conference, exposition, or any other type of event.
The GDPR applies if you are based in or targeting people in the EU (or Iceland, Liechtenstein, Norway, or the UK).
Let's look at what you'll need to consider.
Personal Data Collected for Your Event
You'll almost certainly need to process (collect, share, erase, or otherwise use) some personal data when organizing, promoting, and putting on an event.
Here are some examples of the categories of personal data that might be relevant to your event:
- First and last names: To enable people, speakers, or exhibitors to register for the event
- Email addresses: To send a booking confirmation and tickets
- Postal addresses: To send paper tickets
- Phone numbers: For communicating with attendees, exhibitors, or speakers
- Social media handles: To promote the event
- Headshots: To promote speakers in marketing materials
- Payment information: To process payment for tickets
- Industry or demographic information: To learn about your event's attendees
- Dietary requirements: To ensure there is suitable food for all speakers and attendees
- Disability information: To ensure your venue or platform is accessible
- Comments or feedback: To help improve future events
This is just the tip of the iceberg. The GDPR has a broad definition of "personal data."
Personal data might also include data collected by cookies or other trackers on your website. If you include a barcode or QR code on your name tags, this could constitute personal data.
And remember that personal data can be about your attendees, exhibitors, sponsors, speakers, partners, or employees - any identifiable living individual.
A good start to ensuring GDPR compliance at your event is to figure out what personal data you're likely to process.
Legal Basis for Processing Personal Data for Your Event
Whenever you intend to process personal data, you must determine your legal basis. If you do not have a legal basis for processing, you cannot proceed.
There are six legal bases for processing under the GDPR. Not all of them are likely to be relevant to you. Let's consider how the legal bases for processing might apply to your event.
Consent
You can process someone's personal data if you have their consent. You must still meet all other relevant GDPR principles and requirements.
Under the GDPR, consent must be:
- Freely given
- Given via a clear, affirmative action
- Easy to withdraw
This is a high bar. You should only request consent where people have a genuine, free choice and can change their minds.
You could consider relying on consent for the following types of activities:
- Printing name tags
- Sharing attendees' contact details with sponsors
- Using speakers' headshots in promotional materials
- Setting cookies on your website
- Sending marketing materials to website visitors, attendees, or speakers (this might not be necessary if they use a corporate email address)
Remember that you must enable people to withdraw their consent. If you need to process personal data in a given way, consent is unlikely to be the right legal basis.
Contract
You can process someone's personal data if it's necessary in order to perform or enter into a contract with that person.
You probably have several "contracts" relevant to your event, including:
- Your Terms of Service for attendees
- The terms of sale for tickets
- A contract covering a paid speaker's appearance
You might need to rely on "contract" to process the following types of personal data:
- Names, for registration purposes
- Email address, for booking confirmation
- Mailing address, to send paper tickets
- Payment information, to process payments
- Speakers' names and headshots, for promotional purposes (if this is a contractual term)
If you don't need someone's personal information in relation to a contract, then "contract" is not the right legal basis.
Legal Obligation
Any organization can be required to provide personal data to the police or the courts. You might also need to comply with safeguarding, or diversity, equity, and inclusion laws.
Vital Interests
You can process personal data to protect someone's life or health. This might be relevant if an emergency situation arises at your event.
Public Task
You can process personal data to perform a task in the public interest under official authority.
This legal basis is only likely to be relevant if you're a public sector organization or acting on behalf of a public sector organization.
Legitimate Interests
The legal basis of "legitimate interests" is the most flexible legal basis, but probably the least understood. You can process personal data if:
- You need to process personal data for a legitimate, lawful purpose
- The processing benefits your organization or a third party
- The benefits of the processing outweigh any risks to individuals
For more information, read our article on the Three-Part Test for Legitimate Interests Under the GDPR.
Legitimate interests might be relevant to some activities related to your event. For example:
- Printing name tags (you could alternatively get consent for this)
- Publicizing speakers
- Taking photos of the event
- Analyzing attendee information for internal purposes
- Sending marketing emails to existing customers
People have the right to object to ("opt out" of) your use of their personal data under the "legitimate interests" basis. You should consider requests carefully and comply with them unless you can show that your interests outweigh those of the person objecting.
Applying Principles of Data Processing to Event Data
Under the GDPR, you must apply the "principles of data processing" whenever you process personal data.
All of the principles apply to events:
- Purpose limitation: Don't collect personal data for one purpose and use it for another, incompatible purpose. This might be relevant if you plan to sell attendee lists to sponsors. There are exceptions to this principle, including where you have consent.
- Data minimization: Don't collect personal data unless you need it for a specified purpose. Do you need attendees' phone numbers to keep in touch? Do you need their job titles to help you understand your audience? Do you even need name tags? Maybe, or maybe not.
- Accuracy: Make sure personal data is accurate and (if necessary) up-to-date. For example, you could check personal details after registration, and allow people to amend or update them. Make sure you're publishing correct information about speakers.
- Storage limitation: Don't keep personal data for longer than necessary. Develop a Data Retention Policy and make sure you can demonstrate your reasons for storing all types of personal data.
- Security: Apply technical and organizational measures to keep personal data secure. Think about who can access things like contact details, attendee lists, or lists of sponsorship prospects. More sensitive personal data requires stronger security.
Read our Principles of the GDPR article for a detailed look at the principles.
- The types of personal data you process
- Your purposes and legal bases
- People's rights under the GDPR
Other GDPR Considerations for Events
There are several other GDPR considerations when organizing an event, including:
- Data subject rights: You must allow people to request access to their personal data, and to delete or correct their personal data under certain circumstances.
- Data Processing Agreements: If you share personal data with other organizations, you might need to put contracts in place.
- Special category data: Information about attendees' dietary requirements and disabilities requires special protection under the GDPR.
- International data transfers: The GDPR includes strict rules about transferring personal data out of the EU (or any other country where the GDPR applies).
These requirements might feel overwhelming at first, but data protection is a legal requirement that should benefit your company in the long term.
Can We Hand Out Name Tags Under the GDPR?
The GDPR does not prevent you from providing name tags for attendees. As always, you must have an appropriate legal basis.
The relevant legal bases for printing and distributing name tags are likely to be:
- Consent: You could ask each attendee for consent. If you ask a person for their consent, you cannot print their name badge unless they accept. You must allow the person to withdraw consent.
- Legitimate interests: If you determine that printing name badges is in your legitimate interests, you could print everyone a name badge by default. You must tell people that you intend to do this and allow them to object.
Consider how you can comply with the principles of data processing in creating, distributing, storing, and destroying the name tags.
Can We Share an Attendee List with Sponsors Under the GDPR?
Some companies monetize events by selling attendees' personal data to sponsors. The GDPR does not specifically prohibit this practice, but there are serious data protection considerations.
You should identify whether you have a legal basis for such an activity. In this case, the most appropriate legal basis is likely to be "consent."
Relying on "consent" means that each attendee must "opt in" under the GDPR's conditions for consent (see above) before you can share their personal data for this purpose.
You could consider whether you can rely on "legitimate interests." However, your interests might not prevail against your attendees' interests in the "three-part test."
There are many other GDPR implications.
- You should not require people to "consent" to the sale of their personal data as a precondition of their attendance.
- Think about how you can be transparent with attendees and whether they will reasonably expect you to share their data in this way.
- Consider how you can minimize the amount of data received by sponsors. Most sponsors want contact details for marketing purposes. If not, can you provide statistical information instead?
Summary
If you're running an event, you must take data protection seriously.
We've looked at how the GDPR's legal bases, principles, and other provisions impact events. We've also considered common questions around name tags and attendee lists.
Remember to only collect personal data that you need, and that you can justify the need for. Protect the data, and strive to obtain consent for processing the data.