What exactly does “comply with” and conform to the GDPR mean?

In summary, and in principle, the GDPR privileges the rights of individuals over that of companies. We list below some of the main obligations arising from compliance with legislation:

  1. Consent: event organizers are required to obtain and store the consent of each of the participants, which must also be obtained in a clear and objective manner. As stated in the article “What is the GDPR? Basic information on data processing”, consent must be based on a free and informed decision of the user.
  2. Breach notification: The GDPR defines mandatory notification to users and authorities whenever a security breach occurs, which must be done within 72 hours.
  3. Access: Organizers will always have to be prepared to provide digital copies of event attendees’ registrations and inform of the data storage location and the purpose of its treatment. If a participant requests access, it must be made available within 30 days.
  4. Right to be forgotten: any citizen or European resident can at any time not only ask to have their data erased, but also for it to stop being shared with any third party (hotels, venues, sponsors, etc.), and these entities will also have to stop processing that data.
  5. Data portability – individuals are given the possibility to request a copy of their previously submitted personal data and/or to transfer it to another organization (which may be a competitor). The information will have to be provided in a commonly used format so that the new organization is able to use it immediately.
  6. Privacy by design – data security is required to be integrated into all products and processes from scratch. This applies to – but not only – technological systems that help store and organize personal information of the attendees. Other systems in the company, such as CRM, billing systems, etc., will also have to meet this requirement.
  7. DPO – Data Protection officer – there must be a person within the organization responsible for compliance with the GDPR.

Return to our GDPR index: Are your events ready for the GDPR?

Still have questions about this? Talk to us!


Sergio Pinto

Sergio Pinto

With more than 15 years of experience in IT and telecom industry has passed the last years investigating and developing tech solutions for the events industry.