What exactly does it mean to “comply with” and conform to the GDPR?

Since 2018, the rules for the protection of personal data, and the corresponding obligations for companies in the way they treat that data (including data about their own workers), have changed radically.

All businesses and projects must, from the outset, keep in mind data protection legislation:

  • GDPR – General Data Protection Regulation, and
  • The new Portuguese Data Protection Law (no. 58/2019)

In summary, and in principle, the GDPR prioritizes the rights of individuals, as holders of personal data, and establishes a series of obligations for companies, which can incur heavy fines if they fail to meet them.

We list below some of the main obligations arising from this legislation that you should take into account when organizing an event:

  1. Know the basis and purpose of data processing: if you need to request or access personal data, or process data in any other way, you will need to know whether you need to request prior consent from the data subject or whether you are doing so based on a contract. You will also have to keep in mind exactly the “why” of the processing and inform the data subject in detail about the processing operations you will carry out and the measures you take to keep the data safe.
  2. Consent: event organizers are required to obtain and store the consent of each of the participants, which must also be obtained in a clear and objective manner. As stated in the article “What is the GDPR? Basic information on data processing”, consent must be based on a free and informed decision of the user.
  3. Breach notification: the GDPR defines mandatory notification to users and authorities whenever a security breach, loss of data or illegitimate access by a third party occurs; the notification must be made within 72 hours. Depending on the case, the National Data Protection Commission and/or the data subject(s) themselves must be notified.
  4. Access: organizers will always have to be prepared to provide copies of event attendees’ registrations. If a participant requests access to their own data, it must be made available within 30 days.
  5. Right to be forgotten: data owners can at any time ask not only to have their data erased, but also for it to stop being shared with any third party (hotels, venues, sponsors, etc.).
  6. Data portability: individuals are given the possibility to request a copy of their previously submitted personal data and/or to transfer it to another organization (which may be a competitor). The information will have to be provided in a commonly used format so that the new organization is able to use it immediately.
  7. Privacy by Design and Privacy by Default: data security and the lawfulness of data processing must be built into all products and processes from the outset. This applies to, but is not limited to, the technological systems that help store and organize attendees’ personal information. Other systems in the company, such as CRM, billing systems, etc., will also have to meet this requirement.



Sergio Pinto


With more than 15 years of experience in the IT and telecom industry, he has spent the last years investigating and developing tech solutions for the events industry.