GDPR from the perspective of event organizers

Event organizers need to be prepared for and aware of changes in data protection legislation and how it is applied. They must also be aware that this responsibility goes far beyond the IT and legal departments of their organization. The marketing and operations departments of any company that organizes events (in the European Union or elsewhere) must be aware of the obligations and, in our opinion, take advantage of the GDPR "wave" to differentiate their events from the others.

In fact, events by their very nature generate massive processing of personal data, which is collected in a number of ways, from registration forms to mobile applications, questionnaires, registration in WiFi networks, requests for information, etc. Each organizer has countless means of collection at their disposal.

There is a huge responsibility for agencies and event organizers, as they have to ensure that their event data is protected and that they choose the technology providers and technologies most appropriate for their events. Not only will they have to rely on trustworthy suppliers, but also ensure that the data processing (and integration between the various suppliers) respects the personal data of each visitor, supplier or employee.

Read also about the minimum GDPR requirements for your event and learn more about the impact of the GDPR on your events.

What are the rights of event participants?

Event participants have the right to:

  • Access all personal information that has been collected/stored by the organizer;
  • Understand to what end the information is being used;
  • Request or perform the correction of errors;
  • Stop or restrict the use of their data;
  • Retrieve and reuse their personal data;
  • Ask for the total erasure of their data.

And the obligations of the organizers?

For their part, event organizers must ensure compliance with participants’ rights by ensuring that:

  • They have a legal ground for processing data;
  • The rights of prior information to data subjects have been fulfilled (for example, by communicating a privacy policy or notice);
  • Participants' personal data is stored securely;
  • Data is not kept for longer than legally permitted;
  • They respond to any request for data access within a maximum of 30 days (without charging for this access);
  • They use data in a transparent, appropriate and proper way, with a due legal basis, be it a contract, the consent of the data subjects or the legitimate interest of the company;
  • They have data control/processing procedures;
  • They implement data minimization and error correction measures and are able to definitively erase the data;
  • They can respond within 72 hours to any leak of personal data;
  • Data is only accessed by or communicated to other entities with the data subject's knowledge;
  • This access or communication is made on the basis of a contract between the two entities that regulates the responsibilities regarding the protection of personal data.



Sergio Pinto


With more than 15 years of experience in the IT and telecom industry, he has spent the last years investigating and developing tech solutions for the events industry.