GDPR from the perspective of event organizers

Event organizers need to be prepared for and aware of changes on how data protection and privacy legislation is enforced and that this responsibility goes far beyond the IT and legal departments of their organization. The marketing and operations departments of any company that organizes events (in Europe or elsewhere) must be aware of the obligations and, in our opinion, take advantage of the GDPR”wave” to differentiate its events from the others.

In fact, events by their very nature generate a massive amount of personal data, which is collected in a number of ways, from registration forms to mobile applications, questionnaires, registration in WiFi networks, requests for information, etc. An endless amount of means is at the disposal of each organizer.

There is a huge responsibility for agencies and event organizers, as they have to ensure that their event data is protected and that they choose the technology providers and technologies most appropriate for their events. Not only will they have to rely on trustworthy suppliers, but also ensure that the data processing (and integration between the various suppliers) respects the personal data of each visitor, supplier or employee.

Read also about the minimum GDPR requirements for your event and know more about the impact of the GDPR on your events.

What are the rights of event participants?

Event participants have the right to:

  • Access all personal information that has been collected/stored by the organizer
  • Understand to what end the information is being used
  • Requesting or performing the correction of errors
  • Stop or restrict the use of their data
  • Retrieve and reuse their personal data
  • Ask for the total erasure of their data

And the obligations of the organizers?

For their part, event organizers must ensure compliance with participants’ rights by ensuring that:

  • Their personal data is stored securely
  • They respond to any request for data access within a maximum of 30 days (without charging for this access)
  • They use data in a transparent, appropriate and properly consented way
  • They have data control/processing procedures
  • They implement measures of minimization and correction of errors and that are able to definitively erase the data
  • They can respond within 72 hours to any leak of personal data

Return to our GDPR index: Are your events ready for the GDPR?

Still have questions about this? Talk to us!


Sergio Pinto

Sergio Pinto

With more than 15 years of experience in IT and telecom industry has passed the last years investigating and developing tech solutions for the events industry.