Running an event — whether a 500-person annual conference, a monthly webinar series, or a hands-on in-person workshop — means collecting a significant volume of personal data. Names, email addresses, job titles, dietary requirements, payment details, photos, video recordings, badge scans, and post-event email lists all count as personal data under GDPR.
Most event organizers think about GDPR only at the registration form stage. The reality is that GDPR governs every touchpoint: the platforms you use to manage registrations, what you record, who you share data with, how you follow up afterwards, and how long you keep attendee records.
This guide covers every major GDPR obligation for event organizers running both in-person and online events, and includes a practical compliance checklist at the end.
Registration Forms: What Data Can You Collect?
The starting point for GDPR compliance is data minimization: you may only collect personal data that is adequate, relevant, and limited to what is necessary for the purpose.
For a typical event registration, the following data is clearly necessary:
- Full name
- Email address
- Payment information (if the event is paid)
- Company name and job title (if relevant to the event)
A registration form that asks for everything you might possibly find useful is a GDPR problem. Before adding any field, ask: do we actually need this to deliver the event, or are we collecting it out of habit?
Lawful Basis: Contract vs. Consent
Under GDPR, every act of processing personal data requires a lawful basis. For event organizers, the two most relevant bases are contract and consent.
Contract is your basis for operational data — the information you need to process a booking, send event details, issue an invoice, and admit attendees on the day.
Consent is required for anything beyond what is necessary to deliver the event: marketing communications about future events, sharing attendee data with sponsors or exhibitors, optional profile data used for networking features, and any use of photos or recordings in marketing materials.
Consent under GDPR must be freely given, specific, informed, and unambiguous. A pre-ticked checkbox or a buried clause in your terms does not meet the standard.
Special Category Data: Dietary Requirements and Accessibility Needs
Dietary requirements and accessibility information are where event organizers most commonly stumble. Under Article 9 of GDPR, data revealing health conditions, religious beliefs, or disability status is special category data and attracts the highest level of protection.
A vegan or halal dietary requirement may imply religious beliefs. A gluten-free request might indicate coeliac disease. A request for wheelchair access discloses a disability.
Processing special category data requires explicit consent — a clear, separate opt-in that specifically identifies the data as sensitive. Share it only with those who need it (catering, venue staff) and delete it promptly after the event.
Event Platforms as Data Processors
Eventbrite, Hopin, Zoom Webinars, Luma, and similar platforms are data processors under GDPR. You need a Data Processing Agreement (DPA) in place with each, and your privacy notice must disclose them to attendees.
Most platforms provide DPAs, but you need to actively accept them. For Zoom, also confirm that your data processing region is set appropriately for EU attendees.
Photography and Video Recording Consent
Photographs and videos of identifiable individuals are personal data. Legitimate interests is a defensible lawful basis for general event photography when photography is clearly expected and attendees have been notified in advance. Consent is required for close-up portraits and for marketing use of specific individuals' images.
Practical steps: include a photography notice in registration confirmation emails, post visible notices at the venue entrance, designate photography-free zones if needed, and obtain written consent for images used in marketing campaigns.
Speaker and Exhibitor Data
Speakers and exhibitors are data subjects too. Use contract as your basis for operational data required to fulfill the engagement, and ensure speakers are informed how their photos and bios will be used after the event.
Networking Apps and Badge Scanning
When an exhibitor scans an attendee badge, they are collecting personal data. Attendee consent is required — it must be presented as optional, not bundled with event registration. Exhibitors become data controllers for badge scan data and have their own GDPR obligations. Networking apps must have DPAs in place.
Post-Event Email Follow-Up
Event-related follow-up (feedback surveys, slides, recordings) can rely on legitimate interests. Marketing communications about future events require explicit prior consent obtained at registration. You cannot email attendees about your next event simply because they attended the previous one.
Sharing Attendee Lists with Sponsors
This is one of the most common serious GDPR breaches in the events industry. To share attendee data with sponsors lawfully, you must obtain explicit, informed consent at registration for specific named sponsors, with an optional unchecked checkbox. You cannot share data with sponsors not named at the time of consent.
Alternatives: offer opt-in lead retrieval at the event, share anonymized demographic data, or let sponsors present directly to attendees.
Retention of Attendee Data
Keep registration and contact data for 12-24 months with marketing consent (shorter without), payment data for 7 years, and delete dietary and accessibility data promptly after the event. Apply your retention policy to recordings too.
Virtual Event Recordings
Inform attendees at registration and at the session start that recording will take place. Make participation in recorded elements optional where possible. Attendees who appear in public recordings have the right to request removal. Ensure recordings stored on platform servers are covered in your DPA.
Compliance Checklist for Event Organizers
Before the event
- Registration form only collects data necessary to deliver the event
- Separate, optional consent checkbox for marketing communications
- Separate, explicit consent for dietary and accessibility data
- Separate, optional consent for badge scanning and sponsor data sharing
- DPA in place with your event platform and networking app
- Privacy notice updated to disclose all processors
- Speakers and exhibitors informed of data use
- Photography and recording notice in registration confirmation emails
At the event
- Photography notices posted visibly at venue entrances
- Attendees notified of recording at the start of virtual sessions
- Badge scanning presented as optional
- Exhibitors briefed on their GDPR obligations
After the event
- Post-event emails sent only with valid consent or legitimate interests basis
- Marketing emails only to those who explicitly opted in
- Dietary and accessibility data deleted promptly
- Data retention policy applied to attendee records and recordings
- Process in place for DSAR and deletion requests
Running a compliant event is less about doing extra work and more about doing the right work at the right time — primarily at the registration design stage. If you want to see how your event website stacks up on privacy compliance, run a free scan at app.custodia-privacy.com/scan. It checks for tracking technologies, consent management issues, and compliance gaps in 60 seconds.
This post provides general information about GDPR compliance for event organizers. It does not constitute legal advice. Consult a qualified data protection professional for advice specific to your organization.