GDPR for Events: Registration Data, Photography, and Attendee Privacy
Event organisers collect an extraordinary volume of personal data. A typical conference registration form captures names, job titles, company names, email addresses, phone numbers, and payment information. Behind that sits a layer of sensitive data: dietary requirements that reveal religious beliefs or medical conditions, accessibility needs that disclose disabilities, and optionally collected information about professional interests that feeds into post-event marketing.
Many event organisers do not realise that all of this is governed by GDPR, or that the rules extend far beyond the registration form into photography, badge scanning by exhibitors, networking apps, post-event email marketing, and data shared with third-party platform providers.
This guide covers what you actually need to do, from the legal basis for registration data through to retention and children's privacy. At the end, you'll find a practical compliance checklist for event organisers.
Lawful Basis for Event Registration Data
The first question under GDPR is always: what is your lawful basis for processing this personal data?
For event registration data, you have two plausible candidates: contract and consent.
Contract is typically the right choice for core registration data — the information you need to process someone's booking, send them event details, and admit them on the day. This includes name, email address, payment information, and any information directly necessary to deliver the event. You don't need consent for this data because the processing is necessary to perform the contract (the ticket purchase) that the attendee has entered into with you.
Consent is the usual basis for anything beyond what is necessary to deliver the event: marketing communications for future events, sharing data with sponsors or exhibitors, and optional profile information used for networking features. (Legitimate interests can sometimes cover a non-essential use, as with general event photography below, but only with a documented assessment.) Consent must be freely given, specific, informed and unambiguous; a pre-ticked box or a clause buried in your terms is not valid consent, and withdrawing it must be as easy as giving it.
The practical split: use contract as your basis for operational data (what you need to run the event) and collect separate, explicit consent for any marketing or sharing beyond that.
Special Category Data: Health, Dietary, and Accessibility Information
Dietary requirements and accessibility needs are where event organisers routinely stumble into special category data without realising it.
Under Article 9 of GDPR, data concerning health (which includes disability), religious or philosophical beliefs, and the other listed categories attracts heightened protection. A halal or kosher dietary requirement may reveal religious beliefs, and a vegan one a philosophical belief. A gluten-free requirement may indicate coeliac disease. A request for wheelchair access or a hearing loop discloses a disability. All of this is special category data.
Processing special category data requires both a lawful basis under Article 6 and a separate condition under Article 9. For event organisers, the most relevant Article 9 conditions are:
- Explicit consent — the gold standard, but requires a clear, separate, opt-in confirmation specifically for the sensitive data
- Vital interests — relevant for medical emergencies, not routine dietary management
- Substantial public interest — unlikely to apply to most commercial events
In practice, this means you need a separate, explicit consent mechanism for dietary and accessibility information. It cannot be bundled into your general terms and conditions. The consent must explain precisely how the data will be used and who will see it.
Crucially, this data must be shared only with the people who need it — catering teams, venue staff — and must not be shared with exhibitors, sponsors, or third-party platforms for any other purpose.
Photography and Video Recording Consent at Events
Photography at events is a GDPR minefield. Photographs and videos of identifiable individuals are personal data. When you photograph a crowd at a conference and publish the image, you are processing the personal data of everyone identifiable in it.
The lawful basis question is complicated here:
Legitimate interests is commonly cited by event organisers, and it is defensible when photography is clearly expected (a large public conference where photography is industry-standard practice) and attendees have been clearly notified in advance. The legitimate interests assessment must weigh the organisation's interest in promotional content against attendees' reasonable expectation of privacy.
Consent is the safer and legally cleaner basis, particularly for images used in marketing materials, and it is required where individuals are the primary subject: close-up portraits, speaker photos, interview footage. It is harder to obtain for incidental crowd photography, which is why many organisations rely on legitimate interests plus advance notice for general event photography. Bear in mind that consent can be withdrawn at any time, so you need a practical way to take an image out of circulation when it is.
What you must do:
- Notify attendees before the event — in your registration confirmation, your event website, and on signage at the venue — that photography and video recording will take place
- Provide an opt-out mechanism — offer attendees a way to flag that they do not wish to be photographed, and have a practical process for honouring this (wristbands, badge stickers, and clearly marked photographer-free areas all work)
- Obtain explicit consent for footage where individuals are identifiable primary subjects — speaker videos, testimonials, interviews
- Document your approach — record your legitimate interests assessment if that is your basis, and your consent records if consent is your basis
Never use photography of attendees in your marketing without a clear legal basis, and never assume that buying a ticket implies consent to being photographed.
Badge Scanning by Exhibitors
If your event uses badge scanning — QR codes or RFID — to allow exhibitors to capture attendee contact details, you are enabling a data sharing arrangement that requires explicit consent from attendees.
The typical commercial arrangement is that exhibitors pay for the ability to scan badges and receive attendee data. From a GDPR perspective, this is a data sharing arrangement: you are the controller that collected the data; the exhibitor becomes a separate controller when they receive it.
This means:
- Attendees must be clearly informed that badge scanning will result in their data being shared with exhibitors — not in a page 7 terms-of-service clause, but prominently in registration information and on event signage
- Consent must be actively collected, and attendees must be able to attend without opting in to exhibitor data capture; a badge that is scannable by default is not consent
- Each exhibitor must comply with GDPR for the data they collect — they become independent controllers and need to provide their own privacy notice to attendees
- You need a clear legal basis for sharing the data — this is typically consent, and it must be genuine consent (not "by registering you agree that exhibitors may contact you")
If your event registration platform enables badge scanning and automatic data transfer to exhibitors, audit that flow carefully. Many platforms treat this as a default feature without building in the consent architecture GDPR requires. Check in particular what the badge itself encodes: if the QR code carries the attendee's name and email, any phone camera captures them regardless of consent, whereas an opaque token resolved server-side lets the platform check the attendee's consent before releasing anything to the exhibitor.
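The server-side consent check described above, as an added example that is not code from the article or from any named platform. It assumes a badge that carries only an opaque attendee id, a separate consent log, and an audit trail; the attendee dicts, the Consent dataclass and the consent "source" labels are all constructed for illustration. Release is allow-listed (dietary and accessibility data never leave the organiser), a pre-ticked or terms-buried "consent" is treated as no consent, and the most recent record wins so a withdrawal takes effect immediately.

```python
"""Consent-gated badge-scan release. Added example, not code from the article
or any named platform. The data model (attendee dicts, a Consent log, an
audit list) and the consent 'source' labels are assumptions for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Only these fields may ever reach an exhibitor, and only with valid consent.
SHAREABLE_FIELDS = ("name", "email", "company", "job_title")
# Consent captured these ways is not freely given/unambiguous and is ignored.
INVALID_SOURCES = {"pre_ticked_box", "terms_and_conditions", "platform_default"}
PURPOSE = "exhibitor_sharing"


@dataclass
class Consent:
    attendee_id: str
    purpose: str
    given: bool
    source: str                    # how the choice was captured (assumed labels)
    recorded_at: datetime
    withdrawn_at: datetime | None = None


def consent_reason(record: Consent | None, now: datetime) -> str:
    """Explain whether a consent record authorises sharing right now."""
    if record is None:
        return "no_consent_record"
    if not record.given:
        return "declined"
    if record.source in INVALID_SOURCES:
        return "invalid_source:" + record.source
    if record.withdrawn_at is not None and record.withdrawn_at <= now:
        return "withdrawn"
    return "ok"


def latest_consent(consents: list[Consent], attendee_id: str) -> Consent | None:
    """The most recent record for this attendee and purpose decides."""
    matching = [c for c in consents
                if c.attendee_id == attendee_id and c.purpose == PURPOSE]
    return max(matching, key=lambda c: c.recorded_at, default=None)


def release_scan(attendee: dict, consents: list[Consent], exhibitor_id: str,
                 now: datetime, audit: list[dict]) -> dict:
    """Data an exhibitor receives for one badge scan; every decision is logged."""
    reason = consent_reason(latest_consent(consents, attendee["id"]), now)
    released = reason == "ok"
    audit.append({"at": now.isoformat(), "attendee": attendee["id"],
                  "exhibitor": exhibitor_id, "released": released, "reason": reason})
    if not released:
        # The exhibitor learns nothing beyond "no data available".
        return {"released": False}
    # Allow-list the fields: dietary/accessibility data never leave the organiser.
    return {"released": True,
            **{k: attendee[k] for k in SHAREABLE_FIELDS if k in attendee}}


def demo() -> tuple[dict, dict, dict, list[dict]]:
    """Run three constructed scans against a constructed consent log."""
    now = datetime(2024, 6, 12, 10, 0, tzinfo=timezone.utc)
    earlier = datetime(2024, 5, 1, tzinfo=timezone.utc)
    attendees = {
        "a1": {"id": "a1", "name": "Alice Example", "email": "alice@example.com",
               "company": "ExampleCo", "dietary": "halal"},
        "a2": {"id": "a2", "name": "Bob Example", "email": "bob@example.com",
               "company": "ExampleCo", "accessibility": "wheelchair access"},
        "a3": {"id": "a3", "name": "Cara Example", "email": "cara@example.com"},
    }
    consents = [
        Consent("a1", PURPOSE, True, "registration_checkbox_unticked", earlier),
        Consent("a2", PURPOSE, True, "pre_ticked_box", earlier),   # not valid consent
        Consent("a3", PURPOSE, True, "registration_checkbox_unticked", earlier,
                withdrawn_at=datetime(2024, 6, 1, tzinfo=timezone.utc)),  # withdrawn
    ]
    audit: list[dict] = []
    r1 = release_scan(attendees["a1"], consents, "exhibitor-42", now, audit)
    r2 = release_scan(attendees["a2"], consents, "exhibitor-42", now, audit)
    r3 = release_scan(attendees["a3"], consents, "exhibitor-42", now, audit)
    return r1, r2, r3, audit
```

Only the first scan releases anything, and even that record carries no dietary field. The audit list is what you would show a regulator or an attendee asking which exhibitors received their data.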
Event Apps and Data Sharing
Networking apps, virtual event platforms, and event management applications introduce additional data processing considerations.
When attendees create profiles in a networking app, that app is typically a separate data controller — or, if you've white-labelled the platform, a data processor acting on your behalf. The distinction matters:
- Data processor: you remain the controller and need a Data Processing Agreement (DPA) governing the processor's use of attendee data
- Separate controller: attendees need a privacy notice from the app itself, and you need to ensure data shared with it is covered by your privacy notice
Networking features that allow attendees to view each other's profiles, send messages, or share contact details require careful privacy notice language. Attendees should understand what information will be visible to other attendees, what the app does with messaging data, and how to delete their profile.
Virtual event platforms (Hopin, Zoom Events, Swapcard, and similar) also process significant personal data — attendance records, session engagement data, chat messages, video recordings of sessions where attendees are visible. Ensure you have a DPA with your platform provider and that attendees are informed of the processing taking place.
Post-Event Email Marketing: The Soft Opt-In Opportunity
Post-event email marketing is one of the most misunderstood areas of GDPR compliance for event organisers.
The common mistake is assuming that because someone registered for your event, you have ongoing permission to market to them. You don't — at least not automatically under GDPR's Article 6. What you may have is the soft opt-in under the Privacy and Electronic Communications Regulations (PECR) in the UK, or equivalent national implementation in EU member states.
The soft opt-in allows you to send marketing emails to existing customers (including event attendees) about similar products and services provided:
- You obtained their contact details in the course of a sale or negotiation of a sale
- The marketing is for your own similar products and services — not third parties
- You gave them a clear opportunity to opt out at the time of registration and in every subsequent message
For event organisers, this means you can email registered attendees about your next event, but only if you meet all three conditions, only for your own events (not sponsors' or partners'), and only if you gave them a clear opt-out at registration. One caveat: the soft opt-in depends on a sale or negotiations for a sale, so for a free event it is doubtful that it applies at all, and explicit consent is the safer route.
For any broader marketing — emails on behalf of sponsors, adding attendees to general marketing lists, or sharing their contact details with exhibitors for marketing — explicit, separate consent is required.
Practically: include a clearly optional, unchecked checkbox at registration for marketing consent. Use the soft opt-in for follow-up event marketing. Never share attendee details with third parties for marketing purposes without explicit consent.
Retention of Attendee Data
How long should you keep attendee data? GDPR's storage limitation principle requires that personal data be kept for no longer than necessary for the purpose it was collected.
For event registration data, a reasonable retention schedule might look like:
- Payment information: retain the transaction record for the period required by tax law (typically 6-7 years), then delete or anonymise the personal details while retaining the financial record. Full card numbers should never sit in your own systems at all; leave them with your payment processor and keep only the transaction reference
- Operational event data (attendance records, dietary requirements, accessibility requests): delete or anonymise within 3-6 months of the event, unless there is a specific ongoing reason to retain it
- Marketing consent records: retain consent records for as long as you rely on that consent, plus a reasonable period after to demonstrate compliance
- Photography and video: no fixed limit, but you should have a policy and apply it — and be prepared to respond to deletion requests for images where individuals are identifiable
Document your retention schedule and apply it. Keeping data indefinitely "just in case" is not GDPR-compliant, and it increases your risk in the event of a data breach.
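A retention job that applies a schedule like the one above, as an added example that is not the article's code. The record layout, category names, the 90-day and 6-year periods, the one-year grace period for withdrawn consent and the legal-hold flag are assumptions chosen to mirror the schedule; substitute your own documented periods. The point it shows is the difference between deleting a record and anonymising it (stripping the personal fields while keeping the financial record), and that a record under legal hold or a consent still being relied on is never touched.

```python
"""Retention-schedule enforcement. Added example, not code from the article.
Record layout, category names and the periods below are assumptions that
mirror the schedule above; put your own documented periods in SCHEDULE."""
from __future__ import annotations
from datetime import date, timedelta

# Fields stripped when a record is anonymised rather than deleted outright.
PERSONAL_FIELDS = {"name", "email", "phone", "dietary", "accessibility"}

# category -> (period after the record's anchor date, action when it expires).
# Anchor is the transaction date for payments and the event date for
# operational data (assumed convention).
SCHEDULE = {
    "payment": (timedelta(days=365 * 6), "anonymise"),   # keep the financial record
    "operational": (timedelta(days=90), "delete"),       # attendance, dietary, access needs
}
# Consent records are kept while relied on, then for a grace period after
# withdrawal so you can still evidence what was consented to (assumed: 1 year).
CONSENT_GRACE = timedelta(days=365)


def decide(record: dict, today: date) -> str:
    """Return 'keep', 'delete' or 'anonymise' for one record."""
    if record.get("legal_hold"):
        return "keep"                       # e.g. an open complaint or dispute
    if record["category"] == "consent":
        withdrawn = record.get("withdrawn_on")
        if withdrawn is None:
            return "keep"                   # still the basis for processing
        return "delete" if today >= withdrawn + CONSENT_GRACE else "keep"
    period, action = SCHEDULE[record["category"]]
    return action if today >= record["anchor"] + period else "keep"


def anonymise(record: dict) -> dict:
    """Drop personal fields but keep the non-personal business record."""
    out = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
    out["anonymised"] = True
    return out


def apply_retention(records: list[dict], today: date) -> tuple[list[dict], list[dict]]:
    """Apply the schedule; return surviving records and an action log."""
    kept, log = [], []
    for rec in records:
        action = decide(rec, today)
        log.append({"id": rec["id"], "category": rec["category"], "action": action})
        if action == "keep":
            kept.append(rec)
        elif action == "anonymise":
            kept.append(anonymise(rec))
        # "delete": the record is simply not carried forward
    return kept, log


def demo() -> tuple[list[dict], list[dict]]:
    """Constructed sample records run against the schedule on a fixed date."""
    today = date(2024, 6, 12)
    records = [
        {"id": "pay-1", "category": "payment", "anchor": date(2017, 5, 2),
         "name": "Alice Example", "email": "alice@example.com",
         "amount": 299.00, "invoice": "INV-0001"},
        {"id": "pay-2", "category": "payment", "anchor": date(2023, 5, 2),
         "name": "Bob Example", "email": "bob@example.com",
         "amount": 299.00, "invoice": "INV-0002"},
        {"id": "ops-1", "category": "operational", "anchor": date(2024, 3, 1),
         "name": "Cara Example", "dietary": "gluten-free"},
        {"id": "ops-2", "category": "operational", "anchor": date(2024, 3, 1),
         "name": "Dan Example", "accessibility": "hearing loop", "legal_hold": True},
        {"id": "con-1", "category": "consent", "purpose": "marketing",
         "email": "cara@example.com", "withdrawn_on": None},
        {"id": "con-2", "category": "consent", "purpose": "marketing",
         "email": "eve@example.com", "withdrawn_on": date(2023, 1, 10)},
    ]
    return apply_retention(records, today)
```

Run this on a schedule (nightly is usual) and keep the action log: it is the evidence that the retention policy you documented is the one you actually apply.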
Children at Events
If your event may be attended by children, GDPR imposes additional requirements. The age below which a parent must consent on a child's behalf is 16 by default under the EU GDPR, member states may lower it to as low as 13, and the UK has set it at 13 in the Data Protection Act 2018.
Article 8 formally concerns consent to online services offered directly to a child, but the practical position for events is the same: do not rely on a child's own consent, and have a parent or guardian complete the registration. For events aimed at families or where children are likely attendees, this means:
- Requiring parental/guardian consent for any child attendee's registration data
- Not sending marketing communications to email addresses that may belong to children
- Being particularly careful with photography — never publish images of identifiable children without explicit parental consent
- Not using event networking apps or other data-sharing features for child attendees
Even where children aren't the target audience, consider whether your registration process adequately prevents children from registering (and therefore from having their data processed on the same basis as adults). Age verification or a simple age declaration in registration is common practice.
Virtual Event Platforms as Data Processors
If you use a virtual or hybrid event platform — or any third-party technology to run your event — those providers are likely data processors, and GDPR requires that you have a Data Processing Agreement in place with each of them.
Key questions to answer for each platform:
- Where is the data stored? If outside the UK/EEA, you need an international data transfer mechanism (an adequacy decision, the EU Standard Contractual Clauses, or for UK transfers the ICO's International Data Transfer Agreement or UK Addendum to the SCCs)
- What does the platform do with attendee data? Read their terms carefully — some platforms use aggregated event data for their own analytics or product development
- Can they subcontract processing? Most do; your DPA should cover subprocessor arrangements
- What happens to the data after your event? Ensure the platform deletes or returns data after the contractual relationship ends
Many event platforms offer pre-signed DPAs or data processing addenda. Request these before your event, not after.
Practical Compliance Checklist for Event Organisers
Use this checklist before, during, and after your event:
Before the event:
- [ ] Identify the lawful basis for each category of data you collect (contract for operational data, consent for marketing and data sharing)
- [ ] Separate consent collection for special category data (dietary, accessibility, health)
- [ ] Include clear photography notice in registration confirmation and on your event website
- [ ] If using badge scanning, add clear disclosure to registration and obtain explicit consent for exhibitor data sharing
- [ ] Review your event app/platform — sign DPAs with all third-party processors
- [ ] Check where your data is stored and confirm international transfer mechanisms are in place
- [ ] Add a clearly optional, unchecked marketing consent checkbox to registration
- [ ] Create a retention schedule for event data
At the event:
- [ ] Display photography notices on venue signage
- [ ] Offer a practical opt-out mechanism for attendees who don't want to be photographed (wristbands, stickers, photographer-free areas)
- [ ] Brief your photography team on consent requirements for close-up and identifiable footage
- [ ] Ensure exhibitors using badge scanners have been briefed on their GDPR obligations as independent controllers
After the event:
- [ ] Send post-event follow-up using soft opt-in rules (or explicit consent) for marketing
- [ ] Do not share attendee lists with sponsors or exhibitors without explicit consent
- [ ] Apply your retention schedule — delete operational data (dietary, accessibility) within your defined window
- [ ] Respond to any data subject requests (access, erasure, correction) within one month of receipt (extendable by up to two further months for complex or numerous requests, provided you tell the requester within the first month)
- [ ] Document your lawful basis, consent records, and legitimate interests assessments
Check Your Event Website's Compliance Now
GDPR compliance for events starts with your event website — the first point of data collection. Custodia's free scanner checks your event registration pages for tracking technologies, consent mechanisms, and privacy notice issues.
Run a free scan at https://app.custodia-privacy.com/scan — no account required, results in 60 seconds.
This post provides general information about GDPR compliance for events. It does not constitute legal advice. Privacy law requirements vary by jurisdiction and specific circumstances. Consult a qualified privacy law professional for advice specific to your organisation.