If you run a wedding business — whether you're a photographer, planner, florist, caterer, or venue — you handle an extraordinary amount of personal data. Couple names and addresses. Guest lists with dietary requirements and allergies. Religious and cultural ceremony preferences. Payment card details. Children attending the wedding. All of it is personal data under GDPR, and some of it — particularly health information like allergies — is special category data that requires a higher level of protection.
This guide covers everything wedding businesses need to know about handling client and guest data compliantly, in plain language.
What Data Do Wedding Businesses Collect?
Before you can manage data properly, it helps to map out everything you actually collect. Most wedding businesses handle:
Couple data
- Full names, addresses, email addresses, phone numbers
- Wedding date, venue, ceremony type
- Budget and payment information
- Contract details and correspondence
Guest data
- Names and contact details (often collected for RSVPs or table plans)
- Dietary requirements and food allergies — this is Article 9 special category health data
- Accessibility requirements and mobility needs (also special category)
- Religious or cultural preferences affecting the ceremony or catering
- Children attending (requiring extra care around photography and consent)
Photography and video data
- Images and videos of the couple and guests
- Photographs of children
- Drone footage (raising additional considerations)
The sheer breadth of data flowing through a single wedding is larger than most wedding businesses realise — and different lawful bases apply to different types of data.
Lawful Basis: Contract with the Couple
For the couple themselves, your primary lawful basis under GDPR Article 6 is contractual necessity. When a couple signs your contract, you have a clear legal basis to process their personal data to deliver your services.
This covers names, contact details, payment information, correspondence, and coordinating with other suppliers on the couple's behalf. You do not need separate consent from the couple for data that is necessary to fulfil the contract. But you should be transparent — your privacy notice should explain what you collect, why, who you share it with, and how long you keep it.
Dietary Requirements and Allergies: Article 9 Special Category Data
This is where many wedding businesses inadvertently create compliance problems. Dietary requirements and food allergies — coeliac disease, nut allergies, diabetes, Crohn's disease — are health data under GDPR Article 9. Health data is special category data, which means the usual Article 6 lawful basis is not enough. You need an additional condition under Article 9.
For wedding businesses, the most practical Article 9 condition is explicit consent from the individual guest. This means:
- A clear, specific consent request when collecting the information
- The guest actively confirms they consent to their health/dietary data being shared with relevant suppliers
- Consent must be recorded and stored
- Guests must be told who will receive their data (the caterer, the venue kitchen staff)
Practical approach: When sending RSVP forms, include a plain-language statement such as: "We need to share your dietary requirements and allergies with our caterers and venue kitchen team to ensure your meal is prepared safely. By completing this field, you consent to this sharing."
Wedding Photography: Consent for All Guests
Photography is one of the most legally complex areas for wedding businesses. Under GDPR, photographs are personal data when they can identify an individual.
- The couple: The lawful basis is contractual necessity — they hired you
- Guests: They have no contract with you. Legitimate interest is increasingly difficult to rely on for identifiable photography. Give guests reasonable notice via venue signage or wedding invitations
- Children: Do not publish images of children on your portfolio, website, or social media without explicit parental consent
- Portfolio use: Your contract with the couple should clearly address whether you can use wedding images for your marketing
Sharing Guest Data with Caterers, Venues, and Suppliers
When you share personal data with another business:
- A caterer preparing meals from your guest dietary list is typically a data processor — you need a Data Processing Agreement (DPA) with them (required by GDPR Article 28)
- A venue collecting its own guest information for its own purposes is a separate data controller
Ensure your RSVP consent form tells guests that their data will be shared with the caterer, and ensure you have a DPA in place.
Wedding Management Software as Data Processors
HoneyBook, Dubsado, Aisle Planner, Tave, Studio Ninja — these platforms act as data processors on your behalf. You remain the data controller.
- Check each platform has a DPA available
- Many US platforms rely on Standard Contractual Clauses for UK/EEA data transfers
- If you cannot find DPA documentation, contact the platform's support team
Social Media Posting and Wedding Photos
- The couple: Your contract should explicitly address social media use. If the couple opts out, respect it
- Guests: If posting identifiable guest images, ensure guests have been notified. Have a process for takedown requests (right to erasure)
- Children: Do not post identifiable images of children without explicit parental consent
Online Galleries and File Sharing
Pixieset, Pic-Time, Shootproof, Google Drive, Dropbox — these services process personal data.
- Ensure your gallery platform has a DPA or appropriate data processing terms
- Use password protection for all client galleries
- Set a reasonable expiry period — keeping images accessible for years beyond what clients need violates the GDPR storage limitation principle
Marketing to Past Clients
Under UK GDPR and PECR:
- Email marketing requires either prior consent or the soft opt-in rule — you can email past clients about similar services if they purchased from you, you gave them a clear opt-out opportunity, and every email includes an unsubscribe link
- Action unsubscribe requests promptly and record marketing preferences
Compliance Checklist for Wedding Businesses
Documentation
- [ ] Privacy notice on your website
- [ ] Client contract covers data use, photography rights, and social media
- [ ] DPAs with caterers, gallery platforms, and wedding management software
Guest data
- [ ] RSVP forms include explicit consent for dietary/health data sharing
- [ ] Consent records stored
- [ ] Guest data shared only with suppliers who need it
Photography and video
- [ ] Contract addresses portfolio and social media use
- [ ] Guest notification process in place
- [ ] No identifiable children photos posted without parental consent
- [ ] Takedown request process documented
Data security and retention
- [ ] Client galleries password protected with expiry dates
- [ ] Secure data deletion process after retention periods
- [ ] Software platforms have DPAs
Marketing
- [ ] Past client marketing follows soft opt-in rule
- [ ] Unsubscribe requests actioned promptly
Where to Start
If you're unsure whether your current setup meets GDPR requirements, start by understanding what data your website is already collecting and sending to third parties.
Run a free privacy scan at Custodia — it audits your website for trackers, data flows, and compliance gaps in 60 seconds.
Wedding businesses handle deeply personal data at a deeply personal moment in their clients' lives. Getting data protection right is not just a legal obligation — it's part of the trust your clients place in you.
This guide provides general information about GDPR obligations for wedding businesses. It does not constitute legal advice. Consult a qualified data protection professional for advice specific to your circumstances.