Data protection at conferences, trade shows, assemblies, etc.: A mammoth task for event management
You have certainly been to one or more events in your private or professional life. Be it a concert, a conference or an important workshop – usually all relevant information for and about the event is prominently displayed on a website:
a) The data of the participants or speakers is freely accessible on the Internet.
b) Pictures are taken and often published on the corresponding event pages.
This procedure has become part of our everyday life. With the new General Data Protection Regulation, however, this is no longer so easy. This is because the GDPR also tightens the data protection guidelines for conferences and other public events. As an event planner, you must exercise greater care than you did a few years ago in the following areas, among others:
- Social media
- Event photography
- Participant data and lists
The number of data protection issues that need to be addressed at a conference is, of course, endless. So that you don’t lose track of the measures that need to be taken, we take a close look at the subject of “Data protection at events” in this guide.
Personal data is part of every event
Because personal data is part of every event, you are of course also affected by the EU GDPR. Personal information from different groups of people is processed at every event:
- Both participants and visitors disclose data about themselves when purchasing admission to or planning an event.
- Most companies use some form of software that plays a major role in data protection at conferences.
- Event planners usually work together with other service providers to whom personal content is transferred for processing.
- In many cases, speakers or organizers have employed photographers specifically to document the event.
The processing of personal data is omnipresent in the event sector. Therefore, you inevitably need to deal with the topic in order to prevent GDPR warnings or even lawsuits.
What general measures do you have to take regarding data protection at conferences?
1. Obtain the consent of data subjects
If you want to conduct GDPR-compliant event management, a declaration of consent is the basis of your entire planning. This is the only way to ensure that you do not violate the rights of data subjects. If, for example, you are the initiator of a data protection conference, you should send all speakers a document to sign in advance. To increase data protection at your conference, you should also point out on your website that personal data is processed when a ticket is purchased. A declaration should then pop up, which users and potential participants need to click to confirm.
2. Don’t forget your duty to provide information
More data protection at a conference also means that on request you are obliged to provide detailed information about the nature and purpose of the information processed. Furthermore, data subjects have the right to be “forgotten.” This means that after collecting data, you must delete as much of it as possible. At the same time, however, remember to observe the legally prescribed obligation to retain data.
3. Enter into the necessary processing contracts
As soon as you work with third-party vendors such as subcontractors, registration platforms, or software manufacturers, you can’t avoid a variety of processing agreements. This will ensure that all parties comply with the requirements of the EU GDPR and that the data protection of your conference is not endangered. We recommend that you minimize the data to be processed. Limit yourself exclusively to the absolutely necessary information that you really need to carry out your work. Otherwise, you will very quickly appear suspect.
4. Ensure that adequate security measures are in place
As an organizer, you are obliged to implement data protection at conferences and other events in the best possible way. This includes both organizational and technical measures. They begin with never leaving unattended any equipment on which personal data is stored. The next step is data protection precautions on the internet: encrypt both your emails and your website (e.g., the contact form). Do not limit yourself to the minimum, but get expert support for implementation if necessary.
5. Appoint a data protection officer
As soon as nine employees of your company are permanently occupied with processing personal data, you must appoint a data protection officer. Among other things, the expert will help you draw up legally compliant lists of participants, formulate your data protection declaration for the conference in accordance with the law and discuss with you all the necessary measures you need to take. You have the choice of appointing an internal employee for this purpose or involving an external person by visiting our category “External data protection officer,” where you can compare providers.
Special data protection measures for conferences
However, the general arrangements are not enough. As an event organizer, you are faced with many other requirements which you must not ignore:
1. Check-in and event participant lists
This point is extremely important in the area of data protection. The entrance to the event in particular offers a great deal of potential for unauthorized persons to gain access to the data of third parties. We recommend that you do not use printed information, because it is often easily visible. Of course, this does not apply to events where you simply scan a ticket to let people in; it applies to events with a guest list. For these, you can use electronic measures, such as scanning QR codes. This improves the protection of participant data at your conference.
2. GDPR and photos at an event
This is a difficult issue. Although it is common practice at public events to create video footage, it is still a violation of the General Data Protection Regulation. Basically, you are obliged to obtain the consent of every filmed person, especially when the material is to be published at a later date. You can protect yourself by placing an appropriate video and photo notice in the entrance area of your event. To make your event photography GDPR-compliant, you should also obtain the oral consent of the participants. Once this has been done, it is no problem from a data protection point of view if you publish the pictures of your conference on your website or your social media account.