GDPR

The General Data Protection Regulation (“GDPR”) is a data privacy regulation that came into effect on May 25th, 2018 and applies to any event worldwide that collects data from citizens of the European Union. Event organizers who collect personal data from attendees living in the European Union are required to obtain express and free consent from these attendees before collecting and using their data.

In summary, each participant must give his/her free and prior consent regarding:

GDPR states that data may not be stored for longer than is necessary for its intended purpose; however, it does not define any reasonable standard duration. As a best practice, it is recommended that event organizers & subcontractors remove from their database those participants who have not registered for one of their events in more than three years and with whom they do not maintain an active business relationship.

The organizer and the subcontractor must keep a record of all processing activities being carried out under their responsibility. This record is very intricate because it must include:

In addition, any organizer who processes his/her data through a subcontractor must draw up a contract which defines the purpose and duration of the processing, terms of destruction of the data, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. The organizer is the controller of data with regards to the participants, unless the subcontractor determines the purposes and means of the processing, in which case he/she is considered in charge of the processing.

As stated within this regulation, EU citizens have the right to access their private information and to request its deletion. The GDPR must be treated seriously because it impacts almost every event organizer around the world, and non-compliance can lead to penalties of up to 20 million euros or 4% of the overall turnover of the company. Furthermore, large brands & organizational sponsors are equally careful about whether data collection is done as per GDPR norms.

What is GDPR?

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

This (relatively new) regulation aims to better manage the rights of individuals within the digital evolution, including the development of “big data”, e-commerce and connected devices, which are based primarily on the collection and processing of personal data.

It aligns data privacy laws in Europe, protects the privacy of EU citizens and imposes important new obligations on anyone who processes data, concerning (i) the collection and transfer of personal data and (ii) data security.

Fundamentals of GDPR

Consent

You must obtain consent from your participants who are EU citizens to store and use their data and transparently explain how this data will be used.

Privacy

Participants can ask you to delete their data and to stop sharing their data with third parties. These third parties are obliged to stop processing the data and must delete it upon request.

Access:

You must provide your participants access to their data within 30 days and explain to them how you are using their data.

Portability:

Participants can ask you to transfer their data to them in a digital format so that they can transmit it to another data controller.

Security:

Any security breach should be reported to the participants within 72 hours of you becoming aware of such breach, and you are responsible for using technology systems that manage participants’ data according to industry standards.

Why is GDPR important for Event Organizers?

GDPR affects almost any company processing personal data. Personal data can be defined as any information used to identify a person (e.g. name, address, date of birth, location, ID numbers, etc.). In the case of events, it applies to all event organizers, event registration platforms, mobile applications and business meeting platforms used in events.

GDPR has a principle of extraterritoriality which automatically requires any company that collects data from a European citizen to comply with the regulation, even if the company is not established in the European Union. If a European citizen registers for an event abroad, the organizer and his/her subcontractors must comply with GDPR. This regulation has therefore affected almost all events worldwide.

Responsibilities of Event Organizers

The GDPR introduces new rights for attendees of an event and obligations that require event organizers to review the way they work: how they collect data from participants, how they inform them of the purpose of data collection and of their rights, and how they ensure the security of participants’ data.

As the person managing the data, the organizer must prove that the participant has provided consent regarding the processing of his/her data and that this processing is carried out under the rules of GDPR.

Information Obligations

When collecting participant data via the ticketing tool, the organizer must provide the participant with information that is concise, transparent, understandable and easy to access regarding the processing associated with his/her data.

Regarding the processing of data for participants and exhibitors, the organizer must indicate the following mandatory information when registering a participant:

Data Collection Obligations

The collection & processing of participant data is lawful only if: (a) the participant has consented to the processing of his/her data for a specific purpose and (b) the processing is necessary for the performance of a contract where the participant concerned is a party.

Security Obligations

The organizer and his/her subcontractors must enforce measures to:

Summary (TLDR version):

Event Registration:


Attending the Event

On the participant’s very first login, we offer them the option to review the conditions pertaining to their data access & sharing. They can then reconfigure these provisions in their individual profile pages. The participant can restrict their data from being shared with the sponsors and exhibitors, as well as request that EventEngage delete their account at any time.

Networking & Sharing contact info

By default, the contact details of all attendees are private. Unless they exchange business cards or accept a LinkedIn connection request, the participant’s data is not shared with another party. Participants can also choose not to have their data visible & accessible for networking, in which case they won’t be listed in the networking section and no one will be able to connect with them. They can change their mind and join the networking area later on by changing the setting in their profile page.

Security of Data

EventEngage is hosted with AWS and uses a secure infrastructure to ensure participant data is fully secure at all times. We work with highly accredited subcontractors who are certified with the latest security credentials such as ISO27001, ISO27018, SOC2, PCI DSS, etc.

Disclaimer. This document is intended to convey general information only, as a starting point for your understanding of the GDPR regulatory requirements. It is not intended as legal advice, nor is it meant to convey legal facts. No action should be taken in reliance on the information found here, and EventEngage disclaims all liability with respect to any acts or omissions based on the contents of this document. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance and GDPR-related issues.



Copyright © 2021 EventEngage LLC CA, United States
