GDPR

The General Data Protection Regulation (“GDPR”) is a data privacy regulation that came into effect on May 25th, 2018 and applies to any event worldwide that collects personal data from individuals in the European Union (the regulation protects data subjects who are in the EU, whatever their nationality). Event organizers who collect personal data from such attendees are required to have a lawful basis for doing so: in practice, either the attendee’s express, freely given consent, obtained before the data is collected and used, or the necessity of the processing for the contract the attendee enters into when registering.

In summary, each participant must give his/her free and prior consent regarding the collection of sensitive data, the re-use of his/her data for commercial purposes and the use of cookies for certain purposes (see Data Collection Obligations below).

GDPR states that data may not be stored for longer than is necessary for its intended purpose; however, it does not define any standard duration. As a best practice, event organizers and subcontractors should remove from their databases those participants who have not registered for one of their events in more than three years and with whom they do not maintain an active business relationship.

The organizer and the subcontractor must each keep a record of all processing activities carried out under their responsibility. This record is detailed because it must include, at a minimum, the name and contact information of the person in charge of the data, the purpose of each processing operation, the recipients and subcontractors who receive the data, the categories of participants involved and the data collected, and any use of profiling (see Security Obligations below).

In addition, any organizer who processes data through a subcontractor must draw up a contract which defines the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, the terms of destruction or return of the data at the end of the service, and the obligations and rights of the controller. The organizer is the controller of the data with regard to the participants; if the subcontractor itself determines the purposes and means of the processing, it is considered a controller for that processing.
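The three-year retention practice above is easy to state and easy to get subtly wrong (boundary days, leap years, the active-relationship exception, and the fact that subcontractors must delete their copies too). The following is an added example, not EventEngage’s code; the participant IDs, dates and the `Participant` fields are hypothetical, and the sample data is constructed:

```python
"""Retention sweep implementing the three-year best practice above.

Added illustration, not EventEngage code. A participant is purged when the most
recent registration is more than three years before the reference date AND no
active business relationship exists. The purge list is also what is forwarded
to subcontractors, who must delete their copies. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Tuple

RETENTION_YEARS = 3  # the text's recommended maximum shelf life


@dataclass(frozen=True)
class Participant:
    participant_id: str         # hypothetical identifier
    last_registration: date     # date of the most recent event registration
    active_relationship: bool   # e.g. current sponsor contact, open contract


def years_before(reference: date, years: int) -> date:
    """Calendar-exact cutoff. 29 February maps to 28 February in a non-leap year."""
    try:
        return reference.replace(year=reference.year - years)
    except ValueError:              # reference is 29 Feb and target year is not leap
        return reference.replace(year=reference.year - years, day=28)


def is_expired(p: Participant, reference: date) -> bool:
    """True when the participant should be purged as of `reference`."""
    if p.active_relationship:       # an active relationship overrides the age rule
        return False
    cutoff = years_before(reference, RETENTION_YEARS)
    # "More than three years": a registration exactly on the cutoff day is kept.
    return p.last_registration < cutoff


def retention_sweep(participants: Iterable[Participant],
                    reference: date) -> Tuple[List[str], List[str]]:
    """Split participants into (keep, purge) ID lists.

    `purge` is the deletion list for the organizer's own database and the list
    to send to every subcontractor that holds a copy of the data.
    """
    keep: List[str] = []
    purge: List[str] = []
    for p in participants:
        (purge if is_expired(p, reference) else keep).append(p.participant_id)
    return keep, purge


# Constructed sample data (hypothetical IDs and dates).
SAMPLE_REFERENCE = date(2021, 6, 1)
LEAP_EXAMPLE = date(2020, 2, 29)
SAMPLE_PARTICIPANTS = [
    Participant("p-001", date(2021, 3, 15), False),  # recent: keep
    Participant("p-002", date(2018, 6, 1), False),   # exactly 3 years: keep
    Participant("p-003", date(2018, 5, 31), False),  # 3 years + 1 day: purge
    Participant("p-004", date(2015, 9, 9), True),    # old but active: keep
    Participant("p-005", date(2017, 1, 20), False),  # old, inactive: purge
]

if __name__ == "__main__":
    keep, purge = retention_sweep(SAMPLE_PARTICIPANTS, SAMPLE_REFERENCE)
    print("keep:", keep)
    print("purge (also send to subcontractors):", purge)
```

Run the sweep on a schedule against the reference date of the run, and feed the `purge` list both to the organizer’s own deletion job and to each subcontractor that holds participant data, since deleting only the organizer’s copy does not satisfy the storage-limitation principle.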



As stated within this regulation, individuals in the EU have the right to access their personal data and to request its deletion. The GDPR must be treated seriously because it impacts almost every event organizer around the world, and non-compliance can lead to fines of up to 20 million euros or 4% of the company’s worldwide annual turnover, whichever is higher. Furthermore, large brands and corporate sponsors are equally careful to check that data collection is done in line with GDPR.





What is GDPR?

The General Data Protection Regulation (EU) 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also governs the transfer of personal data outside the EU and EEA.

This (relatively new) regulation aims to better manage the rights of individuals within the digital evolution, including the development of “big data”, e-commerce and connected devices, which are based primarily on the collection and processing of personal data.

It aligns data privacy laws across Europe, protects the privacy of individuals in the EU and imposes important obligations on anyone who processes their personal data, concerning (i) the collection and transfer of personal data and (ii) data security.



Fundamentals of GDPR

Consent

You must have a lawful basis to store and use the personal data of participants who are in the EU. Where that basis is consent, it must be freely given, specific, informed and unambiguous (a clear affirmative action; a pre-ticked box does not count), and you must transparently explain how the data will be used.



Privacy

Participants can ask you to delete their data (the right to erasure) and to stop sharing it with third parties. Third parties that received the data from you must then stop processing it and delete it upon request.



Access:

You must give participants access to their data, and explain how you are using it, without undue delay and at the latest within one month of the request (this can be extended by two further months for complex or numerous requests, provided you tell the participant why within the first month).



Portability:

Participants can ask you to provide them with the data they gave you in a structured, commonly used and machine-readable digital format, so that they can transmit it to another data controller.



Security:

A personal data breach must be reported to the competent supervisory authority within 72 hours of you becoming aware of it (where feasible), and to the affected participants without undue delay when the breach is likely to result in a high risk to them. You must also implement appropriate technical and organisational measures, in line with industry standards, in the systems that manage participants’ data.





Why is GDPR important for Event Organizers?

GDPR affects almost any company processing personal data. Personal data is any information relating to an identified or identifiable person (e.g. name, address, date of birth, location, ID numbers, online identifiers such as IP addresses, etc.). In the case of events, it applies to all event organizers, event registration platforms, mobile applications and business meeting platforms used at events.

GDPR has a principle of extraterritoriality: any company that collects data from individuals in the European Union must comply with the regulation, even if the company is not established in the European Union. If a person in the EU registers for an event held abroad, the organizer and his/her subcontractors must comply with GDPR. This regulation has therefore affected almost all events worldwide.



Responsibilities of Event Organizers

The GDPR introduces rights for attendees of an event and obligations that require event organizers to review the way they work: how they collect data from participants, how they inform them of the purpose of the collection and of their rights, and how they ensure the security of that data.

As the data controller, the organizer must be able to demonstrate that the participant has given consent to the processing of his/her data and that the processing is carried out under the rules of GDPR. In practice this means keeping evidence of who consented, to what, when, and which version of the privacy notice they were shown.
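One way to keep that evidence, as an added example (not EventEngage’s code; the purpose names, participant IDs, partner names and notice versions are hypothetical, and the sample decisions are constructed): each decision is appended, never edited, with the exact purpose, the partner it covers (one decision per sponsor, matching the one-checkbox-per-partner rule in the summary), the notice version and a timestamp, and the entries are hash-chained so that a later edit is detectable. Purposes that are necessary for the registration contract need no consent record; everything else does.

```python
"""Consent evidence ledger for a participant database.

Added illustration, not EventEngage code. Every consent decision is stored
with the purpose, the partner it covers, the privacy-notice version shown,
a timestamp and a SHA-256 chain link. Sample decisions are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional

# Processing necessary to perform the registration contract (see Data
# Collection Obligations). Anything else is consent-based. Names are hypothetical.
CONTRACT_NECESSARY = {"registration", "event_access", "networking_platform"}
GENESIS = "0" * 64


@dataclass(frozen=True)
class ConsentRecord:
    participant_id: str
    purpose: str             # e.g. "prospecting_email", "share_with_sponsor"
    partner: Optional[str]   # sponsor/exhibitor this decision is for, if any
    granted: bool            # True = consent given, False = withdrawn
    notice_version: str      # privacy-notice version the participant was shown
    recorded_at: str         # ISO-8601 UTC timestamp
    prev_hash: str           # entry_hash of the previous record
    entry_hash: str = ""     # SHA-256 over all other fields

    def compute_hash(self) -> str:
        payload = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        blob = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode("utf-8")).hexdigest()


class ConsentLedger:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record(self, participant_id: str, purpose: str, granted: bool,
               notice_version: str, partner: Optional[str] = None,
               at: Optional[datetime] = None) -> ConsentRecord:
        """Append one decision. Withdrawals are new entries, never edits."""
        at = at or datetime.now(timezone.utc)
        prev = self.records[-1].entry_hash if self.records else GENESIS
        rec = ConsentRecord(participant_id, purpose, partner, granted,
                            notice_version, at.isoformat(), prev)
        rec = replace(rec, entry_hash=rec.compute_hash())
        self.records.append(rec)
        return rec

    def latest(self, participant_id: str, purpose: str,
               partner: Optional[str] = None) -> Optional[ConsentRecord]:
        """Most recent decision for this exact (participant, purpose, partner)."""
        for rec in reversed(self.records):
            if (rec.participant_id, rec.purpose, rec.partner) == \
                    (participant_id, purpose, partner):
                return rec
        return None

    def may_process(self, participant_id: str, purpose: str,
                    partner: Optional[str] = None) -> bool:
        """Lawfulness check: contract necessity, or a current unrevoked consent."""
        if purpose in CONTRACT_NECESSARY:
            return True
        rec = self.latest(participant_id, purpose, partner)
        return rec is not None and rec.granted

    def verify_chain(self) -> bool:
        """Recompute every hash; False if any entry was altered or reordered."""
        prev = GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.compute_hash() != rec.entry_hash:
                return False
            prev = rec.entry_hash
        return True


def build_sample_ledger() -> ConsentLedger:
    """Constructed decisions for one hypothetical participant."""
    ledger = ConsentLedger()
    t0 = datetime(2021, 5, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("p-001", "prospecting_email", True, "notice-v2", at=t0)
    ledger.record("p-001", "share_with_sponsor", True, "notice-v2",
                  partner="ACME", at=t0)
    # Two weeks later the participant opts out of e-mail prospecting.
    ledger.record("p-001", "prospecting_email", False, "notice-v2",
                  at=t0.replace(day=15))
    return ledger


def tamper_with(ledger: ConsentLedger, index: int) -> None:
    """Simulate an after-the-fact edit (flip a withdrawal back to a grant)."""
    ledger.records[index] = replace(ledger.records[index], granted=True)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("e-mail prospecting:", ledger.may_process("p-001", "prospecting_email"))
    print("share with ACME:", ledger.may_process("p-001", "share_with_sponsor", "ACME"))
    print("share with Globex:", ledger.may_process("p-001", "share_with_sponsor", "Globex"))
    print("chain intact:", ledger.verify_chain())
```

The point of the chain is not cryptographic proof against a hostile database administrator (anyone who can rewrite every later entry can recompute the chain) but cheap detection of the common failure, an entry quietly edited in place; for stronger evidence, periodically sign or externally anchor the last `entry_hash`. Answering a regulator or a participant then means returning the `latest` record for the purpose in question rather than reconstructing what a checkbox looked like years ago.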



Information Obligations

When collecting participant data via his/her ticketing tool, the organizer must provide the participant with information about the processing of his/her data that is concise, transparent, understandable and easy to access.

Regarding the processing of data of participants and exhibitors, the organizer must provide the following mandatory information when registering a participant:

  • The organizer’s identity and role as the controller responsible for the processing of the data

  • Whether the fields are mandatory or optional for participation in the event

  • The reasons for requesting this data from his/her participants (i.e., the purpose for collecting the data)

  • A list of the companies that will have access to the data (e.g., security companies, IT service providers, sponsors, etc.)

  • The retention period of this data in databases (recommended to be a maximum of three years)

  • How the data subjects can exercise their rights, and whether the data will be transferred outside the EU (not recommended, and only lawful with appropriate safeguards such as an adequacy decision or standard contractual clauses)



Data Collection Obligations

The collection and processing of participant data is lawful only if it rests on a legal basis. For event registration this is, in practice, either (a) the participant’s consent to the processing of his/her data for a specific purpose or (b) the necessity of the processing for the performance of a contract to which the participant is a party (GDPR Article 6 lists further bases, such as a legitimate interest, which must be assessed case by case).

  • With regard to prospecting emails, the GDPR principle remains the same: when collecting data, the participant must give consent in an explicit, free, specific and informed manner to being prospected by phone or email.

  • With regard to the collection of participants’ data by exhibitors, GDPR applies the same rules as to any other commercial contact. Sponsors and exhibitors can retrieve the details of the participants visiting their stand through the collection of business cards, badge scans or a networking platform. These forms of data collection are preferable because they rest on the explicit consent of the participant, materialised by a free and positive action on his/her part (handing over a card, accepting a scan).

  • With regard to the transfer of participant data to an event platform (like EventEngage), GDPR does not require the participant’s consent for the collection and transfer of data where this processing is necessary for the performance of the contract between the participant and the organizer. This necessity is interpreted strictly in relation to the nature and purpose of that contract, namely participation in the event. Since participation in an event is driven by the desire to receive information and/or to network, a means that facilitates these objectives can be considered as contributing to the contract between the participant and the organizer. It is therefore not necessary to collect explicit consent from participants to transfer their data to an event platform where they register for the event, access the content and network with other participants. Uses that go beyond this (for example, passing the data to sponsors for prospecting) are not covered by the contract and need their own basis.

Irrespective of the basis above, the participant’s free and prior consent is specifically required for:

  • The collection of sensitive data (special categories such as health, religion or trade-union membership; note that dietary or accessibility requirements can reveal these)

  • The re-use of data for commercial purposes

  • The use of cookies for certain purposes (those not strictly necessary to provide the service)





Security Obligations

The organizer and his/her subcontractors must enforce measures to:

  • Prevent unauthorized persons from accessing the facilities used for data processing

  • Prevent data from being read, copied, modified or deleted without authorization

  • Prevent unauthorized inspection, modification or deletion of personal data

Record of Processing Activities

The organizer and his/her subcontractors must also keep a record of their processing activities. This record must include:

  • The name and contact information of the person in charge of the data

  • The purpose of each processing operation

  • The recipients/subcontractors who received the data

  • The participants involved and the data collected

  • The possible use of profiling, etc.





Summary (TLDR version):

  • The GDPR applies to any event organizer and subcontractor who collects data from individuals in the European Union,

  • The organizer must explain the purpose of data processing in an understandable and transparent way,

  • The transfer of data outside the European Union is strictly supervised. Any transfer of data to commercial partners must be consented to by the participant; consent must be given for each partner separately and demonstrated by an affirmative action such as ticking an (unticked) checkbox,

  • Consent is not required for transferring participant data to subcontractors involved in the execution of the contract, such as a ticketing solution or networking platform; profiling (including through Artificial Intelligence services) must still be disclosed to the participant and, where it produces legal or similarly significant effects, is subject to GDPR’s specific rules on automated decision-making,

  • The scanning of badges, the collection of business cards and the retrieval of participant data by exhibitors/sponsors for prospecting purposes is lawful, provided that the participant can object to any solicitation both when their data is collected and afterwards,

  • The organizer remains responsible, as controller, for the handling of participants’ data and must ensure its subcontractors are GDPR compliant,

  • Subcontractors of the organizer must respect the rules of GDPR, and their contracts must include the mandatory clauses imposed by the GDPR, and

  • Subcontractors become responsible as controllers for participants’ data when they determine the purposes and means of their own processing.



Event Registration:

How participant data is handled depends on the registration path:

  • Direct registration via EventEngage: When data collection happens directly within EventEngage, we ensure that participants provide their free and explicit consent, with a separate choice for each category of data access and sharing. Our registration pages transparently present our Privacy Policy, Cookie Policy and Terms of Use, which set out how we treat their data, their rights to access, modify and delete it, how to file a complaint, what actions we track and how the cookies we use work.

  • Using a third-party registration platform: When using a third-party ticketing and event registration platform, we strongly recommend that you state on your website and in the ticketing solution that you are using an event platform and provide a link to our website.

  • When importing participants’ data collected via another platform: We recommend that you decide which tickets and data to import and which not to import; where the appropriate consent is not available, do not import the data.




Attending the Event

On the participant’s first login, we offer the option to review the conditions pertaining to their data access and sharing, and they can reconfigure these settings later from their profile page. The participant can restrict their data from being shared with sponsors and exhibitors, and can ask EventEngage to delete their account at any time.



Networking & Sharing contact info

By default, the contact details of all attendees are private. A participant’s data is not shared with another party unless they exchange business cards or accept a LinkedIn connection request. Participants can also opt out of networking entirely, in which case they are not listed in the networking section and nobody can send them a connection request. They can change their mind later by changing the setting on their profile page.



Security of Data

EventEngage is hosted on AWS and relies on its infrastructure to protect participant data. We work with accredited subcontractors certified against current security standards such as ISO 27001, ISO 27018, SOC 2 and PCI DSS. Such certifications cover the subcontractor’s infrastructure and services; under the cloud shared-responsibility model, controls inside the application (who can see which participant’s data, how long it is kept, how deletion requests are fulfilled) remain the platform’s own responsibility.





Disclaimer. This document is intended to convey general information only, as a starting point for your understanding of the GDPR regulatory requirements. It is not intended as legal advice, nor is it meant to convey legal facts. No action should be taken in reliance on the information found here, and EventEngage disclaims all liability with respect to any acts or omissions based on the contents of this document. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance and GDPR-related issues.






EventEngage



All-in-one virtual & hybrid event platform that allows event planners to host branded immersive events. EventEngage covers all virtual & hybrid event requirements: registration microsite, EDM, payment integration, registration workflow, agenda, virtual lobby, virtual expo hall, virtual booths, live chat, polls & Q&A, live & recorded streaming, translations, business cards, real-time analytics & more.



Copyright © 2021 EventEngage LLC










hello@eventengage.io