The General Data Protection Regulation (“GDPR”) is a data privacy regulation that came into effect on May 25th, 2018 and applies to any event worldwide that collects data from citizens of the European Union. Event organizers who collect personal data from attendees living in the European Union is required to obtain an expressed and free consent from these attendees before collecting and using their data.

What is GDPR?

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas

This (relatively new) regulation aims to better manage the rights of individuals within the digital evolution, including the development of “big data”, e-commerce and connected devices, which are based primarily on the collection and processing of personal data.

It aligns data privacy laws in Europe, protects the privacy of EU citizens and imposes important new obligations on anyone who processes data concerning (i) the collection and transfer of personal data and rules regarding (ii) data security.


We may ask for personal information, such as your:

  • Name
  • Email
  • Social media profiles
  • Date of birth
  • Phone/mobile number
  • Home/Mailing address
  • Work address
  • Website address
  • Payment information

Fundamentals of GDPR


You must obtain consent from your participants who are EU citizens to store and use their data and transparently explain how this data will be used.


Participants can ask you to delete their data and to stop sharing their data with third parties. These third parties are obliged to stop processing the data and must delete it upon request.


You must provide your participants access to their data within 30 days and explain to them how you are using their data.


Participants can ask you to transfer to them their data in a digital format in order to transmit their data to another data controller.


Any security breach should be reported to the participants with 72 hours of you becoming aware of such breach and you are liable to use technology systems that manage participants’ data according to industry standards.

Why is GDPR important for Event Organizers?

GDPR affects almost any company processing personal data. Personal data can be defined as any information used to identify a person (e.g. name, address, date of birth, location, ID numbers, etc.). In case of events, it applies to all event organizers, event registration platforms, mobile applications and business meeting platforms used in events.

GDPR has a principle of extraterritoriality which automatically requires any company that collects data from a European citizen to comply with the regulation, even if the company is not established in the European Union. If a European citizen registers for that event abroad, the organizer and his/her subcontractors must comply with GDPR. This regulation has therefore affected almost all events worldwide.

Responsibilities of Event Organizers

The GDPR introduces new rights for attendees of an event and obligations that require event organizers to review the way they work, how they collect data from participants, inform them of the purpose of data collection and their rights and how the organizer ensures the security of his/her data.

As the person managing the data, the organizer must prove that the participant has provided consent regarding the processing of his/her data and that this processing is carried out under the rules of GDPR.


When collecting participant data via his/her ticketing tool, the organizer must provide him/her with information that is concise, transparent, understandable and easy to access regarding the processing associated with his/her data. The information must be accessible and easy to understand.

Regarding the processing of data for participants and exhibitors, the organizer must indicate the below mandatory information when registering a participant:

  • The organizer’s role as the one responsible for the processing of data
  • Whether the fields are mandatory or optional for participation in the event
  • The reasons for requesting this data from his/her participants (i.e., the purpose for collecting the data)
  • A list of the companies that will have access to the data (i.e., security companies, IT service providers, sponsors, etc.)
  • The shelf life of this data in databases (recommended to be maximum of three years)
  • How the data subjects can exercise their rights, and if the data will be transmitted outside the EU (doing so is not recommended)

The collection & processing of participant data is lawful only if: (a) the participant has consented to the processing of his/her data for a specific purpose and (b) the processing is necessary for the performance of a contract where the participant concerned is a party.

  • With regards to prospecting emails, GDPR principle remains the same: when collecting data, the participant must give consent in an explicit, free, specific, and informed manner to being prospected by phone or email.
  • With regards to collecting participants’ data by exhibitors, GDPR has the same rules as other commercial contact attempt. However, sponsors and exhibitors can retrieve the details of the participants on their stand through the collection of business cards, badge scans or through a networking platform. These forms of data collection are preferable because they are subject to the explicit consent of the participant, which is materialized by a free and positive action on his/her part.
  • With regards to transfer of participant data to events platform (like EventEngage), GDPR states that the consent of participants regarding the collection and transfer of their data is not required if this processing is necessary for the performance of the contract between the participant and the organizer. The need to collect and process this data will be strictly interpreted in relation to the nature and purpose of the contract determined between the organizer and the participant, namely regarding his/her participation in the event. Since participation in an event is governed by the desire to receive information and/or to network, any means that facilitates the achievement of these objectives can be considered as contributing toward the objective of the contract entered between the participant and the organizer. As such, it is not necessary to collect explicit consent of participants to transfer their data to an event platform where he/she can register for the event, access the content and network with other participants
  • The collection of sensitive data
  • The re-use of data for commercial purposes
  • The use of cookies for certain purposes

The organizer and his/her subcontractors must enforce measures to:

  • Prevent unauthorized persons from accessing the facilities used for data processing
  • Prevent data from being read, copied, modified or deleted without authorization
  • Prevent unauthorized inspection, modification or deletion of personal data
  • The name and contact information of the person in charge of the data
  • The purpose of each treatment of data
  • The recipients/subcontractors who received the data
  • The participants involved and the data collected
  • The possible use of profiling, etc.

Summary (TLDR version):

  • The GDPR applies to any event organizer and subcontractor who collects data from European citizens,
  • The organizer must inform the purpose of data processing in an understandable and transparent way,
  • The transfer of data outside the European Union is strictly supervised,
    Any transfer of data to commercial partners must be consented by the participant, and consent by the participant must be provided for each partner and be demonstrated by a mark in a checkbox,
  • Consent is not required for transferring participant data to subcontractors involved in the execution of the contract, such as a ticketing solution, networking platform or when using Artificial Intelligence services for profiling,
  • The scanning of badges, business cards and the retrieval of participant data by exhibitors/sponsors for the purpose of prospecting is lawful, provided that the participant can oppose any solicitation both during the collection of their data and after,
  • The organizer remains the sole entity responsible for the handling of participants’ data and must ensure its subcontractors are GDPR compliant,
  • Subcontractors of the organizer must respect the rules of GDPR, and their contracts must include the mandatory clauses imposed by the GDPR, and
  • Subcontractors are responsible for processing participants’ data when they determine the purposes and means of their own treatment.

On the very first login of the participant, we offer the option to the participants to review the conditions pertaining to their data access & sharing. This allows them the option to reconfigure these provisions in their individual profile pages. The participant can restrict their data from being shared with the sponsors, exhibitors, as well as request EventEngage for the deletion of their account at any time.


By default, the contact details of all attendees are private. Unless they exchange business cards or accept a LinkedIn connection request, the participant’s data is not shared with another party. The participants can also configure if they don’t want their data to be visible & accessible for networking in which case they won’t be listed in the networking section, so no one will be able to connect with them. They can change their mind and join the networking area later on by changing the setting in their profile page.


EventEngage is hosted with AWS and uses a secure infrastructure to ensure participant data is fully secure at all times. We work with highly accredited subcontractors who are certified with latest security credentials such as ISO27001, ISO27018, SOC2, PCI DSS, etc.

By providing personal information to us, you consent to us collecting, holding, using and disclosing your personal information in accordance with this privacy policy. If you are under 16 years of age, you must have, and warrant to the extent permitted by law to us, that you have your parent or legal guardian’s permission to access and use the website and they (your parents or guardian) have consented to you providing us with your personal information. You do not have to provide personal information to us, however, if you do not, it may affect your use of this website or the products and/or services offered on or through it.

If we receive personal information about you from a third party, we will protect it as set out in this privacy policy. If you are a third party providing personal information about somebody else, you represent and warrant that you have such person’s consent to provide the personal information to us.

You may choose to restrict the collection or use of your personal information. If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us using the details below. If you ask us to restrict or limit how we process your personal information, we will let you know how the restriction affects your use of our website or products and services.

You may request details of the personal information that we hold about you. You may request a copy of the personal information we hold about you. Where possible, we will provide this information in CSV format or other easily readable machine format. You may request that we erase the personal information we hold about you at any time. You may also request that we transfer this personal information to another third party.

If you believe that any information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, please contact us using the details below. We will take reasonable steps to correct any information found to be inaccurate, incomplete, misleading or out of date.

We will comply laws applicable to us in respect of any data breach.

If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a regulatory body or data protection authority in relation to your complaint.

To unsubscribe from our e-mail database or opt-out of communications (including marketing communications), please contact us using the details below or opt-out using the opt-out facilities provided in the communication.

Disclaimer: This document is intended to convey general information only as a starting point for your understanding the GDPR regulatory requirements. It is not intended as legal advice, nor is it meant to convey legal facts. No action should be taken in reliance on the information found here, and EventEngage disclaims all liability with respect to any acts or omissions based on the contents of this document. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance and GDPR-related issues

Scroll to Top

Please fill your details below