When the European General Data Protection Regulation came into force in May 2018, it had far-reaching consequences for event planners. This impact was particularly noticeable in participant management, where guest data is collected and processed: data processing procedures had to be reviewed and adjusted.
Even today, uncertainties about complying with the EU GDPR keep resurfacing. The pandemic-driven boom in virtual events has also raised new questions: How does data protection apply to virtual events? Which tools and providers can be used to run GDPR-compliant online events?
The General Data Protection Regulation comprises 99 articles. Here, we have compiled a brief overview of the most important points regarding data protection for events.
Data Minimization and Purpose Limitation. The principle of data minimization states that only data strictly necessary for the stated purpose may be collected, and as little of it as possible. Event organizers should therefore ask themselves whether they really need the private addresses of their participants. Are goody bags being mailed? Then the postal address may be collected. Is the event purely virtual? Then a name and email address will usually suffice. Special categories of personal data, such as health data, enjoy additional protection under Art. 9 GDPR: in an event context they may generally only be processed with the explicit consent of the individuals concerned. This applies, for example, to questions about food intolerances and allergies. If such data is passed on to a catering company, that company acts as a processor, and the organizer must ensure by a data processing agreement (Art. 28 GDPR) that the caterer protects the data as well and deletes it after the event.
Self-determination. The small checkbox, awaiting an affirmative tick, has become an indispensable part of every registration process. Consent is one of the lawful bases on which personal data may be processed (Art. 6 GDPR); the registration itself can often rest on the contract with the participant, but any use beyond it, such as a newsletter or passing data to sponsors, needs the participant's freely given, informed consent. Registration forms must therefore obtain that consent actively: a pre-ticked box or mere silence does not count as consent.
Transparency. Participants have the right to know what data about them is stored, where, and for what purpose. To provide this transparency, event organizers need an overview of the stored data and its storage locations, including the data held by processors such as the caterer or the mailing tool, so that an access request can be answered promptly; such requests must generally be answered within one month (Art. 12 GDPR). The right to know is accompanied by the right to be forgotten: participants can request the deletion of their data. It is therefore advisable to design a deletion concept that covers every storage location, backups and exports included, and allows quick responses to such requests.
Encryption. The first step is the secure transmission of personal data. Websites where participant data is collected via registration forms, and the platforms on which virtual events run, must serve every page over HTTPS with a current TLS configuration, and the underlying software must be kept up to date. Stored data, including backups and exports, should be encrypted as well.
Double Opt-in Procedure. To be able to demonstrate that participants actively consented (Art. 7(1) GDPR), the double opt-in procedure is recommended. After registration, a confirmation email is sent containing a link; only when the participant clicks that link is the registration treated as confirmed and the data retained. The link should carry a token that cannot be guessed, expires after a limited time, and works only once, and the confirmation should be logged together with its timestamp and the consent wording that was shown. Registrations that are never confirmed should be deleted once the link has expired.
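As an added example (not AirLST's code and not part of the original page), the double opt-in flow described above together with the deletion concept from the Transparency section, in Python. It assumes an in-memory dictionary standing in for the participant database, a placeholder secret key, a constructed consent wording, and a stub outbox in place of a mailer; the confirmation token is a random registration id plus an expiry, bound together by an HMAC so that a leaked pending table does not allow confirmations to be forged.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption: in production the key comes from a secret store; this literal is
# a constructed placeholder so the example runs offline.
SECRET = b"constructed-placeholder-secret-change-me"
TOKEN_TTL = 48 * 3600  # a confirmation link stays valid for 48 hours

# Constructed consent wording. Its hash is stored with every confirmation so
# the organizer can later show which text the participant agreed to.
CONSENT_TEXT = ("I agree that my name and e-mail address are stored for "
                "organizing the event and for the event newsletter.")
CONSENT_VERSION = hashlib.sha256(CONSENT_TEXT.encode()).hexdigest()[:16]


@dataclass
class Registration:
    rid: str              # random id; the only part of the token kept server-side
    email: str
    name: str
    created: int
    confirmed_at: Optional[int] = None
    consent_version: Optional[str] = None


def _mac(rid: str, exp: int) -> str:
    return hmac.new(SECRET, f"{rid}.{exp}".encode(), hashlib.sha256).hexdigest()


def make_token(rid: str, exp: int) -> str:
    """Link token: registration id, expiry, and an HMAC binding the two."""
    return f"{rid}.{exp}.{_mac(rid, exp)}"


def parse_token(token: str, now: int) -> Optional[str]:
    """Return the registration id if the token is genuine and not expired."""
    try:
        rid, exp_s, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return None
    if exp < now or not hmac.compare_digest(mac.encode(), _mac(rid, exp).encode()):
        return None
    return rid


class RegistrationStore:
    """In-memory stand-in for the participant database (assumption)."""

    def __init__(self, now=lambda: int(time.time())):
        self.now = now
        self.pending = {}    # rid -> Registration, not yet a participant
        self.confirmed = {}  # email -> Registration
        self.outbox = []     # (recipient, token) pairs a real mailer would send

    def register(self, email: str, name: str) -> str:
        """Step 1: keep the minimum needed and e-mail a confirmation link."""
        rid = secrets.token_urlsafe(16)
        created = self.now()
        self.pending[rid] = Registration(rid, email, name, created)
        self.outbox.append((email, make_token(rid, created + TOKEN_TTL)))
        return rid

    def confirm(self, token: str) -> bool:
        """Step 2: the link is clicked; only now is the record kept permanently."""
        now = self.now()
        rid = parse_token(token, now)
        reg = self.pending.pop(rid, None) if rid else None  # tokens are single-use
        if reg is None:
            return False
        reg.confirmed_at = now
        reg.consent_version = CONSENT_VERSION
        self.confirmed[reg.email] = reg
        return True

    def purge_unconfirmed(self) -> int:
        """Data minimization: drop registrations whose link has expired."""
        cutoff = self.now() - TOKEN_TTL
        stale = [rid for rid, r in self.pending.items() if r.created < cutoff]
        for rid in stale:
            del self.pending[rid]
        return len(stale)

    def export(self, email: str) -> Optional[dict]:
        """Right of access: everything held about one confirmed participant."""
        reg = self.confirmed.get(email)
        return None if reg is None else vars(reg).copy()

    def erase(self, email: str) -> bool:
        """Right to erasure: remove the person from every storage location."""
        removed = self.confirmed.pop(email, None) is not None
        for rid in [r for r, v in self.pending.items() if v.email == email]:
            del self.pending[rid]
            removed = True
        self.outbox = [(to, t) for to, t in self.outbox if to != email]
        return removed
```

The link itself contains no personal data, a tampered or expired link is rejected in constant time, a second click on the same link does nothing, and `erase` has to visit every place the address was written, which is exactly the inventory a deletion concept needs to maintain; in a real system that list would also include the mailing provider and backups.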
Server locations and storage locations. The GDPR applies regardless of where the data is stored, but transfers to countries outside the EU/EEA are only permitted under the conditions of Chapter V of the GDPR, such as an adequacy decision or standard contractual clauses. Since the CJEU's Schrems II ruling of July 2020 invalidated the EU-US Privacy Shield, services that store or process data in the USA have posed a problem for organizers, and the same question must be asked of a provider's sub-processors, for example its email delivery or video streaming services. AirLST, for instance, hosts all data stored via its participant management tool in Frankfurt. The data therefore stays in Germany and is not routed through the USA or other non-EU countries during processing.
For virtual events, all participants log in to the event platform from their own devices. Even the IP address counts as personal data in this context, so an open event without registration still involves processing personal data: those logging in must be informed about it in a privacy notice, and the organizer needs a lawful basis for it. Where interactions, videos, or shared virtual whiteboards are used, and especially where these are recorded and later published, participants' consent must be obtained beforehand. If sensitive company data is discussed or shared in virtual discussion rooms, it must be particularly protected, and participants should be explicitly informed about the confidentiality of that data.
In summary, participants, users, and event managers alike need to keep being made aware of data protection. Awareness of sensitive information must be trained, and sound knowledge removes barriers and fears at the same time. After all, it is not that complicated, and there are tools, means, and ways to make events data-secure in a straightforward manner.
In October 2021, we supported the autumn conference of the Professional Association of Data Protection Officers in Germany (BvD) e.V. Under the motto "Economy Meets Supervision. Shaping Digitalization: Challenges of the Modern World of Work", the professional association met in person in Munich and virtually on our platform. Naturally, everything was EU GDPR-compliant. Our servers are located in Frankfurt, and with BigBlueButton, we rely on a German conference system that we individually modify. In the live stream and breakout rooms, approximately 300 logged-in visitors discussed topics such as handling data breaches, the relationship between data protection and social media, and data protection in human resources.
Further Resources:
Fraunhofer Institute for Secure Information Technology SIT: Selection and Use of Web-Based Communication Services in Times of Corona. Data Protection and Data Security Aspects, 2020, https://www.athene-center.de/fileadmin/content/PDF/Onlinetools-Whitepaper.pdf?_=1589355004
