In-person events: complying with the GDPR

An event with 300 attendees means 300 registration forms, attendance lists, badge scans, confirmation emails, photos, and perhaps a follow-up newsletter. That’s just as many points where personal data is collected—and just as many GDPR obligations. As an organizer, are you truly compliant? It’s a question worth asking head-on. This article reviews the specific obligations that apply to your business—from collecting participant data to ensuring the security of the platform you use—so you can take action rather than just react.

What is the GDPR?

GDPR: A European regulation that also applies to events

The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, applies to any organization that processes the personal data of European residents, regardless of its size. For an event organizer, this means in practice that every instance of data collection—including a paper attendance list or a badge scan—constitutes processing under the GDPR and triggers certain obligations. The penalties imposed by the CNIL are substantial: in 2024, the authority issued 87 penalties totaling more than 55 million euros in fines (source: CNIL, 2024 Activity Report). This is not a reason to panic; it is a reason to take action.

The two key players: the data controller and the data processor

The GDPR is based on a fundamental distinction: the data controller and the data processor. As an organizer, you are the data controller: you decide why and how data is collected. The event platform you use is your data processor: it processes data on your behalf, according to your instructions. This distinction has a direct consequence: even if you delegate to a platform, you remain legally responsible for the practices of that data processor. We will return to this crucial point in the final section.

Key takeaways

As an organizer, you are the data controller.
The platform you choose is your data processor.
You are legally responsible for its practices.

Impact of the GDPR on B2B and B2C Event Organizers

B2B Events: Often Overlooked Requirements

A common misconception: “Business data is not covered by the GDPR.” This is incorrect. An employee’s contact information—their name, work email address, and job title—constitutes personal data under the regulation. Industry conferences, trade shows, and client seminars: all are covered. The legal basis of “legitimate interest” is often applicable in B2B contexts for sending invitations or conducting sales follow-ups, but it must be documented in your processing record. It does not exempt you from informing individuals.

B2C Events: Even Higher Standards

In the B2C sector, explicit consent is frequently required, particularly whenever data processing goes beyond the logistical organization of the event. Publicly shared photos and videos of the event, the collection of health data for a sporting event, and the processing of data pertaining to minors are all sensitive cases that require special attention. One point is frequently overlooked: post-event communication— sending a replay, a satisfaction survey, or a follow-up newsletter—requires a legal basis distinct from simple registration. Consent obtained for registration does not constitute consent for subsequent communications.

B2B2C Event

Some B2B events may also involve accompanying guests, such as spouses or even children. For example, at “family days” where the company, factory, or manufacturing facility opens its doors to family members so they can learn about the job of an employee who works there.

Some companies that are part of our industrial heritage may also open their doors during Heritage Days. Such an event attracts a mix of employees and members of the general public.

The obligation to inform individuals

What must a compliant information sheet include?

Article 13 of the GDPR requires that all privacy notices include specific information: the identity and contact details of the data controller, the purposes and legal basis of each processing activity, the recipients or categories of recipients of the data, the retention period, the rights of data subjects and how to exercise them, the contact details of the DPO if your organization has appointed one, and the existence of any transfers outside the European Union. This notice must be written in clear and understandable language—legal jargon is not an excuse; it is an obstacle.

When should the information be provided?

The principle is simple but non-negotiable: information must be provided before data is collected. In practice, this means making it available on the online registration form (before submission), in the registration confirmation email, on the accreditation management application, and at the on-site check-in kiosk. Placing a link to the privacy policy in the footer of an email is not sufficient. The information must be visible, accessible, and presented before the person provides their data.

Transparency in data collection

Identify the appropriate legal basis based on the type of event

Every processing operation must be based on one of the legal grounds provided for in the GDPR. 

The most common legal bases in the events industry are as follows:
Consent: used in particular for sending a post-event newsletter, as well as for the use of photos and videos. It must be freely given, specific, informed, and revocable at any time.
Legitimate interest: often used for sending the program, B2B sales follow-ups, or certain communications related to the event. Its use requires a documented balancing of interests between the organizer’s needs and the rights of the individuals concerned.
Performance of a contract: applies, for example, to a paid registration or the issuance of a badge required for participation. This legal basis must be limited to the data strictly necessary for the performance of the requested service.

A common mistake is to use consent as the default legal basis, even though the performance of the contract or legitimate interests are often more appropriate—and easier to manage. The key is to determine the legal basis in advance and document it.

Data minimization: collect only what is necessary

The principle of data minimization is one of the cornerstones of the GDPR: only data that is strictly necessary for the stated purposes should be collected. When applied to event management, this raises practical questions: Is a date of birth really necessary for a professional conference? Is a phone number essential if all communication is conducted via email? Answering these questions before each event is more effective than an annual audit.

Registration Form: Best Practices

Compliance also comes down to the details of the form. Unchecked checkboxes, clear and distinct consent labels for each purpose (one box for registration, another for the newsletter), a link to the privacy policy visible before submission, and no unjustified required fields: every element counts. A compliant event platform should allow you to configure these settings without technical workarounds. If your tool doesn’t allow this, it’s a red flag.

Data retention period

Set appropriate timeframes for each objective

There is no universal retention period: it depends on the purpose of each data processing activity. Here are some reasonable guidelines: billing data must be retained for 10 years in accordance with legal accounting requirements; contact data for marketing purposes must be retained for 3 years from the last contact, as recommended by the CNIL; and event participation data must be retained for a maximum of 12 months for statistical purposes. These retention periods must be documented in your processing register. Many organizers retain data indefinitely due to a lack of procedures: this constitutes non-compliance in itself.

At Appcraft, we recommend keeping the data for three months after the event. In 90% of cases, that’s more than enough.

Credentials, badges, and attendance data: a special case

The data collected during badge scanning warrants special attention. Time of entry, sessions attended, interactions with exhibitors: these are behavioral data in their own right. They must be covered by an explicit legal basis, mentioned in the privacy notice, and deleted after a specified period. This point is frequently overlooked at professional events, even by organizations that otherwise consider their GDPR compliance to be well managed.
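The two sections above describe a per-purpose retention schedule (billing, marketing contact data, participation statistics) and insist that badge-scan data be deleted after a specified period. The following Python script is an added example that is not part of the original article or of any Appcraft product; it shows how an organizer can turn that schedule into an enforceable retention policy. The purpose names, the 90-day badge-scan window, and the sample records are constructed assumptions for illustration; the billing, marketing and participation periods are the figures quoted in the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention policy, one entry per documented purpose (days).
# The first three periods are the article's figures; the badge-scan window
# is an assumption chosen for this example.
RETENTION_DAYS = {
    "billing": 10 * 365,            # legal accounting requirement
    "marketing": 3 * 365,           # CNIL recommendation, from last contact
    "participation_stats": 365,     # event participation, statistical use
    "badge_scan": 90,               # behavioral data: entry times, sessions attended
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_email: str
    purpose: str
    last_activity: date   # last contact for marketing; collection date otherwise


def retention_deadline(rec: Record) -> date:
    """Date after which the record must no longer be kept.

    A purpose with no documented retention period is refused outright:
    keeping data "until further notice" is exactly the non-compliance the
    article warns about, so the policy table must be complete.
    """
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        raise ValueError(f"no documented retention period for purpose {rec.purpose!r}")
    return rec.last_activity + timedelta(days=days)


def apply_retention(records: list[Record], today: date) -> tuple[list[Record], list[dict]]:
    """Split records into those still within their retention period and
    a deletion log. The log records only the id, purpose and deadline so
    that the audit trail itself does not become another copy of the data."""
    kept, log = [], []
    for rec in records:
        deadline = retention_deadline(rec)
        if deadline < today:
            log.append({"record_id": rec.record_id, "purpose": rec.purpose,
                        "deadline": deadline.isoformat(), "deleted_on": today.isoformat()})
        else:
            kept.append(rec)
    return kept, log


# Constructed sample data: a small export as an event platform might hold it.
SAMPLE_RECORDS = [
    Record("r1", "a@example.org", "billing", date(2014, 1, 1)),
    Record("r2", "b@example.org", "marketing", date(2023, 1, 15)),
    Record("r3", "c@example.org", "participation_stats", date(2024, 3, 10)),
    Record("r4", "d@example.org", "badge_scan", date(2025, 4, 1)),
    Record("r5", "e@example.org", "badge_scan", date(2025, 1, 20)),
]


def run_example(today: date = date(2025, 6, 1)) -> tuple[list[str], list[str]]:
    """Run the policy over the sample export; returns (kept ids, deleted ids)."""
    kept, log = apply_retention(SAMPLE_RECORDS, today)
    return [r.record_id for r in kept], [entry["record_id"] for entry in log]


if __name__ == "__main__":
    kept_ids, deleted_ids = run_example()
    print("kept:", kept_ids)
    print("deleted:", deleted_ids)
```

Run this as a scheduled job against an export of the platform's data; the deletion log is what you would show an auditor, while the records themselves are purged from the platform, mailing lists and any downstream copies. The marketing clock runs from the last contact, so a record that is re-contacted must have its `last_activity` updated rather than being silently kept.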

Participants' rights

Right of access, rectification, and erasure

Articles 15, 16, and 17 of the GDPR guarantee participants the right to access their data, have it corrected, and request its deletion. You generally have one month to respond to a request (extendable to three months for complex requests). Real-life scenario: A participant requests the deletion of their data after the event. You must be able to delete their profile from your platform, associated email lists, and any third-party databases to which you may have transmitted their information. If your platform does not allow for this deletion upon request, that is a problem.

Right to object and withdrawal of consent

The right to object applies to processing based on legitimate interests: the data subject may object at any time, and you must cease such processing unless there are compelling legitimate grounds. Withdrawal of consent applies to processing based on consent: it must be as simple as giving consent. An unsubscribe link in every email is not sufficient if other processing activities based on consent are ongoing. The exercise of these rights must apply to all relevant processing activities, not just the sending of emails.

How should these requests be handled in practice?

You don’t need a full-time DPO to effectively handle data subject requests. In most cases, a streamlined governance structure is sufficient: appoint an internal GDPR contact person (even on a part-time basis), set up a dedicated email address for requests (such as privacy@votreentreprise.fr), document each request and its response in a simple log, and ensure that your platform allows for the export and deletion of data upon request. For medium-sized organizations, an outsourced DPO can provide the necessary legal advice without the constraints of hiring a dedicated staff member.


The Essentials of a Compliant Event Platform

The DPA (Data Processing Agreement): the first document to request

Article 28 of the GDPR requires the signing of a Data Processing Agreement (DPA) between the organizer and any platform that processes personal data on its behalf. This document must specify the purpose and duration of the processing, its nature and purpose, the type of data processed, the processor’s obligations regarding security and confidentiality, the conditions for further subcontracting, and the audit procedures. The absence of a DPA constitutes non-compliance in itself—it leaves you vulnerable in the event of an audit, regardless of the quality of the technical measures in place. A platform that does not offer a DPA cannot be considered compliant.

European hosting and technical security: non-negotiable criteria

In addition to the DPA, several technical criteria must be verified. Hosting data on servers located within the European Union is an essential prerequisite. Transfers outside the EU—particularly to U.S. processors subject to the Cloud Act—pose real legal risks that must be addressed through standard contractual clauses (SCCs) or other mechanisms. 

As such, even hosting data on servers in Europe—or even in France—with a U.S. provider such as AWS (Amazon) or Azure (Microsoft) exposes you to the U.S. Cloud Act. Data encryption in transit and at rest, access rights management, traceability via audit logs, an incident response plan (with notification to the CNIL within 72 hours in the event of a breach), and recognized certifications such as ISO 27001 are serious indicators of security maturity.

At AppCraft, these requirements are built into the platform’s architecture: hosting in France on OVH servers (a French company), participant data inaccessible to the AI engine, anonymization guaranteed by the architecture, and a Data Processing Agreement available for each client.

Checklist for Choosing a Platform That Is Truly GDPR-Compliant

Before signing a contract with a service provider, check each item carefully:

1. Does the service provider offer a signed and up-to-date DPA (GDPR data processing agreement)?
2. Is the data hosted exclusively within the European Union?
3. Is the hosting company subject to legislation incompatible with European law, such as the U.S. Cloud Act?
4. Is data encryption ensured in transit (TLS) and at rest?
5. Does the platform offer audit logs and access traceability?
6. Does it have a data breach notification procedure (72-hour CNIL requirement)?
7. Is the registration form configurable to comply with data minimization and consent requirements?
8. Can a participant’s data be deleted quickly upon request?
9. Does the platform hold a recognized certification (ISO 27001 or equivalent)?
10. Are the platform’s subcontractors identified and covered by contractual guarantees?
11. Can the sales or legal team answer your GDPR questions without undue delay?

In conclusion

GDPR compliance in the events industry isn’t just a matter for lawyers—it’s a matter for event organizers. The obligations are clear, the risks are real, and solutions exist—even for organizations without a dedicated DPO. The key is to structure your approach: document your data processing activities, choose a platform that is truly compliant, inform participants, and ensure you have the resources to address their rights.

Beyond strict compliance, data protection is also a key factor in building trust. Participants who know their data is handled responsibly are more likely to sign up, share more relevant information, and return for future events. When implemented effectively, GDPR compliance is as much a competitive advantage as it is a legal obligation.

Further reading: GDPR compliance naturally raises other related questions, such as managing cookies on your event website, data retention policies for CRM data between editions of the same event, and the specific challenges of hybrid events where online and in-person participants are not subject to the same data processing procedures. These are all topics we will continue to explore.
