GDPR: my duties as an event planner
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, is a new legal framework for the protection of personal data in the European Union. It shall apply to any data-controller or processor established in a Member State or where their processing activities concern the supply of goods or services to persons within the territory of the Union or the monitoring of the conduct of persons in so far as such conduct takes place within the EU.
As part of our business, Weezevent collects personal data from attendees for our own purposes, in order to ensure correct execution of transactions, and as subcontractor, on your behalf as event organiser. Attendee data, in the context of our business, is collected in order to provide the following services:
- Attendee identification
- Checking that the attendee is authorised to attend the event
- Checking that the specific conditions set-up for your event’s ticket types are met
- Interoperability with third party access control solutions
- Disseminate practical information about the event
- Archive proof of transaction between Weezevent, the attendee and yourself.
Any other information you ask from the attendee is therefore your responsibility.
To find out more, read our article on Data protection: scope and definitions.
OUR ADVICE TO COMPLY WITH THE REGULATION
1. Meet the requirements
As an organisation processing personal data, you have several duties:
- Inform: communicate on your compliance, the purposes and duration of the processing, the recipients of the data, the rights users have over their data, the identity of the DPO (Data Protection Officer) if necessary.
- Collect consent: as of now, the user's consent must be actively given, i.e. the buyer accepts the collection and use of their data. It is also necessary that they retain the option to withdraw at any time by unsubscribing.
- Respect user’s rights:
- to access the data held by your organisation
- to portability - the user has the right to recover the data you hold on them in order to reuse it for their own purposes or to transmit it to another data controller
- to be de-listed, by deleting data
- to object - the right not to be solicited or to stop their data being processed by the organisation.
2. Two different types of data collection
2.1 Legitimate and necessary collection
- Contractual data collected for the purpose of performing event services. As an organiser you need to know your attendees for the proper execution of your event (age to differentiate between minors and adults, physical condition for a race, profession in the case of a conference,...). It is your responsibility as the organiser to assess whether the data requested is legitimate and to make only this data mandatory when creating your form.
2.2 Collection requiring consent
- Statistical data. Ticketing and cashless widget systems are equipped with trackers whose data is accessible to you as the owner of the event in question. You can activate it and, in this context, it is up to you to inform on your website about the use of tracking in order to obtain the consent of the Internet users. Please note: When using Weezevent’s minisite, the banner to obtain the Internet user's consent is automatically added.
- Additional data collected for marketing purposes. When registering for an event or topping up a cashless account for example, you can use Weezevent’s solution to request data for marketing purposes. It is your responsibility to comply with the regulations in terms of form content and to obtain the participant’s explicit permission.
3. How to obtain explicit consent?
Any person whose data is collected must:
- be informed of the process, and the purpose of use of the data
- have given their consent. This consent must be “active”, i.e. given explicitly through a ticked box or a clicked button. For example: "I give permission to the organiser to contact me for more information about the event and everything related to cashless", "I agree to receive personalised offers from the organiser",...
4. What should I do with my existing database?
In order to keep storing and using your data, you need to justify:
- the purposes of the database
- the legal basis explaining why you have this database
- the data of collection of the consent and explicit permission from the internet user