Legal · 8 min read · 12 January 2025

GDPR guide for event organizers

Everything you need to know about data protection and legal compliance when managing attendees.

The General Data Protection Regulation (GDPR) directly affects any organizer who collects attendee data. Emails, names, phone numbers, purchase preferences: all of this is personal data that must be processed in accordance with the regulation. Non-compliance can result in fines of up to 20 million euros or 4% of annual turnover. This guide explains the essentials.

Data you collect (and maybe didn't know)

As an event organizer, you collect more data than you probably think. It's important to identify all of it to manage it correctly.

  • Purchase data: name, email, phone, billing address
  • Access data: entry time, zone, validation attempts
  • Behavior data: pages visited, abandoned carts
  • Device data: IP, browser, operating system
  • Optional data: preferences, date of birth, gender

Legal bases for processing

GDPR requires that each processing activity has a legal basis. For event organizers, the most relevant ones are:

  • Contract execution: you need the data to sell and deliver the ticket
  • Consent: to send newsletters or commercial communications
  • Legitimate interest: to prevent fraud or improve service
  • Legal obligation: tax data you must keep by law

Consent: how to obtain it correctly

Consent must be freely given, specific, informed, and unambiguous. This means you can't use pre-checked boxes, condition the purchase on accepting marketing, or hide consent in generic terms and conditions.

  • Separate checkboxes for each purpose (one for marketing, another for third parties)
  • Clear and understandable language, without legal jargon
  • As easy to withdraw consent as to give it
  • Record of when and how each consent was obtained

Attendee rights

Attendees have rights over their data that you must be able to honour. You have one month to respond to any request.

  • Access: know what data you have about them
  • Rectification: correct incorrect data
  • Erasure: delete their data (with legal exceptions)
  • Portability: receive their data in structured format
  • Objection: refuse certain processing

Vendors and data processors

When you use a ticketing platform, an email marketing service, or any other vendor that accesses your attendees' data, you need a data processing agreement. This contract defines what the vendor can do with the data and their security obligations.

  • Verify that your vendors comply with GDPR
  • Sign data processing agreements
  • Check where they store data (international transfers)
  • Maintain a registry of all vendors with data access

Security breaches

If you suffer a security breach affecting personal data, you have 72 hours to notify the Data Protection Authority. If the risk is high, you must also inform those affected. Having a protocol prepared before it happens is essential.

Conclusion

GDPR is not just a legal obligation, it's an opportunity to build trust with your attendees. Managing data transparently and responsibly improves your reputation and reduces risks. Invest time in implementing the basics correctly and update them when your processes change.
