Event organisers are under pressure to deliver delegate data to sponsors. This is particularly true at the moment to make up for what is often seen as ‘lost value’ from events being virtual.

But what is actually allowed under privacy regulation like the GDPR and PECR?

NOTE 1: this article is written from the perspective of a UK-based event organiser, although the guidance is relevant for EU event organisers or any event organiser who handles the data of UK or EU citizens.

NOTE 2: the guidance refers to content and recommendations from the UK’s ICO (Information Commissioner’s Office) and more detail is included in those guides.  You should not take the guidance in this article as legal advice but seek your own particularly if you wish to assume some data protection risk and consider some of the techniques described.

1. Does the GDPR apply outside Europe if you’re not an EEA-based event organiser?

Yes, if you handle data belonging to individuals located in the EEA. The GDPR applies to organizations that handle such data whether they are EEA-based organizations or not.

Article 3 of the GDPR covers territorial scope. Article 3.2 applies the GDPR to organizations that are not in the EEA if either of two conditions are met: the organization offers goods or services to people in the EEA, or the organization monitors their online behaviour.

2. What about British event organisers and GDPR post Brexit?

The EU GDPR is an EU Regulation and is no longer part of UK law.  However, a version of the EU GDPR has been incorporated into UK data protection law and sits alongside the Data Protection Act 2018 (DPA 2018) to form the UK equivalent of the GDPR, called the UK GDPR.

The UK GDPR is essentially the same as the EU GDPR, with some technical amendments to remove references to EU institutions. There is little change to the core data protection principles, rights and obligations.  Where we refer to “GDPR” in this note, we mean both UK GDPR and EU GDPR.

British based event organisers now need to comply with the UK GDPR for all of their activities, including for overseas delegates.

However, the EU GDPR still has effect outside of the EEA and consequently a British event organiser will need to comply with the EU GDPR in respect of its EU based marketing and delegates.  In most cases the steps to comply with each law are the same but if, for example, you were to suffer a data breach you would need to notify both the ICO and one or more EU data protection regulators.

One further rule to be aware of is that the EU GDPR restricts the transfer of personal data out of the EEA or the UK and similarly the UK GDPR restricts the transfer of personal data out of the UK to the EEA.  The UK government has said that exports of personal data out of the UK to the EEA are permitted.  However, the EU has yet to grant an equivalent permission, or “adequacy decision”.  A draft has been published and hopefully it will be made final by the European Commission before the end of June.  If not, other legal measures will need to be put in place.  See information rights after the end of the transition period.

3. What about the UK’s PECR and does that change with Brexit?

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act (DPA) and the UK GDPR, amongst other things they regulate email marketing, cookies and electronic communications. They derive from EU law, the ePrivacy Directive, which is currently being updated and so we may expect to see a new version of PECR in the future.

Under PECR, the base rule is that a company may only send marketing material to individuals which that individual has specifically requested or provided their “consent” for.  The definition for “consent” is set out in the UK GDPR (see below).

In addition, PECR allows a company to send unsolicited marketing if they have a “soft opt in”, this means:

  • they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;
  • they are only marketing their own similar products or services; and
  • they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.

If you have details of your attendees from a prior event and wish to market a new event to them then this is permissible provided that: they have not unsubscribed from your company, the new event is similar to the prior event, and you provide them with an opt out or unsubscribe option with your new marketing material.  Good practice is also to ensure that not too much time has elapsed between the prior conference and this marketing.  The precise circumstances should always be evaluated before using “soft opt in”.

Note, this “soft opt in” only applies to your own customers, you cannot use this for customers of events you have not provided and Sponsors cannot use it for events that they did not help organise.

However, the nature and means of that consent (see further below) is very important. See full details in this guide on direct marketing and PECR.

4. As an event organiser, am I collecting ‘personal data’ under GDPR?

Almost certainly yes. And if you are collecting it with a view to passing it to sponsors then it will be personal data in the hands of the sponsors as well.

UK GDPR defines personal data as “information relating to natural persons who can be identified or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information.”

NOTE on data categories: you are probably not collecting “special category” data or “criminal offence” data but you should check if you areas there are additional measures required and protections afforded due to its sensitivity that we do not cover here. Whilst it is not unusual for event organisers to require photos for profiles and ID cards, extra care should be taken and specific advice sought.

5. What data can I collect as an event organiser?

As well as being aware of the different categories of personal data (see note above) that carry different obligations, you should also consider the GDPR principles around data including: purpose limitation, data minimisation, and storage limitation. Essentially, you should not be asking for any data you don’t genuinely need, nor using it beyond the purposes of the event, nor storing it for longer than you need to.

All the different categories of personal data that you collect must be described in your privacy notice, which will commonly be found on your website. It is important to ensure that this privacy notice is up to date.

6. As an event organiser am I a data controller or data processor?

For your event, do you decide the purposes for which the personal data are processed and the means of processing? If so, and that seems highly likely for an event owner/organiser, then you are a data controller.

Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.  As a general rule of thumb, if you are contacting sponsors or delegates in your own name then you are a controller.

As a controller you shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as other GDPR requirements.  This includes having a data protection notice, keeping records of your processing, appointing a Data Protection Officer, if required, and responding to any requests or complaints from individuals (data subjects).

Typically, as an event organiser, you’ll use event platforms to manage the event, including attendees’ data. These platforms are acting as data processors, processing data on behalf of both you, the event owners, and potentially attendees who sign up through the platform.

You are also responsible for the compliance of your processor(s) processing of personal data. As a controller you must always have a contract in place with each processor, and the UK GDPR specifies that certain legal terms must be in that contract.

See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/contracts-and-liabilities-between-controllers-and-processors-multi/

The GDPR has introduced the concept of “Joint Controller” and so if you and one or more other parties organise an event, then it is possible that you are all “Joint Controllers”.  See below.

Finally, controllers in the UK must pay the data protection fee, unless they are exempt.

7. So, UK based event organisers are almost certainly data controllers and must almost certainly comply with both PECR and the UK and EU GDPR?

Yes.

8. Ok. So what do event organisers need to do to be able to pass on delegate data to sponsors?

Delegate data will be personal data, and passing on delegate data to sponsors can only be done in compliance with the GDPR.

First, you need to make sure that your privacy notice clearly explains that the personal data can be transferred to the sponsors.

Second, you need a reason, or “basis”, under the UK GDPR to permit the transfer.  The three most common options here:

(i) the delegate has given their consent;

(ii) the transfer is necessary for the performance of a contract with the delegate; or

(iii) the transfer is necessary and in your “legitimate interest” and does not prejudice the rights of the delegate.

In practice, (i) and (ii) are very similar and in practice you will need the delegate to tick a box or sign a contract.

To be valid, consent must be “knowingly and freely given, clear and specific”. Organisations should keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.

For option (iii), in order to use “legitimate interest” then there is a complex assessment you must do first.  This is called a Legitimate Interest Assessment (LIA) and is a balancing test between your commercial interest in transferring the data and the data subjects’ rights.

The test is complex, but key features include:

  • It must be absolutely clear to the delegate who the data is going to, i.e. who the sponsor is.  You should check that the delegate has the right information in their privacy notice.
  • It must also be absolutely clear, what data is being transferred.
  • The delegates should get the opportunity to opt out from the transfer.
  • In addition, the delegates must get easy access to their other rights, including withdrawing any consent and deleting their personal data entirely.
  • Finally, any transfer of delegate personal data to a Sponsor is done in accordance with a contract which follows the ICO Data Sharing Code.

Remember, PECR will still likely apply to the Sponsor so the disadvantage of using legitimate interest is that without any delegate consent the Sponsor will not be able to email the delegates.

See Legitimate Interests https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/

See Data Sharing Code https://ico.org.uk/for-organisations/data-sharing-a-code-of-practice/

9. What does this mean in practice for any online forms or other data collection by event organisers if we want to be able to pass on the delegate data to sponsors?

Based on the above, if an event organiser intends to pass delegate registration, or other, data on to sponsors using consent as the lawful basis for processing under GDPR then the following practical steps should be taken:

  • It must be clear and explicit that you are passing on data and the sponsors to whom the data will be given named or at least a clear description given of the companies it will go to (e.g. sponsors and partners of the event)
  • If the Sponsors will want to contact the delegates by email or SMS, then they will need consent for that, and they may ask you to collect the consent for them.
  • You cannot have pre-ticked boxes or any other method of default consent
  • You should separate the consent for transfer of personal data to a Sponsor, from any consent you might ask for your own marketing
  • You cannot ‘bury’ or ‘hide’ consent to delegate data being passed on in any contract or other ‘small print’.
  • You must keep a record of what consent was given by whom and when
  • The delegate must be able to withdraw their consent.
  • You must have a contract in place with the Sponsor; and
  • If your sponsors are not in the UK/EU, or use systems that are not based there, then you will be sending data outside the UK/EU zone and are making a restricted transfer and further requirements apply (see below).

10. What about data passed to sponsors and exhibitors via a (virtual) booth visit?

If a sponsor or exhibitor is operating a (virtual) booth, then they are free to collect personal data from the delegates who attend the virtual booth in the usual way.  If they want to email the visiting delegates, then they should ask for the delegates consent when they collect their personal data.  It is important to remember that the sponsor or exhibitor should have a privacy policy for their booth that covers this collection of personal data.

They will not be able to pass that personal data to you, unless it is permitted in their privacy notice, you have a contract with them that permits this, and that – if necessary, they have obtained a necessary consent.  Essentially, this is the same question as the one above in reverse.

Finally, in your contract with the sponsor or exhibitor, you should ensure that they commit to using and following a lawful privacy notice, and commit to complying with data protection law.

11. What if our sponsors are based outside the UK/EU and we want to send them delegate data?

In order to transfer personal data out of the EEA or outside of the UK, then you need to comply with the transfer provisions of the EU GDPR and UK GDPR.

If the sponsor is based in a country where the data protection law is deemed “adequate” by the ICO, then there are no additional steps required to transfer personal data to them.

However, in all other cases then you need to satisfy the requirements of the GDPR.  Common ways of doing this include: signing the EU Standard Contractual Clauses (SCCs), ensuring that the transfer is necessary for the performance of a contract with the individual or entering into a compliance scheme called Binding Corporate Rules.

Whilst it is possible to transfer personal data out of the EEA or the UK without the express consent of the individual, you should only take this option as a last resort.

See more detailed guidance from the ICO on international transfers after the UK exit from the EU Implementation Period.

12. Is it different for B2B?

The rules in the UK and the EEA which requires companies to have the consent of an individual before sending them direct mail, or which allows the sending of mail on a “soft opt in” only applies to direct mail and SMS to individuals.

It does not apply to direct mail to companies.  However, the distinction between direct mail to individuals and direct mail to companies can be hard to make, particularly if you are emailing individuals that are sole proprietors, the self-employed or unlimited partnerships.

However, the GDPR will apply equally between B2B and B2C marketing, particularly if an individual is named or identified in the email address.

Therefore, best practice is to always ensure that your mailings have an opt out or unsubscribe and to ensure that if are at risk of emailing individuals (and not companies) then you should ensure that you have consent or a “soft opt in” There is further ICO guidance on the rules around business to business marketing, the UK GDPR and PECR and https://ico.org.uk/media/for-organisations/documents/1551/direct-marketing-checklist.pdf

13. Can we make it a condition of event attendance that a delegate agrees to their data being passed to sponsors?

Generally, no. Under the GDPR and PECR consent cannot be a precondition for accessing a service.  In addition, any tick box that you include for that consent cannot be pre-ticked.

However, consent is not the only basis for processing or transferring personal data.

The GDPR permits the processing of personal data where it is necessary for the purposes of performing a contract, so if the event is jointly organised by two or more entities, and they are all party to the contract with the delegate for attendance, then each of those entities can receive the personal data from the delegate.  Technically, the organising entitles are “Joint Controllers” under the GDPR.  In order to arrange the event in this way, care should be taken over both the privacy notice that the Joint Controllers issue and the contract between the organising entities.  Specialist legal advice is required.

The UK GDPR also permits the processing of personal data where it is in the “legitimate interests” of the organiser and where is does not adversely affect the individual.  Legitimate interest is “likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

In the case of an event that is free to attend for delegates only because it is supported by sponsors then you might be able to argue a legitimate interest. You will need to satisfy further tests (Purpose, Necessity, Balancing) to show how your use of data is necessary and how you have balanced it against the individual’s interests, rights and freedoms.

There is a specific balancing test which must be undertaken before this “legitimate interest” test can be used.  See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/and https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.

It is not easy to satisfy this test here and so specialist legal advice is again required.

Finally, don’t forget that if you anonymise the personal data, i.e. you take out names, email addresses and other identifiers then there are no restrictions under the GDPR in providing that information to Sponsors.

14. In what ways can sponsors use the delegate data they receive from event organisers?

It is important to ensure that you have a legal agreement with the Sponsors so that there is certainty as to the ways in which they are permitted and are not permitted to use delegate data.  This legal agreement should follow the recently released ICO Data Sharing Code.

Often Sponsors will want to use delegate data to email the delegates.  Particular care should be taken.  In the ICO guidance on direct marketing under PECR it states:

“…the person must notify consent to the organisation actually sending the marketing. An organisation must therefore be very careful when relying on indirect (third party) consent which was originally given to another organisation. The person must have intended for their consent to be passed on to the organisation doing the marketing.”

This means that a sponsor has to be very sure that it was clear to the delegate, in the third-party consent obtained from them by the event organiser, that their data would be passed to the sponsor and would be used for direct marketing purposes.

As an event organiser, even if you can argue legitimate interest under GDPR for passing delegate data on to sponsors as necessary to make an event possible for those delegates, it does not mean the sponsors can then use that data for direct marketing purposes under PECR unless the right consent was obtained.

Furthermore, under PECR, the consent does not last forever, and this time factor is even more important with indirect consent – as when an event organiser gathers the consent on behalf of a sponsor.

According to the ICO “As a general rule of thumb, if an organisation is making contact by phone, text or email for the first time, we recommend that it does not to rely on any indirect consent given more than six months ago – even if the consent did clearly cover that organisation.”

It is very important that sponsors trust the event organisers they get data from using indirect consent and similarly that the event organisers trust the Sponsors not to use email addresses for direct marketing where they are not permitted to.  A contract and appropriate due diligence should always be used.

Generally, no. The same logic as set out in the answer to question 14 applies here, however, it is now very difficult to satisfy the legitimate interest assessment.  In addition, any consent given would need to be specific about the further transfer to these third parties.  Even if, the delegate gives consent to the event organiser to pass their details on to a sponsor, the original/same consent cannot be used by the sponsor to pass the delegate’s data on to further organisations.

16. Are there other ways for a sponsor to get delegate data they can use for marketing purposes from an event?

Yes. Sponsors can engage with delegates and ask for their permission and details to follow up with direct, both through face-to-face encounters and also in breakout rooms, chats, and virtual booths and exhibition stands at virtual events.

Checklist for compliance:

  • Ensure that your Privacy Notice is up to date and contemplates all the processing and data transfers that you wish to make.
  • Ensure that you have a contract with each Sponsor that: (i) complies with the ICO Data Sharing Code; (ii) sets out whether you are going to collect consent for the Sponsor or not; (iii) specifies what the Sponsor is permitted to do with the data; and (iv) includes provisions to deal with the international transfer of data if the Sponsor is not based in the UK/EEA.
  • If you are going to use the “legitimate interest” basis for processing personal data, then you should complete a Legitimate Interest Assessment (LIA).
  • If you are going down the “Joint Controller” with the Sponsor route – take legal advice.
  • Always make sure that delegates have an option to unsubscribe, and if they do unsubscribe then make sure that they don’t get further email or text messages.
  • Keep good records of the mailing and marketing preferences of all your delegates.  If they give you consent, keep good records of those consents and precisely what they were for.
  • If there is going to be international transfer of personal data, keep in mind that further legal steps may be required.
  • Finally, don’t forget the other good compliance steps that you need to have to comply with the GDPR and PECR.  If there is a complaint or investigation by the ICO, they will want to make sure that all of your notices, policies, procedures, contracts and records are up to date.

About the authors

This article was created by Ashley Friedlein at Guild, Ashley Winton, Solicitor, and with input from the Privtech Nation community of privacy and data specialists.

Join Guild 🤝

See for yourself how the Guild experience is different to WhatsApp, Slack, LinkedIn or Facebook Groups. Guild is a safe space to connect, communicate and collaborate with others.

Join us on a platform that is purpose-built for professionals and businesses.

Contact us if you want to know more or have any questions.