Events and GDPR

Organising events under the General Data Protection Regulation (GDPR) framework requires careful planning and responsible data handling. Whether you're hosting an in-person conference or webinar, if you're collecting personal data from EU citizens, GDPR applies. 

When organising events, there are key points to bear in mind:

  • Explicit, informed consent must be obtained for collecting data - Use unticked checkboxes for consent (separate consents for different purposes e.g., event updates vs. marketing), for example:
    ✅ “I agree to receive updates about this event.”
    ✅ “I agree to receive marketing emails from the University of Oxford.”
  • Create a clear privacy notice - It is essential to state on the registration form or event website that data is to be collected, why, how long it will be kept for, and who it will be shared with. A link to the University's data protection policy can be included in the registration form/event website. Further details can be found on the University's data protection policy page.
  • Collect only necessary data - Don’t ask for more than is needed (e.g., dietary needs only if catering is provided).
  • Use secure systems - Choose GDPR-compliant platforms for event registrations, payments, email marketing, and surveys. We recommend using Microsoft platforms and Cvent. 
  • Limit access to personal data - Only authorised staff should access attendee data. Where possible, use password protection and encryption.
  • Be transparent - If the event will be photographed or recorded (Teams/Zoom/Panopto), attendees must be given the option on the registration form to opt in or out of giving consent. If the attendee consents to being photographed and/or recorded, they must complete and return the photography/filming/interview consent form before the event. It is also advisable to display signs at the venue about data collection - for example, a sign can be placed on the door, specifying that the event will be recorded. This will allow attendees to choose their seats if they do not wish to be captured in the recording.
  • Handle data responsibly - Don’t share attendee lists with sponsors without explicit consent and avoid printing full attendee lists unless necessary.
  • Respect data retention limits - Set a clear policy for how long attendee data needs to be kept. Consider deleting or anonymising data when it’s no longer needed.
  • Honour data subject rights - Be ready to respond to requests for access, correction, or deletion of personal data.

 

 
