GDPR + Event Marketing Compliance: Survey, Email, Lead-Gen Reference (2026)
Practical GDPR reference for European event marketing. Covers invitations, attendee data collection, post-event follow-up, surveys, lead-gen, and sponsor data sharing. Not legal advice — but the operational rules every event marketer should know.
GDPR has been law since 2018, but European event marketing still has more compliance gaps than any other marketing discipline. Common reason: event-marketing tactics straddle attendee-management (high legitimate-interest basis) and lead-generation (consent-heavy). Knowing the difference saves your team from 4-figure fines + brand damage.
TL;DR — the 6 things to get right
- Invitation emails to existing contacts: legitimate interest is usually fine
- Invitation emails to NEW contacts: consent or opt-in required (rented lists, sponsor lists)
- Attendee data: legitimate interest covers event execution; consent required for post-event marketing
- Lead-gen at events (booth scans): explicit opt-in required (a badge scan ≠ consent)
- Surveys: can be sent under legitimate interest if framed as event-related (not marketing)
- Sponsor data sharing: explicit opt-in required at registration (not buried in T&Cs)
1. Invitations — when can you email someone?
GDPR allows you to email people on one of these bases:
- Consent (explicit opt-in — the safest)
- Legitimate interest (you can show a clear business reason, and the data subject's interests don't override it)
- Existing contract (they're already a customer or contracted contact)
For event invitations:
Existing customers + qualified leads in your CRM
Allowed under legitimate interest. Document the legitimate interest assessment (why you believe this person wants the invitation). Honour opt-outs immediately.
Cold prospects (rented lists, scraped emails, sponsor lists)
Consent required. Even if the list was legally obtained, sending event invitations without prior consent is a GDPR violation in most EU jurisdictions. Many event teams treat this as a grey area; regulators increasingly don't.
Attendees of previous events
Legitimate interest applies if you're inviting to a similar event from the same brand. Document the connection. Honour opt-outs immediately.
Sponsor's customers (data-share arrangements)
Explicit opt-in required at the original collection point. The sponsor must have collected consent specifically for sharing with you. Don't accept "they consented to marketing emails" as sufficient — it needs to name your brand or the event category.
2. Attendee registration data — what you can collect
At registration, you can collect:
- Name, email, job title, company — for event execution (legitimate interest)
- Dietary requirements — special category (health) data; needs consent. Frame as an opt-in question.
- Accessibility requirements — special category; same rules
- Travel data — if the event includes travel coordination, legitimate interest. If used for marketing analytics, consent.
- Photo / video consent — explicit opt-in at registration. Allow opt-out via event signage.
What requires explicit consent (NOT legitimate interest):
- Marketing emails AFTER the event (separate from event-related comms)
- Sharing data with sponsors
- Sharing data with PR / press
- Using attendee data for lookalike modelling or audience expansion
- Storing attendee data beyond the documented retention period
3. Lead generation at events — the booth scan myth
Common mistake: sales reps scan badges at trade-show booths and treat the scan as marketing consent.
Reality: in most EU jurisdictions, a badge scan is NOT marketing consent. The scan is "attendee data captured by event organiser, shared with sponsor under event T&Cs" — which doesn't authorise the sponsor to send marketing.
What to do instead:
1. At the booth, explicitly ask: "Would you like to receive product information from us after the event?" Get a verbal or written yes.
2. Capture the consent in your CRM with timestamp + method (e.g., "verbal consent at IMEX 2026 booth").
3. First email after the event: short, references the conversation, includes one-click unsubscribe.
If you can't show consent for a contact, treat them as cold and don't email.
4. Post-event surveys — under what basis?
Surveys about the event itself (NPS, feedback, content ratings):
- Legitimate interest is usually fine
- Document why you're collecting (improving event experience)
- 1-question surveys at session-end work without explicit consent
Surveys for market research / lead-gen (industry trends, product feedback unrelated to the event):
- Consent required
- Frame the opt-in at registration: "We may invite you to participate in research surveys"
- Honour declined opt-ins
Voice-of-Market / industry research surveys (broader research using event attendees):
- Consent required (the survey isn't about THIS event)
- Best practice: separate opt-in at registration, not bundled with event T&Cs
5. Sponsor data sharing — the highest-risk area
If sponsors pay for "lead access":
The right way:
1. At registration, explicit opt-in: "I would like Sponsor A, B, C to receive my contact details for product information."
2. Sponsor-specific opt-ins (not blanket "all sponsors")
3. Honour opt-outs after the event
4. Don't share data of attendees who didn't opt in (even if the sponsor paid for "all leads")
The common-but-wrong way:
- Bundling sponsor data sharing into general event T&Cs ("by registering, you consent to data sharing with sponsors")
- Sharing badge-scan data without consent
- Including sponsors in "industry partners" language without naming them
If you're caught doing it the wrong way, the regulator's standard fine is 2-4% of global annual revenue OR €10-20M (lower of those numbers). Even small companies have been fined €5,000-€50,000 for this specifically.
6. Retention periods — how long can you hold data?
You must document retention periods for each data type:
| Data type | Typical retention |
|---|---|
| Event registration data (name, email, attendance) | 3 years (re-engage with future events) |
| Dietary requirements | Delete 90 days post-event |
| Accessibility data | Delete 90 days post-event |
| Survey responses (aggregated) | Indefinite (anonymised) |
| Survey responses (identifiable) | 12 months |
| Lead-gen data (with consent) | 3 years or until opt-out |
| Sponsor-shared data | Sponsor responsible; you delete 90 days post-event |
| Financial / billing data | 6-10 years (regulatory) |
Document these in your privacy policy + event-specific T&Cs.
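The consent-capture step in section 3, the sponsor-specific opt-in rule in section 5 and the retention schedule above all reduce to the same three checks a registration or CRM system has to make: is there a recorded, still-active consent for exactly this purpose; does the sponsor opt-in name this sponsor; and when does each data type fall due for deletion. The following is an added example, not code from the original guide or from any named platform. The `Consent`/`Attendee` model, the `sponsor_share:<name>` purpose convention and all attendee names, dates and timestamps are constructed for illustration; the event name and the "verbal consent at IMEX 2026 booth" method string come from the guide, the retention days from the table in section 6.

```python
"""Consent-gated sharing and retention checks for event attendee data.

Added example (not from the original guide). Encodes the rules from
sections 3, 5 and 6: marketing after the event needs its own recorded
consent with timestamp and method; sponsor sharing needs an opt-in that
names that sponsor; every data type gets a deletion date from the
retention schedule, and lead-gen data also falls due on opt-out.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional

# Retention schedule from section 6, in days after the event date.
# Anonymised survey aggregates are indefinite and so are not listed here.
RETENTION_DAYS = {
    "registration": 3 * 365,       # re-engage with future events
    "dietary": 90,                 # special category: delete 90 days post-event
    "accessibility": 90,           # special category: same rule
    "survey_identifiable": 365,    # identifiable survey responses
    "lead_gen": 3 * 365,           # or until opt-out (handled in records_due_for_deletion)
    "sponsor_shared": 90,          # your copy; the sponsor is responsible for theirs
}


@dataclass(frozen=True)
class Consent:
    purpose: str                  # "post_event_marketing" or "sponsor_share:<sponsor name>" (constructed convention)
    granted_at: datetime          # section 3: always record the timestamp ...
    method: str                   # ... and the method (e.g. "verbal consent at IMEX 2026 booth")
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        """Consent counts only between grant and withdrawal."""
        if self.granted_at > at:
            return False
        return self.withdrawn_at is None or self.withdrawn_at > at


@dataclass
class Attendee:
    email: str
    event: str
    event_date: date
    consents: List[Consent] = field(default_factory=list)

    def has_consent(self, purpose: str, at: datetime) -> bool:
        return any(c.purpose == purpose and c.active(at) for c in self.consents)


def can_send_post_event_marketing(attendee: Attendee, at: datetime) -> bool:
    """Section 3: a badge scan is not consent; only a recorded opt-in for this purpose is."""
    return attendee.has_consent("post_event_marketing", at)


def sponsor_export(attendees: List[Attendee], sponsor: str, at: datetime) -> List[str]:
    """Section 5: share only attendees whose opt-in names this sponsor.
    A blanket purpose such as "sponsor_share:all" never matches a named sponsor."""
    purpose = f"sponsor_share:{sponsor}"
    return [a.email for a in attendees if a.has_consent(purpose, at)]


def deletion_date(event_date: date, data_type: str) -> date:
    """Section 6: deletion date for one data type, counted from the event date."""
    return event_date + timedelta(days=RETENTION_DAYS[data_type])


def records_due_for_deletion(attendee: Attendee, data_types_held: List[str], today: date) -> List[str]:
    """Data types that have passed their retention period; lead-gen data is
    also due as soon as the marketing consent behind it is no longer active."""
    at = datetime.combine(today, datetime.min.time())
    due = []
    for data_type in data_types_held:
        expired = deletion_date(attendee.event_date, data_type) <= today
        opted_out = data_type == "lead_gen" and not attendee.has_consent("post_event_marketing", at)
        if expired or opted_out:
            due.append(data_type)
    return due


# Constructed sample attendees for a single event.
EVENT_DATE = date(2026, 5, 12)
ALICE = Attendee("alice@example.com", "IMEX 2026", EVENT_DATE, [
    Consent("post_event_marketing", datetime(2026, 5, 12, 14, 30), "verbal consent at IMEX 2026 booth"),
    Consent("sponsor_share:Sponsor A", datetime(2026, 4, 1, 9, 0), "registration checkbox naming Sponsor A"),
])
BOB = Attendee("bob@example.com", "IMEX 2026", EVENT_DATE, [
    Consent("sponsor_share:all", datetime(2026, 4, 2, 10, 0), "bundled in T&Cs"),  # blanket: does not name a sponsor
])
CAROL = Attendee("carol@example.com", "IMEX 2026", EVENT_DATE, [
    Consent("post_event_marketing", datetime(2026, 4, 3, 11, 0), "registration checkbox",
            withdrawn_at=datetime(2026, 6, 1, 8, 0)),  # opted out after the event
])
ATTENDEES = [ALICE, BOB, CAROL]

if __name__ == "__main__":
    now = datetime(2026, 6, 15, 9, 0)
    for a in ATTENDEES:
        print(a.email, "marketing allowed:", can_send_post_event_marketing(a, now))
    print("export for Sponsor A:", sponsor_export(ATTENDEES, "Sponsor A", now))
    print("Carol, due for deletion on 2026-09-01:",
          records_due_for_deletion(CAROL, ["registration", "dietary", "lead_gen"], date(2026, 9, 1)))
```

Bob's record illustrates the "common-but-wrong" bundle from section 5: his consent exists, but because it names no sponsor it never appears in a named sponsor's export. Carol's record shows why the `withdrawn_at` field matters for the "3 years or until opt-out" row: her lead-gen data falls due the moment the consent behind it lapses, long before the three-year limit.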
7. The 5 most-common GDPR violations at European events
- Sponsor data sharing without explicit opt-in. Highest enforcement priority for EU DPAs.
- Vague legitimate-interest basis for cold-list invitations. "B2B contacts" isn't a basis.
- Photo/video without opt-in OR opt-out signage. Now a common enforcement target.
- No documented retention periods. Audit findings even for low-volume events.
- Sharing data across borders without SCCs / adequacy decisions. Especially with US-based event tech vendors.
What to put in your event privacy notice
Every event registration form needs a link to a privacy notice covering:
- Who you are (legal entity name + DPO contact)
- What data you collect (be specific — not "various data")
- Why you collect each type (legal basis per data type)
- How long you retain each type
- Who you share with (specific sponsors, processors, sub-processors)
- Cross-border transfer mechanism (if data leaves EU/EEA)
- Subject rights (access, correction, deletion, portability, objection)
- How to exercise rights (DPO email + response timeline)
Don't reuse your generic corporate privacy notice — event-specific data flows require event-specific disclosures.
Frequently Asked Questions
Can I send "save the date" emails to my existing CRM list? Yes, if those contacts are existing customers, qualified leads in your sales pipeline, or attendees of previous similar events. Document the legitimate-interest basis. Honour opt-outs immediately.
Is a checkbox at registration "I consent to marketing" enough for sponsor data sharing? No — sponsors need to be named, or the data-sharing purpose must be specific enough. "Marketing partners" or "industry sponsors" generally fails the GDPR specificity test.
What about WhatsApp or LinkedIn for invitations? Same rules apply. Channel doesn't change consent requirements. LinkedIn InMail to first-degree connections is legitimate interest territory; to 2nd+ degree is consent territory.
Do I need a DPO (Data Protection Officer) for event marketing? Required if your event involves >5,000 attendees OR processes special-category data at scale (health, ethnicity). Many corporate event teams use a fractional DPO or the corporate DPO.
What happens if my event vendor (registration platform, AV) loses my attendee data? You're still liable as data controller. The vendor (data processor) is liable too. Have a DPA (Data Processing Agreement) signed with every vendor that touches attendee data. Notify the ICO/regulator within 72 hours of becoming aware of the breach.
Are there country-specific GDPR variations? Yes. France (CNIL) is strictest on marketing consent. Germany requires explicit opt-in for tracking cookies. Spain requires Spanish-language privacy notices for Spain-domiciled events. UK (post-Brexit) follows similar but not identical rules.