GDPR Event Data Audit


By Easy RFP Team · Last reviewed: 2026-05-27

Your event registration form asks for full name, work email, dietary requirements, accessibility needs, passport details for visa letters, and a photo for the badge. Some of that is GDPR "special category" data (health, religion-implied). The registration platform is US-hosted. The hotel asks for the rooming list. The bus company needs passport numbers. By the time the event runs, your personal data has touched 6 processors — and if any one of them is non-compliant, your DPO is liable. This audit walks through the 10 questions a DPO will ask after a complaint.

How to read your result

Risk under 10 means a clean audit: keep records. 10-30: fix the top 2 gaps before the event opens registration. 30-55: material exposure; bring your DPO in. Above 55, the event has multiple critical gaps (DPA, lawful basis, special category, EEA transfer) and registration shouldn't go live until they're closed.

3 next steps

  1. Sign DPAs with every processor (registration, hotel, transport, badge printer).
  2. Read the full GDPR event compliance guide.
  3. Loop in your DPO 4 weeks before registration opens.

Note: Not legal advice. This audit is a structured GDPR readiness check, not a substitute for a Data Protection Officer (DPO) review or legal counsel. Always confirm with your DPO and review the specific contracts of your registration platform, hotel, and other processors before opening event registration.

Frequently asked questions

Is this audit a legal opinion?

No — it's a structured DPO interview based on GDPR articles 5, 6, 9, 28, 30, and 44-49. Always get DPO sign-off before opening registration.

What counts as 'special category' data at events?

Health (dietary needs tied to a medical condition, accessibility needs), religion (dietary or prayer requests), biometric (photo with facial recognition), and trade union membership. These need explicit consent.

Do I need a DPA with the hotel?

If the hotel processes attendee personal data (rooming list, dietary, accessibility), yes — Article 28 applies. Get a DPA or written instructions.

What about a US-hosted registration platform?

Article 44+ applies. Use Standard Contractual Clauses (SCCs), a Data Privacy Framework (DPF) certified vendor, or move to an EEA-hosted alternative.

How long can I keep registration data?

Only as long as necessary for the stated purpose. Most planners delete 90 days post-event, except invoicing data (6-7 years for tax).