GDPR for event organisers: What you need to know

May 16, 2018

On May 25th this year the EU’s General Data Protection Regulation (GDPR) will come into force throughout the EU. We have taken the opportunity to ask David Kenny, UK Country Manager at TicketCo, about what the new legislation will mean for event organisers.

The purpose of this act is to strengthen privacy and ensure each individual’s right to “be forgotten”. The law replaces the EU Data Protection Directive, which dates back to 1995, and given the amount of digitalisation that has taken place since the adoption of the Act, it is high time that there is new legislation that reflects reality, David says.

TicketCo has spent a lot of time in the past six months preparing for the new legislation. It promises to be ready for the initial deadline and will have introduced GDPR in its system by May 25th.

So it’s all about personal information – what does it really mean?

David suggests we first need to clarify a few basic concepts:

Personal information – “Information or assessments that can be linked to you as an individual, such as name, address, phone number, email address, IP address, car number, photo, fingerprint, iris pattern, head shape (for face recognition), and personal identification number.”

David points out that the term is very wide and stresses that it must be evaluated concretely in relation to the data being stored.

At TicketCo, we currently register name, phone number, email address and other technical information from ticket buyers. This is necessary in order to send tickets to the ticket buyers, he says.

Sensitive personal information – “Information about racial or ethnic background, political, philosophical or religious opinion, that a person has been suspected, charged, accused or convicted of a criminal offence, health, sexual relations or union membership.”

There need to be legitimate reasons for businesses when processing this type of information, as set out by the Data Protection Act. TicketCo is not allowed to ask customers about sensitive personal information, David explains.

About giving explicit consent

The main condition of the new legislation is that the storage of personal data can only be done when the individual whom the sensitive personal data is about has given explicit consent to the processing. This means that we must offer a very clear and specific statement of consent both online and in-app, such as tapping or clicking a consent box.

A pre-ticked box is not an explicit consent and does not adhere to the new GDPR directive, David explains.

TicketCo collects personal information through cookies, as well as from every user who registers data in connection with purchases through TicketCo.

We provide information about our cookie policy for first-time visitors to our web pages. Furthermore, users agree to the storage of data through registration in the app and when buying tickets and goods with TicketCo, he adds.

Three basic concepts for event organisers

With the new legislation there are three basic concepts that are important for all organisers to understand.

The individual/data subjects

Within our industry, this is every single ticket buyer. This is what the new legislation is designed to protect.

Data Controller

At TicketCo, this constitutes the event organiser.

Data Processor

In our case, TicketCo is the data processor.

The event organiser owns the customer data

It’s the event organiser who owns the data in TicketCo, David says. This has the following consequences for you as event organiser:

  • The data which is recorded in connection with the sales you make through TicketCo is your data. Therefore, in relation to the new GDPR rules, you are responsible for this data.
  • By law, you become the Data Controller.
  • As event organiser, you have several obligations as a data controller under the new GDPR directive. You can find more information regarding this from the Information Commissioner’s Office.

TicketCo as a Data Processor

TicketCo stores your customer data in the TicketCo system and is a Data Processor on behalf of you as event organiser/Data Controller.

The new law makes changes for TicketCo in this role in several areas, David explains:

  • TicketCo will enter into a data agreement with you as event organiser.
  • This will be carried out through an update of our legal terms for the use of TicketCo as a service.
  • Where TicketCo uses subcontractors and your data is stored with them, it will be ensured that each subcontractor follows the GDPR regulations.

Here you can read more about the governance involved in the data processing agreement TicketCo will enter into with you as event organiser:

You must have an overview of where you store the personal data

You should make lists of the systems you use for storing personal data, warns David. He suggests the following:

  • Check that you have entered into a data processing agreement (DPA) with each system vendor.
  • If you export data from TicketCo, be aware that GDPR compliance will apply to the new storage locations.
  • When using TicketCo, you can use our TicketCo Zapier connector, our API or spreadsheet export function to transfer sales data. This data also contains personal data and is thus subject to GDPR compliance. Make sure you’re in control of the destination of this data.

The obligation to remove identification

When you are a data controller, you are obliged to remove an individual’s identification if the person requests it. That is, you have to be able to either:

  • Delete personal information so that the person cannot be identified (disidentification).
  • Anonymise personal information so that the person cannot be identified.
  • Or pseudonymise personal information so that the person cannot be identified.

What does TicketCo do with GDPR?

TicketCo will comply with the GDPR directive by May 25 in accordance with EU legislation, as follows:

Our legal terms for event organisers will get updated to contain a data processor agreement, which will be applicable as of May 25, 2018. In addition, Legal Terms for End Users (“Ticket Buyers”) will be updated, says David.

All subcontractors utilised by TicketCo and where data is stored will have data storage within the EU. All of these comply with the new GDPR directive, he adds.

Deletion of personal data

What does TicketCo do if someone requests deletion of personal information?

TicketCo will not delete personal data as a data processor, but refer such requests to the Data Controller (i.e. the event organiser), says David.

As of May 25, 2018, you as a Data Controller will be able to instruct TicketCo to delete personal data that identifies a person. This can be done through the form available on the TicketCo Administration pages, he adds.

When a request is made, TicketCo will carry out the disidentification of personal information that can identify a person (first name, last name, email address and telephone number).

Self-service masking of customer data coming soon

During 2018 TicketCo will introduce a self-service function for you as a Data Controller, where you can yourself carry out the disidentification of personal information straight from TicketCo’s platform.

This method means that TicketCo will enable you to mask the first name, last name, email address and phone numbers of the person requesting deletion. Therefore, you will not lose other important sales information. Sales transactions are not deleted, David assures.

Ticket buyer versus ticket holder

What about data from the different ticket holders? Will it be possible for the event organisers to store this information after GDPR comes into force?

TicketCo will only collect and store personal information of the person who has purchased the tickets. This is because it is only this person who can give his explicit consent in connection with the purchase, David explains.

TicketCo will therefore not collect the other “ticket holder” information.

If you as event organiser wish to obtain such information, please do so through our Questions Module. Please note that if you collect and store personal information through such a module, there will be no explicit consent of the person you register personal information about. Such registration must therefore fall under the Legitimate Interests exception rule. Do a balancing test for such registration versus the likely impact of the processing on the individual that this entails, he says.

If you are unsure, please contact our Customer Success team who will be able to support you on this, concludes David Kenny – TicketCo UK Country Manager.

Feel free to contact us

Email us on if you need more information regarding GDPR, and we will do our utmost to help you.