Does the GDPR Really Say That? – Attendee Lists and Name Tags
28th February 2020
The misunderstanding that conferences, workshops and events can’t share the details of attendees because of the GDPR is one that many people may have come across. Attendees of workshops, conferences, or events have been told that the organisers couldn’t share an attendance list, or that name plates or badges couldn’t be produced, because the organisers were worried about the GDPR.
These kinds of details – such as name, job title and employer – do generally constitute personal data, but the concerns here may arise out of misunderstandings about the obligation to have a justification for using or sharing someone’s personal data. This justification, also called a legal basis, is required by Article 6 the GDPR.
A common misconception is that consent is always needed to share someone’s personal data, such as their name or contact details. While it might be good manners and good practice to ask someone’s permission to share their details through name badges or an attendance list, it’s not true that this can only be done on the basis of the participant’s consent. In these situations, organisers may want to consider whether another legal basis is more appropriate to rely on other than consent.
For example, an organiser might have a legitimate interest in sharing the attendance list or creating name plates, such as to run the event in the most efficient and productive way. Under the GDPR, legitimate interests might serve as a justification for using personal data, but only where the organiser’s interest is not outweighed by the interests or rights of the attendees. At events such as networking events, attendees may expect an attendance list to be shared with them and may find name badges useful. In this situation, the legitimate interest of the attendees may even provide a basis to use their personal data in this way.
Before taking any action, organisations should ask themselves whether attendees would expect this kind of use of their personal data. If using personal data in a particular way would come as a surprise to the attendees, it might be best to rethink whether that particular course of action is necessary or appropriate, taking into account the principles of fairness and transparency.
Another important way of mitigating any data protection concerns about attendee information is for organisers to ensure they are open and transparent about how they intend to use this personal data. Where attendees have been clearly warned in advance that, for example, badges are going to be produced with the attendees’ names and employer details, then the attendees will not be taken by surprise, and can request that their personal data not be used in that way should they so wish. However, this should not be confused with obtaining consent, which would have to be through a clear act, and could be withdrawn at any time. Even so, if organisers are relying on a different legal basis than consent, they should accommodate attendees who don’t want their personal data used in this way.