The legal basis for processing personal data for events
For all personal data processing you need to ensure you have a legal basis and are aware of which legal basis is applicable. One of the legal bases is consent which is common within external engagement and communication.
Read more about the legal basis and consent on the following pages:
What information do I need to provide to external participants?
Pursuant to Articles 13 and 14 of the GDPR, you have an obligation to inform data subjects, in this case registered external participants, about a number of points.
Practical processing of personal data
Registrations for events
Registration data for events is deemed to be personal data and you need to consider how you are going to collect it and what information you need to provide to the data subject. It is recommended that you use approved suppliers for event registrations, for example:
- Sunet Survey (instead of Google forms)
- Create registration forms using an approved web publishing tool
- Create a shared email inbox in Epic to receive registrations or use your email address
Documenting with photography and filming
If you wish to film or take photographs during the event you need to consider if you need to ask for consent.
Read more about consent on the Photography and filming page
You may also consider the possibility of offering a photography- and film-free area for participants who do not wish to be photographed or filmed during the event.
Checklist for public events
- Have you used an approved supplier to create the registration forms?
- Have you provided the data subjects with information on the registration form about the processing of personal data?
- Have you asked for the data subject’s consent for the processing of personal data on the registration form?
- Do you have a plan for how you are going to store and delete the personal data?
- Have you considered whether or not you require consent for photography and filming? Consent is not always required, but if it is:
- Have you prepared consent forms for photography and/or filming?
- Have you prepared general information for participants about photography and filming at the event?
- Is it possible for you to create a photography- and film-free area during the event?
dataskyddsombud [at] lu [dot] se
- Personal data controller – the organisation responsible for processing your personal data. In all but a few cases, Lund University is always the personal data controller.
- Data subject – the person whose personal data you collect and/or process.
- Data protection officer – the role and function responsible for Lund University’s compliance with the GDPR.
- The EU’s General Data Protection Regulation (GDPR) - The Swedish translation of GDPR is “Dataskyddsförordningen”.
- Data Protection Act – the Swedish national complement to the EU’s GDPR.