GDPR for events: checklist for clubs and federations
What you really need to know about attendee data management — DPO, DPA, EU hosting.
GDPR for events in 4 key points
1. Legal basis for processing
To collect registration data, you need a legal basis. For your members: performance of a contract (membership fees). For invited guests: explicit consent. For contacts made during the event: legitimate interest, to be documented.
2. Data hosting
Since Schrems II, hosting on US servers (Mailchimp, AWS US, Eventbrite US) creates real legal risk. Favor EU-hosted platforms — Brussels, Frankfurt, Amsterdam. It's now a buying criterion in most serious chambers and pro associations.
3. Sub-processors
Any event platform relies on other services (payments, calendar sync, monitoring). Ask for the public list of sub-processors before signing. A platform that doesn't publish it has something to hide.
4. Signable DPA
The Data Processing Agreement is mandatory as soon as you process more than a few dozen profiles. A platform that doesn't offer a standard DPA is not GDPR-ready, period.
Practical checklist
- Granular consent banner at registration · no pre-checked boxes
- Privacy center accessible in 1 click from attendee profile
- Effective right to be forgotten within 30 days · documented process
- Personal data export in CSV/JSON on request
- Audit logs on sensitive operations · kept 12 months minimum
- "EU-hosted data" mention visible on registration page
- 30 days' notice before any new sub-processor is added
For federations and chambers
Your DPO must validate the platform. Prepare ahead: signable DPA, GDPR processing record, documented EU hosting, possible certifications. The best platforms have these documents public — no need to ask.
An attendee who sees "data hosted in Liège" on the registration page is reassured. It's free to display, and it changes everything.