Very Important Notice:

The information provided in this guidance represents the views of Expo Logic. It does not constitute legal advice and cannot be construed as offering comprehensive guidance to the General Data Protection Regulation (Regulation (EU) 2016/679) or other statutory measures referred to in the document. 

1. Introduction

To comply with the European GDPR regulations means it is time to rethink how consent is gained from your attendees. Marketing practices used without clear consent from each individual under the Directive 95/46/CE are no longer allowed according to EU GDPR.

This raises a lot of questions for all stakeholders in the event industry. What does the event organizer need to know? How to inform attendees? How to inform the exhibitors?

At Expo Logic, we take the GDPR laws very seriously. As your service provider, we’ve made sure that all necessary measures have been taken in order to make our services compliant with the legislation. In order to prepare all stakeholders to make their event GDPR compliant, we wanted to share our knowledge and our suggestions on how to setup your event’s lead retrieval service.

2. What is GDPR?

The General Data Protection Regulation (GDPR) is a legal framework setting guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation applies to all companies that deal with data of EU citizens.

Due to this update in the privacy legislation, a lot of questions have arisen on what to do to be GDPR compliant when organizing an event.

3. Who are the stakeholders?

The event organizer is seen as the Data Controller of the event. As the data controller, you determine the purposes and means of processing personal data for an event. In other words, you, as an event organizer, choose whether or not to use lead retrieval, how to use it, what solution to use, etc. Other stakeholders include the service provider (Expo Logic), the exhibitors and the attendees.

4. What does the lead retrieval process look like?

Before going any deeper into the legislation of GDPR, let’s first recap the steps to set up lead retrieval for your event.

  • The event organizer asks the service provider to supply lead retrieval for their event.
  • The event organizer or the service provider supplies a way for exhibitors to order lead retrieval equipment and/or software. In most cases, Expo Logic provides an online system for exhibitors to order lead retrieval services.
  • The exhibitor goes to the online system to place their order for lead retrieval and provides payment.
  • The exhibitor receives a confirmation email of their order.
  • The exhibitor downloads and installs a mobile app or the service provider delivers hardware and provides on-site support at the event.
  • The exhibitor collects leads during the event by scanning barcodes on the badges of the attendees and other exhibitors.
  • The service provider provides an online portal for each exhibitor to view and download their leads from the event.

5. Which legal ground to use for lead retrieval?

Based on Article (6) (1) f, private-sector organizations can process individual's data without their consent if they have a legitimate and genuine reason to do so, and such act must not be outweighed by unwarranted impact on the individuals. The subject’s fundamental rights and freedom should not be harmed.

Therefore, the existence of a legitimate interest would need careful assessment to demonstrate that there is a balance of interests between the legitimate interests of the controller (event organizer) and the interests or fundamental rights and freedoms of the data subject (attendee). The Working Party 29 cautions that the balancing test should be documented in such a way that all parties (data subjects, data authorities, and the courts) can examine.

Expo Logic believes that event organizers should use legitimate interest as a legal ground of processing, keeping in mind that you, as an event organizer, need to prepare a balancing test and document this clearly.

It is important to know that you, as the controller, have the obligation to inform the attendee about the lawful basis of processing. Under the GDPR, controllers (event organizers) must be clear and transparent about which lawful basis they are using, because different lawful bases rise to different obligations under the GDPR. Controllers should record which lawful basis they are choosing for their different processing activities and their reason for choosing that lawful basis.

In other words, even when you are using the legitimate interest legal ground, as an organizer you are still responsible to inform the attendee at the time of registration on the do’s and don’ts while attending the event, what will happen with their data, how you instruct exhibitors on how to handle their data, etc.


1. How to communicate with the attendee?

The ideal way to inform your attendees of how you will use their data is during the registration process. Provide your attendees with a clear view on what you, as an organizer, would like to do with their data. Most importantly, state that allowing an exhibitor to scan their badge will lead to sharing their personal information with that exhibitor. You could also state that refusing to share their badge, is a (physical) way of opting out.

Be sure that while you are sharing this information with attendees, you are being transparent, communicate in a clear language, and mention all purposes of collecting their data.

2. What does the exhibitor need to know?

  • When contacting leads for marketing reasons, Expo Logic believes consent is the legal ground to use. In some cases, you could use the legitimate interest as well, but be careful when doing so.
  • Be aware that Article 4(11) of GDPR sets a high bar for opt-in consent. Specifically, it states: ‘any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.’
  • The GDPR also clarifies the meaning of an affirmative action in Recital 25: ‘…Silence, pre-ticked boxes or inactivity should therefore not constitute consent.’
  • Remember that, under GDPR, you need to keep a record of how you obtained the express consent of the data subject. That includes: the data subject who gave the consent, when the consent was obtained (data and time stamp, for example), and the specific purpose for which the consent was given. For example; the record of the IP address, location and time at which someone submitted a consent form is insufficient without a screen capture of the form itself. It is recommended that the registration confirmation email contain the same statement that was used during registration to obtain consent from the registrant.

3. How to communicate to the exhibitor?

The event organizer must inform the exhibitor of certain criteria to keep in mind (keep your data safe, don’t share with third parties without receiving the attendees consent, respond to participants access request as stated in the GDPR, etc..) and reminds the exhibitor that collecting leads during an event does not mean that they automatically have the attendee’s full consent. It is important to know that the exhibitor received the leads under the lawful ground of legitimate interest. Exhibitors need to receive the attendee’s post-event consent for every other purpose they want to use that data for; sharing with third parties, business intelligence, profiling, marketing, etc.

Furthermore, a consent message needs to be easily understandable to individuals. Practices such as pre-ticked opt-in boxes, confusing or vague language (double negatives or inconsistent language), and disruptive mechanisms are banned by the Regulation.

Here is an example of a clear and concise post-event consent message:

“Dear receiver,

It was a pleasure meeting you at {name of event}


You agree that {your organization name} may collect, use and disclose your personal data which you have provided during {name of event}, for providing marketing material and proposals that you have agreed to receive, in accordance with our data protection policy {available at link}.

Please check the relevant boxes below if you agree to receive: {boxes}”.


The example seen below, from the Data Protection Network’s website, gives a clear view of the fact that the Terms and Conditions need to be separated/unbundled from the actual consent. Also notice the clear and transparent red-to-green sliders. This is a great example for asking consent.


And finally, remember that you always need explicit consent from the attendee/lead. Silence does not mean that the data subject agrees with your means and purposes of processing his/her data.


1. What if an attendee asks for their right to be forgotten?

  • Your legal obligation is to respond within 30 days of receipt of the request for the subject’s data to be deleted or their request of their right to be forgotten and prove to the attendee that his/her data is removed. You also have the responsibility to inform the exhibitors that this specific attendee has asked for his/her right to be forgotten and that they should do the same in their systems.

  • You can extend the time to respond by a further two months if the request is complex or you have received several requests from the individual. You must let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.

2. What if I can’t prove the right to be forgotten to the attendee?

  • The first question is: why can’t you prove it?
  • Is it because your technology does not allow you to search all databases? Is there a different technical or other reason? Answering ‘yes’ to one of the questions above means that you are not GDPR compliant and the right of the subject could not be answered, which is a legal infringement of the GDPR.
  • Is it because you anonymize all data after a period of time post event (stated in your privacy policy) and you can’t find that specific person? Article 11 in the legislation states that “if the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation” except where the data subject, for the purpose of exercising his or his/her rights, provides additional information enabling his or her identification. Be aware that you still need to prove that you anonymize the records and that you don’t keep other data hanging around. A good and understandable privacy policy is key.


If you have any questions about GDPR Compliance, please contact as at:

Address: 553 Foundry Road, East Norriton, PA 

Phone: 484-751-5100