We're here to arm you with the information you need to comply with this game-changing regulation.

  • Are contact details that are considered B2B (e.g. business emails, billing information, etc.) considered PII?
  • Yes, business and personal email addresses would be considered personal data and are covered under the GDPR. Any individual piece of personal data or combination of data that could be used to identify an individual is considered personal data and is covered under GDPR.
  • Why are dietary requirements classed as PII?
  • Dietary information is considered personal information and therefore is regulated within GDPR. This could also indicate health (e.g. lactose intolerant) or religious beliefs (e.g. Halal) and so should be considered sensitive data in some cases.

    Personal Information is defined as: "Any information which relates to a living individual who can be identified either (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller". GDPR explicitly cites certain categories of online data as constituting Personal Data, for example, online identifiers and device identifiers.

    Sensitive personal data is defined as: Any "Personal Data consisting of information as to (a) the racial or ethnic origin of the Data Subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings."

    Genetic and biometric data are new forms of sensitive personal data. Genetic data means "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question". Biometric data means "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data".

  • Are photographs PII?
  • Simply, yes, if there is a person in the photograph and they can be identified. How you deal with it depends on your legitimate business use.
  • Can you specifically ask if someone is male or female?
  • Gender is considered sensitive personal data under GDPR. If you have a legitimate business interest in requesting this information, our system will allow you to do that.
  • What exactly determines the location of the person? Listed address? Citizenship?
  • GDPR applies to EU citizens, not location. Interestingly, one's IP address is considered personal information under GDPR.
  • How are breaches discovered?
  • Regulators are able to walk into any business and request that it prove it is handling requests and that its systems are compliant with the regulations. We understand the two most common ways to be these: regulators can knock on your door, or someone can complain about your processes.

  • How would this be imposed outside the EU?
  • The company may have assets in the EU. Or the DPAs can set up blocks.

    Depending on your scope of business in Europe, you may need to appoint a representative in Europe; this is who a regulator may contact if there is a breach.

    The regulations are based on EU Citizens, not just businesses in the EU. You may have EU citizens coming to your events or hotel and you wouldn't even know it. This regulation is meant to protect the rights of EU citizens.

While GDPR may look like a daunting challenge, you can turn it into an opportunity. By ensuring you have the right event management technology in place to adhere to the new regulations, you can be a standard bearer in your industry for the protection of personal information. That's something to be proud of - and something that will set your brand apart!


Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.