GDPR FAQs


We're here to arm you with the information you need to comply with this game-changing regulation.

  • Are B2B contact details (e.g. business email addresses, billing information, etc.) considered PII?
  • Yes. Business and personal email addresses alike are personal data and are covered by the GDPR. Any single piece of data, or combination of data, that could be used to identify an individual is personal data under the GDPR; a work email address that contains a person's name identifies that person just as a personal one does.
  • Why are dietary requirements classed as PII?
  • Dietary information is personal data and is therefore regulated under the GDPR. It can also reveal health information (e.g. lactose intolerance) or religious beliefs (e.g. halal), in which case it falls into the special categories of data and should be treated as sensitive.

    The wording below comes from the UK Data Protection Act 1998, which the GDPR replaced; the GDPR's own definition (Article 4(1)) is broader but covers the same ground. Personal data is defined as: "Any information which relates to a living individual who can be identified either (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller". The GDPR explicitly cites certain categories of online data as personal data, for example online identifiers and device identifiers.

    Sensitive personal data is defined as: Any "Personal Data consisting of information as to (a) the racial or ethnic origin of the Data Subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings." Under the GDPR these are the "special categories" of data (Article 9), which also cover philosophical beliefs, sexual orientation, genetic data and biometric data; data about criminal offences and proceedings (items (g) and (h)) is handled separately under Article 10.

    Genetic and biometric data are special categories newly added by the GDPR. Genetic data means "personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question". Biometric data means "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data" (dactyloscopic data means fingerprints).

  • Are photographs PII?
  • Simply put, yes: if there is a person in the photograph and they can be identified, the photograph is personal data. How you handle it depends on your lawful basis for using it, such as a legitimate business use or consent.
  • Can you specifically ask if someone is male or female?
  • Gender is personal data under the GDPR, though it is not one of the Article 9 special categories (sexual life and sexual orientation are). You still need a lawful basis to collect it and should only ask when you actually need the answer. If you have a legitimate business interest in requesting this information, our system will allow you to do that.
  • What exactly determines the location of the person? Listed address? Citizenship?
  • Neither citizenship nor a listed address on its own. The GDPR applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people who are in the EU (Article 3), regardless of those people's citizenship. Note also that an IP address is itself considered personal data under the GDPR.
  • How are breaches of the regulation discovered?
  • Supervisory authorities (regulators) can inspect any business and require it to demonstrate that it is handling data subject requests and that its systems are compliant with the regulation. In our understanding the two most common routes are: a regulator knocks on your door, or someone complains about your processes (every data subject has the right to lodge a complaint with a supervisory authority).

  • How will Cvent handle any breaches?
  • In the event of a confirmed data breach involving personal data that Cvent processes for you, Cvent will contact the individual named in your contract, or email the Administrator identified within your account, within 72 hours. As the controller, you remain responsible for notifying your supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals (Article 33), so have an internal escalation path ready for that notice.

  • How would this be enforced outside the EU?
  • The company may have assets or operations in the EU. Beyond that, supervisory authorities can impose fines (up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher) and can order EU-based organisations to stop sending personal data to a non-compliant recipient.

    Depending on the scope of your business in Europe, you may need to appoint a representative in the EU (Article 27); this is the point of contact that a regulator or a data subject would approach, including after a breach.

    The regulation protects people who are in the EU, not just businesses in the EU. You may have EU-based attendees coming to your events or hotel without knowing it; the regulation exists to protect their rights.

  • Do I have to get consent for previous attendees in my address book?
  • Storing data counts as processing under the GDPR. The GDPR lists six lawful bases for processing personal data (Article 6). The three most relevant to keeping contacts in your marketing database are: 1) a contract with the individual, 2) legitimate interests, or 3) consent. If you have a contractual relationship with someone, you can keep their data for as long as that relationship requires it. If you have recorded consent, you can keep it. Legitimate interests is the most nuanced basis: the GDPR itself recognises that direct marketing may be a legitimate interest (Recital 47), but you must be able to show that your interest is not overridden by the individual's, and anyone who objects to direct marketing must be removed without exception (Article 21). National rules on electronic marketing also differ by member state. For instance, in the UK you can generally keep marketing to existing contacts by email provided every message offers an opportunity to opt out. For all other countries, check their specific rules on electronic marketing before relying on legitimate interests.

  • We send out a monthly e-newsletter to everyone in our database, including members and past conference attendees. Do we need to go back to them all and ask them explicitly for consent to send them our newsletter, or are they "grandfathered" in?
  • The same analysis applies as for previous attendees in your address book (previous question): identify a lawful basis for each contact, whether that is a contract, legitimate interests, or consent. Existing consent is not automatically grandfathered. Consent obtained before the GDPR remains valid only if it already met the GDPR standard of being freely given, specific, informed and unambiguous (Recital 171); if it did not, you need either fresh consent or another lawful basis such as legitimate interests, where national electronic-marketing rules allow it. In every case, each newsletter must carry a working unsubscribe option and opt-outs must be honoured promptly.

  • Do I have to display my own privacy policy? Does Cvent have to display their privacy policy?
  • The GDPR and the Privacy Shield principles require that controllers and processors are transparent about how they process personal information. The most common way to provide this transparency is to link to your Privacy Policy, which describes how personal information is processed. Our system is configured to let clients display their own Privacy Policy in addition to ours (if required). Since both you, the data controller, and Cvent, the data processor, are processing attendee data, we believe it is best practice to provide both Privacy Policies.

  • With all the data privacy concerns, can you recommend a safe and secure way to check people into an event?
  • We believe one of the safest ways to check people in is via Cvent's OnArrival product. Cvent applies industry-leading security measures so that personal data is processed and stored securely, including encrypting data in transit and at rest. We believe a solution such as OnArrival is far better than traditional methods such as leaving name badges with personal data on tables, or sign-in sheets with personal data written on them where anyone can read them.

While GDPR may look like a daunting challenge, you can turn it into an opportunity. By ensuring you have the right event management technology in place to adhere to the new regulations, you can be a standard bearer in your industry for the protection of personal information. That's something to be proud of - and something that will set your brand apart!


Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.