2 Years GDPR

A Well-Intended Review

Hardly any other EU regulation has affected German and European companies as profoundly as the GDPR. Whether an established company or a start-up, organisations have been obliged to implement the rules for the protection of personal data since 25th May 2018. This has changed the workflow of everyone who stores or processes personal data. According to the GDPR, data breaches that could harm those affected must be reported to the authorities. While this can, for example, help to reduce cybercrime, the new rules continue to pose risks for companies that have not implemented the regulation satisfactorily. In this article you will find a well-intended review of the first two years.

A First Stocktaking

Let's start with the record holders: "Deutsche Wohnen" received the highest fine ever from the Berlin data protection authorities: 14.5 million euros for using an archive system that does not ensure the deletion of personal data. A painful fine of 9.55 million euros was imposed on the German telecommunication company 1&1. Callers to the hotline had to give their name and date of birth to establish their identity - data that was not protected well enough by the company. Internationally, other well-known names such as the hotel chain Marriott, Google and British Airways were affected.

A reliable source is the website enforcementtracker.com, where numerous infringements from throughout Europe are documented and accessible to all. Between May 2018 and December 2019, a total of 168 offences with a volume of 420 million euros were documented here. But how did it come to this?

Back to the start

Let's go back to the year 2018, specifically May 25th. On this day the GDPR took effect. Even then it was described as the "best data protection law" in the world, and that has remained the case to this day. Data protection and privacy have moved into the focus of the general public. Companies have been forced to review their data protection processes and make them secure, often at considerable cost. The aim of the GDPR was to give every person extensive rights, such as the right to information about stored data and to the deletion of such data.

There was a lot of confusion in the weeks before the deadline - many data protection experts were overwhelmed by customers searching for help. Horrendous penalties were threatened and many companies gradually realised that a privacy statement on their website would not be sufficient to avoid these penalties.

History of reports and penalties

One question has been around for a very long time: how are infringements reported? Who is the "data protection police"? The answer is quite simple: On the one hand, violations can be reported to the competent data protection authority by individuals whose data is not handled in accordance with the GDPR. This was the case for 66% of the infringements. 22% of the cases were uncovered by the data protection authorities. Alternatively, however, the company handling the data can report itself. This is done either by the employees (6%) or by management (3%) - as in the case of Marriott International, Inc. and British Airways. Although the penalty for voluntary disclosure has been significantly reduced, it has so far totaled 315 million euros - the largest share of the cake. NGOs also informed the authorities in three cases. At first glance this does not sound like a significant number, but the penalty for this was 68 million euros.

The reasons for the penalties vary. More than half of the punished companies did not handle customer data correctly (e.g. poorly protected storage, no deletion, etc.), one third collected the data without permission and the remaining 20% did not ensure sufficient protection of the data.

GDPR in the event industry

Especially in the event industry, a lot of companies handle sensitive guest data. Participant management systems, e.g. Sweap, process information such as guest name, e-mail address and, for example, employer at networking events. This requires special caution. The development of future technologies also holds many dangers, e.g. in the field of face recognition. The collection of biometric data using facial recognition technology is generally prohibited for the time being.

However, as so often, the exception proves the rule. This is the case when the collection of data is in the public interest, e.g. when fighting crime. Here it is often difficult to weigh up which interests (e.g. police vs. visitors) have a higher priority. It is important here that the exception remains the exception and does not become the rule.

What can a company do to work in a GDPR-friendly way?

Our data protection expert Sven Frauen answers these and other questions about the GDPR in the following interview (in German).


The GDPR can definitely be seen as a milestone on the road to better protection of personal data. The first two years have shown that many measures have already been successfully implemented. Companies have already had to pay painful penalties for their inadequate handling of data. But we are only at the beginning of the regulation.

GDPR also creates a big challenge for the event industry. The need to pay particular attention to the way data is handled when working with third-party providers is real.

Find out here how Sweap handles your data and how we can make your event GDPR-safe.

