Online events, also known as virtual events, are the event format of the moment. Webinars, online seminars and after-work parties in online format have been booming since Corona made face-to-face meetings impossible. If the Corona regulations do allow it, hybrid events can also be held. In this event format, both guests at the venue and virtual visitors are present.
Above all, the aspect of interactivity is emphasized here and entertains the guests - present in analogue or digital form. With both event formats - online events and hybrid events - data protection must be considered from the outset to ensure that the events are safe (and) successful.
Virtual events and the GDPR
At the moment, many people are missing the chance to meet in person. However, online events do have their appeal: important meetings no longer have to be day-long events because there is no need to travel to and from the event. Event planners have also been quick to adapt and focus on virtual events. A study of event professionals conducted by Global Meeting Industry Day in mid-2020 clearly showed how much potential there is in digital formats: more than 60% of event organizers said they wanted to hold more hybrid events, even after Corona. Even international trade fairs are now being held online or in hybrid formats.
However, it is important to plan such formats well, not only for organizational reasons, but also to take data protection into account right from the start. The Internet forgets nothing - unfortunately, this applies not only to embarrassing videos, but also to possible data leaks that can quickly occur due to organizationally faulty preparation for online events. So smart planning in advance is a must here. We give you an overview of the absolute basic steps of every online event - whether purely virtual or hybrid.
Virtual events connect with a click - but here, too, the rules of the DSGVO must be observed.
Data protection and virtual events: The most important points
Virtual events offer many advantages - from reach and increased interaction to optimal evaluation of the data obtained. However, systematic preparation is required to ensure that the data required and collected is secure and can also be used on the marketing side afterwards. The most important points to remember here are:
Basic principles of the GDPR:
According to Art. 5 GDPR, one of the most important basic principles of the GDPR is the so-called data economy. This states that only those data may be collected that it really needs. Especially when collecting subscriber data, for example via contact form, you should keep this in mind. For example, it is usually irrelevant where the participants live. Basically, you don't even need a name - an e-mail address and possibly the company name are already sufficient for registration.
Encryption:
Personal data is collected during registration. These must be protected (principles of integrity and confidentiality according to Art. 5 DSGVO), which is why sufficient encryption of the website and data transmission is mandatory. Always follow the current standards here.
The used tool:
The event stands and falls with the video conferencing tool or online event tool used. Here it is essential to look for a tool that not only meets the technical requirements (such as the unlimited number of participants or streaming without a time limit), but above all also the data protection requirements. Here it is important to check whether personal data is processed via the tool (the answer is yes in 99% of cases, because the participants usually register by name / cell phone number or e-mail address and are present in image and / or sound) and where this data is stored or processed. As a rule, you need an order processing contract with the provider of the tool. If it is a non-European tool that also processes the data outside the EU, remember that the EU-U.S. Privacy Shield has been overturned and you must therefore agree additional contractual provisions with the tool provider.
Privacy Policy:
Which data is collected for which purposes and how is it processed? Which tools are used when and why? You must make all these questions available to participants in simple and understandable language with just one click - even before the event. The privacy policy must therefore always be kept up to date, depending on the tools used. If you also want to use the data for marketing purposes, then these purposes must also be explained in the privacy policy and the participants must be given the opportunity to object at any time. In addition, a so-called double opt-in is required in this case.
Double Opt-In:
In order to protect the interested parties from unwanted information, the use of data for further advertising purposes generally requires consent pursuant to Art. 6 (1) a) DSGVO and § 7 (2) and (3) UWGIn this case, a confirmation email must be sent after registration, which contains a confirmation link. Only when this link is confirmed is the data processing for advertising purposes lawful. Important: If interested parties register for the digital event but do not perform a double opt-in, the e-mail address may not be used for further advertising (see also Section 7 (2) Nos. 2 and 3 UWG).
Privacy of participant data:
Before, during and after the event, the data of the participants must be protected as best as possible by you as the person responsible. This means, for example, that no list of participants may be published unless they have given their express consent, that the names of those present may not be shown online unless they request it, or that no images or sound recordings may be made unless consent has been given in advance. In addition, you also need a concrete concept of how to proceed internally if a data protection breach occurs.Double Opt-In:
Um die Interessent*innen vor ungewünschten Informationen zu schützen, bedarf es zur Nutzung der Daten für weitergehende Werbezwecke grundsätzlich einer Einwilligung gem. Art. 6 Abs. 1 a) DSGVO und § 7 Abs. 2 und 3 UWGIn diesem Fall muss nach der Anmeldung eine Bestätigungsmail verschickt werden, in der sich ein Bestätigungslink befindet. Erst, wenn dieser Link bestätigt wird, ist die Datenverarbeitung für Werbezwecke rechtmäßig. Wichtig: Melden sich Interessent:innen zwar zum digitalen Event an, führen aber kein Double Opt-In durch, dann darf die E-Mail-Adresse auch nicht für weiterführende Werbung verwendet werden (vgl. auch § 7 Abs. 2 Nr. 2 und 3 UWG).
Conclusion:
These are the basic points that need to be taken into account for a digital event - whether hybrid or purely virtual. This checklist on the subject of data privacy at events provides you with further important points. If you have any doubts about a data protection measure to be taken, be sure to clarify them with your data protection officer, because the Internet is rarely forgiving of mistakes and the number of DSGVO fines rose rapidly in 2020 - despite Corona. Or precisely because of it.