GDPR Compliance for Event Ticketing: What Organisers Need to Know
If you sell tickets to anyone in the European Union, GDPR applies to you -- regardless of where your business is based. The General Data Protection Regulation governs how you collect, store, and use personal data. For event organisers, this covers everything from the email address collected at checkout to the scanning data captured at the door. In this guide, we break down what you need to know in plain language.
What Data Do You Collect?
When someone buys an event ticket, you typically collect:
- Full name and email address
- Phone number (if required)
- Payment information (handled by your payment processor)
- IP address and browser data (from your website)
- Check-in timestamps and location (from QR scanning)
Under GDPR, all of this is personal data and must be handled with appropriate care.
The Six Key Principles
1. Lawfulness, Fairness, and Transparency
You must have a legal basis for collecting data. For ticket sales, this is typically "contractual necessity" -- you need the buyer's name and email to fulfil the ticket purchase. For marketing emails, you need explicit consent (opt-in).
2. Purpose Limitation
Collect data only for specified, explicit purposes. If you collect an email for ticket delivery, you cannot automatically add it to your marketing list without separate consent.
3. Data Minimisation
Collect only what you need. Do you really need a phone number at checkout? If not, do not ask for it. Every unnecessary field is a GDPR liability and a friction point that reduces conversion rates.
4. Accuracy
Keep data up to date and correct. Allow customers to update their information through their ticket confirmation page or by contacting you directly.
5. Storage Limitation
Do not keep personal data longer than necessary. Define a retention period (e.g. 24 months after the event) and delete or anonymise data after that period expires.
6. Security
Protect personal data with appropriate technical and organisational measures. Use encrypted connections (HTTPS), secure your admin accounts with strong passwords and 2FA, and choose a ticketing platform that takes security seriously.
Consent for Marketing
This is where most event organisers get it wrong. Under GDPR, purchasing a ticket does not give you permission to send marketing emails. You need a separate, affirmative opt-in. Pre-ticked checkboxes do not count. The opt-in must be freely given, specific, informed, and unambiguous.
TicketWave includes GDPR-compliant consent checkboxes at checkout with customisable text. Marketing consent is stored alongside the order record so you always have an audit trail.
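To make the "separate, affirmative opt-in" rule concrete, here is an added example of how a checkout handler can record consent with an audit trail. This is illustrative code written for this guide, not TicketWave's implementation: the field names (marketing_opt_in, terms_accepted), the consent text and its version label are all assumptions. The point it shows is that consent is recorded only when the buyer actively submitted the unticked box, accepting the terms never implies marketing consent, and an unsubscribe keeps the record (so you can still prove what was agreed) while switching off sending.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

# Hypothetical identifiers for the exact wording shown at checkout, so a stored
# record can be traced back to the text the buyer actually saw.
MARKETING_CONSENT_TEXT = "I agree to receive marketing emails about future events from Example Venue."
MARKETING_CONSENT_VERSION = "marketing-2025-01"


@dataclass
class ConsentRecord:
    order_id: str
    email: str
    granted: bool                    # True only on an affirmative, explicit opt-in
    text_version: str                # which wording the buyer saw
    captured_at: str                 # ISO-8601 UTC timestamp of the checkout
    source: str                      # where consent was captured, e.g. "checkout"
    withdrawn_at: Optional[str] = None  # set when the buyer unsubscribes


def _now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


def record_marketing_consent(order_id: str, email: str, form: Dict[str, str],
                             source: str = "checkout") -> ConsentRecord:
    """Build the consent audit record for one checkout submission.

    The form must render the marketing box unticked. A browser only submits a
    checkbox that was ticked, so a missing key means "no consent". Accepting the
    terms (terms_accepted) is a separate field and never implies marketing consent.
    """
    granted = form.get("marketing_opt_in") == "on"
    return ConsentRecord(order_id, email, granted, MARKETING_CONSENT_VERSION,
                         _now_iso(), source)


def withdraw_consent(rec: ConsentRecord) -> ConsentRecord:
    """Honour an unsubscribe: keep the record (audit trail) but mark it withdrawn."""
    rec.withdrawn_at = _now_iso()
    return rec


def may_send_marketing(rec: ConsentRecord) -> bool:
    """Sending is allowed only while consent was granted and not withdrawn."""
    return rec.granted and rec.withdrawn_at is None


# Constructed checkout submissions for illustration
ORDER_A = record_marketing_consent("ord-1001", "alice@example.com",
                                   {"terms_accepted": "on"})                        # terms only
ORDER_B = record_marketing_consent("ord-1002", "bob@example.com",
                                   {"terms_accepted": "on", "marketing_opt_in": "on"})

if __name__ == "__main__":
    print("Alice:", may_send_marketing(ORDER_A))   # terms accepted, no opt-in -> no marketing
    print("Bob:", may_send_marketing(ORDER_B))     # explicit opt-in -> marketing allowed
```

Storing the text version alongside the timestamp matters: if a customer later disputes an email, you can show exactly which wording they agreed to and when, which is the evidence a regulator will ask for.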
Attendee Rights
Under GDPR, your attendees have the right to:
- Access: Request a copy of all data you hold about them.
- Rectification: Correct inaccurate data.
- Erasure: Request deletion of their data (the "right to be forgotten").
- Portability: Receive their data in a machine-readable format.
- Object: Opt out of direct marketing at any time.
You must be able to fulfil these requests within 30 days. Your ticketing platform should make this straightforward through data export and deletion features.
Choosing a GDPR-Compliant Platform
When evaluating ticketing platforms, look for:
- Consent management built into checkout
- Data export capabilities for subject access requests
- Data deletion functionality
- Clear data processing agreements (DPAs)
- EU or UK data hosting
- One-click unsubscribe in all marketing emails
TicketWave is designed with GDPR compliance as a core requirement, not an afterthought. Read our privacy policy for full details on how we handle data.
Practical Steps to Become Compliant
GDPR compliance can feel overwhelming, but the practical steps are manageable when broken down into an actionable checklist. Here is what to do, in order of priority:
- Audit your data collection. List every piece of personal data you collect at checkout and elsewhere. For each data point, ask: do we genuinely need this to deliver the service? Remove any fields that are not essential. Fewer data points means less compliance risk and higher checkout conversion rates.
- Add consent checkboxes. Separate your marketing consent from your terms acceptance. The marketing opt-in must be a distinct, unticked checkbox with clear language: "I agree to receive marketing emails about future events from [Venue Name]." Never bundle marketing consent with terms of service.
- Create a privacy notice. Publish a clear, accessible privacy policy that covers what data you collect, why you collect it, how long you keep it, who you share it with, and how customers can exercise their rights. Link to this notice from your ticket checkout page.
- Set up a data request process. Designate an email address (e.g. privacy@yourvenue.com) where customers can submit data access, rectification, or deletion requests. Document your process for handling these requests within the 30-day legal deadline.
- Review your data processors. Any third party that handles personal data on your behalf (ticketing platform, email provider, analytics tools) must have a Data Processing Agreement in place. Check that your ticketing platform offers a DPA -- TicketWave provides one as standard.
- Implement data retention limits. Decide how long you will keep customer data after an event. Set calendar reminders to review and purge data beyond your retention period.
- Train your team. Anyone who accesses customer data (box office staff, marketing team, door staff viewing scanner data) should understand the basics of GDPR. A 30-minute briefing covering the key principles and common pitfalls is sufficient for most teams.
What to Include in Your Privacy Notice for Ticket Buyers
Your privacy notice for ticket buyers should be written in plain language -- not legal jargon. Here are the sections to include:
Who you are: Your venue or company name, registered address, and the contact details of the person responsible for data protection (this does not need to be a formal Data Protection Officer for small organisations).
What data you collect: Be specific. "We collect your name, email address, and payment details when you purchase a ticket. We record your check-in time when your QR code is scanned at the door."
Why you collect it (legal basis): "We process your name and email to fulfil your ticket purchase (contractual necessity). We send marketing emails only if you have opted in (consent)."
Who you share it with: List your key processors: "Your payment is processed by Stripe. Your ticket is delivered through TicketWave. We do not sell your data to third parties."
How long you keep it: "We retain your purchase data for 24 months after the event for accounting and customer service purposes. After this period, your data is anonymised or deleted."
Your rights: "You have the right to access, correct, or delete your personal data. You can opt out of marketing emails at any time by clicking 'unsubscribe' or contacting us at privacy@yourvenue.com."
How to complain: "If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (UK) or your local data protection authority (EU)."
Data Retention Policy Template
A data retention policy does not need to be a complex legal document. Here is a practical framework you can adapt:
Ticket purchase data (name, email, purchase details): Retain for 24 months after the event date. Justification: accounting records, customer service queries, and refund processing. After 24 months: delete or anonymise.
Marketing consent records: Retain for as long as the consent is active, plus 6 months after the customer unsubscribes. Justification: demonstrating that valid consent was obtained if challenged. After the retention period: delete.
Check-in/scanning data (timestamps, device IDs): Retain for 12 months after the event. Justification: attendance analytics and dispute resolution. After 12 months: anonymise (remove personal identifiers, retain aggregate statistics).
Financial transaction data: Retain for the period required by your local tax authority (typically 6-7 years). Justification: legal obligation for tax and accounting compliance. Note: this applies to financial records, not marketing data.
Inactive customer data: If a customer has not purchased a ticket or engaged with your emails in 24 months, suppress their record from active marketing lists. Send a re-engagement email before suppressing, giving them the option to remain subscribed.
Review your data retention policy annually and document each review. If a customer submits a deletion request, check whether any legal retention obligation (e.g. tax records) overrides the right to erasure before processing the deletion.
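The retention template above and the erasure-versus-legal-obligation rule in the last paragraph are easiest to apply when they are written down as a small, repeatable job rather than a calendar reminder. The following is an added example for this guide, not code from TicketWave or any other platform. It encodes the periods from the template (the 7-year financial period is an assumed value within the "typically 6-7 years" range), decides per record whether to keep, delete or anonymise, and handles a deletion request by removing everything about the customer except records still under a legal retention obligation, which it reports back so you can explain the exception to the requester. Record fields and categories are assumptions for the example.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional, Tuple

# Retention rules adapted from the template above. "anchor" names the date the
# period counts from; "legal_hold" marks categories a deletion request cannot override.
RETENTION_RULES = {
    "purchase":  {"months": 24, "action": "delete",    "anchor": "event_date",      "legal_hold": False},
    "consent":   {"months": 6,  "action": "delete",    "anchor": "unsubscribed_on", "legal_hold": False},
    "checkin":   {"months": 12, "action": "anonymise", "anchor": "event_date",      "legal_hold": False},
    "financial": {"months": 84, "action": "delete",    "anchor": "event_date",      "legal_hold": True},
}


@dataclass(frozen=True)
class Record:
    category: str                            # one of the RETENTION_RULES keys
    email: Optional[str]                     # None once anonymised
    name: Optional[str]
    event_date: date
    unsubscribed_on: Optional[date] = None   # consent records only
    consent_active: bool = False             # consent records only


def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic; clamps to the last day of short months."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def expiry_date(rec: Record) -> Optional[date]:
    """Date on which the retention period ends, or None if the clock has not started."""
    rule = RETENTION_RULES[rec.category]
    if rec.category == "consent" and rec.consent_active:
        return None                      # consent still active: keep as long as it is in use
    anchor = getattr(rec, rule["anchor"])
    return None if anchor is None else add_months(anchor, rule["months"])


def retention_action(rec: Record, today: date) -> str:
    """Return 'keep', 'delete' or 'anonymise' for one record on the given date."""
    exp = expiry_date(rec)
    if exp is None or today < exp:
        return "keep"
    return RETENTION_RULES[rec.category]["action"]


def anonymise(rec: Record) -> Record:
    """Strip direct identifiers but keep dates so aggregate attendance statistics survive."""
    return replace(rec, email=None, name=None)


def apply_retention(records: List[Record], today: date) -> List[Record]:
    """The periodic purge: drop expired records, anonymise where the policy says so."""
    kept = []
    for rec in records:
        action = retention_action(rec, today)
        if action == "delete":
            continue
        kept.append(anonymise(rec) if action == "anonymise" else rec)
    return kept


def handle_erasure_request(records: List[Record], email: str,
                           today: date) -> Tuple[List[Record], List[str]]:
    """Erase a customer's records except where a legal retention obligation still applies.

    Returns the remaining records and the categories retained under legal obligation,
    so the response to the customer can state what was kept and why.
    """
    remaining, retained = [], []
    for rec in records:
        if rec.email != email:
            remaining.append(rec)
            continue
        exp = expiry_date(rec)
        if RETENTION_RULES[rec.category]["legal_hold"] and exp is not None and today < exp:
            remaining.append(rec)        # e.g. tax records: the legal basis overrides erasure
            retained.append(rec.category)
    return remaining, retained


# Constructed sample data: one past event in 2023 and one more recent purchase.
SAMPLE = [
    Record("purchase",  "alice@example.com", "Alice", date(2023, 3, 10)),
    Record("checkin",   "alice@example.com", "Alice", date(2023, 3, 10)),
    Record("consent",   "alice@example.com", "Alice", date(2023, 3, 10),
           unsubscribed_on=date(2025, 3, 1)),
    Record("financial", "alice@example.com", "Alice", date(2023, 3, 10)),
    Record("purchase",  "bob@example.com",   "Bob",   date(2024, 9, 1)),
]
TODAY = date(2025, 6, 1)

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.category, rec.email, "->", retention_action(rec, TODAY))
    left, held = handle_erasure_request(SAMPLE, "alice@example.com", TODAY)
    print("after erasure:", [(r.category, r.email) for r in left], "retained:", held)
```

Run on the sample data, the purge deletes Alice's 2023 purchase record, anonymises her check-in record, and keeps her consent record (six months after the March 2025 unsubscribe have not yet passed) and the financial record (legal hold). Her deletion request removes everything except the financial record, which is reported as retained. Logging the output of each run gives you the documented review the last paragraph asks for.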
Related Reading
- TicketWave Privacy Policy
- Platform features including GDPR consent tools
- View pricing