In February of this year, the Data Protection Commission (DPC) released guidance on attendee lists and the fact that some organisations are refusing to release such lists on the basis of the GDPR. The DPC’s guidance makes clear that the GDPR does not forbid releasing such lists but nor is there a mandate to do so. As with all such situations, the answer as to whether to share a list of attendees is: “it depends!”
Attendee Lists and Personal Data:
First of all, where a list gathers information about the name of individuals and their role, function and/or the organisation they work for, this is personal data. Under Article 4 of the GDPR, the definition of personal data is quite wide:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’)
This includes factors specific to the economic, cultural or social identity of the individual. The fact that the information relates to their commercial activities and not their personal life does not exempt it from Data Protection legislation, as some may have thought. So, if the standard content of an attendee list is personal data, when can you share it?
Before you can release such data, there are a few things to consider, including the purpose or nature of the event, expectations of the attendees and the information communicated to the attendees before they signed in.
As regards the purpose or nature of the event there is a very big difference between, say, a support event for people affected by certain social or medical problems and an event organised to promote a commercial activity or sector. For the former, the very fact that someone is attending means they, or someone close to them, is likely to be affected by the issue being discussed or communicated in public. Releasing a list of such attendees would likely pose a risk to the individuals’ privacy and may need to be considered as special category data as it may imply a health condition. For the latter, the very nature of the event may be the development of commercial contact networks and the building of cooperation for commercial advantage. Both are events but with very different attributes.
In each of these examples, it can be appreciated that attendees may also have very different expectations. Those attending the support event may want the organisers to follow up and provide additional materials and let them know of other relevant resources. Nonetheless, they may have no desire to have their private and personal details shared with others in or outside the room. In contrast, those attending the promotional event may have come for the very purpose of having their details shared with the hope of developing a network with other attendees for commercial advantage.
Those expectations, as mentioned by the DPC, would likely be reflected in what the organisers communicated to potential attendees when invitations were sent out or when registration forms were made available (paper or digital). The organisers should have made clear, under the principle of transparency, what personal data would be gathered, how it would be used and why.
Different events may rely on different lawful bases to process that personal information. If the event was a promotional event for commercial purposes, it is likely the organisation can rely on legitimate interests or even contract as the primary lawful basis if there was a fee. For the support event, several lawful bases are available, including the legitimate interests of a charity, consent of attendees, or the public task of a state agency. Where legitimate interests are relied upon, this will need to be balanced against the data subjects’ interests, rights and freedoms, and the assessment documented. Fairness is the underlying principle for the balance of rights between the rights to privacy and data protection of the attendee and any legitimate interest of the organisers.
Whatever lawful basis is chosen, it must be communicated so that each attendee knows beforehand:
+ The lawful basis
+ The declared purpose(s) for processing their personal data
+ The necessity of the data processing to meet that purpose
Even where consent is not chosen as the lawful basis, it would be good practice, and a basic courtesy, to empower each attendee to opt-out of having their data shared with other attendees where this is intended to happen.
Each event is different. As an organiser and the Data Controller, it is essential to be clear and concise about how and why personal data will be used. GDPR does not forbid the sharing of attendee lists but nor does it give carte blanche for this personal data to be freely shared with whomever requests it. Context and attendee expectations are key and, wherever possible, attendees should be given the power to choose how their data will be used. Follow the ‘no surprises’ rule. If you are organising any events and are unsure about issues relating to privacy notices or how to handle personal data correctly, please feel free to make contact with one of our advisors in the Data Governance and Cyber-Risk Team.