Personal Data - At its simplest, personal data is anything that you can use to identify an individual. This includes, but is not limited to:
- Email address
- Medical conditions
- ID cards
- IP address and location data
Sensitive information - Personal data like medical information is classed as Special category data. Data regarded as such is heavily regulated and it is imperative you obtain explicit consent at the point of collection, along with a Privacy Notice explaining why you need the information and what you will do with it. You can also include a statement within your own Event Information/Terms & Conditions which advises customers with suggested prohibitive medical conditions that they should not take part in the event but if they choose to do so, they must contact you directly to discuss the condition. This route will not only ensure you have explicit consent but will also enable you to avoid collecting and being responsible for special category data.
The basis for implementing GDPR is to give individuals control over who is collecting their data and how it can be used. These rights include being able to request that data be erased. It’s important these rights are respected, and you can find out more about them here.
Summary - Under GDPR, it’s your responsibility to inform the customer of the following:
- What data you’re collecting - e.g. medical conditions, contact details.
- How it’s collected - e.g. through Helm Tickets.
- The legal basis for collection - There are six legal bases for collection: consent, contract, legal obligations, vital interests, public task and legitimate interest. You can read more about the requirements for each one here. You must have a legal basis for collecting data, and you should therefore only collect data that is absolutely necessary.
- Why you need the data - e.g. if you must legally have medical conditions on record to gain event insurance or to protect attendees from allergens.