HomeKnowledge base › Event agencies and attendee lists
Events

Event agencies: destroying attendee lists

An event agency's attendee lists and badges ready for confidential destruction

An event agency processes the data of everyone who registers: name and contact details, job title and organisation, dietary and allergy needs, accessibility questions, badges with check-in data and often photos or video of the day itself. Part falls under the tax retention obligation, part is precisely sensitive and should be kept as briefly as possible. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.

The quick answer: the invoicing you keep for seven years for the tax retention obligation. The attendee list and badges you keep no longer than necessary for the event and its settlement. Dietary, allergy and accessibility needs you treat separately. If you work on assignment, you follow the processor agreement. What may go disappears confidentially and with a certificate.

Why an attendee list holds more than a name

An attendee list looks harmless, but often holds more than just names. Alongside contact details and the organisation, it lists dietary needs, allergies and accessibility questions, and those can touch on health data. That is special-category personal data under the GDPR, with stricter rules. At a large conference or festival it also involves thousands of people at once, which makes a data breach correspondingly damaging.

The GDPR requires storage limitation. Do not keep the data longer than necessary for the event and its settlement, and clear it out afterwards. Only the administration has a fixed period of seven years.

Retention periods by part

The period differs per type of data. The overview below gives the main line. Count the tax period from the end of the financial year and the other periods from the completion of the event.

PartStarting pointPeriod
Invoicing and administrationTax retention obligation7 years
Attendee list and contact detailsAs long as there is a purposeclear out after completion
Dietary, allergy and accessibility needsSpecial-category datadestroy finely
Badges and check-in dataOnly during the eventclear out at once
Photos and video of attendeesOnly with consentas long as consent applies
Correspondence and draftsNo retention obligationclear out at once

Use this as a guideline, not a final legal ruling. If you work on assignment for a client, you set the periods in a processor agreement. The tax side is in the 7-year tax retention obligation.

Dietary, allergy and accessibility needs separately

The most sensitive part of an attendee list is the needs around food and accessibility. A gluten-free diet for medical reasons, a note about a wheelchair or a medical condition is health data. Keep that information recognisably separate from the ordinary list, allow it only to whoever runs the event and destroy it at a fine level as soon as the event is over. That way you avoid a whole attendee list inheriting the longest period of its most sensitive part.

Photos of attendees and consent

Footage of the day itself is valuable for an aftermovie or the next edition, but a recognisable person in a photo is personal data and also touches on image rights. Use photos and video only with the attendees' consent and limit it to the agreed purpose. If someone withdraws consent, you remove the footage. That way the use of someone's portrait always stays tied to a valid ground.

The processor role: your client's data

You often organise an event on assignment for a company or institution. The attendee data is then that client's, and you are the processor. You record the arrangements about keeping and destroying in a processor agreement, so it is clear who is responsible for what. Match your periods to those arrangements. What such an agreement looks like is in the processor agreement checklist.

How to handle it in 6 steps

  1. Split the data into administration, attendee list, sensitive needs and footage.
  2. Treat dietary and accessibility needs separately and at a fine destruction level.
  3. Clear out badges and check-in data straight after the event.
  4. Use photos only with consent and clear them out on withdrawal.
  5. Collect what may go in sealed containers, not in the paper bin.
  6. Have it destroyed confidentially with a certificate and record it in your register.

Destroy confidentially with a certificate

Attendee lists, leftover badges and old data carriers you have destroyed confidentially, because they contain contact details and sometimes health data. The paper, the badges and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old registration computer or backup with attendee data belongs with it too.

Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR and your client that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.

Attendee lists and badges to be destroyed?

Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.

Request a quote

Common mistakes

  • Keeping attendee lists for the next edition. Without a ground the purpose lapses after the event.
  • Treating dietary and accessibility needs as ordinary paper. That is special data.
  • Using photos without consent. An aftermovie requires consent from the people involved.
  • Leaving leftover badges lying around. They contain names and sometimes a QR with data.
  • Keeping no proof. Without a certificate you cannot demonstrate the destruction to your client.

Frequently asked questions

How long does an event agency keep an attendee list?

The invoicing falls under the seven-year tax retention obligation. The attendee list itself you keep no longer than necessary for the event and its settlement, after which you clear it out. If you work on assignment, you follow the arrangements in the processor agreement.

Are dietary and accessibility needs special data?

Often yes. A diet for medical reasons or an accessibility need can touch on health data, which is special-category personal data. Treat it separately and destroy it at a fine level as soon as the event is over.

May I keep and use photos of attendees?

Only with consent. A recognisable person in a photo is personal data and also touches on image rights. Use footage only for the agreed purpose and clear it out as soon as that purpose lapses or consent is withdrawn.

How do I destroy attendee data in line with the GDPR?

Confidentially and with a certificate of destruction. Paper, badges and data carriers travel sealed and the destruction is recorded in the record of processing.

Conclusion

An event agency processes the data of sometimes thousands of attendees at once, right up to dietary and accessibility needs. Keep the administration seven years, keep the attendee list and badges no longer than necessary and treat sensitive needs separately. Use photos only with consent and follow the processor agreement if you work on assignment. What may go you have destroyed confidentially with a certificate as proof. That way you protect the attendees and show your client that you settled it tidily.

Read also: hotels: destroying guest registration data, campsites and holiday parks: destroying guest data, restaurants: destroying reservations and allergy data and the GDPR retention periods cheatsheet.


Have attendee data collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.

Also relevant: Trade associations: destroying member data.