Data Protection considerations for Event Management (internal advice)

You will need to give attendees a secure way to provide their personal data when registering for the event, and to manage their personal data for the event thereafter. There are a number of systems that could be used. The University provides MS Forms, but a number of colleagues prefer to use Eventbrite (US data processing) or BookItBee (UK data processing).

If using Eventbrite, there is guidance online for using cloud services: https://napierstaff.napier.ac.uk/services/governance-compliance/governance/DataProtection/Pages/InternetServices.asp

You need to provide a disclaimer to the following effect: 

‘Please note that by registering for this event via [insert company name] [which will host your data outside the UK (in the USA)] you will be supplying your personal data to the company/website and as such you are accepting and consenting to the practices in their Privacy Policy which can be accessed here [insert link]. Edinburgh Napier University is not affiliated with this company/website in any way, is using its services solely for the purposes of facilitating event ticketing and registration and does not accept any responsibility or liability for personal data which you have chosen to provide to such third party sites.’

This should be included on the email invitation and the Eventbrite registration page (just somewhere down the bottom).

You need to provide your attendees with a Privacy Notice. A template is available via the "Privacy Notice" link in the left-hand menu. Mandatory fields are:

1) Data Controller’s details

2) Legal Basis/es

3) Categories of recipients internally and externally (who personal data is shared with)

4) If personal data is transferred outside the UK

5) How long data will be retained or the rationale for retaining data

6) If any automated decision making or profiling is taking place

7) The following link: staff.napier.ac.uk/dpstatements for further information about processing and rights


You need to ask attendees to opt-in to the following (where necessary/relevant):

- sharing with external parties e.g. event organisers / sponsors (attendees must be advised of the purposes for this sharing)

- sharing delegate list with other delegates (again advise the purposes e.g. networking)

- receiving marketing / promotion of future events


Accessibility/dietary requirements must be securely collected and stored, e.g. in a secure system or password-protected document, and destroyed once the purposes have been fulfilled. Potentially these could be held for up to 3 years in case there is a legal claim relating to equalities or personal injury, e.g. an issue caused by food.


Advise that data may be shared with appropriate colleagues internally.

If the event will be recorded, filmed or photographed, guidance is available in the University's Data Protection Code of Practice - see the Filming and Photography section: https://staff.napier.ac.uk/services/governance-compliance/governance/DataProtection/CodeofPractice/Pages/PhotographyFilmRecording.aspx 

Page last updated 12 June 2023