This article provides general information about data protection principles as they apply to event ticketing. It is not legal advice. Organisers should consult a qualified data protection professional or their organisation's legal team for advice specific to their circumstances.
Every ticket purchase is a data collection event
When a buyer purchases a ticket through ShowRave, they provide their name and email address at a minimum, and often more depending on what registration fields the organiser has configured. That information is personal data under UK GDPR (which applies in the United Kingdom after Brexit) and EU GDPR (which applies across EU member states). The organiser who configured the event and receives that data is the data controller: the party legally responsible for how it is collected, stored, used, and eventually deleted.
This is not a theoretical concern. Data protection authorities across the UK and EU actively investigate complaints and issue fines for mishandled personal data, including from event organisers who did not consider their compliance obligations. The most common problems are not complex: they tend to involve sending marketing emails to buyers who did not opt in, retaining attendee data indefinitely without a legitimate reason, or failing to have a publicly accessible privacy notice explaining how buyer data is used.
Getting this right is not difficult. It requires understanding what the rules require, configuring the event page and registration accordingly, and following a consistent post-event data handling process. This guide covers all three.
The legal basis for collecting ticket buyer data
Under GDPR, every piece of personal data you collect must have a lawful basis. For ticketing, the most applicable basis is contractual necessity: when a buyer purchases a ticket, you need their name and contact details to fulfil the contract (delivering the ticket, sending confirmation, communicating about the event). This lawful basis covers the essential transaction data without requiring a separate consent process.
Additional data points (job title, dietary requirements, company name, session preferences) require their own justification. Dietary and accessibility information collected for operational purposes (catering, venue arrangements) is typically justified under contractual necessity or legitimate interests where the processing is genuinely necessary for the event to operate safely. Data collected for marketing or profiling purposes, such as opting attendees into a mailing list or sharing their data with sponsors, requires explicit, freely given consent that is separate from the ticket purchase itself.
The key principle: do not collect data you do not need for a specific, documented purpose. Every field on your registration form should have a reason that you can articulate if asked. If you cannot explain why you are collecting a data point and how it will be used, do not collect it.
Your privacy notice: what it must say
Before collecting any personal data from buyers, you must provide a privacy notice explaining: what data you are collecting; why you are collecting it (the legal basis); who you will share it with, such as the venue, catering team, or co-organisers; how long you will retain it; and how buyers can exercise their rights under GDPR, including access, correction, and deletion.
For a ticketed event, a practical implementation is a short privacy notice on the event page itself, linked to or summarising your organisation's full privacy policy. The notice does not need to be lengthy: a clear, plain-English paragraph covering the above points satisfies the transparency requirement for most standard ticketing scenarios. Something like: "We collect your name and email to process your ticket purchase and send event communications. Your data may be shared with [venue name] for event logistics. We will retain your data for [period] after the event. See our full privacy policy at [link]. To request access or deletion, contact [email]."
For events where additional data is collected, such as dietary requirements, employer information, or session preferences, expand the notice to cover each additional category and its specific purpose.
Marketing emails and the opt-in requirement
This is the area where most event organisers create compliance problems without realising it. UK GDPR and the Privacy and Electronic Communications Regulations (PECR) together require that marketing emails sent to individuals, which includes event announcements, newsletters, and future event promotions, are sent only to people who have specifically consented to receive them.
Buying a ticket does not constitute consent to receive future marketing emails. A buyer who purchased a ticket to your event has agreed to receive communications about that specific event: their confirmation email, pre-event reminders, post-event follow-up. They have not agreed to receive announcements about your next event unless they specifically opted in to future communications.
The correct implementation is an opt-in checkbox on the ticket registration form, clearly separated from the ticket purchase process, with wording that accurately describes what the buyer is agreeing to: "Yes, I would like to receive updates about future events from [organiser name]." The checkbox must be unchecked by default. A pre-ticked box does not constitute valid consent under GDPR.
For organisers who want to build a directly owned marketing audience through their events, this means only the subset of buyers who actively opted in during registration can be added to future marketing lists. This is smaller than the full attendee list but more valuable because these buyers are genuinely interested in hearing from you. The ShowRave attendee export shows all registration field data including opt-in responses, allowing you to filter correctly before uploading to any email platform.
Sharing attendee data with third parties
Event organisers routinely need to share attendee data with third parties: the venue requires a final headcount and dietary breakdown, the catering company needs the meal choice data, a co-organiser needs access to check in guests. Each of these is a legitimate data sharing need that should be covered in your privacy notice.
Where data is shared for operational event purposes with parties who handle it only as instructed by the organiser (a caterer who receives a list of dietary requirements and uses it only to prepare food), that party is typically a data processor and the organiser remains the data controller. In practice this means: share only the data each third party needs for their specific function, confirm that they will use it only for that purpose, and do not share data with parties not mentioned in the privacy notice without updating the notice first.
For sponsored events where sponsors want access to the attendee list for their own marketing purposes, that access is a data sharing arrangement that requires specific GDPR handling, including explicit consent from the buyers whose data is being shared. Attendees must be clearly told at registration that their data will be shared with sponsors for marketing if that is the case. This is a more complex arrangement that should be designed carefully before the event goes on sale.
Retention: how long you can keep attendee data
GDPR requires that personal data is kept no longer than necessary for the purpose for which it was collected. For event attendee data, "necessary" typically extends for a reasonable period after the event for follow-up communications and for any financial or legal record-keeping purposes, but not indefinitely.
A practical retention approach: retain attendee data for the period needed to fulfil event follow-up (post-event email, any refund or dispute resolution), plus any period required for legal or financial compliance (typically one to six years for financial records depending on the jurisdiction). After that period, delete or anonymise the records. For data that was collected on an opt-in basis for future marketing, retain it until the subscriber opts out or until you have no further legitimate use for it, then delete.
For each event's attendee data, set a specific deletion date when you export the list after the event. Export to your secure systems, retain for your defined period, then delete from the ticketing platform. Attendee data in ShowRave can be managed and exported at any time from the organiser dashboard. Delete exported files from unsecured systems (email attachments, unprotected spreadsheets) once the legitimate retention period has ended.
Attendee rights under GDPR
Buyers whose data you hold have the right to access their data, request correction of inaccurate data, request deletion of their data, and object to specific uses of their data. A request to exercise any of these rights must be responded to within one calendar month.
For most event organisers, the volume of such requests is low, but the obligation exists regardless. Publish a clear contact route for data subject requests in your privacy notice (a dedicated email address is sufficient). When a request arrives, handle it promptly and document your response. Failure to respond to a data subject request within the required period can itself trigger a regulatory investigation.
For deletion requests, note that some data may need to be retained for legal reasons even when a buyer requests deletion: financial transaction records, for example, may need to be retained for tax purposes regardless of a deletion request. In such cases, explain clearly which data is being deleted and which is being retained, and why. This transparent handling of partial deletion requests is generally accepted by regulators as compliant behaviour.
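The post-export handling described in the marketing opt-in, third-party sharing, retention and attendee rights sections above can be made mechanical rather than manual. The script below is an added example and is not ShowRave's code or export format: the CSV columns, the sample attendees, the 90-day follow-up window and the one-year legal retention period are all constructed assumptions. It filters the marketing list to explicit "yes" opt-ins only (blank or ambiguous values count as no consent), gives the caterer and venue only the fields each needs, computes a deletion date for the records, and computes the one-calendar-month response deadline for a data subject request, including the case where the following month is shorter.

```python
import calendar
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample attendee export. The column names are an assumption for
# this example, not ShowRave's real export format. The blank opt-in value for
# Carol stands for a buyer who never touched the checkbox.
SAMPLE_EXPORT = """name,email,dietary,company,marketing_opt_in
Alice Example,alice@example.org,vegetarian,Example Ltd,yes
Bob Example,bob@example.org,,Example Ltd,no
Carol Example,carol@example.org,nut allergy,,
Dan Example,dan@example.org,vegan,Other Co,YES
"""


def parse_export(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def marketing_list(rows):
    """Emails of buyers who gave an explicit affirmative opt-in.

    Anything other than a literal 'yes' (blank, 'no', missing column) is
    treated as no consent: an unticked box is not consent, and an ambiguous
    value must never be rounded up to consent.
    """
    return [
        r["email"]
        for r in rows
        if (r.get("marketing_opt_in") or "").strip().lower() == "yes"
    ]


def caterer_list(rows):
    """What the caterer receives: name and dietary requirement only, and only
    for attendees who stated a requirement. No email, company or opt-in data.
    Including the name is an assumption (a seated event); a buffet would need
    only the dietary counts from venue_summary().
    """
    return [
        {"name": r["name"], "dietary": r["dietary"]}
        for r in rows
        if r["dietary"].strip()
    ]


def venue_summary(rows):
    """What the venue receives: headcount and a dietary breakdown as counts.
    Aggregates only; no personal data leaves the organiser."""
    breakdown = Counter(r["dietary"].strip() or "none" for r in rows)
    return {"headcount": len(rows), "dietary": dict(breakdown)}


def scheduled_deletion(event_date, follow_up_days, legal_retention_years):
    """Deletion date for an event's attendee records: the follow-up window
    plus any legal/financial retention period. Both periods are the
    organiser's documented choice; the values passed in are assumptions."""
    end_follow_up = event_date + timedelta(days=follow_up_days)
    target_year = end_follow_up.year + legal_retention_years
    try:
        return end_follow_up.replace(year=target_year)
    except ValueError:  # 29 February landing in a non-leap year
        return end_follow_up.replace(year=target_year, day=28)


def response_deadline(received):
    """Deadline for a data subject request: one calendar month from receipt.
    If the next month has no such day (31 Jan -> February), the deadline is
    the last day of that month, the usual reading of 'calendar month'."""
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


if __name__ == "__main__":
    attendees = parse_export(SAMPLE_EXPORT)
    print("marketing list:", marketing_list(attendees))
    print("caterer receives:", caterer_list(attendees))
    print("venue receives:", venue_summary(attendees))
    print("delete records on:", scheduled_deletion(date(2025, 6, 14), 90, 1))
    print("request received 31 Jan, respond by:", response_deadline(date(2025, 1, 31)))
```

Each recipient gets its own function deliberately: the decision about which columns a third party may see is made once, in code, and recorded there, rather than by hand each time a spreadsheet is trimmed. The deletion date and response deadline are returned as values so they can be written into a retention log alongside the export.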
What ShowRave does at the platform level
ShowRave processes personal data on behalf of event organisers as a data processor. Organisers are the data controllers for the data their attendees submit through ShowRave. The platform processes payments through secure, compliant infrastructure and stores attendee registration data for access by the organiser through the dashboard.
The organiser is responsible for configuring their event page privacy notice, handling data subject requests, managing opt-in consent for marketing, sharing data only with appropriate third parties, and deleting data at the end of its retention period. The platform provides the tools; the organiser determines how they are used within their own GDPR compliance framework.
For complex events, multi-country operations, or organisations subject to specific regulatory requirements beyond standard GDPR, consult a data protection professional before configuring registration fields and before the event goes on sale. The compliance obligation is the organiser's, and addressing it before tickets launch is significantly easier than correcting problems afterwards.
The practical conclusion is straightforward: collect only the data you need, tell buyers clearly how you will use it, obtain explicit consent for marketing, share data only as described, and delete it when you no longer have a legitimate need. These steps cover the vast majority of GDPR obligations for standard event ticketing and require no specialist knowledge to implement. The organisers who get into difficulty are almost always those who skipped one of them, not those who lacked technical understanding of the regulation.