Lorena Pérez Campillo and José A. Castillo Parrilla (UPV/EHU)
Organizing a congress or a conference is a complicated task that involves a high number of issues in terms of data protection. Most people are not willing to have their privacy vulnerated just because they accept to attend and/or participate in an event and we must be extremely respectful with their right of privacy. Violations of basic data protection principles might bring severe sanctions to organizers.
We mainly concentrate on public events since they involve many more issues than private events. As “public events” we understand events open to the public, addressed to a considerable number of people that could complicate controlling information, or events that will be announced or published after taking place. On the contrary, “private events” would allow a better control of information since (1) the events would be addressed to a small amount of people and/or (2) the organisers have asked the participants not to publish information on the event nor images of people without their permission. Public events may have a higher risk to damage privacy, so considerations on these events must be more severe. What is said on them can be applicable to private events even when private events may not need to be as strict as public events.
Some preliminary thoughts that might be particularly relevant
We assume that the research centre / group of researchers are the “controller” (see art. 4(7) GDPR) when choosing the purposes and means of the intended processing. But also, there might be different possible controllers as this diagram shows:
The role to be played by each organizing institution must be clarified from the very beginning of the organization process. A written agreement specifying the role to be played by each organization could be key in order to guarantee an adequate personal data processing. If the controller works with suppliers who process data, or if there are any processors who depend on the controller, they must make sure that processors are compliant with the GDPR and national regulation. Examples of service providers include cloud providers or intermediary event management platforms or conferences software. It will be necessary to ensure that processors comply with the GDPR and data protection national regulations: legitimacy, duty of information, exercising of rights, etc. In addition, it will be necessary to check that the “data processing agreements” are up to date according to the GRPD. Whenever possible, controllers must create binding agreements with suppliers to ensure that they comply both with legal requirements and with requests made by the controller (e.g. to delete or modify data).
In a congress there are several activities that can be affected by data processing:
When organizing an event and registering attendees, we are considering general personal data (as special categories data are usually not collected), such as name, email address or provenance (e.g., entity to which they belong).
When displaying the personal data of source subjects resulting from possible scientific research, organizers might have to deal with special categories of personal data.
The organizers of the congress must distinguish between data that are necessary to apply for the event and other data. The requirements for consent must be different, and specify in each case (1) the purpose of data processing and (2) if providing consent for data processing is necessary (e.g., in order to allow access to the event, for any logistical or control reasons). This way, attendants can freely consent on data processing regarding data that are not necessary. Regarding data that are not necessary for the event, it must be clear that the attendants (now, data subject) can withdraw their consent at any time without prejudicial consequences (see art. 7 and WH 42 and 43 GDPR).
Apart from that, data minimization principle must be taken into account (art. 5.c GDPR). For instance, requiring email, phone number and domicile may not be necessary if the purpose of data processing is allowing contact between the organisers and the attendants. For sure, domicile would not comply with data minimization principle in this case. Depending on the circumstances, even phone number could not be necessary to contact with attendants if they are aware that email should be consulted frequently. To sum up, personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Some practical recommendations that might be useful
- The purpose behind the processing of the collected data must be clear. The controller must explain whether they will use these data for publicizing future conferences, or if they will share them with the sponsors, for instance. They should provide attendees with the possibility to give separate consent to different requests. They could, for instance, use stickers to make it clear if a data subject wants to be recorded but does not want to have the recordings placed online.
- Management of the registration. The attendants might have different preferences about this issue. Some, for instance, might not be willing to be included in the lists of attendants. To avoid problems on the issue, a previous message should be included when collecting data (both, necessary and not necessary data as explained in point 5) warning that a list of attendants will be elaborated and distributed. This message should have the following characteristics: (1) visible: the attendants will be able to read the warning at first glance; (2) complete: the message will inform what data will figure in the list and to whom it will be distributed; and (3) reversible: the message will include a simple way to withdraw the consent warning that once the list is distributed it is impossible to recover it to withdraw data. If this list is also used to give ID cards to the attendants once arrived to the venue (if it is a physical event), the message could include a yes/no question: “would you like to receive an ID card with your name and provenance?”.
- Controllers must make sure about the data they really need and not ask for more. The less data they possess, the less trouble they will have. Once the event is finished, controllers must delete all data that they are not obliged to keep for legal purposes. Controllers must check the type of data that they will have to keep and the period specified by the applicable regulation. They must inform all participants about it from the very beginning.
- Controllers must make sure that all attendants are allowed to decide whether they want to be recorded, filmed or photographed. Gathering informed consent could be an excellent idea in this sense, but then controllers should not forget that you have to respect their right of privacy. Controllers should try to establish “camera free” zones. Some parts of the venue should be isolated from any kind of pictures or recordings. A complementary useful tool consists on preparing different cards with different colors depending on the consent/non-consent of each one of the participants to be photographed. Along with these types of measures, and once the event is held we should have some technical tool that allows to pixel or obfuscate the images in the photographs or videos, for example. We refer, for example, to recordings or photographs of a group of attendees during a lecture break.
- If the controllers are recording the sessions and planning to include the questions and answers section, they shall advise the attendees previously. This is particularly important if panel chairs ask attendants to identify themselves before asking questions.
- The controllers should ask all participants (speakers, chairs…) to provide them with the biographical info and the photographs that they want to include in their short biography. Controllers must inform beforehand if people wouldbe able to access the information. If some of them are not willing to include a photograph, controllers cannot unrespect their will. For instance, they cannot take a picture from internet and use it.
- If the controller needs to inform attendees or participants of some financial information to proceed with the payment of fees or to reimburse attendance costs, they shall do it from the very first communication. For example, on the corresponding form sheet. Sometimes institutions do not work well in terms of data minimization rules. The controller might have serious problems if they notice that attendees do not agree with their institutional policies on privacy and data protection issues.
- The controller must be aware that information about diet preferences might reveal information about religious beliefs or ideology, or even health or status (for instance, pregnancy). They must manage this information very carefully. They must try to include menus that do not result in such consequences.
Some tools you might use
When providing information about the processing
The controller might choose to provide basic information. If this is the case, it is advisable to include a table with the following headings so that the information can be clearly seen by the interested party:
|European Association XXXXC/European Society of Oncology, etc.
|Purpose of data processing
|Registration and management of event attendees
|No data will be passed on to third parties, unless legally obliged to do so
|You have the right to access, rectify and delete data, as well as other rights, as explained in the additional information
|Additional and detailed information on Data Protection can be found on our website: web: www.xxxxxxx/dataprotectionpolicy
|“Before filling in the form you should read the basic information on data protection presented in the link at the bottom of the table”.
When taking pictures/videos of the attendees/presenters…
The controller might use a kind of information pack as the one showed below. The types of personal data to be collected must be indicated: how the data will be collected (e.g. photographs and videos) and where it will be collected (place). In addition, the purpose should be stated: such as marketing, training, etc. The controllers should also indicate the type of data processing (editing, publication, display) and whether it will be published in social media or in a newsletter.
Your image and your voice can be recorded.
Please note that _______________ will take pictures and video in the public areas of the conference (meeting rooms, exhibition rooms, etc.).
We may use these media in marketing materials, educational products, and publications.
They may be published in the Social Media. Tick if you agree to appear in.. Twitter Facebook LinkedIn …..
When there is streaming or photo publication…
- People should be informed, with as much information as possible, whether there will be media coverage, using identifiable external or internal media. The controller should also indicate where this will be published.
- Consent on data processing for each purpose must be different and potential data subjects must be able to clearly distinguish each one of the different consents.
|Broadcast in streaming:
“We inform you that the event and during both days, will have media coverage, with external media (outside the congress, mostly national and international journalists) and internal. There are interns who have been expressly hired by _______________ such as the audio-visual recording of the speakers and some interviews, for their edition and postproduction. The congress will be published online through streaming (through the following YouTube channel xxxxxxxxx)
When the events are webinars …
- The same obligations must be fulfilled as if they were events in a physical place, i.e. there must be a legitimizing basis (consent, contractual obligation, etc.), the interested party must be informed, etc. Some requirements may need to be adapted to the digital environment.
- The corresponding research institution or researchers who organize this type of event (conferences, congresses, webinars, etc.) will include a section with the purpose “management of congresses” in which the following should be detailed:
1According to article 4 GDPR, a data processor is a person, authority, agency or other body which processes personal data on behalf of the controller (art. 4.8 GDPR). ↑
2All the information required in Art. 13 and 14 EU GDPR is available in the section “Data Protection Policy”. ↑