If you’re running events in Europe, or selling tickets to anyone in the EU, GDPR compliance for the event data you handle in WordPress isn’t optional. It’s the law. And the fines for getting it wrong start at €20 million or 4% of global annual turnover, whichever is higher. Yet most event organizers are collecting far more attendee data than they’re legally allowed to, often without even realizing it.
This post breaks down exactly what data you’re allowed to collect, what you need to strip out of your checkout, and how to run a fully GDPR-compliant ticketing setup directly inside WordPress — without paying per-ticket fees to a third-party platform that controls your attendees’ data.
Why Event Organizers Are Especially Exposed Under GDPR
GDPR applies to any organization that processes the personal data of EU residents — regardless of where your business is based. If someone in Germany buys a ticket to your event, GDPR applies to that transaction.
The regulation is built on a principle called data minimization: you may only collect personal data that is adequate, relevant, and limited to what is necessary for the purpose you’ve stated. That last word — necessary — is where most event organizers get into trouble.
A typical WooCommerce checkout out of the box asks for:
- First and last name
- Email address
- Phone number
- Billing address (street, city, postcode, country)
- Company name
For a physical product shipped to a home, most of that makes sense. For a digital ticket delivered via email? You legally need the name and email. That’s it. Everything else requires a specific, documented justification — and “we might need it someday” doesn’t count.
What Attendee Data You’re Actually Allowed to Collect
Under GDPR Article 5(1)(c), data must be collected for specified, explicit, and legitimate purposes. Here’s a practical breakdown for event organizers:
- Name + Email address — Required for ticket delivery and order confirmation. Clear lawful basis: contract performance (Article 6(1)(b)).
- Phone number — Only justifiable if you have a documented operational reason (e.g., last-minute venue change notifications). If you can send that via email, you don’t need the phone number.
- Date of birth / age verification — Only collect if legally required for your event type (e.g., age-restricted venue). Even then, you should verify and discard, not store.
- Billing address — Required if you’re issuing a VAT invoice. If your event doesn’t require that, you don’t need a full address.
- Dietary preferences / accessibility needs — Special category data under Article 9. Requires explicit opt-in consent, separate from purchase consent. Never bundle this into your general terms checkbox.
The test is simple: for every field in your checkout, ask yourself — what specific, documented purpose does this serve, and what happens if I don’t collect it? If the answer is “the order still goes through and the attendee still gets their ticket,” remove the field.
[SCREENSHOT: WooCommerce checkout settings → Fields configuration, showing how to disable non-required fields]
GDPR Event Data WordPress: Cleaning Up Your WooCommerce Checkout
WooCommerce gives you control over which checkout fields are required, optional, or hidden. Most event organizers have never touched these settings — and are collecting legally unjustifiable data on every order.
Go to WooCommerce → Settings → Accounts & Privacy. Review your data retention settings and make sure you’re not holding onto customer data indefinitely. Then check your checkout fields under WooCommerce → Settings → Advanced or via a field editor plugin.
Strip out everything you can’t justify:
- Disable company name unless you’re selling B2B tickets
- Make phone number optional or remove it entirely
- Disable the full billing address if you don’t issue VAT invoices
- Never add custom fields for data “that might be useful” — document first, implement second
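The same cleanup can be enforced in code so a theme or plugin update cannot silently bring the fields back. The snippet below is an added example, not code from WooCommerce or from Event Tickets with Ticket Scanner; it uses the `woocommerce_checkout_fields` filter, which applies to the classic (shortcode) checkout and not to the block-based Checkout. The `evt_` function names and the `EVT_ISSUES_VAT_INVOICES` constant are hypothetical, and it assumes tickets are sold as virtual products.

```php
<?php
/**
 * Added example: minimise classic-checkout fields when the cart holds only
 * virtual products (e.g. e-mailed tickets). Put it in a site-specific plugin.
 * Function names and EVT_ISSUES_VAT_INVOICES are hypothetical.
 */
defined( 'ABSPATH' ) || exit;

// Assumption: set to true only if you issue VAT invoices and need the address.
if ( ! defined( 'EVT_ISSUES_VAT_INVOICES' ) ) {
	define( 'EVT_ISSUES_VAT_INVOICES', false );
}

/** True when every cart line is a virtual product (nothing is shipped). */
function evt_cart_is_tickets_only() {
	if ( ! function_exists( 'WC' ) || ! WC()->cart || WC()->cart->is_empty() ) {
		return false;
	}
	foreach ( WC()->cart->get_cart() as $item ) {
		if ( empty( $item['data'] ) || ! $item['data']->is_virtual() ) {
			return false; // A physical item still needs the normal address fields.
		}
	}
	return true;
}

/** Keep name and e-mail; drop fields that have no documented purpose. */
function evt_minimise_checkout_fields( $fields ) {
	if ( ! evt_cart_is_tickets_only() ) {
		return $fields;
	}
	$drop = array( 'billing_company', 'billing_phone' );
	if ( ! EVT_ISSUES_VAT_INVOICES ) {
		// billing_country is kept on purpose: tax calculation usually depends on it.
		$drop = array_merge( $drop, array(
			'billing_address_1', 'billing_address_2', 'billing_city',
			'billing_state', 'billing_postcode',
		) );
	}
	foreach ( $drop as $key ) {
		unset( $fields['billing'][ $key ] );
	}
	return $fields;
}
add_filter( 'woocommerce_checkout_fields', 'evt_minimise_checkout_fields', 20 );
```

Some payment gateways require address fields for their own checks, so place a test order with each enabled gateway after removing them.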
You also need a clear, up-to-date Privacy Policy linked from your checkout — one that explicitly states what data you collect, why, how long you keep it, and who (if anyone) you share it with. WooCommerce has a built-in privacy policy generator under WooCommerce → Settings → Accounts & Privacy that gives you a starting template.
[SCREENSHOT: WooCommerce → Settings → Accounts & Privacy showing data retention and erasure settings]
The Problem With Third-Party Ticketing Platforms
If you’re currently using Eventbrite, Ticketmaster, or similar platforms, you have an additional GDPR problem: your attendee data lives on their servers, under their terms of service. You are a data controller. They are a data processor. You are legally responsible for what they do with that data — and your attendees have rights (access, erasure, portability) that you may not be able to fulfill because you don’t control the database.
Beyond the legal exposure, every attendee who buys a ticket through Eventbrite is building a profile on Eventbrite’s platform — not yours. You pay per-ticket fees, you lose the relationship, and you lose control of the data.
Running your ticketing inside WordPress means your attendee data stays in your WooCommerce database, on your server, under your control. You decide what’s collected. You decide how long it’s retained. And you can fulfill GDPR data subject requests — access, erasure, portability — directly from your WordPress admin.
How Event Tickets with Ticket Scanner Keeps Your Setup Lean
Event Tickets with Ticket Scanner is a free WordPress plugin that turns any WooCommerce product into a scannable event ticket — complete with QR code and a downloadable PDF link sent via email. There’s no separate SaaS platform, no per-ticket fee, and no attendee profile built on someone else’s server.
Here’s why this matters for GDPR compliance:
- Your data stays in WordPress. Attendee orders live in your WooCommerce database. You control retention, access, and deletion — exactly what GDPR requires of a data controller.
- Tickets are delivered via email link — not stored on an external platform. Your customer buys a ticket and receives a unique QR code. There’s no permanent profile created on a third-party system.
- You control what WooCommerce collects. Because ticketing runs through your own checkout, you can strip out unnecessary fields directly in WooCommerce settings — no workarounds, no API limitations.
- Built-in QR scanner runs in the browser. No attendee data is transmitted to an external scanning service. Your team scans tickets at the door using any mobile browser — the validation happens against your own database.
- Refunds release ticket numbers. When a customer exercises their right to erasure and you process a refund, the ticket number is freed — your data stays consistent.
For events that use the visual seating plan designer, seat assignments are stored with the order in WooCommerce — again, on your server, under your control.
[SCREENSHOT: Event Tickets with Ticket Scanner → Ticket list in WordPress admin, showing order data stored locally]
A Practical GDPR Checklist for Event Organizers on WordPress
- Audit your checkout fields — remove everything you can’t justify with a specific, documented purpose
- Update your Privacy Policy — explicitly list what event-related data you collect and why
- Set data retention limits — don’t hold attendee data longer than necessary (WooCommerce lets you configure this)
- Check your processor agreements — if you use any third-party plugin or service that touches attendee data, you need a Data Processing Agreement (DPA) with them
- Enable erasure requests — WordPress and WooCommerce have built-in personal data erasure tools under Tools → Erase Personal Data
- Don’t bundle consent — marketing email opt-in must be separate from purchase completion; pre-ticked boxes are illegal under GDPR
- Keep it lean — the less data you collect, the smaller your attack surface and your compliance burden
GDPR compliance for event data in WordPress isn’t about adding more cookie banners. It’s about building a data practice where you only collect what you need, keep it on infrastructure you control, and can account for every field in your checkout. Start with your WooCommerce settings today: remove the fields you can’t justify, and your compliance risk drops immediately.
Event Tickets with Ticket Scanner is free on WordPress.org. Install it, run your ticketing through your own WooCommerce store, and keep your attendee data where it belongs — on your server, under your control.
→ Download Event Tickets with Ticket Scanner — free on WordPress.org
→ Upgrade to Premium for PDF email attachments, team scanner access, and advanced reporting