GDPR and Event Ticketing: A Practical Guide for Polish Organizers

Collecting attendee data comes with legal obligations. Here's what Polish event organizers actually need to know.

GDPR has been in force since 2018, but plenty of event organizers in Poland still haven't sorted out the basics. And the consequences of getting it wrong aren't theoretical — the Polish data protection authority (UODO) issues fines and has done so to organizations much smaller than you might expect.

This guide covers the practical side. Not a legal text — that's what lawyers are for — but a working understanding of what ticketing means for GDPR compliance, what you need to have in place, and where the real risks are.

What data do you actually collect?

When someone buys a ticket to your event, you typically collect: their name, email address, payment details (usually handled by your payment processor), and sometimes their phone number, date of birth (for age-restricted events), or dietary requirements (for events with catering).

Each of these data points is personal data under GDPR. Collecting it creates obligations. The first question to ask is: do you actually need all of it?

Name and email are necessary to send the ticket and confirm the purchase. Phone number is optional in most cases. Date of birth for age verification can often be replaced with a simple age confirmation checkbox. Every piece of data you don't collect is a piece of data you don't need to protect or justify.

Legal basis for processing

GDPR requires a legal basis for processing personal data. For ticket sales, the clearest basis is contract performance — you need the data to fulfil the ticket purchase agreement. Name and email for ticket delivery? Clearly covered.

The problem comes with secondary uses. If you want to add ticket buyers to your email marketing list, that's a different purpose. Contract performance doesn't cover it. You need either explicit consent or a legitimate interest assessment.

Pre-ticked "add me to the newsletter" boxes are not valid consent under GDPR. The opt-in must be active and separate from the ticket purchase.

This is where many Polish event organizers are exposed. Adding buyers to a mailing list without a separate, explicit opt-in is a violation — even if your terms of service mention it somewhere in the small print.

Privacy notice: what it needs to say

At the point of data collection (the ticket purchase flow), you must provide a privacy notice. It needs to cover:

  • Who is the data controller (your organization, with contact details)
  • What data is being collected
  • Why it's being collected (legal basis)
  • How long it will be kept
  • Whether it will be shared with third parties (your ticketing platform, payment processor)
  • How buyers can exercise their rights (access, deletion, correction)

A link to a full privacy policy in the checkout flow satisfies this requirement, as long as the policy is actually complete and accurate. A single-paragraph policy that doesn't address these points doesn't count.

Your ticketing platform as a data processor

If you're using a third-party ticketing platform, that platform processes attendee data on your behalf. Under GDPR, that makes them a data processor and you the data controller. You're responsible for their handling of the data.

This means you need a Data Processing Agreement (DPA) with your ticketing platform. Most reputable platforms have standard DPAs available. If yours doesn't, that's a red flag.

The DPA should specify:

  • What data the processor handles
  • The purposes they're allowed to use it for
  • Security measures they have in place
  • Where the data is stored (EU-based storage is simpler from a compliance standpoint)
  • Procedures for handling a data breach

Retention: how long can you keep attendee data?

GDPR's storage limitation principle says you can only keep personal data for as long as necessary for the purpose it was collected. For event ticketing, that means:

| Data type | Suggested retention | Reason |
|---|---|---|
| Purchase records | 5 years | Tax and accounting obligations in Poland |
| Entry scan logs | 6–12 months | Event operations, dispute resolution |
| Marketing list (consented) | Until opt-out or 2 years inactive | Consent-based, must respect withdrawal |
| Unsubscribed contacts | Keep email + unsubscribe date | Prevents re-adding to list |

The tax obligation for purchase records in Poland is the reason you can retain financial transaction data longer than the event itself. But that retention has to be documented and justified in your privacy policy.
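The consent and retention rules above translate into a few concrete checks in a ticketing back end: the newsletter box is unticked by default and accepting the terms never implies consent, an unsubscribed address goes onto a suppression list (email plus date) so it is never re-added by a later import, and a periodic purge applies the schedule from the table. The code below is an added illustration for this guide, not code from any real ticketing platform; the data model, field names and form keys are assumptions, the scan-log period uses the table's lower 6-month bound, and the sample buyers and scans are constructed.

```python
"""Consent capture, suppression list and retention purge for an event
ticketing back end. Added illustration for this guide, not code from any
real ticketing platform; data model, field names and form keys are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Retention periods from the guide's table; the shorter 6-month bound is used
# for scan logs. 365-day years keep the arithmetic simple for the example.
PURCHASE_RETENTION = timedelta(days=5 * 365)        # tax/accounting records
SCAN_LOG_RETENTION = timedelta(days=6 * 30)         # operations, disputes
MARKETING_INACTIVITY_LIMIT = timedelta(days=2 * 365)

@dataclass
class Purchase:
    email: str
    name: str
    purchased_at: datetime

@dataclass
class ScanLog:
    ticket_id: str
    scanned_at: datetime

@dataclass
class MarketingContact:
    email: str
    consented_at: datetime      # when the separate opt-in box was ticked
    last_activity_at: datetime  # last open/click; drives the 2-year rule

@dataclass
class Store:
    purchases: list = field(default_factory=list)
    scan_logs: list = field(default_factory=list)
    marketing: dict = field(default_factory=dict)   # email -> MarketingContact
    suppressed: dict = field(default_factory=dict)  # email -> unsubscribe date

def subscribe(store: Store, email: str, explicit_consent: bool, now: datetime) -> str:
    """Add an address to the marketing list only on explicit consent and only
    if it is not suppressed. Returns the outcome as a short string."""
    if not explicit_consent:
        return "no_consent"   # contract performance does not cover marketing
    if email in store.suppressed:
        return "suppressed"   # unsubscribed earlier: never re-added silently
    store.marketing[email] = MarketingContact(email, now, now)
    return "subscribed"

def handle_checkout(store: Store, form: dict, now: datetime) -> str:
    """Record the purchase (contract basis). Marketing consent exists only if
    the newsletter box, unticked by default, was actively ticked: a missing key
    means no consent, and accepting the terms of service never implies it."""
    store.purchases.append(Purchase(form["email"], form["name"], now))
    opted_in = form.get("newsletter_opt_in") is True
    return subscribe(store, form["email"], opted_in, now)

def unsubscribe(store: Store, email: str, now: datetime) -> None:
    """Honour withdrawal: drop the contact, keep only email + date so a later
    import cannot put the address back on the list."""
    store.marketing.pop(email, None)
    store.suppressed[email] = now

def purge(store: Store, now: datetime) -> dict:
    """Apply the retention schedule and report how many records were removed.
    Suppression entries are deliberately never purged."""
    keep_p = [p for p in store.purchases if now - p.purchased_at <= PURCHASE_RETENTION]
    keep_s = [s for s in store.scan_logs if now - s.scanned_at <= SCAN_LOG_RETENTION]
    keep_m = {e: c for e, c in store.marketing.items()
              if now - c.last_activity_at <= MARKETING_INACTIVITY_LIMIT}
    removed = {"purchases": len(store.purchases) - len(keep_p),
               "scan_logs": len(store.scan_logs) - len(keep_s),
               "marketing": len(store.marketing) - len(keep_m)}
    store.purchases, store.scan_logs, store.marketing = keep_p, keep_s, keep_m
    return removed

def run_demo(now: datetime = datetime(2025, 6, 1)) -> dict:
    """Constructed walkthrough: four buyers, two scans, one withdrawal."""
    store, day = Store(), timedelta(days=1)
    outcomes = {
        # A accepts the terms but leaves the newsletter box alone
        "a": handle_checkout(store, {"email": "a@example.com", "name": "A",
                                     "terms_accepted": True}, now - 3 * 365 * day),
        # B actively ticks the box (and unsubscribes a week later, below)
        "b": handle_checkout(store, {"email": "b@example.com", "name": "B",
                                     "newsletter_opt_in": True}, now - 30 * day),
        # C consented three years ago and has been inactive since
        "c": handle_checkout(store, {"email": "c@example.com", "name": "C",
                                     "newsletter_opt_in": True}, now - 3 * 365 * day),
        # D's purchase is older than the 5-year tax retention period
        "d": handle_checkout(store, {"email": "d@example.com", "name": "D"},
                             now - 6 * 365 * day),
    }
    store.scan_logs += [ScanLog("t1", now - 10 * day), ScanLog("t2", now - 200 * day)]
    unsubscribe(store, "b@example.com", now - 23 * day)
    # A later bulk import must not bring B back, even with the consent flag set
    outcomes["b_readd"] = subscribe(store, "b@example.com", True, now)
    removed = purge(store, now)
    remaining = {"purchases": len(store.purchases), "scan_logs": len(store.scan_logs),
                 "marketing": len(store.marketing), "suppressed": len(store.suppressed)}
    return {"outcomes": outcomes, "removed": removed, "remaining": remaining}

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows buyer A and buyer D never reaching the marketing list, B's re-import attempt being refused as "suppressed", and the purge removing D's six-year-old purchase, the 200-day-old scan log and the inactive contact C while leaving B's suppression entry in place. A genuinely renewed consent (B ticking the box again on a later purchase) would need its own explicit resubscribe step that clears the suppression entry; the example keeps the conservative default of never re-adding automatically.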

What to do if there's a breach

A data breach — unauthorized access, accidental disclosure, or loss of personal data — must be reported to UODO within 72 hours if it poses a risk to individuals. If the risk is high (financial data, sensitive personal data), the affected individuals must also be notified.

For most event organizers, the realistic breach scenarios are: your ticketing platform being breached, an exported copy of your attendee data being lost, or a disgruntled staff member with scanner access sharing the attendee list.

The practical preparation: know who in your organization is responsible for data breach reporting. Have the UODO notification form bookmarked. Know who your data protection contact is at your ticketing platform. These things are easy to set up when nothing is wrong and nearly impossible to figure out in a 72-hour window when something has gone wrong.

Compliance doesn't have to be complicated for most event organizers. Get a proper privacy policy, use a ticketing platform with a DPA, collect only what you need, and get explicit opt-ins before marketing to your buyers. That covers the major bases.