Short version: under the GDPR event registration data rules, you can keep the attendee data you genuinely need for as long as you have a real reason to keep it, and not a day longer. There is no magic number of months written into the law. The principle is "no longer than necessary", which sounds vague until you turn it into a written retention schedule. This guide covers who owns the data (you do), how long the sensible defaults are, how deletion requests work, and why you should export everything before you ever leave a platform. It is practical, not legalese, and it is not legal advice.
If you sell tickets to anyone in the UK or EU, GDPR applies to you even if your event is a 30 person workshop above a pub. The good news is that compliance is mostly common sense with a paper trail. Let us walk through it.
You are the data controller (yes, really)
The single most important idea in GDPR event registration data is the split between controller and processor. The data controller decides why and how personal data gets collected and used. That is you: your organisation, your event team, the people who chose to ask for a name, an email and a dietary requirement. The data processor is any third party that handles that data on your instructions: your ticketing platform, your email tool, your CRM.
Why does this matter? Because the buck stops with the controller. If an attendee asks what you hold on them, or asks you to delete it, that is your legal obligation to fulfil, not your platform's. Your platform is there to help you do it, which is exactly why the quality of your tools matters.
You are the data controller. Your ticketing platform is the processor. That means the responsibility is yours, and the tooling had better make it easy.
Two practical consequences. First, you need a Data Processing Agreement (DPA) in place with every platform that touches attendee data. Reputable platforms publish one and let you sign it without a phone call. Second, you should know where their servers live and who their sub processors are, because their data chain becomes your responsibility to disclose in your privacy notice.
Have a lawful basis before you collect a single field
GDPR does not let you hoover up data just because a form field is easy to add. You need a lawful basis for each thing you collect. In event land, three come up constantly.
Contract: you need a name and email to actually deliver the ticket someone paid for. That is the contract basis, and it does not require separate consent. Legitimate interest: using a past attendee's email to tell them next year's edition is open, where a reasonable person would expect it. Consent: anything they would not obviously expect, like sharing their details with a sponsor, or adding them to an unrelated marketing list. Consent has to be a positive opt in, freely given, and just as easy to withdraw as it was to give. No pre ticked boxes. No "by registering you agree to receive our partners' offers forever" buried in size eight text.
The discipline here is simple: if you cannot name why you are collecting a field, delete the field. Shorter forms convert better anyway, so this is that rare compliance rule that also makes you money.
How long can you actually keep it?
This is the question everyone wants a number for, and the honest answer is "it depends on the data". The law sets no fixed period. Instead you set your own retention schedule based on why you hold each type of data, write it down, and stick to it. Here are sensible working defaults that map to how most organisers actually operate.
| Data type | Sensible retention default | Why |
|---|---|---|
| Registration and contact details | Event date plus 6 to 12 months | Follow up, feedback, dispute resolution |
| Marketing list (opted in) | Until they unsubscribe, reviewed roughly every 2 years | Consent goes stale if never used |
| Repeat annual event contacts | Up to the next edition | Legitimate interest in the recurring event |
| Attendance and participation stats | Around 12 months, or anonymise sooner | Reporting rarely needs names attached |
| Financial and tax records | Longer, per your local tax law (often around 6 years UK) | Separate legal obligation, overrides the above |
| Special category data (health, access needs) | Delete right after the event | Higher risk, narrower justification |
Notice that financial records are the exception that trips people up. Tax law can require you to keep transaction records for years, which is a legal obligation basis and sits outside the "delete when done" rule. So you might purge a marketing profile at 12 months while keeping the underlying invoice for six years. That is fine, as long as you are deliberate about it rather than keeping everything forever because deleting felt like effort.
A neat trick for the stats problem: anonymise instead of delete. Once you strip the names and emails and keep only aggregate numbers ("612 attended, 40 percent were first timers"), it stops being personal data and GDPR stops applying. You keep the insight and lose the liability.
Deletion, access and portability requests
Attendees have rights, and they can exercise them at any time. The three you will meet most are the right of access (tell me what you hold), the right to erasure (delete me), and the right to portability (give me my data in a usable format). You generally have one month to respond.
In practice this is only painful if your data is scattered across a ticketing tool, three spreadsheets, an email platform and a scanner app that do not talk to each other. If someone asks to be deleted and you have five uncoordinated copies, you will miss one, and a missed erasure is exactly the kind of thing regulators frown at. The fix is architectural: keep attendee data in as few systems as possible, with clean export and delete functions, so a request is a two minute job rather than a scavenger hunt. This is where a platform that connects cleanly to your registration and CRM setup earns its keep, because a deletion in one place should propagate rather than leave orphans.
The bit everyone forgets: export before you leave
Here is a quiet GDPR trap. Your right to your attendee data, and your ability to answer requests about it, depends on you actually being able to reach that data. On most platforms, access ends when your subscription ends. Cancel the plan, lose the export button. If you are switching providers, or even just letting a plan lapse between events, get everything out first: attendee lists, custom question answers, financial records, check in history and communication logs. We wrote a full walkthrough of that in how to leave your event platform without losing three years of attendee data, and it pairs directly with this one.
Remember the two bucket model. The data you collected (names, emails, answers) is yours as controller and should always be exportable. The data the platform generated about your audience, like a marketplace's discovery traffic, is theirs and does not travel with you. Plan around that distinction so you are never surprised.
Where your platform quietly helps or hurts
Compliance is easier when the tooling is on your side. A few things to look for. Own payment account rather than a middleman holding the card data means the sensitive payment flow runs through your own processor relationship, not a shared black box. Clean, self service export and delete means you can honour requests without raising a support ticket. Own domain, authenticated comms means your consent records and unsubscribe handling live with you. A published DPA and clear sub processor list means you can actually write an honest privacy notice.
eventcloud is built around that shape: a flat 125 dollars per user per month, your own Stripe account so you are the merchant of record on payments, and clean data export as standard rather than a feature you lose at renewal. We mention it as one example that meets the criteria above, not as the only one. Plenty of platforms handle this well. The point is to check, because the ones that do not will happily let the responsibility land on you.
Honest caveat to end on: this is a practical overview, not legal advice, and the specifics vary by jurisdiction and by how much data you collect. If you run large events, handle special category data at scale, or operate across several countries, get a data protection professional to review your schedule. If you run a small in person event and collect a name and an email, you are most of the way there already: name your reasons, keep only what you need, write down how long, and make deletion easy.
Want registration that treats your attendee data as yours, with clean export and no per ticket surprises? Take a look at what eventcloud does, or see the flat pricing on our pricing page.