1. ADDENDUM: EVENT ATTENDANCE DATA COLLECTION SERVICES

This Addendum supplements the Data Processing Schedule and applies specifically to the provision of online event attendance data collection services ("Event Services"). Where there is any conflict between this Addendum and the Data Processing Schedule, this Addendum shall prevail.

1.     SERVICE-SPECIFIC DEFINITIONS

| Term | Definition |
| --- | --- |
| Attendee | A third-party individual (not an Authorised User) who registers for, attends, or participates in an Event organised by Controller. |
| Attendee Data | Personal Data relating to Attendees that is collected, stored, or processed through the Platform. |
| Authorised User | An employee, contractor, or agent of Controller who is authorised to access and use the Platform to manage Events. |
| Authorised User Data | Personal Data relating to Authorised Users that is collected to enable their use of the Platform (e.g., name, email address, login credentials, role). |
| Event | Any conference, meeting, seminar, webinar, training session, or other gathering organised by Controller for which registration or attendance tracking is managed through the Platform. |
| Platform | The online event management system provided by Plus4Group, including registration forms, attendee databases, reporting tools, and related functionality. |
| Registration Form | Any online form created by Controller through the Platform to collect Attendee Data for Event registration or participation. |
| Third-Party Recipient | Any person or entity (other than Controller and Plus4Group) to whom Attendee Data may be disclosed, including event sponsors, exhibitors, co-hosts, or marketing partners. |

2.     DUAL PROCESSING CONTEXTS

2.1.    Two Categories of Processing: The parties acknowledge that Plus4Group processes two distinct categories of Personal Data under this Schedule:

2.2.   Attendee Data Processing: Plus4Group acts as a processor on behalf of Controller in relation to Attendee Data. Controller determines the purposes and means of processing (e.g., what data fields to collect, how to use the data, whether to share with third parties). Controller bears primary responsibility for GDPR compliance in relation to Attendees.

2.3.   Authorised User Data Processing: Plus4Group acts as a controller in relation to Authorised User Data collected for the purpose of providing the Platform functionality (account creation, authentication, billing, support). Plus4Group determines the purposes and means of this processing and is responsible for compliance with Data Protection Law in relation to Authorised Users.

2.4.   Scope of this Addendum: This Addendum applies primarily to the processing of Attendee Data. Plus4Group's processing of Authorised User Data is governed by Plus4Group's own Privacy Policy available at https://plus4events.com/legal/privacy-policy.

3.     CONTROLLER'S EXPANDED OBLIGATIONS FOR EVENT SERVICES

3.1.    Lawful Basis for Attendee Data: Controller warrants that it has established a lawful basis for the collection and processing of all Attendee Data, which shall typically be:

3.1.1.    Consent: Freely given, specific, informed and unambiguous consent from Attendees;

3.1.2.   Contract: Processing necessary for the performance of a contract with the Attendee (e.g., event registration and attendance); or

3.1.3.   Legitimate Interests: Where Controller has conducted a Legitimate Interest Assessment (LIA) demonstrating that the processing is necessary for legitimate interests that do not override Attendees' fundamental rights.

3.2.   Privacy Notices: Controller shall provide clear and comprehensive privacy notices to Attendees at or before the point of data collection, which shall include:

3.2.1.   Controller's identity and contact details;

3.2.2.  the purposes for which Attendee Data will be used;

3.2.3.  the lawful basis for processing;

3.2.4.  categories of Third-Party Recipients (if applicable);

3.2.5.  retention periods;

3.2.6.  Attendees' rights under Data Protection Law;

3.2.7.  how to withdraw consent (if consent is the lawful basis);

3.2.8.  information about international transfers (if applicable); and

3.2.9.  the right to lodge a complaint with the Information Commission.

3.3.   Registration Form Configuration: Controller is solely responsible for:

3.3.1.   determining what data fields to include in Registration Forms;

3.3.2.  ensuring that only necessary and relevant data is collected (data minimisation);

3.3.3.  clearly labelling mandatory vs optional fields;

3.3.4.  providing appropriate explanations for why specific data is being collected;

3.3.5.  configuring consent mechanisms correctly (e.g., opt-in checkboxes that are not pre-ticked);

3.3.6.  ensuring Special Category Data is only collected where there is a lawful basis under Article 9 UK GDPR; and

3.3.7.  regularly reviewing and updating Registration Forms to ensure continued compliance.

3.4.   Special Category Data: Where Controller configures Registration Forms to collect Special Category Data (such as dietary requirements indicating religious beliefs, accessibility requirements indicating health data, or demographic data), Controller warrants that:

3.4.1.   it has a lawful basis under Article 9 UK GDPR (e.g., explicit consent, substantial public interest);

3.4.2.  collection of such data is strictly necessary for the stated purpose;

3.4.3.  Attendees have been clearly informed about the processing; and

3.4.4.  appropriate additional security measures have been implemented.

3.5.   Sharing with Third-Party Recipients: Where Controller intends to share Attendee Data with Third-Party Recipients (such as event sponsors or partners):

3.5.1.   Controller must obtain explicit, informed, and freely-given consent from Attendees specifically for such sharing, separate from consent for event registration;

3.5.2.  Controller must clearly identify the Third-Party Recipients (by name or category) in the privacy notice and consent mechanism;

3.5.3.  Controller must provide Attendees with an easy mechanism to withdraw consent for such sharing;

3.5.4.  Controller is responsible for ensuring Third-Party Recipients comply with Data Protection Law; and

3.5.5.  Controller must not use pre-ticked boxes or implicit consent mechanisms for third-party data sharing.

3.6.   Marketing Communications: Where Controller intends to use Attendee Data for marketing communications (including post-event follow-up, newsletters, or promotional materials):

3.6.1.   Controller must obtain separate, explicit consent for marketing purposes, clearly distinguished from registration consent;

3.6.2.  Controller must provide clear information about the nature and frequency of marketing communications;

3.6.3.  Controller must include an easy unsubscribe mechanism in all marketing communications;

3.6.4.  Controller must honour unsubscribe requests promptly (within 48 hours); and

3.6.5. Controller must maintain accurate records of marketing consents and withdrawals.

4.     PLUS4GROUP'S SERVICE-SPECIFIC OBLIGATIONS

4.1.    Platform Functionality: Plus4Group shall provide Platform functionality that enables Controller to:

4.1.1.    create customised Registration Forms with flexible data field options;

4.1.2.   configure appropriate consent mechanisms (opt-in checkboxes, granular consent options);

4.1.3.   display Controller's privacy notices prominently during registration;

4.1.4.   manage Attendee Data securely throughout the event lifecycle;

4.1.5.   generate reports and export Attendee Data in machine-readable formats;

4.1.6.   implement data retention policies; and

4.1.7.   respond to Data Subject rights requests (access, rectification, erasure, portability).

4.2.   Data Processing Restrictions: Plus4Group shall:

4.2.1.   process Attendee Data only in accordance with Controller's documented instructions via the Platform interface and settings;

4.2.2.  not use Attendee Data for any purpose other than providing the Event Services to Controller;

4.2.3.  not contact Attendees directly for marketing or promotional purposes (unless expressly instructed by Controller);

4.2.4.  not share Attendee Data with Third-Party Recipients unless explicitly instructed by Controller through Platform controls; and

4.2.5.  not combine Attendee Data from different Controllers without authorisation.

4.3.   Enhanced Security for Event Data: Given the potentially sensitive nature of Attendee Data and the risk of unauthorised access during live events, Plus4Group shall implement enhanced security measures including:

4.3.1.   Role-based access controls limiting Authorised Users' access to Attendee Data based on their role;

4.3.2.  Encryption of Attendee Data in transit;

4.3.3.  Audit logging of all access to and modifications of Attendee Data;

4.3.4.  Secure API endpoints with authentication for any third-party integrations;

4.3.5.  Regular security assessments;

4.3.6.  Intrusion detection and prevention systems; and

4.3.7.  Secure data backup and disaster recovery procedures.

4.4.   Assistance with Data Subject Rights: Plus4Group shall provide Platform functionality and reasonable assistance to enable Controller to respond to Data Subject rights requests within the statutory timeframes (typically one month). This shall include:

4.4.1.   Search and retrieval functionality to locate an Attendee's data across all Events;

4.4.2.  Export functionality to provide data in a commonly used, machine-readable format (CSV, JSON);

4.4.3.  Rectification tools allowing Controller to update Attendee Data;

4.4.4.  Deletion functionality with audit trails;

4.4.5.  Tools to restrict processing where required; and

4.4.6.  Notification to Controller where Plus4Group receives a Data Subject request directly.

4.5.   Data Retention and Deletion:

4.5.1.   Controller shall be responsible for setting appropriate data retention periods for Attendee Data through Platform settings.

4.5.2.  Plus4Group shall provide automated data retention and deletion functionality enabling Controller to:

4.5.2.1.     set Event-specific retention periods;

4.5.2.2.   delete the client data on instruction from the Controller to Plus4Group;

4.5.2.3.   manually delete individual Attendee records; and

4.5.2.4.   bulk delete Attendee Data for closed Events.

4.5.3. Plus4Group shall retain Attendee Data in backup systems for no longer than ninety (90) days after deletion from production systems, except where longer retention is required by law.

5.     JOINT RESPONSIBILITIES

5.1.    Personal Data Breach Notification: In the event of a Personal Data Breach affecting Attendee Data:

5.1.1.    Plus4Group shall notify Controller within twenty-four (24) hours of becoming aware of the breach;

5.1.2.   Plus4Group shall provide Controller with sufficient information to enable Controller to assess whether notification to the Information Commission and/or affected Attendees is required;

5.1.3.   Controller shall be responsible for determining whether notification is required and for making such notifications within the statutory timeframe (72 hours to the Information Commission, without undue delay to Attendees);

5.1.4.   Plus4Group shall provide reasonable assistance to Controller in investigating and remediating the breach; and

5.1.5.   Both parties shall cooperate in managing any regulatory investigation arising from the breach.

5.2.   Training and Awareness:

5.2.1.   Plus4Group shall provide training materials and guidance to assist Controller in understanding data protection obligations when using the Platform.

5.2.2.  Controller shall ensure that all Authorised Users receive appropriate training on data protection principles and best practices for handling Attendee Data.

5.3.   Compliance Monitoring: Both parties shall implement processes to monitor compliance with this Addendum, including:

5.3.1.   Regular review of Registration Form configurations (Controller);

5.3.2.  Monitoring of consent rates and withdrawal requests (Controller);

5.3.3.  Security audits and vulnerability assessments (Plus4Group); and

5.3.4.  Review of data access logs (both parties).

6.     SPECIFIC SCENARIOS AND GUIDANCE

6.1.    Badge Scanning and Lead Capture: Where Controller enables badge scanning or lead capture functionality at Events:

6.1.1.    Controller must inform Attendees at registration and on badges that their information may be shared via badge scanning;

6.1.2.   Attendees must have the opportunity to opt out of badge scanning;

6.1.3.   Controller must provide clear instructions to exhibitors/sponsors on lawful use of scanned data;

6.1.4.   Plus4Group shall provide audit trails of all badge scans; and

6.1.5.   Data from badge scans must be subject to the same protection as other Attendee Data.

6.2.   Virtual and Hybrid Events: For virtual or hybrid Events where additional data may be collected (IP addresses, viewing analytics, engagement metrics):

6.2.1.   Controller must update privacy notices to cover such data collection;

6.2.2.  Cookie consent mechanisms must be implemented where required;

6.2.3.  Attendees must be informed about recording of sessions (if applicable); and

6.2.4.  Recording consent must be obtained where required by Data Protection Law.

6.3.   Co-hosted Events (Joint Controllers): Where Events are co-hosted by multiple organisations who jointly determine the purposes and means of processing Attendee Data:

6.3.1.   The organisations become joint controllers under Article 26 UK GDPR;

6.3.2.  A written agreement between joint controllers must be in place defining respective responsibilities;

6.3.3.  Attendees must be informed of the joint controller arrangement;

6.3.4.  Each joint controller remains liable for compliance with Data Protection Law;

6.3.5.  Controller should seek specialist legal advice before establishing joint controller arrangements; and

6.3.6.  This Addendum applies to each joint controller's use of the Platform.

6.4.   Post-Event Data Use: Where Controller wishes to use Attendee Data after an Event has concluded (e.g., for future event invitations, surveys, or marketing):

6.4.1.   Controller must have obtained appropriate consent or have another lawful basis at the point of registration;

6.4.2.  Post-event communications must include clear unsubscribe mechanisms;

6.4.3.  Controller must respect data retention periods and delete data when no longer necessary; and

6.4.4.  Attendees who attended one Event do not automatically consent to being contacted about future Events unless this was clearly stated and consented to at registration.

7.     LIMITATIONS AND DISCLAIMERS

7.1.    Controller Responsibility: The parties acknowledge and agree that:

7.1.1.     Controller has sole control over Registration Form configuration, data collection practices, and use of Attendee Data;

7.1.2.   Plus4Group provides tools and functionality but cannot control how Controller uses such tools;

7.1.3.   Controller is responsible for ensuring its use of the Platform complies with Data Protection Law;

7.1.4.   Plus4Group is not responsible for Controller's failure to obtain appropriate consents, provide privacy notices, or otherwise comply with its obligations as a controller; and

7.1.5.   Any liability arising from Controller's non-compliance remains with Controller, except where Plus4Group has failed to meet its obligations under this Schedule.

7.2.   Platform Configuration Audit: Plus4Group reserves the right to audit Controller's Platform configuration for compliance with Data Protection Law. Where Plus4Group identifies configurations that create significant compliance risk (such as pre-ticked consent boxes, inadequate privacy notices, or excessive data collection), Plus4Group may:

7.2.1.   notify Controller of the compliance concerns;

7.2.2.  require Controller to rectify the issues within a specified timeframe;

7.2.3.  suspend access to affected functionality until rectified; or

7.2.4.  in cases of serious or repeated non-compliance, terminate the MSA in accordance with its termination provisions.

7.3. No Legal Advice: Plus4Group does not provide legal advice. Any guidance, training materials, or best practice recommendations provided by Plus4Group are for informational purposes only and do not constitute legal advice. Controller should seek independent legal advice on its data protection obligations.

REF: P4E_Event_Services_Addendum 08/02/2026

APPENDIX C: EVENT SERVICES PROCESSING DETAILS

The following details supplement Appendix A of the Data Processing Schedule and are specific to Event Services:

Subject matter: Provision of online event management platform for registration, attendee management, and event administration

Duration: For the term of the MSA and for any period during which Attendee Data remains stored on the Platform

Nature of processing: Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, and erasure of Attendee Data

Purpose of processing: To enable Controller to:

· Create and manage Event registrations

· Collect and store Attendee Data

· Communicate with Attendees

· Generate reports and analytics

· Manage Event logistics

· Collect and respond to marketing or membership enquiries

Categories of Attendee Data: To be specified by Controller based on Registration Form configuration, but may typically include: name, email address, phone number, organisation, job title, dietary requirements, accessibility needs, session preferences, payment information

Categories of Data Subjects: Event attendees, event registrants (including those who register but do not attend), speakers, exhibitors, sponsors (if using the Platform)

Special Category Data: To be specified by Controller - may include dietary requirements indicating religious beliefs, accessibility requirements indicating health conditions, demographic data for diversity reporting

Authorised User Data: Names, email addresses, job titles, phone numbers, login credentials (hashed), payment information, usage analytics

Processing locations: London, UK.

Sub-processors: Iomart, Google, SumUp

Retention periods:

· Attendee Data: As requested by Controller

· Authorised User Data: For duration of account or as requested