What information or experience can anyone advise on GDPR data record keeping about visitors' information at events?
Hi Steve,
It's interesting to hear you're looking to collect data about visitors. What kind of info are you hoping to record?
We can't provide legal advice here, but we can share some experience.
A lot of GDPR is about informed consent; it's really important that people know things like what data you're collecting, how & why you will use it and how they can get it deleted if they want. Based on this, they should be able to opt in or opt out. You'll probably need a privacy policy that explains all of this.
But the specifics really depend on the answers to questions like these:
- What kind of data do you want to collect from/about visitors?
- How do you intend to collect, store & manage this data? (And who will have access to it?)
- How do you intend to use this data?
How would you answer those?
P.s. I moved this discussion to the Community Repair category as it fits here better than the Repair Data category
Hi, how are you today.
Here are the answers
- What kind of data do you want to collect from/about visitors?
We record the visitor's name, email and mobile in case there's follow-up needed on the repair
- How do you intend to collect, store & manage this data? (And who will have access to it?)
We collect the visitor's name, email and mobile on a registration sheet
The sheets are stored for recording the waste data on restarters.net web page
Only 2 organisers access the information
- How do you intend to use this data?
We may follow up if needed on the repair
and advise them about the next event
So by our view this means any similar repair cafe event will be subject to GDPR regulations.
What is your opinion?
thanks Steve.
Market Harborough Fixers
Any update on the GDPR conclusion I came to, please? We are quite concerned we and other repair cafe events are not contravening the regulations.
Hi Steve,
Just to confirm & expand what James said…
Firstly, I Am Not a Lawyer, but I have done work professionally on IT systems which were designed to be GDPR compliant and I have talked to a lawyer about them.
If you want a legal opinion that will stand up in court, consult a lawyer.
OK, bearing that in mind, here's my opinion, given in a personal capacity.
- You are storing & processing personally identifiable information ("PII") so you are subject to GDPR (well, specifically the Data Protection Act 2018 ("DPA") which incorporates the GDPR into UK law).
- The people whose data you are storing & processing need to give "informed consent".
In other words you have to explain exactly what you're going to do with their data before they hand it over.
Typically this means having a box which they tick to agree, probably referring them to a separate sheet with all the details of your data storage&processing policy on it or a link to a web page with all the details.
- Do not put any PII into the Fixometer data as that data is shared openly: this includes, for instance, any links to photos with identifiable faces on them as well as the more obvious names & contact details.
- You need to allow people to see what data you have stored about them ("Subject Access Request").
- You need to remove that data on request ("Right to be Forgotten")
All of the above needs to be written down in your data storage&processing policy, including the contact details of your "Data Protection Officer" (the person responsible for enforcing the policy).
This isn't as onerous as it sounds & many organisations have done it all without too much effort. There are some templates around on the web so you don't have to do all the work yourselves. @james do Restart have anything that could help here?
Hi, Dave
re your today's email
That's clear and understandable.
We'll take that on board and make sure we comply with GDPR when needed
Best Regards and
thanks Steve.
Market Harborough Fixers
Hi Steve, apologies for the slow response! And thanks Dave for that - pretty much exactly what I would have said too
As Dave said, we can't offer legal advice here but it's great that you're looking for guidance around GDPR; it is important to make sure you're handling people's personal data in a responsible and considered way.
There are 6 +1 core principles outlined in the regulation that you should consider when collecting and handling people's personal data:
1. Personal information shall be processed lawfully, fairly and in a transparent manner
One of the key things here is making sure you get consent from people to collect and record their data. As Dave said, that could mean a checkbox on a webpage or paper form asking people whether they agree to your privacy policy or a description of how you handle personal data.
2. Personal information shall be collected for specified, explicit and legitimate purposes
Make sure people know what you will use their data for. It's helpful to make this as simple and clear as possible (e.g. "We'll send you the latest news and upcoming parties once a month")
3. Personal information shall be adequate, relevant, and limited to what is necessary
Only collect the data you absolutely need (and no more) - e.g. an email address is probably ok for your purposes, but date of birth probably isn't.
4. Personal information shall be accurate and, where necessary, kept up-to-date
5. Personal information shall be retained only for as long as necessary
Don't keep personal data indefinitely - get rid of it when you don't need it any more.
6. Personal information shall be processed in an appropriate manner to maintain security
Keep it safe! Make sure no one can access the data who shouldnât be able to
+1. Accountability and liability
If someone asks you what data you have about them, you need to make sure that you can tell them, get rid of it if they ask and prove you have done so.
A good search around the internet should yield more detailed guidance too.
As I mentioned, this isn't legal advice, just some things we've learnt from our own experience
Hope it helps!