Data Protection and GDPR for Virtual Career Fair Organizers
Privacy, consent and retention basics every organizer should understand — not legal advice, but the things you should not skip.
Lawful basis matters
Most virtual fair data processing is on the basis of consent or legitimate interest. Pick one per use case (registration, marketing, sharing with exhibitors) and document it.
Consent should be granular
One checkbox for 'everything' is no longer compliant in most jurisdictions. Separate consents for sharing data with exhibitors and for marketing emails are the modern minimum.
Data residency questions to ask vendors
Where is the data stored? Where is it processed? Where are backups? Who can access it? Get answers in writing before you sign.
Retention policies
Decide how long you keep registration data and chat logs, then enforce it. 'Forever' is not a policy; 24 months with documented exceptions is.
Right to access and erase
Your platform must let candidates request their data and delete it. Test the workflow before fair day, not in response to your first request.
Sub-processors and DPAs
If your platform uses third-party tools (analytics, video, storage), they are sub-processors. Make sure your DPA lists them and that you accept the chain.