Three easy steps to be privacy-ready for your webinar in the time of Covid-19

7 April 2020 – Especially during these hectic times, you might need to share information quickly or adapt to new working conditions. Most of us have had to move our businesses online and communicate more, or exclusively, electronically. Data protection will not stop you from doing that. It’s about being proportionate—if something feels excessive from the public’s point of view, then it probably is.

Let’s review together a few basic elements to be observed when preparing a webinar and approaching invitees:

1. Info notice – put one in place

(i) Minimum elements to be included in a notice:

a) Tell people that this is a marketing event based on their consent to participate and give details on the platform facilitating the webinar (e.g. own platform, third-party provider and privacy relationship with the third-party provider; give easy access to the third-party provider’s privacy notice). Will you have statistics reports as a result of the webinar? Tell people that, too.

b) Tell people what data you will collect from them by registering for and attending the webinar. Practical tip: simulate the registration process when preparing the info notice to capture all the data that the attendees will need to fill in.

Don’t forget about data “automatically” collected by the platform if this is shared with you by the platform provider (e.g. metadata [information that a participant enters to identify themselves in the meeting; join and leave time of participants], technical information about attendees’ devices, network, and internet connection [IP address, MAC address, device type, operating system type and version]).

Also, will the participants be able to speak during the webinar? If so, don’t forget about collecting their “voice” and inform them if the webinar will be recorded.

c) Keep the data for a minimum period. Don’t try to use this switch of activity to “online” in order to build portfolios. You need the attendees’ data to get them in the webinar, right? And maybe to have an overview of the impact of the subject of the webinar, correct? Then maybe you could delete the attendees list in a few days after the webinar and only keep aggregated statistics. Tell the attendees for how long you keep the data.

d) Where do you store the invitees and the attendees’ data? Assurances that this will remain with you and within the European Union always help;

e) Briefly outline the invitees’ privacy rights as regulated by the GDPR;

f) Give your contact details (including of your data protection officer, if relevant) and clearly state how participants can contact you for privacy reasons, even if they are existing clients/collaborators.

(ii) Be mindful of the public details of the participants (what attendees see about the rest of the participants). Limit, or make pseudo-anonymous as much as possible. If this is not possible, inform in advance.

2. Promoting the webinar

    (i) Sending e-mail invites for the webinarwebinars on COVID-19 impacts and generally regarding the pandemic remain direct marketing actions

    The bullet-proof solution is to check marketing consents for your contacts and send the webinar invites only to those who already consented to marketing from you.

    Obtaining contact details from other sources (e.g. internet, common contacts, public registries) does not automatically grant you the right to contact these prospects for marketing purposes. Theoretically, the circumstances of obtaining the contact details would need to be checked in order to see if these cover the first contact for marketing purposes and what are the expectations of these contacts. Everybody understands that this is an overreach during the current COVID-19 scenario, but, nevertheless, skipping this step exposes the organiser to possible GDPR fines.

    In order to be pragmatic, have in mind the following risk limitation measures:

    1. No mass e-mailing – it is almost impossible to argue the proportionality;

    2. Filter the sources for obtaining new contacts to those where the recipient would have a reasonable expectation to be contacted for marketing purposes or obtain a verbal confirmation from the persons handing you the prospects’ details that they would not be disturbed by your communication.

    Also, human contact (e.g. prior phone call by you/by the referee) asking the prospect if he/she would be interested in the webinar is usually both more productive and safer from a privacy perspective.

    3. Do not disturb – don’t contact them again if they do not accept the invite and do not register for the webinar;

    4. Make sure that you have an unsubscribe button in the e-mail for those who actively want to express their option from this first communication.

    (ii) Link for webinar registration made available on the website/public platforms (e.g. LinkedIn, Facebook)—this is a safer approach from a privacy perspective considering that no active contact will be pursued by you, but at the same time not that effective.

    (iii) Reference to the privacy info notice

    The e-mail invite to the webinar or the post on the website/public platform needs to have a short privacy paragraph which includes the reference to the info notice, e.g., We will take great care to safeguard your personal data collected for this webinar. Please review details here.

    3. Follow-up materials

    Send these only to the participants. Chances are you would like to expand your marketing database with new contacts. Kindly ask all attendees to send you an e-mail/express their marketing option on a dedicated page if they agree to receive future marketing materials from you/your company and respect such option.

    Something to think about

    Many data privacy authorities understand that resources, whether they are financial or people, might be diverted away from usual compliance or information governance work in this COVID-19 era. The expectation is also that the privacy authorities won’t penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period.

    However, such expected leniency needs to be filtered with great care. While one can expect that delays in replies to data requests may be overlooked, aggressive and intrusive actions would probably not be!

    For more information on the topic, please contact Bogdan Bibicu, Partner, at


    , or Oana Grigore, Senior Associate, at .