What Is a Third Party Processor GDPR? The 7-Minute Compliance Check You’re Skipping (and Why Your Event Platform Could Get Fined Tomorrow)

By emily-zhang · January 23, 2024

Why 'What Is a Third Party Processor GDPR?' Isn’t Just Legal Jargon—It’s Your Event’s Liability Blind Spot

If you’ve ever used Eventbrite to collect attendee emails, integrated Stripe for ticket payments, or sent post-event surveys via Mailchimp—you’ve almost certainly engaged with what is a third party processor GDPR. And if you haven’t signed a proper Data Processing Agreement (DPA) with them? You’re not just non-compliant—you’re personally exposed to fines up to €20 million or 4% of global revenue. With GDPR enforcement surging 63% year-over-year (2023–2024 EDPB report), this isn’t theoretical. It’s the silent risk hiding in your registration flow, CRM sync, and even your Wi-Fi login page.

Breaking Down the GDPR Triangle: Controller, Processor, and Sub-Processor

GDPR doesn’t treat all data handlers equally—and mislabeling roles is the #1 mistake we see in event tech stacks. Here’s the core distinction:

Data Controller: You—the event organizer, association, or brand deciding why and how personal data (names, emails, job titles, dietary preferences) is processed. You bear ultimate legal responsibility—even when outsourcing.
Third Party Processor: Any external service that processes personal data on your behalf and under your instructions. Think: Cvent (registration), Zoom (webinar analytics), or even your cloud-hosted survey tool. Crucially, they cannot repurpose your attendees’ data for their own marketing or AI training without explicit consent—and must delete it upon contract termination.
Sub-Processor: A vendor hired by your processor (e.g., AWS hosting Zoom’s infrastructure). GDPR requires your processor to get your prior written consent before engaging sub-processors—and to flow down the same contractual safeguards.

A real-world case: In 2023, a UK conference organizer was fined £185,000 after its ‘free lead-gen app’—a third-party badge scanner—uploaded attendee contact details directly to the vendor’s sales CRM. The organizer assumed ‘they’re just scanning badges.’ But because the vendor stored, enriched, and reused that data autonomously, it wasn’t acting as a processor—it was a joint controller. That reclassification voided their DPA and triggered full liability.

Your 5-Step Third-Party Processor Audit (With Real Vendor Red Flags)

Don’t wait for a breach or an audit letter. Run this practical, field-tested assessment on every vendor touching attendee, speaker, or sponsor data:

Map the Data Flow: Trace one attendee’s journey—from registration form → CRM → email platform → post-event NPS survey. At each handoff, ask: Who owns the database? Who decides retention periods? Who can access raw data? If the answer isn’t ‘us,’ it’s likely a processor relationship.
Verify the DPA Exists (and Isn’t a Checkbox): A valid DPA isn’t buried in Terms of Service. It must be a standalone, signed document specifying: data categories processed, purpose limitation, security measures (e.g., encryption at rest/in transit), sub-processor rules, breach notification timelines (<72 hrs), and audit rights. Bonus tip: Reject any DPA that says ‘as updated from time to time’—GDPR requires your explicit approval of changes.
Test Their Breach Response: Email support with a hypothetical scenario: ‘If your system were compromised tomorrow, how would you notify us—and what evidence will you provide?’ Legitimate processors respond within 24 hours with a defined escalation path, forensic summary template, and root-cause timeline. Vague replies like ‘we follow industry standards’ are major red flags.
Confirm Deletion Capabilities: Ask for a screenshot or demo of their data deletion workflow. Can they purge *all* copies—including backups, logs, and analytics caches—within 30 days of contract end? If they say ‘we anonymize instead,’ push back: GDPR requires erasure, not pseudonymization, unless you’ve explicitly agreed to indefinite anonymized analytics.
Validate EU-Based or Adequacy-Certified Hosting: Even if your vendor is US-based, they must use EU servers or rely on an approved transfer mechanism (like the EU-US Data Privacy Framework). Avoid vendors still clinging to the invalidated Privacy Shield. Check their Transparency Report or SOC 2 Type II report for geographic data residency clauses.

GDPR Processor Obligations: What Your Vendor Must Do (and What You Must Verify)

Many event teams assume signing a DPA transfers risk. It doesn’t. Your due diligence is ongoing. Under Article 28 GDPR, processors have strict, non-negotiable duties—including these often-overlooked requirements:

Processing only on documented instructions: They cannot run A/B tests on your attendee list or sell ‘aggregated insights’ without your written go-ahead.
Implementing state-of-the-art security: Not just firewalls—but regular penetration testing, staff background checks, and mandatory MFA for all engineers accessing production databases.
Assisting with DSARs (Data Subject Access Requests): When an attendee emails you asking ‘What data do you hold about me?,’ your processor must help you locate and export *their* copy within one month—not just say ‘check our portal.’
Notifying breaches without undue delay: This means immediately, not ‘within business hours.’ The Irish DPC fined Meta €1.2B in 2023 partly because WhatsApp delayed breach notification by 48 hours.

Pro tip: Build processor accountability into your RFPs. Require vendors to disclose past GDPR incidents (not just ‘none reported’), name their EU Representative (mandatory for non-EU processors), and commit to annual third-party security audits.

Third-Party Processor Comparison: What to Demand From Your Top 5 Event Tech Vendors

Vendor Category	GDPR Risk Level	Must-Have Clause in DPA	Real-World Failure Example	Your Verification Action
Registration & Ticketing (e.g., Eventbrite, Hopin)	High	Explicit prohibition on using attendee data for vendor’s own lead generation	2022: A European trade show’s ticketing platform sold ‘qualified attendee lists’ to sponsors under ‘analytics services’—violating purpose limitation	Require written confirmation that no data is shared with sponsors or used beyond fulfillment
Email Marketing (e.g., Mailchimp, HubSpot)	Medium-High	Right to audit vendor’s security controls annually	2023: A nonprofit’s email vendor suffered a credential-stuffing attack; no breach notification occurred for 11 days	Request their latest SOC 2 report and verify incident response SLA in writing
Virtual Platform (e.g., Zoom, RingCentral)	High	Guarantee of EU-based data residency for recordings and transcripts	Zoom’s default US storage caused a German university to halt usage until EU-region deployment was confirmed	Log into vendor portal and screenshot data center location settings; confirm in DPA
Survey & Feedback Tools (e.g., SurveyMonkey, Qualtrics)	Medium	Automatic data deletion after 90 days unless extended per instruction	A tech summit kept post-event survey responses for 2+ years without attendee consent—triggering a complaint	Set calendar reminders to review retention settings quarterly
Badge Scanners & Lead Retrieval Apps	Critical	Zero data storage outside device; all scans encrypted and auto-deleted post-sync	Multiple vendors found storing unencrypted contact data on local devices—exposed at airport security checks	Require hardware security certification (e.g., Common Criteria EAL4+) and test offline deletion

Frequently Asked Questions

Is a payment gateway like Stripe considered a third party processor under GDPR?

Yes—absolutely. Stripe processes names, billing addresses, and card tokens on your behalf to fulfill transactions. As a controller, you must sign Stripe’s DPA (available in their GDPR Resource Center) and ensure their sub-processors (e.g., banks, fraud engines) are also compliant. Note: Stripe is not a ‘joint controller’ for payment data—that role belongs solely to you and the financial institution.

Do I need a DPA with every SaaS tool—even free ones like Google Forms?

Yes—if it collects personal data from EU residents. Google provides a pre-signed DPA for Workspace customers, but free Gmail/Forms accounts lack enforceable DPAs. Using free tools for EU attendee data creates unmitigated liability. Always upgrade to a paid, auditable plan with a DPA—or switch to GDPR-compliant alternatives like Jotform Enterprise or Typeform’s EU-hosted plans.

What happens if my third party processor has a data breach?

You remain legally liable to regulators and affected individuals—even if the breach originated with the processor. However, a robust DPA lets you seek indemnification. Key: Your DPA must require the processor to cover costs of regulatory fines *if* the breach resulted from their negligence (e.g., unpatched software, weak credentials). Without this clause, you absorb 100% of penalties.

Can I use a US-based vendor if they’re certified under the EU-US Data Privacy Framework?

Yes—but only if they appear on the official DPF List and you’ve verified their certification status. Crucially, the DPF covers transfers *from the EU to the US*, not onward transfers (e.g., your US vendor sending data to India). For those, you’ll need SCCs + Transfer Impact Assessments. Also: DPF doesn’t replace the need for a DPA—it supplements it.

Does GDPR apply to events held outside the EU but with EU attendees?

Yes—unequivocally. GDPR’s territorial scope (Article 3) applies whenever you offer goods/services to, or monitor the behavior of, individuals in the EU. If your event website accepts EUR payments, displays language selectors for DE/FR/ES, or uses cookies to track EU visitors, you’re in scope—even if the venue is in Singapore or Mexico City.

Common Myths About Third Party Processors and GDPR

Myth #1: “If I don’t store data, I’m not responsible.” False. Merely transmitting or instructing processing makes you the controller. Example: Sending attendee emails to Mailchimp for sending triggers your obligations—even if Mailchimp hosts everything.
Myth #2: “Signing a DPA once covers all future vendors.” False. Each processor relationship requires its own DPA. Using Vendor A for registration and Vendor B for surveys? Two separate DPAs. Replacing Vendor A with Vendor C? A new DPA—not an amendment.

Ready to Turn Compliance From a Cost Center Into Your Competitive Edge

Understanding what is a third party processor GDPR isn’t about avoiding fines—it’s about building trust. Attendees increasingly scrutinize privacy policies (74% say they’ll skip an event if data practices seem opaque—2024 EventMB Trust Index). When you proactively audit vendors, publish clear data promises, and empower speakers/sponsors with compliant tools, you signal professionalism, reduce churn, and future-proof against stricter regulations like the upcoming EU AI Act. So today: Pull up your last three vendor contracts, open a blank doc, and run the 5-step audit above. Then, schedule a 30-minute internal workshop to align your marketing, ops, and IT teams on one shared data governance standard. Your next event won’t just be memorable—it’ll be trusted.