Events
Yes, provided that the participant has consented to the disclosure of his/her data.
A disclosure without prior consent, p.ex. based on the legitimate interest, would be difficult to defend.
Relying on legitimate interest of the organiser – for instance to increase the attractiveness of the event and to ensure its success - can be in fact problematic due to
-
the difficulty to prove that it is necessary to publish world-wide the attendees‘ list for the successful organisation and execution of the event, as there are other, less privacy invasive ways available to achieve this objective, and
-
the rights and interests of the attendees that would have been disregarded by such a mandatory disclosure.
The world-wide publication of personal data can constitute a considerable impairment of the privacy of the individual concerned; in the worst case it can lead even to physical and material damages, for instance if criminals use the participants‘ list to identify possible targets for burglaries.
Be careful not to confuse the necessity to process personal data for your stated purpose with processing which is only necessary because of your chosen method of pursuing that purpose!
If there is another reasonable and less invasive way to meet the interest and achieve your purpose without the processing, then it would be unlawful (unless another lawful basis applies).
Yes.
The recommended approach is to seek the consent of the participant to disclose his/her data to the other attendees.
But depending on the character and purpose of the event, the organiser could rely on legitimate interest, instead. This is particular the case for networking events or events for the purpose of scientific exchange, where the identify of each participant is an important information for the attendees. In such kind of events, generally participants expect that an attendees list exist and is shared with them.
That means, the participants would not be asked to agree with the data disclosure. However, the organiser should be prepared to accommodate attendees who don’t want their personal data used in this way, or foresee the possibility to opt-out for attendees who claim that their interest outweighs the interest of the organiser.
The principles of protecting personal data include the requirement to only collect the personal data required for delivering the service. In this context, when organising an event, you should only request the minimum data actually required to attend the event, for example for access to the CERN site. Those data can only be used for that purpose.
Any other data you might like to collect, or using data for another purpose (for example contacting afterwards) should be on an opt-in basis only.
The registration page should contain a conspicuous link to the privacy notice which should follow the CERN standard and includes details on how the data will be processed, who it may be passed to and how long it will be kept for. It also informs the individual of how to exercise their rights as a data subject.
See also Procedure: Processing of personal data for event organisation