When an attendee enters their name, ID or photo to get into an event, they’re trusting you with that data. What’s it used for? Who has it? Is it deleted? The short answer: in a well-run access control operation, data is collected with consent, used only to validate entry, and stays under the organizer’s control. Nothing more.
At SOMOS DER we treat attendee data for what it is: sensitive information that has to be looked after. Here’s how we do it, and what the law says in Argentina.
What data is collected (and why the minimum)
Good access control asks for only what it needs to validate entry:
- First and last name
- Email (to send the QR)
- ID number, if the event requires it
- Any extra fields the organizer defines (company, phone, etc.)
If the event uses facial recognition, a photo captured at pre-registration is added. The principle is the same in every case: data minimization. The less data you collect, the less you have to protect.
What it’s used for: a single purpose
The data is used for one thing only: to generate the QR (or facial profile) and validate event access. It doesn’t feed marketing campaigns, it isn’t sold, and it isn’t shared with third parties without consent.
This is key: the organizer owns the database. The access operator manages it technically, for that single purpose, and hands it back to the client. You control the list at all times.
What Law 25.326 says
In Argentina, Law 25.326 on Personal Data Protection sets the rules. In plain terms, the core points:
- Consent. The data subject has to consent to you collecting their data.
- Specific purpose. Data is collected for a clear purpose (accrediting the event) and can’t be used for a different one.
- Security and confidentiality. You have to guarantee the data is protected.
- Rights of the data subject. The person can access their data, rectify it, and request its deletion.
This article is informational and doesn’t replace legal advice. For events with strict privacy requirements, it’s worth reviewing the data handling with a specialist.
Collecting data to accredit an event is perfectly legitimate as long as these principles are respected. The problem is never collecting data: it’s collecting it carelessly.
How we handle it in practice
Three simple rules:
- A secure environment. Pre-registration and the database run on a controlled environment, not on spreadsheets floating around over email.
- The client is in charge. The database belongs to the organizer. If your company has a retention or deletion policy, we build it into the setup.
- No parallel uses. The data isn’t reused for anything other than the event.
For corporate clients with specific requirements — like brands handling their own customers’ data — we adapt the data handling to their standards. It’s part of the service, not an add-on.
Privacy isn’t a legal footnote: it’s part of the trust the attendee places in the event. We look after it the way we look after the door. Learn about our access control and accreditation service.