GDPR applies to you
If you collect personal data from EU residents (which includes name + email at registration), GDPR applies. Scale doesn't matter. A 50-person charity 5K has the same obligations as a 10,000-person marathon, just at smaller scope.
Non-compliance fines are up to 4% of global annual turnover. For a small organisation, that can be business-ending.
This guide is practical, not legal advice. For specific questions, consult a DPO.
What counts as personal data in race context
- Name, email, phone, address
- Date of birth
- Gender
- Medical declarations
- Emergency contact
- Payment data (handled via PCI-DSS layer, still under GDPR)
- Photos that identify individuals
- Finish times associated with identified runners
- IP addresses
Literally everything about your participants.
Core GDPR principles applied to races
Purpose limitation: Collect data only for specified purposes. Use it only for those purposes.
Practical: Don't collect dietary preferences unless you're offering food. Don't collect shoe size unless you're giving shoes.
Data minimization: Only collect what you actually need.
Practical: Strip registration forms to essentials (see "Custom Registration Forms" guide for 10-field minimum).
Storage limitation: Keep data only as long as needed.
Practical: After 3-5 years, purge participant records unless actively registered for future events.
Integrity and confidentiality: Secure data against unauthorised access.
Practical: HTTPS (TLS) everywhere, bcrypt passwords, encrypted backups.
Accountability: You must be able to demonstrate compliance.
Practical: Document your data flows. Maintain audit trail.
The consent landscape
Two bases for processing:
Contract necessity: You need the data to provide the service (registration, invoice, race day). This is your main legal basis.
Consent: Explicit opt-in for things beyond contract necessity. Needed for:
- Marketing emails after the event
- Sharing runner data with sponsors
- Using photos in marketing materials
- Sharing with external timing partners (argue contract necessity or consent)
Don't rely on consent for things you can justify under contract. Consent is withdrawable; contract necessity holds.
The registration form consent structure
- ✅ Required: acceptance of terms (contract necessity)
- ✅ Required: medical waiver
- ☐ Optional: marketing consent (separate checkbox)
- ☐ Optional: sponsor communications
- ☐ Optional: publication of name in results
Do NOT pre-tick optional boxes. The user must actively opt in.
Rights you must honour
Participants have the right to:
- Access: Request all data you hold on them
- Rectification: Correct incorrect data
- Erasure: Delete their data ("right to be forgotten")
- Restriction: Limit how you process
- Portability: Export their data in machine-readable format
- Objection: Opt out of certain processing
You must respond to these within 30 days. Document requests and responses.
The "right to be forgotten" wrinkle
Fiscal compliance (Croatia: 11 years invoice retention) CONFLICTS with full erasure.
Resolution: pseudonymise the participant record but retain the fiscal invoice with required details. Document this policy.
Time-Monkey handles this: "anonymise participant" command strips personal details from a participant record while preserving invoices.
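As an added illustration of the two policies above (storage limitation after 3-5 years, and erasure that keeps the fiscal invoice), here is a small Python sketch; it is not Time-Monkey's own code, and the record shapes, the "anon-" pseudonym format and the in-memory audit list are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib

@dataclass
class Participant:
    id: int
    name: str
    email: str
    phone: str
    dob: str
    emergency_contact: str
    event_dates: list  # dates of every event this person registered for

@dataclass
class Invoice:
    number: str
    participant_id: int
    issued: date
    amount_eur: float
    billing_name: str  # fiscal record must keep its required details

AUDIT: list = []  # constructed in-memory audit trail (accountability principle)

def pseudonym(participant_id: int) -> str:
    # Stable placeholder label so result tables still join on the id;
    # it carries no personal data and is not meant to be secret.
    return "anon-" + hashlib.sha256(str(participant_id).encode()).hexdigest()[:12]

def anonymise(p: Participant, actor: str, reason: str) -> Participant:
    """Strip personal details from the participant record only.
    Invoices are deliberately left untouched (fiscal retention)."""
    AUDIT.append({"actor": actor, "action": "anonymise",
                  "participant": p.id, "reason": reason})
    return replace(p, name=pseudonym(p.id), email="", phone="",
                   dob="", emergency_contact="")

def due_for_purge(p: Participant, today: date, retention_years: int = 3) -> bool:
    """Storage limitation: purge only when every event is older than the
    retention window and there is no current or future registration."""
    if any(d >= today for d in p.event_dates):
        return False
    cutoff = today - timedelta(days=365 * retention_years)
    return all(d < cutoff for d in p.event_dates)

def retention_sweep(participants: list, today: date, actor: str = "scheduler") -> list:
    """Anonymise everyone past retention; returns the updated list."""
    return [anonymise(p, actor, "retention policy") if due_for_purge(p, today) else p
            for p in participants]
```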
Data Processing Agreement (DPA)
If you use any third-party service that processes participant data, you need a DPA with them. Your DPA inventory likely includes:
- Time-Monkey (your race platform)
- Stripe (payment processor)
- Timing company / RaceResult
- Email service (Mailgun, SendGrid)
- Hosting provider
- Analytics (Google Analytics)
Each provider has a standard DPA available. Sign them all. Keep copies.
Privacy Policy (public)
Your event page must link to a privacy policy that explains:
- What data you collect
- Why (legal basis)
- How long you keep it
- Who you share it with (specifically name third parties)
- Participant rights and how to exercise them
- Your contact (DPO or equivalent)
Update annually or when practices change.
Children's data
Participants under 16 need parental consent. Registration forms for kids' races must collect:
- Parent/guardian consent checkbox
- Parent/guardian name and contact
Data for minors is processed under stricter rules. Consult local regulations.
Security measures
- HTTPS on all pages (Let's Encrypt is free)
- bcrypt password hashing (never plain text)
- Access control (who can see participant data?)
- Audit logs (who accessed what, when)
- Encrypted backups
- Incident response plan (what do you do if breached?)
Time-Monkey implements all of the above by default.
Breach notification
If your participant data is compromised, you have 72 hours to notify the relevant data protection authority (AZOP in Croatia).
You must also notify affected participants if the breach is likely to result in risk to their rights.
Have a written incident response plan. Know who makes notification calls.
Photo consent
Event photography is GDPR-relevant because photos identify individuals. Common practice:
- Notice at registration: "Photos will be taken and may be used for promotional purposes. Opt out at registration."
- Signage at event: "Photography in progress. Opt out by telling any staff member."
- Participants can request removal of specific photos after the event
Quick compliance checklist
- ☐ Privacy policy published and linked from event page
- ☐ Registration form has optional marketing consent (separate checkbox)
- ☐ DPAs signed with all third-party processors
- ☐ Incident response plan documented
- ☐ Participants can request data access / erasure
- ☐ Data retention policy (max 3-5 years post-event)
- ☐ HTTPS (TLS) on all pages
- ☐ Photo consent communicated
- ☐ Staff trained on GDPR basics
The Time-Monkey angle
Time-Monkey provides:
- GDPR-compliant default configuration
- Data access + erasure self-service for participants
- Anonymisation command for fiscal-retention-with-erasure scenarios
- Audit trail on all data operations
- DPA ready to sign
- Security practices aligned with GDPR requirements
Using GDPR-native tools saves months of compliance work.