How Does GDPR Affect Race Organizers?

The General Data Protection Regulation (GDPR) has been in effect since May 2018 and has had a significant impact on how businesses and organizations handle personal data. This includes race organizers and any other event organizers whose participants provide personal information during the registration process. In this article, we’ll explore how GDPR affects you as a race organizer and what you’ll need to do to ensure compliance.

What is GDPR?

Firstly, let’s start with the basics. GDPR is a regulation implemented by the European Union that sets out rules for the collection, processing, and storage of personal data. Personal data includes any information that can be used to identify an individual, such as their name, address, email address, and phone number.

GDPR applies to any organization that processes personal data of EU citizens, regardless of where the organization is based. Note: this means that race organizers based outside of the EU who collect personal data from EU citizens are also subject to GDPR.

How Does GDPR Affect Race Organizers?

Race organizers collect a significant amount of personal data from participants, including names, addresses, dates of birth, and contact information. GDPR requires that race organizers obtain explicit consent from participants to collect and process their personal data. This means that race organizers must inform participants of the purpose of collecting their data, how it will be used, and who will have access to it.

Race organizers must also ensure that personal data is kept secure and is only accessible to those who need it. They must have appropriate measures in place to prevent unauthorized access, accidental loss, or destruction of personal data. Additionally, they must inform participants if there is a data breach that may affect their personal data.

Participants also have the right to access their personal data that race organizers hold and request that it be deleted or corrected if necessary. Race organizers must respond to these requests within one month.

What Steps Can Race Organizers Take to Ensure GDPR Compliance?

To ensure GDPR compliance, race organizers can take the following steps:

  • Obtain explicit consent: Obtain explicit consent from participants to collect and process their personal data. This can be done through a consent form or a privacy policy that participants must agree to when registering for the race.
  • Keep personal data secure: Ensure that personal data is kept secure and is only accessible to those who need it. This can be done by using secure online registration systems and encryption for sensitive data.
  • Be transparent: Be transparent about the purpose of collecting personal data, how it will be used, and who will have access to it. This can be done through a clear and concise privacy policy that participants can easily access.
  • Respond to requests: Respond promptly to requests from participants to access, correct, or delete their personal data.
  • Regularly review policies and procedures: Regularly review policies and procedures to ensure they are up to date and comply with current GDPR requirements.

Luckily for you, the majority of the points above can be efficiently and conveniently handled through your EMS or registration provider. At RaceID, for example, the system has a built-in compliance procedure where participants accept the RaceID terms (including the GDPR data policy on how their data is stored and used inside the platform) when they register and create an account. But if you store participant data somewhere else, or are going to use the data you collect through the system for other activities, then you might have to add your own policy and make your participants aware of it.

Likewise, if you have your own website, you must have a data and GDPR policy available and comply with all points above for the type of data you collect and how you use it. This includes website cookies (for example, tracking of user behavior via Google or other advertising 3rd parties) and other ways you may monitor visitors. 

What Happens to Race Organizers That Fail to Comply with GDPR?

It goes without saying that race organizers that fail to comply with the GDPR framework may face serious consequences, some of which include:

  • Fines: Organizations that violate GDPR can be fined up to 4% of their global annual revenue or €20 million (whichever is greater) for the most serious breaches.
  • Legal Action: Individuals whose data has been mishandled or compromised can sue the organization responsible for the breach for damages.
  • Reputational Damage: Failing to protect personal data can harm an organization’s reputation and trust with its customers/participants. This will obviously have long-term effects on the success of the organization.
  • Loss of Business: Race organizers may lose participants and business if they are not GDPR-compliant, as participants will be hesitant to share their personal data with an organization that does not take data protection seriously.


To recap then, GDPR has had a significant impact on how race organizers are allowed to handle personal data. You must obtain explicit consent from participants, keep personal data secure, be transparent about the purpose of collecting personal data, respond to requests from participants, and regularly review policies and procedures to ensure compliance with GDPR. By taking these steps, or ensuring that you have these steps taken care of via your EMS or registration platform, you can ensure that you are compliant with GDPR and protect the personal data of your participants.

Remember, failing to comply with the GDPR framework can result in serious consequences for race organizers, including fines, legal action, reputational damage, and loss of business. It’s essential that they take the necessary steps to ensure that they are GDPR-compliant and protect participants’ personal data.

Want to Learn More?

To see how RaceID handles participant data, read this article.