The GDPR is essentially a prohibition with reservation of permission, i.e. everything that is not expressly allowed is forbidden. This applies in particular to the lawfulness of processing.
The following conditions constitute lawful processing under the GDPR:
a. Consent for the purpose of the data processing was granted (Art. 6 (1) sentence 1 (a) GDPR)
b. The processing serves the fulfillment of a contract or preliminary contract (Art. 6 (1) sentence 1 (b) GDPR)
c. There is a legal obligation (Art. 6 (1) sentence 1 (c) GDPR) or a public interest (Art. 6 (1) sentence 1 (e) GDPR) for the processing
d. There is a legitimate interest of the controller which outweighs the protection interests of the person concerned (Art. 6 (1) sentence 1 (f) GDPR). This is especially the case when
i. the person concerned is a customer or employee, and
ii. it concerns direct mail for similar products (see § 7 Abs. 3 UWG).
Whenever you wish to invoke Art. 6 (1) sentence 1 (f) GDPR as a legal basis, you should actually carry out the balancing of interests and write down the result as evidence, e.g. in the respective record of processing activities (Article 30 GDPR).
It is inadvisable to obtain consent from all your customers across the board in order to be able to rely on it, since there is a danger that the consent will not be effective at all, and you must always expect the customer to withdraw it. So if you can base the processing on other legal bases, you should primarily do that. Apart from that, it is important to keep in mind which conditions apply to consent. Consent is a voluntary, informed declaration of intent. This means that you first have to provide information about the exact purpose and the personal data required for this purpose, and you must then obtain the consent, e.g. in the form of a checkbox that is not a mandatory field, otherwise it is not voluntary (whoever is supposed to say 'yes' voluntarily must also be able to say 'no' without any consequences). The person concerned must also be informed that consent can be revoked at any time and by what means. Revoking consent must not cause them any costs, except, for example, ordinary telephone costs (landline telephony).
You should therefore distinguish between:
1. Data given to you by a participant in order to attend a specific event (i.e. data required to attend the event)
2. The right to invite or contact them afterward.
Whether public registrations for an event require any consent for item 1 is legally controversial. In some cases it is assumed that filling in the form itself constitutes (implied) consent. In that case, a reference to your privacy policy would be sufficient. If necessary, ask the responsible regulatory authority or your national data protection officer how this is handled in your state.