Data Protection Impact Assessment
Data Protection Impact Assessment (DPIA) under Article 35 GDPR.
Version 1.0 — 3 July 2026. This document is reviewed periodically and whenever the processing activities change materially.
1. Introduction and rationale
This Data Protection Impact Assessment (DPIA) describes the processing of personal data within the MijnEvent platform, assesses the risks to the rights and freedoms of data subjects, and sets out the measures that mitigate those risks. It has been prepared in accordance with Article 35 of the General Data Protection Regulation (GDPR). Because MijnEvent processes personal data at scale in a ticketing environment involving payments, resale and access control, a DPIA is appropriate and also supports organisers in meeting their own accountability obligations.
2. Responsibilities and roles
Depending on the processing activity, MijnEvent acts in two roles:
- For visitors' personal data (ticket purchase, payment, resale, check-in), the organiser is the controller and MijnEvent acts as processor, in line with the data processing agreement (Article 28 GDPR).
- For the platform's own processing — organiser accounts, authentication and security, billing and platform-wide statistics — MijnEvent is itself the controller.
This DPIA covers both roles at platform level. For the processing in which the organiser is controller, it is intended to serve as input for the organiser's own DPIA obligations.
3. Systematic description of the processing
The register below describes, for each processing activity, the purpose, the legal basis, the data subjects, the categories of personal data and the retention period.
| Processing | Purpose | Legal basis (Art. 6 GDPR) | Data subjects | Personal data | Retention |
|---|---|---|---|---|---|
| Ticket sales and orders | Processing ticket purchases and delivering tickets. | Performance of the contract (Art. 6.1.b). | Visitors/buyers. | Name, email address, city of residence, order and ticket data. | Duration of the event; financial data falls under the organiser's statutory retention obligation. |
| Payment processing (Mollie Connect) | Settling payments and the platform fee. | Performance of the contract (Art. 6.1.b); legal obligation (Art. 6.1.c). | Visitors/buyers. | Payment status and transaction references. Card and bank details are processed solely by Mollie and never reach MijnEvent's servers. | In line with Mollie and the statutory retention obligation. |
| Organiser accounts and Mollie connection | Managing the organisation, billing/acceptance and connecting the organiser's own Mollie account. | Performance of the contract (Art. 6.1.b); legal obligation (Art. 6.1.c); legitimate interest (Art. 6.1.f). | Organisers and team members. | Name, business email address, company details (Chamber of Commerce, VAT) entered by the organiser in MijnEvent, and encrypted Mollie OAuth tokens. | Duration of the account, plus statutory retention periods. |
| Authentication and email masking | Secure, passwordless access and masking of visitor email addresses in management environments. | Legitimate interest: security (Art. 6.1.f). | Organisers, team members and visitors. | Email address, hashed magic-link and OTP tokens, device tokens, and an audit log when a masked address is revealed. | Tokens are short-lived (minutes to days); audit logs are retained longer for accountability. |
| Resale | Peer-to-peer resale of tickets between visitors. | Performance of the contract (Art. 6.1.b). | Buyers and sellers. | Ticket ownership, asking price and the old and new ticket tokens. | Duration of the event. |
| Check-in via QR codes | Access control at the event. | Performance of the contract (Art. 6.1.b); legitimate interest of the organiser (Art. 6.1.f). | Visitors and inspectors. | Unique ticket token, check-in timestamp, inspector identification and optionally the scan location. | Duration of the event with a short follow-up period. |
| Multi-tenancy (subdomain per organiser) | Logical and, where applicable, physical separation of each organiser's data. | Organisational and technical measure supporting the other processing activities (no separate legal basis). | Not applicable (isolation measure). | Not applicable. | Not applicable. |
| Statistics per organiser | Providing insight into sales and attendance figures. | Legitimate interest of the organiser (Art. 6.1.f). | Visitors (aggregated only). | Cookieless, aggregated visit statistics and sales figures; no individual visitor profiles. | As long as the statistics remain relevant to the organiser. |
| Privacy requests (access/erasure) | Facilitating data subject rights (access, portability, erasure). | Legal obligation (Art. 6.1.c; Art. 15–17 GDPR). | Visitors and organisers. | Identification and request data needed to handle the request. | As long as needed to handle the request and to evidence correct execution. |
Note: creating and verifying (KYC) the Mollie account takes place directly between the organiser and Mollie, outside MijnEvent. Mollie acts as an independent controller in that respect; MijnEvent only receives the OAuth tokens (encrypted) to initiate payments on the organiser's behalf, and does not process any identity or KYC documents itself.
An up-to-date overview of all engaged sub-processors (including Mollie, Amazon Web Services, Cloudflare and the email and statistics services), with their purpose and location, is available on our security page.
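The "Authentication and email masking" row in the register names three controls: hashed, short-lived, single-use magic-link and OTP tokens; masking of visitor email addresses in management screens; and an audit log entry whenever a masked address is revealed. The following Python example is added here to show how those controls fit together; it is not MijnEvent's own code. The 15-minute default lifetime, the `j**@example.org` masking format, the class and field names and the demo pepper value are assumptions for the illustration.

```python
"""Hashed, single-use, expiring login tokens plus masked-email reveal with an audit log.

Added illustration; not MijnEvent platform code. Lifetimes, names and formats are assumed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed magic-link lifetime (register says "minutes to days")


@dataclass
class TokenRecord:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """Persists only an HMAC of each token, so a read-out of the store cannot be replayed as a login."""

    def __init__(self, pepper: bytes, clock: Callable[[], float] = time.time) -> None:
        self._pepper = pepper          # server-side secret, kept outside the token store
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._records: Dict[bytes, TokenRecord] = {}

    def _digest(self, token: str) -> bytes:
        return hmac.new(self._pepper, token.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, email: str, ttl: int = TOKEN_TTL_SECONDS) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; guessing is infeasible
        self._records[self._digest(token)] = TokenRecord(email, self._clock() + ttl)
        return token  # plaintext goes into the emailed link only and is never persisted

    def redeem(self, token: str) -> Optional[str]:
        """Return the email for a valid token and consume it; None if unknown, expired or reused."""
        rec = self._records.get(self._digest(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True  # single use: a link later leaked from a mailbox is worthless
        return rec.email

    def purge_expired(self) -> int:
        """Storage limitation: drop records as soon as they can no longer be redeemed."""
        now = self._clock()
        stale = [h for h, r in self._records.items() if r.used or now > r.expires_at]
        for h in stale:
            del self._records[h]
        return len(stale)


def mask_email(address: str) -> str:
    """Mask the local part, keep the domain: 'jan@example.org' -> 'j**@example.org' (assumed format)."""
    local, sep, domain = address.partition("@")
    if not sep or not local:
        return "***"
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain


class VisitorDirectory:
    """Management view is masked by default; every reveal of a real address is audit-logged."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._visitors: Dict[str, str] = {}   # visitor id -> email address
        self.audit_log: List[dict] = []

    def add(self, visitor_id: str, email: str) -> None:
        self._visitors[visitor_id] = email

    def view(self, visitor_id: str) -> str:
        return mask_email(self._visitors[visitor_id])

    def reveal(self, actor: str, visitor_id: str, reason: str) -> str:
        # The audit entry identifies the record and the acting user, not the revealed address itself.
        self.audit_log.append({"ts": self._clock(), "actor": actor,
                               "visitor_id": visitor_id, "reason": reason})
        return self._visitors[visitor_id]


if __name__ == "__main__":
    store = MagicLinkStore(pepper=b"demo-pepper-replace-in-production")
    link_token = store.issue("jan@example.org")   # in practice sent to the visitor by email
    print(store.redeem(link_token))   # jan@example.org
    print(store.redeem(link_token))   # None: already used
    directory = VisitorDirectory()
    directory.add("v1", "jan@example.org")
    print(directory.view("v1"))       # j**@example.org
```

Two design points carry over to any real implementation: the store never holds the plaintext token, so the register's "hashed magic-link and OTP tokens" means a database compromise does not yield valid logins, and `purge_expired` is what turns the stated retention ("short-lived, minutes to days") into an enforced limit rather than a policy statement.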
4. Necessity and proportionality
The processing activities are necessary to sell tickets, settle payments and control access. MijnEvent applies the following principles:
- Data minimisation: only name, email address and city of residence are requested from visitors; no special categories of personal data are processed.
- Purpose limitation: data is used only for the ticketing service and never for MijnEvent's own advertising or sale to third parties.
- Storage limitation: data is not kept longer than necessary, with self-service erasure and arrangements for return or destruction afterwards.
- Privacy by design and by default: passwordless authentication, email masking, cookieless statistics and encryption are built in by default.
5. Risk assessment and residual risks
For each identified risk to the rights and freedoms of data subjects, the mitigating measures and the remaining (residual) risk have been assessed.
| Risk | Mitigating measures | Residual risk |
|---|---|---|
| Unauthorised access to visitor data. | | Low |
| Compromise of payment data. | | Low |
| Data leak between organisers (cross-tenant). | | Low |
| Misuse or duplication of tickets via QR codes or resale. | | Low to medium |
| Undesired profiling through statistics. | | Low |
| Excessive or overly long retention of data. | | Medium |
| Data subjects unable to exercise their rights. | | Low |
| Transfer of data outside the EEA. | | Low |
| Unauthorised or untraceable administrative actions. | | Low |
| Unwanted linking of identities during resale. | | Low |
6. Conclusion and control
After implementing the described measures, a low residual risk remains for the majority of the processing activities. A low-to-medium residual risk remains for ticket integrity, controlled through unique, auditable ticket tokens, and a medium residual risk for retention periods, controlled through data minimisation and storage limitation. The processing is therefore assessed as proportionate and manageable.
- The processing is necessary, proportionate and surrounded by appropriate safeguards.
- No special categories of personal data are processed and no automated decision-making with legal effect takes place.
- This DPIA is reviewed on new processing activities, new sub-processors or changed risks.
7. Review and updates
This DPIA is reassessed at least annually and whenever the processing changes materially. Where a high residual risk cannot be reduced by reasonable measures, the Dutch Data Protection Authority is consulted prior to processing (Article 36 GDPR).
Questions about this DPIA?
For questions about this impact assessment or about data protection at MijnEvent, please contact us.