Skip to content
New: connect Linkly to your favourite AI and ask about your tradeshow results and leads
Blog · compliance

Collecting trade fair leads in line with the GDPR

GDPR trade fair leads: legal basis, privacy notice and data retention for contacts collected at your stand. A practical guide for DPOs and Heads of Sales.

by Veronica Pisana · June 24, 2026 · 7 min read

Collecting trade fair leads in line with the GDPR is not a task you postpone. A personal data point crosses your stand every couple of minutes, and the DPO and the Head of Sales rarely speak the same language. This is the operational version: what you actually need, and what is theatre.

In short:

  • The most common legal basis for a B2B lead collected at the stand is legitimate interest (Art. 6.1.f GDPR), not consent. Explicit consent is for newsletters/mass marketing.
  • The privacy notice (Art. 13) must be accessible at the stand: a QR code linking to a page is enough. No paper forms signed by every contact.
  • Retention follows the storage-limitation principle (Art. 5.1.e): set a proportionate period (many B2B firms: 12-24 months), write it down, respect it.
  • Enrichment from public sources is compatible if it serves the same declared purpose and you inform the data subject.
  • Keep the data in your CRM, not in the fair app: one controller, one retention period, one clean export.

The first thing people who’ve never worked a stand ask is: “do we get them to sign a consent?”. Almost always the answer is no. If a visitor hands you their card or lets you scan their badge to be contacted about a B2B offer, there is a reasonable expectation of commercial contact. The correct legal basis is often legitimate interest (Art. 6.1.f GDPR).

Explicit consent is for specific cases: newsletter sign-up, automated mass marketing, heavy profiling. Confusing the two leads to opposite mistakes: asking for consent when you don’t need it (and losing leads to friction), or running email marketing without consent when you should have it.

The rule of thumb: for 1:1 commercial follow-up after the fair, legitimate interest. For pushing the contact into automated marketing flows, consider consent. Document the choice with a minimal balancing test.

The privacy notice at the stand, without theatre

Art. 13 GDPR requires the data subject to know, at the moment of collection: who the controller is, why you process the data, on what basis, how long you keep it, how to exercise rights.

In fair practice this is solved with:

  • a QR code at the stand linking to a notice page, or
  • a line in your digital qualification form with a link to the full notice.

You don’t need every contact to sign a paper form: it slows the conversation and produces paper no one files. What you need is proof the information was available at the moment of collection. If you use a digital trade fair lead capture system, the scan timestamp is already your proof.

Retention: the number you must decide

The GDPR doesn’t say “24 months”. It says storage limitation (Art. 5.1.e): keep data only as long as needed for the purpose. You define the purpose.

From our experience, many B2B companies adopt:

  • leads converted to customers → retention tied to the contractual relationship;
  • qualified, unconverted leads → 12-24 months, then review, deletion or anonymisation;
  • cold, volume-collected contacts → a shorter window.

What makes a difference in an audit isn’t the number, it’s consistency: having written it in the notice and respected it in the CRM. A contact “forgotten” in an Excel file on a salesperson’s desktop is the real risk, not the retention period itself.

Automatic enrichment and the GDPR

Enrichment from public sources is only a grey area if you treat it carelessly. If you enrich for the same purpose already declared (qualifying a B2B commercial contact) and from public sources, it’s compatible. You still must inform the data subject that you integrate data from public sources.

Here it matters where the system runs. Linkly enriches from 30+ public data sources and runs on EU GDPR-compliant infrastructure: the data doesn’t leave the Union. That’s the detail the DPO checks first.

The real risk: fragmentation

Non-compliance at fairs rarely comes from a wrong legal basis. It comes from fragmentation: badges photographed on personal phones, cards in pockets, the fair app, a Google Sheet “we’ll fix on Monday”. More places where personal data lives means less control over retention, access and deletion.

Operational tidiness is also GDPR tidiness: every contact lands straight in the company CRM, with event tag, legal basis and retention period aligned. One controller, one system, one export. This is exactly where compliance and sales productivity coincide.

When DIY is enough

If you do one fair a year with ten contacts, a QR-linked notice and a sheet deleted after 18 months can be enough, handled with discipline. The problem scales when contacts run into the hundreds, people differ and events multiply: there you need a process, not the goodwill of a single salesperson.

The next step

If you want to see how to keep compliance and follow-up speed together, book a demo: we’ll show you the badge → CRM flow with aligned legal basis, tags and retention, on EU infrastructure.

FAQ

Do I need consent to collect a lead at a trade fair? +

Not always. If someone hands you a business card or lets you scan their badge to be contacted about a B2B offer, the legal basis can be legitimate interest (Art. 6.1.f GDPR), not consent. Explicit consent is needed instead for newsletters or mass email marketing. Always document which basis you use and why.

What privacy information do I need at the stand? +

An accessible privacy notice (Art. 13 GDPR): who the controller is, why you process the data, on what legal basis, how long you keep it and how to exercise rights. In practice a QR code at the stand linking to a page, or a line in your digital qualification form. You don't need paper forms signed by every contact.

How long can I keep the leads I collect? +

The GDPR sets no fixed number: the principle is storage limitation (Art. 5.1.e). You define a period proportionate to the commercial purpose — many B2B companies use 12-24 months for unconverted leads, then deletion or anonymisation. The rule: write it in your notice and stick to it.

Is automatic data enrichment GDPR-compatible? +

Yes, if the sources are public and the enrichment serves the same declared purpose (qualifying a B2B commercial contact). Linkly enriches from 30+ public data sources and runs on EU GDPR-compliant infrastructure. It remains your responsibility to inform the data subject that you integrate data from public sources.

Where should I store the data: the fair app or my CRM? +

In your CRM, with a clear controller and retention period. The fair app often gives you no control over retention or a clean export, and multiplies the places where personal data lives. Fewer systems, more control.

Ready to turn your next trade fair's contacts into pipeline?

Linkly captures, enriches, qualifies and follows up every lead, from badge to CRM to follow-up.

Go deeper with AI

Linkly pages are optimised to be read correctly by AI assistants. Open the conversation in your preferred one with the context already in place, or copy the prompt to use it anywhere.