Overview and Definitions.
The terms of this DPA are hereby incorporated into the AddEvent Terms of Service or any other
applicable services agreement between you and AddEvent (the "Agreement").
With respect to provisions regarding Processing of Personal Data, in the event of a conflict
between the Agreement and this DPA, the provisions of this DPA shall control. In the event of
a conflict between this DPA and any other
provision of the Agreement between you and us, this DPA will control; except where Organizer
and AddEvent have individually negotiated data processing terms that are different from this
DPA and which meet the requirements of
applicable Data Protection Laws in full, in which case those negotiated terms will control.
If Section 2.5 applies, in the event of a conflict between this DPA and the applicable data
transfer agreement (if any), the terms of
the applicable data transfer agreement referenced in Section 2.5 will control.
“Controller-to-Processor Standard Contractual Clauses” means the
Controller-to-Processor Standard Contractual Clauses in the Annex to the European Commission Decision of
February 5, 2010, as may be amended or replaced from time to time by the European Commission.
“Data Protection Laws” means all laws or regulations related to the privacy, confidentiality
and security of Personal Data.
“Business,” "Data Controller," "Data Processor," "Data Subject," "Processing," "Personal Data,"
and “Service Provider” shall have the meanings ascribed to them in applicable Data Protection Laws.
"Data Security Breach" means a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data Processed
by AddEvent on Organizer’s
behalf as part of Organizer’s use of the Services.
“Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring,
or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a
third party, other than to a
sub-processor pursuant to Section 2, for monetary or other valuable consideration.
“Services” means any services provided by AddEvent to Organizer, as defined in the AddEvent Terms
of Service of any other applicable services agreement between Organizer and AddEvent.
"Technical and Organizational Security Measures" means reasonable security measures implemented by
AddEvent appropriate to the type of Personal Data being Processed on Organizer’s behalf and the
Services being provided by
AddEvent designed to protect Personal Data against unauthorized or unlawful Processing and against
accidental loss, destruction, damage, alteration or disclosure.
1. Applicability of DPA and scope of data processing activities.
1.1 In using AddEvent's Services, Organizer acts as a Business and is a Data Controller of the Personal
Data associated with an individual using AddEvent Services, or on whose behalf an individual is using
AddEvent
Services, to register for or purchase a ticket to attend such Organizer's event ("Consumer").
Organizer represents and warrants that it has provided any necessary notices and if required,
obtained any necessary consents related to the collection of such Personal Data from the Consumer
and Organizer has the right to share such Personal Data with AddEvent.
1.2 Where AddEvent Processes the Personal Data of Consumers on behalf of Organizer as part of the Services,
AddEvent is a Data Processor or Service Provider in performing such Processing and Organizer is the
Data Controller or Business. This includes circumstances where AddEvent obtains Personal Data as a
result of the provision of its core ticketing services (for example, where AddEvent facilitates the
transmission of emails to Consumers at the request of Organizers, Processes payments, or provides
event reports and tools to enable Organizers to gain insights into the effectiveness of various
sales channels).
In respect of some Processing of Consumers' Personal Data, AddEvent may act as a Data Controller
or Business, for example, where Consumers have engaged with aspects of AddEvent's Applications
beyond those relating to Organizer's event or where Consumers' Personal Data is Processed by
AddEvent to conduct research and analysis to enable AddEvent to improve its products and
features and provide targeted recommendations. With regard to such
Processing, AddEvent is an independent Data Controller and not a joint Data Controller with
Organizer.
To the extent that AddEvent Processes Personal Data as a Data Processor or Service Provider on
behalf of Organizer, Section 2 of this DPA shall apply, however, when AddEvent is acting as a
Business or Data Controller of Consumers' Personal Data, AddEvent's Processing shall not be
subject to this DPA.
1.3 Details about the Personal Data to be Processed by AddEvent and the Processing activities
to be performed under the Agreement are as follows: (i) duration - as set out in the Agreement;
(ii) nature, purpose and subject matter - to enable Organizer to organize and promote events
and manage ticketing using AddEvent Services; (iii) data categories - name, email address,
billing and payment information, information related to events booked and
attended, relationship to Organizer and any other Personal Data that Organizer requests of its
Consumers; (iv) data subjects - Consumers.
2. Data processing clauses.
2.1 Whenever AddEvent Processes Personal Data on behalf of Organizer, AddEvent shall:
2.1.1 Process Personal Data only on the documented instructions of Organizer, unless required to do
otherwise by applicable law. AddEvent shall inform Organizer of the legal requirement before
Processing Personal Data other than in accordance with Organizer's instructions, unless that same
law prohibits AddEvent from doing so on important grounds of public interest. AddEvent will not
retain, use, disclose or Sell Personal Data except as necessary to perform AddEvent’s obligations
under the Agreement, or as otherwise permitted by Applicable Law. Organizer will ensure that its
instructions comply with all laws, regulations and rules applicable to the Personal
Data, and that AddEvent’s Processing of such Personal Data will not cause AddEvent to violate
any applicable law, regulation or rule, including Data Protection Laws. AddEvent will notify
Organizer if in its opinion an
instruction is in breach of applicable Data Protection Laws. Organizer hereby instructs AddEvent,
and AddEvent hereby agrees, to Process Personal Data as necessary to perform AddEvent's obligations
under the Agreement and
for no other purpose, unless otherwise specified in this DPA or required to comply with the law or
other binding governmental order. In the event that this DPA or any actions to be taken or contemplated
in performance of this
DPA do not or would not satisfy either party’s obligations under applicable Data Protection Laws,
the parties shall negotiate in good faith upon an appropriate amendment to this DPA;
2.1.2 Have in place Technical and Organizational Security Measures which include, but are not
limited to, the measures described here:
https://www.addevent.com/security/;
2.1.3 Notify Organizer in the event of a Data Security Breach without undue delay, unless otherwise
prohibited by law or otherwise instructed by a law enforcement or data protection authority. In the
event of any Data Security
Breach, AddEvent shall provide reasonable assistance, where required by applicable Data Protection
Laws and at Organizer’s request, to enable Organizer to comply with its obligations as a Data Controller
or Business in
relation to data breach notification requirements;
2.1.4 Ensure that its personnel are subject to binding obligations of confidentiality with respect
to Personal Data of Consumers Processed by AddEvent on Organizer’s behalf;
2.1.5 Impose obligations on its sub-processors that have access to Personal Data of Consumers Processed
by AddEvent on Organizer’s behalf that are the same as or equivalent to those set out in this Section 2
by way of written
contract, and remain fully liable to Organizer for any failure by a sub-processor to fulfill its
obligations in relation to such Personal Data;
2.1.6 Provide reasonable assistance to Organizer in responding to individual rights requests or
other communications received under applicable Data Protection Laws from any applicable data protection
authority or Consumer who is
the subject of any Personal Data Processed by AddEvent on Organizer’s behalf. In the event that a
Consumer submits a Personal Data deletion request to AddEvent, Organizer hereby instructs and
authorizes AddEvent to delete
or anonymize the Consumer's Personal Data on Organizer's behalf;
2.1.7 Upon Organizer's written request, make available to Organizer all information reasonably necessary
to demonstrate its compliance with the obligations set out in this Section 2, provide reasonable
assistance with privacy
and data protection impact assessments and related consultations of data protection authorities,
and allow for and co-operate with any audits. Any on-site audits shall be: (i) permitted only on
reasonable advance notice to
AddEvent; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once
every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting
all other reasonable means; and
2.1.8 Except for that Personal Data with respect to which AddEvent acts as a Data Controller or
Business, return, delete, or destroy (at Organizer's election) the Personal Data of Consumers Processed
on Organizer’s behalf and
copies thereof, at Organizer's request (unless applicable law requires the storage of such Personal Data).
2.2 Organizer hereby consents and authorizes AddEvent to disclose or transfer Personal Data to, or
allow access to Personal Data by, AddEvent's current sub-processors (i.e. those listed on AddEvent's
website on the
Effective Date of this DPA or the Agreement, whichever is later) ("Current Sub-Processors") to Process
Personal Data on Organizer’s behalf.
2.3 Organizer hereby consents to AddEvent appointing additional and replacement sub-processors
("Replacement Sub-Processors") to Process Personal Data on Organizer’s behalf. AddEvent shall: (i)
give notice to Organizer of
the identity of Replacement Sub-Processors via AddEvent's website (Organizer is responsible for
regularly checking and reviewing AddEvent's website for any such changes and AddEvent's website
shall be the sole means of
AddEvent communicating any such changes); and (ii) give Organizer the opportunity to object to such
changes that take place after the Effective Date of the Agreement, in accordance with the terms that
follow in Section 2.4 of
this DPA.
For the avoidance of doubt, any termination rights available herein shall only apply in the
instance of objections to Replacement Sub-Processors appointed after the Effective Date of this
DPA that are not remedied in accordance
with the terms herein, and shall not apply in relation to Current Sub-Processors.
2.4 Organizer shall raise any objection to the appointment of Replacement Sub-Processors within
ten (10) days of AddEvent posting the changes on its website. Organizer shall send its objection to
privacy@addevent.com with the
subject line 'Objection to Replacement Sub-Processor'.
Provided that Organizer's objection: (i) concerns the Replacement Sub-Processor's ability to allow
AddEvent to materially comply with its data protection obligations under this DPA; and (ii) includes
sufficient detail to
support its objection and provides specific examples, AddEvent will then use commercially reasonable
efforts to review and respond to Organizer's objection within thirty (30) days of receipt of Organizer's
objection with
AddEvent's determined method of accommodation.
If AddEvent determines in its sole discretion that it cannot reasonably accommodate Organizer's
objection, upon notice from AddEvent, Organizer may choose to terminate the Agreement by providing
written notice to AddEvent,
and complying with the terms herein, which shall be Organizer's sole and exclusive remedy. Without
limiting the generality of the foregoing, Organizer's termination right under this Section 2.4 will
be deemed an additional
termination right of Organizer under the "Term and Termination" Section of the Agreement (if any) and
if exercised will be deemed a termination pursuant to such Section. Such written notice must be sent to
legal@addevent.com and must specifically
reference this Section 2.4 of the DPA. The day AddEvent receives an Organizer's written termination
notice under this
Section 2.4 will be referred to as the "Objection Date" in this DPA. Should Organizer choose to
terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this Section 2
shall relieve Organizer from any
of its payment and/or repayment obligations to AddEvent under the Agreement.
Without limiting AddEvent's other rights and remedies, if Organizer terminates the Agreement pursuant
to this Section 2.4, then Organizer will immediately pay to AddEvent (1) all amounts accruing and
owed to AddEvent,
including, without limitation, obligations to pay and/or repay AddEvent for Fees, Sponsorship Payments,
Advances, and/or Advance payments of Event Registration Fees, as such terms are defined in the Agreement
and only to the
extent applicable to Organizer, (2) if the Agreement includes a minimum number of tickets Organizer
must sell, a minimum amount of Event Registration Fees or AddEvent Services Fees that must be
processed (each such sales or
processing threshold, a "Minimum Threshold"), and/or a requirement to pay AddEvent the portion
of Service Fees AddEvent would have received had a Minimum Threshold been met, then Organizer
agrees to pay AddEvent an amount
equal to (x) the amount that AddEvent would have received in Service Fees had the Minimum Threshold
been met in each year of the term up to the date of such termination (with such Minimum Threshold
prorated as to any partial
year of the Term), less (y) the amount that AddEvent actually received in Service Fees attributable
to Organizer's sales during the Term up to the date of such termination; and (3) 80% of the
anticipated Fees AddEvent would
have earned during the remainder of the Term had the Agreement not been terminated with
respect to (x) events on sale on the Site as of the Objection Date, and (y) any future events
contemplated under the Agreement intended to
go live in the ninety (90) days following the Objection Date.
3. Cross-Border Transfers.
3.1 Organizer agrees that AddEvent may transfer Personal Data of Consumers to various locations
in connection with providing the Services. Transfers will be made in accordance with legally
enforceable transfer mechanisms where required by applicable Data Protection Laws.
3.2 For Organizers located in the European Economic Area/United Kingdom/Switzerland, AddEvent
agrees that it will be bound by the
Controller-to-Processor Standard Contractual Clauses.
For Organizers located in Argentina, transfers of applicable Personal Data of Consumers outside
of Argentina will be governed by the Argentine Model Clauses (Controller to Processor),
hereby incorporated by reference.
