Data Processing Addendum
The terms of this Data Processing Addendum ("DPA") are part of the EventsFrame Terms and Conditions, Privacy Policy and/or any other applicable services agreement between the Organizer ("you") and EventsFrame (the "Agreement").
In the event of a conflict between the Agreement and this DPA regarding processing of Personal Data, the provisions of this DPA shall prevail. In the event of a conflict between this DPA and any other provision of the Agreement between you and EventsFrame, this DPA will prevail; except where Organizer and EventsFrame have individually negotiated data processing terms that are different from this DPA and which meet the requirements of applicable Data Protection Laws in full, in which case those negotiated terms will control.
1. Definitions
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.1.2 "Business", "Data Controller", "Data Processor", "Data Subject", "Processing", "Personal Data", and "Service Provider" shall have the same meanings as in applicable Data Protection Laws.
1.1.3 "Data Security Breach" means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by EventsFrame on Organizer’s behalf as part of Organizer’s use of the Services.
1.1.4 "New EU SCCs" means the Standard Contractual Clauses issued pursuant to EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.1.5 "Old EU SCCs" means the Standard Contractual Clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of the Effective Date at http://data.europa.eu/eli/dec/2010/87/2016-12-17).
1.1.6 "Sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party, other than to a sub-processor pursuant to Section 2, for monetary or other valuable consideration.
1.1.7 "Services" means any services provided by EventsFrame to Organizer, as defined in the EventsFrame’s Terms and Conditions or any other applicable services agreement between Organizer and EventsFrame.
1.1.8 "Security Measures" means reasonable security measures implemented by EventsFrame appropriate to the type of Personal Data being Processed on Organizer’s behalf and the Services being provided by EventsFrame designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
1.1.9 "EU" means the European Union.
1.1.10 "EEA" means the European Economic Area.
2. Data processing scope
2.1 In using EventsFrame's Services, Organizer acts as a Business and is a Data Controller of the Personal Data associated with an individual using EventsFrame Services, or on whose behalf an individual is using EventsFrame Services, to register for or purchase a ticket to attend such Organizer's event ("Consumer"). Organizer represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such Personal Data from the Consumer.
2.2 Where EventsFrame Processes the Personal Data of Consumers on behalf of Organizer as part of the Services, EventsFrame is a Data Processor or Service Provider in performing such Processing and Organizer is the Data Controller or Business. This includes circumstances where EventsFrame obtains Personal Data as a result of the provision of its core ticketing services.
In respect of some processing of Consumers' Personal Data, EventsFrame may act as a Data Controller or Business, for example, where Consumers have engaged with aspects of EventsFrame's Applications beyond those relating to Organizer's event or where Consumers' Personal Data is Processed by EventsFrame to conduct research and analysis to enable EventsFrame to improve its products and features and provide targeted recommendations. With regard to such processing, EventsFrame is an independent Data Controller and not a joint Data Controller with Organizer.
To the extent that EventsFrame processes Personal Data as a Data Processor or Service Provider on behalf of Organizer, Section 2 of this DPA shall apply; however, when EventsFrame is acting as a Business or Data Controller of Consumers' Personal Data, EventsFrame's processing shall not be subject to this DPA.
2.3 Personal Data to be processed by EventsFrame and the Processing activities to be performed under the Agreement are to enable Organizer to organize and promote events and manage ticketing using EventsFrame Services by collecting these data categories - name, email address, billing and payment information, information related to events booked and attended, relationship to Organizer and any other Personal Data that Organizer requests from data subjects (Consumers).
3. Data processing clauses
3.1 Whenever EventsFrame processes Personal Data on behalf of Organizer, EventsFrame shall:
3.1.1 Unless required to do otherwise by applicable law, process Personal Data only on the documented instructions of Organizer. EventsFrame shall inform Organizer of the legal requirement before processing Personal Data other than in accordance with Organizer's instructions, unless that same law prohibits EventsFrame from doing so on important grounds of public interest. EventsFrame will not use, disclose or Sell Personal Data except as necessary to perform EventsFrame’s obligations under the Agreement, or as otherwise permitted by Applicable Law. Organizer will ensure that its instructions comply with all laws, regulations and rules applicable to the Personal Data, and that EventsFrame’s processing of such Personal Data will not cause EventsFrame to violate any applicable law, regulation or rule, including Data Protection Laws. EventsFrame might notify Organizer, if in its opinion, an instruction is in breach of applicable Data Protection Laws. Organizer hereby instructs EventsFrame, and EventsFrame hereby agrees, to process Personal Data as necessary to perform EventsFrame's obligations under the Agreement and for no other purpose, unless otherwise specified in this DPA or required to comply with the law or other binding governmental order. In the event that this DPA or any actions to be taken or contemplated in performance of this DPA do not or would not satisfy either party’s obligations under applicable Data Protection Laws, the parties shall negotiate in good faith upon an appropriate amendment to this DPA.
3.1.2 Have in place Security Measures.
3.1.3 Notify Organizer in the event of a Data Security Breach without undue delay, unless otherwise prohibited by law or otherwise instructed by a law enforcement or data protection authority. In the event of any Data Security Breach, EventsFrame, in its sole discretion, may provide data breach notification to affected data subjects directly. Where EventsFrame does not provide such notification, EventsFrame shall provide reasonable assistance, where required by applicable Data Protection Laws and at Organizer’s request, to enable Organizer to comply with its data breach obligations as a Data Controller or Business.
3.1.4 Take reasonable steps to ensure the reliability of personnel who may have access to the Personal Data of Consumers Processed by EventsFrame on Organizer’s behalf, ensuring that access is strictly limited to those individuals who need to access the relevant Personal Data, as necessary for the purposes of the Agreement, and to comply with applicable laws in the context of that individual’s duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
3.1.5 Impose obligations on its sub-processors that have access to Personal Data of Consumers Processed by EventsFrame on Organizer’s behalf that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain liable to Organizer for any failure by a sub-processor to fulfill its obligations in relation to such Personal Data.
3.1.6 Provide reasonable assistance to Organizer in responding to individual rights requests or other communications received under applicable Data Protection Laws from any applicable data protection authority or Consumer who is the subject of any Personal Data processed by EventsFrame on Organizer’s behalf. In the event that a Consumer submits a Personal Data deletion request to EventsFrame, Organizer hereby instructs and authorizes EventsFrame to delete or anonymize the Consumer's Personal Data on Organizer's behalf.
3.1.7 Upon Organizer's written request, make available to Organizer all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, provide reasonable assistance with privacy and data protection impact assessments and related consultations of data protection authorities, and allow for and co-operate with any audits. Any on-site audits shall be permitted only on reasonable advance notice to EventsFrame, be subject to appropriate confidentiality undertakings; and limited to once every three years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means.
3.1.8 Except for that Personal Data with respect to which EventsFrame acts as a Data Controller or Business, return, delete, or destroy (at Organizer's election) the Personal Data of Consumers processed on Organizer’s behalf and copies thereof, at Organizer's request (unless applicable law requires to store such Personal Data).
3.2 Organizer hereby consents and authorizes EventsFrame to disclose or transfer Personal Data to, or allow access to Personal Data by, EventsFrame's current sub-processors (i.e. those listed on EventsFrame's website on the Effective Date of this DPA or the Agreement, whichever is later) ("Current Sub-Processors") to process Personal Data on Organizer’s behalf.
3.3 Organizer hereby consents to EventsFrame appointing additional and replacement sub-processors ("Replacement Sub-Processors") to process Personal Data on Organizer’s behalf. EventsFrame shall inform Organizer of the identity of Replacement Sub-Processors by updating EventsFrame's website (Organizer is responsible for regularly checking and reviewing EventsFrame's website for any such changes). EventsFrame shall also give Organizer the opportunity to object to such changes that take place after the Effective Date of the Agreement. Organizer shall raise any objection to the appointment of Replacement Sub-Processors within ten days of EventsFrame posting the changes on its website. Organizer shall send its objection to [email protected] with the subject line 'Objection to Replacement Sub-Processor'. Provided that Organizer's objection: a) concerns the Replacement Sub-Processor's ability to allow EventsFrame to materially comply with its data protection obligations under this DPA; and b) includes sufficient detail to support its objection and provides specific examples, EventsFrame will then use commercially reasonable efforts to review and respond to Organizer's objection with EventsFrame's determined method of accommodation. If EventsFrame determines in its sole discretion that it cannot reasonably accommodate Organizer's objection, upon notice from EventsFrame, Organizer may choose to terminate the Agreement by providing written notice to EventsFrame, and complying with the terms herein, which shall be Organizer's sole and exclusive remedy. Such written notice must be sent to [email protected] and must specifically reference this Section of the DPA. The day EventsFrame receives an Organizer's written termination notice under this Section will be referred to as the "Objection Date" in this DPA. 
Should Organizer choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this Section 2 shall relieve Organizer from any of its payment and/or repayment obligations to EventsFrame under the Agreement.
4. Data Transfers
4.1 Organizer agrees that EventsFrame may transfer Personal Data of Consumers to various locations in connection with providing the Services. Transfers will be made in accordance with legally enforceable transfer mechanisms where required by applicable Data Protection Laws.
4.2 Regarding the transfer of Personal Data from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, and such law permits use of the Old EU SCCs but not use of the New EU SCCs, the Old EU SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the Old EU SCCs, until such time that the United Kingdom adopts new Standard Contractual Clauses, in which case the new Standard Contractual Clauses will control. For purposes of the Old EU SCCs, they shall be deemed completed as follows: a) The "exporters" and "importers" are the Parties and their Affiliates to the extent any of them is involved in such transfer, including those set forth in Annex I.A of the New EU SCCs; b) Clause 9 of the Old EU SCCs specifies that United Kingdom law will govern the Old EU SCCs; c) The content of Appendix 1 of the Old EU SCCs is set forth in Annex I.B of the New EU SCCs herein; d) The content of Appendix 2 of the Old EU SCCs is set forth in Annex II of the New EU SCCs herein.
4.3 Regarding the transfer of Personal Data from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner.
4.4 Regarding the transfer of Personal Data from the European Economic Area, the New EU SCCs incorporated herein shall apply and form part of this DPA. In the event of a conflict between any provision of the New EU SCCs and any provision of this DPA, the New EU SCCs shall prevail.
5. Governing Law and Jurisdiction
5.1 This Agreement is governed by the laws of Slovakia.
5.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Slovakia.