Data Processing Addendum

Last Updated: September 16, 2022

1. Definitions

In this Data Protection Addendum:

1.1    The terms “process/processing”, “data subject”, “processor”, “controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;

1.2   “Addendum” means this Data Processing Addendum;

1.3   “Client” means the “Client”, “Customer” or similarly defined party under the Order Form (whether in its capacity as controller, or as processor for its client);

1.4   “Data Protection Laws” means all applicable data protection and privacy laws in force from time to time which apply to a party relating to the processing of Protected Data, including:

(i) in the EU, the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and EU Directive 2002/58/EC on privacy and electronic communications, as transposed into domestic legislation of each Member State;

(ii) in the UK, the retained version of the EU GDPR as enacted into UK law (“UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended); and

(iii) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities;

in each case, together with all laws implementing, replacing, amending or supplementing the same and any other applicable data protection or privacy laws;

1.5     “EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland and Liechtenstein;

1.6     “EU Processor SCCs” means module two of the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision C(2021) 3972, or any set of clauses approved by the European Commission which amends, replaces or supersedes them;

1.7     “EU Sub-processor SCCs” means module three of the standard contractual clauses for the transfer of personal data to sub-processors established in third countries, as approved by the European Commission in Decision C(2021) 3972, or any set of clauses approved by the European Commission which amends, replaces or supersedes them;

1.8     “Order Form” means the subscription services agreement between the Client and the Vendor into which this Addendum is incorporated;

1.9     “Protected Data” means any personal data, as defined in Data Protection Laws, which is processed by the Vendor on behalf of the Client in the course of providing the Services;

1.10     “Services” means the services described in the Order Form;

1.11     “Standard Contractual Clauses” means the International Data Transfer Agreement being the Standard Data Protection Clauses under S119A(1) Data Protection Act 2018;

1.12     “Sub-processor” means any processor (including any affiliate of the Vendor) appointed by the Vendor to process Protected Data on behalf of the Client;

1.13     “Supervisory Authority” means any regulatory authority responsible for the enforcement of Data Protection Laws;

1.14     “Vendor” means AudienceView Ticketing Corporation, which party is generally defined as either “Vendor” or “AudienceView” under the Order Form (as processor or sub-processor for the Client).

2. Applicability of this Addendum

2.1      This Addendum shall apply only to the extent that the Vendor carries out processing on the Client’s behalf of Protected Data to which the EU GDPR or UK GDPR applies.

3. Processing of the Protected Data

3.1      The parties acknowledge that the Client is the controller and the Vendor is a processor in relation to the Protected Data.

3.2     Each party shall at all times in relation to the processing of Protected Data comply with Data Protection Laws.

3.3     The Vendor shall only process Protected Data for the purposes of the provision of the Services or otherwise in accordance with the Client’s documented instructions (whether in the Order Form or otherwise) unless required to do so by applicable law to which the Vendor is subject; in such a case, the Vendor shall inform the Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.4     The processing to be carried out by the Vendor under this Addendum shall comprise the processing set out in Annex 1, and such other processing as may be agreed by the parties in writing from time to time.

3.5     The Client warrants to and undertakes with the Vendor that all data subjects of the Protected Data have been or will be provided with appropriate notices and information to establish and maintain for the relevant term the necessary legal grounds under Data Protection Laws for transferring the Protected Data to the Vendor to enable the Vendor to process the Protected Data in accordance with this Addendum and the Order Form.

4. Processor Personnel

4.1     The Vendor shall treat Protected Data as strictly confidential and shall inform all its employees, agents, contractors and Sub-processors engaged in processing the Protected Data of the confidential nature of such Protected Data.

4.2     The Vendor shall take reasonable steps to ensure the reliability of any employee, agent, contractor and Sub-processor who may have access to the Protected Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Protected Data, as necessary for the purposes set out in Section 3 above in the context of that person’s or party’s duties to the Vendor.

4.3     The Vendor shall ensure that all such persons or parties involved in the processing of Protected Data are subject to:

4.3.1     confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and

4.3.2     user authentication processes when accessing the Protected Data.

5. Security

5.1     The Vendor shall implement appropriate technical and organisational measures to ensure a level of security of the Protected Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Protected Data transmitted, stored or otherwise processed.

6. Sub-Processing

6.1     The Client hereby provides its general authorisation to the Vendor to engage any Sub-processor selected by the Vendor provided that the Vendor shall use only Sub-processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of Data Protection Laws and this Addendum.

6.2     As at the date of the Order Form or (if later) implementation of this Addendum the Sub-processors engaged by the Vendor are listed as referred to in Annex 2, as such list may be updated from time to time pursuant to Section 6.3.

6.3     Subject to Section 6.4, the following shall apply in the event of the addition or replacement of a Sub-processor.

6.3.1    The Vendor shall give the Client not less than thirty (30) days’ prior written notice of any intended change concerning the addition or replacement of a Sub-processor. Each such notice shall include details of the processing activities to be undertaken by the additional or replacement Sub-processor and the identity and location of the Sub-processor.

6.3.2    If the Client objects to the appointment or replacement of a Sub-processor in writing (which shall include Client’s reasonable data protection grounds for such objection) within ten (10) days after the notice under Section 6.3.1, the Vendor may, at its option, suggest a commercially reasonable change, if available, to the Client’s use of the Services so that the relevant Sub-processor is not used in provision of the Services. If Client does not object during such time period, the new Sub-processor(s) shall be deemed accepted.

6.3.3    For the purposes of this Section, notices may be provided electronically.

6.4     The Vendor may replace or appoint a Sub-processor without prior written notice to the Client if the need to do so is urgent and necessary to provide the Services and the reason for the change is beyond the Vendor’s reasonable control. In such event, the Vendor shall notify the Client of the replacement or appointment as soon as reasonably practicable, and the Client shall have the right to object pursuant to Section 6.3.

6.5      With respect to each Sub-processor engaged by the Vendor, the Vendor shall:

6.5.1    include terms in the contract between the Vendor and each Sub-processor which are substantially similar to those set out in this Addendum so far as referred to in Article 28(3) EU GDPR or UK GDPR (as applicable), and shall supervise compliance therewith; and

6.5.2    remain fully liable to the Client for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Protected Data.

7. Data Subject Rights

7.1     The Vendor shall without undue delay, and in any case within three (3) working days, notify the Client if it receives a request from a data subject under any Data Protection Laws in respect of Protected Data, including requests by a data subject to exercise rights in Chapter III EU GDPR or UK GDPR (each being a “Data Subject Request”), and shall provide full details of that request.

7.2     The Vendor shall, taking into account the nature of the processing, assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to Data Subject Requests.

8. Incident Management

8.1     In the case of a personal data breach involving Protected Data, the Vendor shall without undue delay notify the personal data breach to the Client providing the Client with sufficient information which allows the Client to meet any obligations to report a personal data breach under Data Protection Laws. Such notification shall at a minimum:

8.1.1     describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of Protected Data records concerned;

8.1.2     communicate the name and contact details of the Vendor’s data protection officer or other relevant contact from whom more information may be obtained;

8.1.3     describe the likely consequences of the personal data breach; and

8.1.4    describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.2     The Vendor shall, at the Client’s request, taking into account the nature of processing and the information available to the Vendor, assist the Client in respect of the personal data breach in order to meet any requirement under Data Protection Laws.

8.3     The Vendor’s obligation to report a personal data breach and assist the Client under this Section 8 will not be construed as an acknowledgment by the Vendor of any fault or liability with respect to the personal data breach.

8.4     The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The Vendor shall not inform any third party without first obtaining the Client’s prior written consent, unless notification is required by law to which the Vendor is subject, in which case the Vendor shall to the extent permitted by such law inform the Client of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Client before notifying the personal data breach.

9. Data Protection Impact Assessment

9.1     The Vendor shall, at the Client’s request, taking into account the nature of processing and the information available to the Vendor, provide reasonable assistance to the Client with any data protection impact assessments and any consultations with any Supervisory Authority of the Client as may be required in relation to the processing of Protected Data by the Vendor on behalf of the Client.

10. Deletion or Return of Protected Data

10.1     Upon request made by the Client within thirty (30) days of the earlier of: (i) cessation of processing of Protected Data by the Vendor; or (ii) termination of the Order Form, the Vendor shall, at Client’s election, delete all Protected Data or return all Protected Data to the Client (the latter may be fulfilled by making the Protected Data available to Client for retrieval).

10.2     If the Client does not make an election within such thirty (30) day period, the Vendor shall securely dispose of Protected Data and delete all copies of it (except to the extent that any applicable law requires the Vendor to retain a copy of such Protected Data) and Client acknowledges that the Vendor will have no obligation to maintain or provide such Protected Data.

11. Audit Rights

11.1     The Vendor shall make available to the Client on request all information necessary to demonstrate compliance with this Addendum and Data Protection Laws.

11.2     The Vendor shall permit the Client or another auditor mandated by the Client during normal working hours and on reasonable prior notice to inspect, audit and copy any relevant records, processes and systems in order that the Client may satisfy itself that the provisions of Data Protection Laws and this Addendum are being complied with.

12. International Transfers

12.1     The Client acknowledges and agrees that the Vendor may, in the course of providing the Services, process, access or store (or permit any Sub-processor to process, access or store) Protected Data outside the UK or EEA (as applicable), provided that such processing takes place in accordance with the requirements of Data Protection Laws.

12.2    Transfers of Protected Data to the Vendor (and any of its Sub-processors) in Canada take place on the basis of European Commission Decision 2002/2/EC that Canada offers an adequate level of data protection.

12.3     In respect of any processing of Protected Data in a country outside of the EEA or UK (as applicable) which is not recognised under Data Protection Laws as having an adequate level of protection, where requested by the Client, the Vendor shall:

12.3.1     if the Protected Data is subject to EU GDPR, enter into the EU Processor SCCs with the Client and, if the processing is carried out by a Sub-processor, enter into the EU Sub-processor SCCs with the relevant Sub-processor; or

12.3.2    if the Protected Data is subject to UK GDPR, enter into (or procure that any Sub-processor enters into) an agreement with the Client (or, where the Client is a processor for its controller customer, with the controller customer) on Standard Contractual Clauses.

12.4     The Client shall ensure that:

12.4.1    the Client is entitled to transfer the Protected Data to the Vendor so that the Vendor may lawfully use, process, and transfer the Protected Data in accordance with the Order Form on the Client’s behalf; and

12.4.2    all transfers of the Protected Data by the Client to the Vendor shall (to the extent required under Data Protection Laws) be effected by way of adequate safeguards and in accordance with Data Protection Laws.

13. Liability

13.1     If a party receives a compensation claim from a person relating to processing of the Protected Data under this Addendum, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

13.1.1     make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

13.1.2    consult fully with the other party in relation to any such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible for paying the compensation.

13.2     The disclaimers, liability exclusions and limitations of liability set out under the Order Form shall apply also to this Addendum.

14. Costs

14.1    The Client shall pay any reasonable costs and expenses incurred by the Vendor in meeting the Client’s requests made under this Addendum.

15. Miscellaneous

15.1    Any obligation imposed on the Vendor under this Addendum in relation to the processing of Protected Data shall survive any termination or expiration of the Order Form.

15.2    With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Order Form and any provision of this Addendum, the provision of this Addendum shall prevail.

15.3    If the EU Processor SCCs or the Standard Contractual Clauses apply pursuant to Section 3, then in the event of any conflict or inconsistency between the Order Form or this Addendum and the EU Processor SCCs or Standard Contractual Clauses, the EU Processor SCCs or Standard Contractual Clauses shall prevail.

Annex 1: Details of Processing of Personal Data

This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.

Subject matter and duration of the processing of Personal Data
For the term of the Order Form (including any renewals or extension thereof) and up to 1 year after termination or expiration of the Order Form.

The nature and purpose of the processing of Personal Data
Processing of ecommerce transactions, such as ticketing tickets and subscriptions, related to live events, and other related services, in connection with and for the purpose of the provision of Services to Client under the terms of the Order Form.

The types of Personal Data to be processed
The categories of personal data are determined by the Client in its sole discretion and may include but are not limited to: first and last name, contact information (e.g. email, phone, physical address), network connection data, device identification data, personal data for the purposes of access control and e-commerce delivery, credit card information, personalization and preference settings data, services usage data, delivery location information, and marketing communication consent data.

The categories of data subject to whom the Personal Data relates
Personal Data relates to Client end-users/customers and/or Client system users.

Annex 2: Authorised Sub-Processors

The Vendor maintains a list of Sub-processors at: audienceview.com/subprocessors