Data Processing Agreement
This Data Processing Agreement, including its appendices (together, DPA), forms part of our Terms and Conditions for Organisers agreed between you (Event Organiser, you or your) and us (FIXR, us, our or we) pursuant to which we provide services (Services) which you accept when entering into a service agreement with us or using our self-service platform (Agreement).
The purpose of this DPA is to ensure that proper arrangements are in place relating to the personal data to be processed by FIXR on your behalf in connection with the provision of the Services and that such personal data is processed in accordance with Data Protection Law.
You authorise us for the purposes and the duration of the Agreement to process the personal data necessary for us to provide the Services. The details of the Processing entrusted to us are specified in Appendix 1. Each party acknowledges and agrees that a violation of this DPA constitutes a material breach of the Agreement.
By accepting our Services, you will be deemed to have agreed and accepted the terms of this DPA.
In accordance with the terms of the Agreement, this DPA applies only to the personal data we process in providing the Services as processor and does not apply to our processing of personal data of which we are the controller. For the purpose of this DPA, we are the processor and you are the controller of personal data (in each case, as defined below).
The following definitions, in addition to those terms defined in bold above, shall apply to this DPA.
Customer: an individual or individuals who purchase tickets from you via the Platform.
Data Protection Law(s): all applicable laws relating to the processing of personal data, data privacy, electronic communications, marketing and/or data security including the GDPR, UK GDPR, the Data Protection Act 2018, The Privacy and Electronic Communications (EC Directive) Regulations 2003 in each case as from time to time in force and as from time to time amended, extended, consolidated, re-enacted, replaced, superseded or otherwise converted, succeeded, modified or incorporated into law.
GDPR: EU Regulation (EU) 2016/679 more commonly known as the General Data Protection Regulation.
Platform: our website; mobile applications; Entry Manager application; and Content Management System used by Event Organisers (including features contained within this which can be used by Event Organisers for their events, including but not limited to, ticket widgets and "ticket shop" functionality).
Sub-Processor: means any third party (other than our employees) engaged by us to carry out any processing activities in respect of Customer personal data.
UK GDPR: the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by any existing or subsequent legislation of England and Wales from time to time).
The terms controller, processor, personal data, processing and third country shall have the meaning given in the Data Protection Laws.
1 OUR OBLIGATIONS
We agree that we will perform the Services in accordance with the Data Protection Laws. In particular we agree that we shall:
1.1 process the personal data only on your instructions and only for the purposes of carrying out the Services;
1.2 only process the personal data within the United Kingdom and will not transfer the personal data outside of the United Kingdom without your prior consent;
1.3 at all times ensure that all employees and other representatives accessing the personal data are aware of the terms of this DPA, have received appropriate training in relation to the Data Protection Laws and associated practices and have agreed to keep the personal data confidential at all times;
1.4 put in place and will maintain at all times during the operation of this DPA, such technical, operational and organisational measures as are necessary to ensure that an appropriate level of security is maintained, and will at all times as a minimum comply with security of processing requirements set out in Article 32 of the UK GDPR. We also agree that these security measures will remain in place for so long after the termination of the Agreement as is necessary in order to protect the confidentiality of the personal data;
1.5 not sub-contract the provision of any of the Services or involve any third party in the processing of the personal data without your prior consent (save as set out in clause 2 below). In the event that consent is given for a third party to process the personal data, we agree that the third party must also enter into a Data Processing Agreement containing the relevant provisions set out in this DPA and referred to in Article 28 of the UK GDPR;
1.6 in the event that we are required to respond to requests from individuals exercising their rights as set out in Chapter 3 of the UK GDPR, including but not necessarily limited to the rights to erasure, rectification, access, restriction, portability, objection and not being subject to automated decision making, then we shall, so far as it is possible to do so, assist you in dealing with those requests within such time limits as are appropriate in the circumstances;
1.7 taking into account the nature of the processing and the information available to us, we shall assist you in ensuring compliance with the obligations set out in Articles 32 to 36 of the UK GDPR in relation to the security of the processing, the notification of a personal data breach to the supervisory authority, the communication of a personal data breach to the data subject, the carrying out of a data protection impact assessment or a consultation with the Information Commissioner’s Office in connection with such an assessment;
1.8 upon your request, safely delete or return the personal data at any time and will, in any event, securely delete the personal data or return the same to you at the end of the Agreement (save where we are also the controller of that personal data which falls outside the scope of this DPA);
1.9 if requested to delete the personal data then, unless there is a legal obligation upon us to retain such personal data (or we are also a controller of the personal data which sits outside the scope of this DPA), this shall be taken to include the destruction of all existing copies;
1.10 upon request, make available to you all information necessary to demonstrate compliance with the obligations laid down under this DPA. We shall, in addition, permit and contribute to any audits, inspections or other verification exercises as shall be reasonably required by you from time to time;
1.11 maintain at all times a record of all categories of processing activities carried out on your behalf, which will contain:
1.11.1 our name and contact details, your name and contact details and, where applicable, details of the data protection officer or manager of each;
1.11.2 the categories of processing carried out on your behalf;
1.11.3 where applicable, details of transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the UK GDPR, the documenting of suitable safeguards; and
1.11.4 where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the UK GDPR;
1.12 maintain the integrity of the personal data, without alteration, ensuring that the personal data can be separated from any other information created; and
1.13 immediately contact you in the unlikely event that there is any personal data breach or incident where the personal data, or the confidentiality of any person, may have been compromised.
2 SUB PROCESSORS
2.1 You consent and authorise us to use those Sub-Processors listed in Appendix 1 to process personal data on your behalf subject to and in accordance with the terms of this Agreement.
2.2 You hereby acknowledge and agree that we may update the list of Sub-Processors contained in Appendix 1 from time to time as necessary for us to provide our Services. We shall give notice to you when updating this list by updating our website. You hereby acknowledge and agree that it is your responsibility to check our website and inform us of any objections you have to any newly appointed Sub-Processor processing personal data on your behalf and that in the absence of any such objection you hereby consent to us appointing any such replacement or additional Sub-Processor to process personal data on your behalf. Any objections should be sent to us by e-mail within 10 business days of us updating our website and should be sent to us by e-mail at [email protected] with the subject heading “Sub-Processor Objection”. Upon receipt of any such objection, we shall contact you within a reasonable timeframe to discuss your objection.
2.3 We shall enter into a legally binding contract with each Sub-Processor that, in each case, contains enforceable obligations on the same or equivalent terms as those contained in this Agreement (including providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of Data Protection Laws) and shall ensure that the Sub-Processor complies with the terms of such contract. We shall be liable for the acts and omissions of each Sub-Processor and acknowledge that the appointment of any Sub-Contractor shall not relieve us of our obligations under this Agreement.
This DPA may be varied by us from time to time and we will contact you in writing if we vary the terms. Any variation shall comply with Data Protection Laws.
4 COMPLIANCE WITH THE UK GDPR
Nothing in this Agreement nor in any other dealings between FIXR and the Event Organiser is to be taken as relieving or exonerating us from all or any responsibilities under the UK GDPR and we shall ensure that all necessary steps to ensure such compliance have been, and will continue to be, taken.
The parties to this DPA shall indemnify, defend, protect, hold harmless, and release to the other, its officers, agents, and employees, from and against any and all direct claims, loss, proceedings, damages, causes of action, liability, costs, or expense, including legal and related fees, arising from, or in connection with, or caused by, any act, failure to act, or negligence of such indemnifying party, in particular, any failure by the indemnifying party to observe and comply with the provisions of this DPA and the Data Protection Laws.
This DPA will remain in full force and effect so long as the Agreement remains in effect or we retain any of the personal data related to the Agreement in our possession or control. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect the personal data will remain in full force and effect.
APPENDIX 1: DETAILS OF THE PROCESSING CARRIED OUT BY FIXR PURSUANT TO THIS DPA
Controller: Event Organiser
Nature and Purpose of Processing:
For the purpose of carrying out the FIXR services in accordance with the terms of the Agreement.
Duration of Processing:
For the term and duration of the Agreement and during any period where you accept our Services.
Categories of Data Subjects:
- Persons who purchase tickets to an Event Organiser’s event using the FIXR Platform;
- Persons who follow an Event Organiser using the FIXR Platform;
- Persons who communicate with an Event Organiser or with us in relation to an Event Organiser (including one of their events) using the FIXR Platform;
- Persons who gain entry to an Event Organiser’s event where the Event Organiser uses the FIXR Entry Management Application;
- Persons we communicate with who are your former, current and future employees, staff, consultants, contractors, temporary agency workers or interns; and
- Persons who visit the FIXR website, social media sites, mobile applications and who interact with FIXR’s digital properties.
Types of personal data:
- Identity Data: A Customer’s first name, surname, date of birth, gender, location, student ID or similar identifier;
- Contact Data: A Customer’s billing address, delivery address, home address, postcode, email address and telephone numbers;
- Financial Data: A Customer’s bank details and payment card information;
- Technical Data: A Customer’s device properties, including, but not limited to Media Access Control (MAC) address and identifier for advertising (IDFA) or other device identifier; (ii) device software platform and firmware; (iii) mobile phone carrier; (iv) geographical data such as coarse location;
- Usage Data: Information about the pages or sections a Customer has visited on the Platform;
- Marketing and Communications Data: a Customer’s preferences in receiving marketing data from you and their communications preferences; information a Customer provides to us when they contact us by phone, email, post, or when they communicate with us online or via social media to discuss your event or a ticket they have purchased from you (e.g., with a query, complaint or refund request); information about electronic communications a Customer receives from us about you or your event (including whether that communication has been opened and if they have clicked on any links within that communication); and answers a Customer provides when they respond to your competitions, votes and surveys (where applicable);
- Geodemographic Data: such as age range, gender, location; and
- Other: Any other data a Customer provides in answer to questions asked by you using the Platform.
List of Authorised Sub-processors:
- Amazon Web Services, Inc.
- Google, LLC (Google G-Suite, Google Cloud and Google Analytics)
- HubSpot, Inc.
- Braze, Inc.
- PayPal, Inc.
- Stripe, Inc.
- Slack Technologies, Inc.
- Facebook, Inc.