Data Sharing Agreement

Part 1  Data Protection Provisions

DEFINITIONS

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, processing and appropriate technical and organisational measures: as defined in the Data Protection Legislation.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR); the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder)  and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a party.

Domestic Law: the law of the United Kingdom or a part of the United Kingdom.

  1. DATA PROTECTION

1.1       Both parties will comply with all applicable requirements of the Data Protection Legislation. This paragraph 1 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.

1.2       Subject to paragraph 1.3, the parties acknowledge that each party may act as a Controller in relation to Personal Data processed in connection with this agreement and each party shall, at its own expense, ensure that it complies with and assists the other party to comply with the requirements of Data Protection Legislation.

1.3       The parties acknowledge that where the Supplier processes Personal Data on behalf of the Client in connection with this agreement, the Client is the Controller and the Supplier is the Processor for the purposes of the Data Protection Legislation and the remainder of this paragraph 1 shall apply. Part 2 of this Schedule 1 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data and categories of Data Subject.

1.4       Without prejudice to the generality of paragraph 1.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and/or lawful collection of the Personal Data by the Supplier on behalf of the Client for the duration and purposes of this agreement.

1.5       Without prejudice to the generality of paragraph 1.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement:

(a)        process that Personal Data only on the documented written instructions of the Client unless the Supplier is required by Domestic Law to otherwise process that Personal Data.

(b)        ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data;

(c)        ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

(d)        not transfer any Personal Data outside of the UK unless the prior written consent of the Client has been obtained and the following conditions are fulfilled:

(i)         the Client or the Supplier has provided appropriate safeguards in relation to the transfer;

(ii)        the data subject has enforceable rights and effective legal remedies;

(iii)       the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

(iv)       the Supplier complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;

(e)        assist the Client, at the Client's cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(f)         notify the Client without undue delay on becoming aware of a Personal Data Breach;

(g)        at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of the agreement unless required by Domestic Law to store the Personal Data; and

(h)        maintain complete and accurate records and information to demonstrate its compliance with this paragraph 1.5.

1.6       The Client consents to the Supplier appointing the Ticket Factory as a third-party processor of Personal Data under this agreement. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those set out in this paragraph 1.5 and in either case which the Supplier confirms reflect and will continue to reflect the requirements of the Data Protection Legislation. As between the Client and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this paragraph 1.6.

1.7       Either party may, at any time on not less than 30 days’ notice, revise this paragraph 1 by replacing it with any applicable controller to processor standard paragraphs or similar terms adopted by the Information Commissioner or forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

Part 2  - Processing, Personal Data and Data Subjects

  1. Processing by the Supplier

1.1       Scope / Nature - may include:

  • receiving data, including collection, accessing, retrieval, recording, and data entry;
  • holding data, including storage, organisation and structuring;
  • updating data, including correcting, adaptation, alteration, alignment and combination;
  • protecting data, including restricting, encrypting, and security testing;
  • sharing data, including disclosure, dissemination, allowing access or otherwise making available;
  • returning data to the Client or data subject;
  • erasing data, including destruction and deletion.

1.2       Purpose of processing - to enable the Supplier to perform its obligations under the Contract and so that Client to organise and promote events and manage ticketing through the use of the Supplier’s services.

1.2       Duration of the processing – for the duration of this Contract unless otherwise required by law.

  1. Types of Personal Data - name, email address, postal address, phone number, billing and payment information.
  2. Categories of Data Subject – Client representatives and employees, event attendees (end-customers).