This Data Processing Addendum ("DPA") specifies the obligations of the Parties in relation to the Processing of Personal Data of which the Client is the Controller, or in respect of which the Client has a Processing or sub-processing relationship with the Controller, for the purposes of the applicable Data Protection Laws, within the scope of and related to the Agreement for the provision of Services between the Parties.
1.1 Except where set forth otherwise, the following terms shall have the following meanings:
Data Protection Laws: the Data Protection Laws of the country in which Client is established and any Data Protection Laws applicable to Client and/or Global Ticket in connection with the Agreement.
Personal Data: any information relating to an identified or identifiable natural person (‘Data Subject’) that is Processed by Global Ticket in its role as Processor as part of providing the Service to Client under the Agreement. Processing/to Process: any operation or set of operations which is performed on Personal Data, whether or not by automatic means, including collecting, accessing, storing, using, combining, transferring, disclosing or deleting of Personal Data.
Technical and Organizational Measures: measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access and against all other unlawful forms of Processing.
Personal Data Breach: a breach of security leading to the accident or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
The expressions such as, ‘Data Subject’, ‘Processor’, ‘Controller’, ‘data protection impact assessment’, etc. shall have the meaning ascribed to them in the Data Protection Laws.
1.2 References in Part II of these terms and conditions to the Data Protection Laws shall be replaced with or incorporate references to any laws replacing or amending those Data Protection Laws, and the equivalent terms defined in such laws, once in force and applicable.
1.3 Notwithstanding anything in Part II of these terms and conditions, Global Ticket will have the right to collect, extract, compile, synthesize and analyze non-personal identifiable data or information resulting from Client's use or operation of the Services including, by way of example and without limitation, information relating to volumes, frequencies, bounce rates, or any other information regarding use of the Global Ticket System (“Service Data”) that Client or its Visitors generate and send using the Services. To the extent any Service Data is collected or generated by Global Ticket such data will be solely owned by Global Ticket and may be used by Global Ticket for any lawful business purpose without a duty of accounting to Client, provided that such data is used only in an aggregated form, without directly identifying any person. For the avoidance of doubt, Part II of these terms and conditions will not apply to Service Data.
1.4 In case of any conflict, the provisions of this Part II of these terms and conditions concerning Processing of Personal Data shall take precedence over the other provisions of this Agreement. Where individual provisions of this Part II are invalid or unenforceable, the validity and enforceability of the other provisions shall not be affected.
2.1 Compliance
2.1.1 Client shall, in its use of the Service, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data.
2.1.2 Client shall maintain accurate and complete records of the use of the Service under the Agreement during the term and as required under the Data Protection Laws. Upon reasonable written notice, Client shall provide information as requested and where required by Global Ticket and/or any regulator or other competent authority. Without limiting the generality of any other provision of the Agreement, prior to using the Service, Client shall obtain verifiable informed consent of the End Users or be able to provide confirmation of the lawful basis for Processing in accordance with applicable legislation and regulations, and shall maintain a record of each such consent and/or lawful basis.
3.1 Instructions 24.1.1 Global Ticket shall Process Personal Data in accordance with this Part II and the Agreement, and for the purposes and in the manner specified by Client from time to time in the Agreement and further instructions within the scope of the Agreement.
3.1.2 In case Global Ticket is required to Process Personal Data under mandatory law as specified in this Part II or the Agreement, Global Ticket shall for those purposes be considered an independent controller. If Global Ticket is required to Process Personal Data under mandatory law Global Ticket shall inform Client hereof in writing before Processing unless the law prohibits providing such information.
3.2 Technical and Organizational Measures
3.2.1 Taking into account the state of the art, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Global Ticket shall implement appropriate Technical and Organizational Measures (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data) to ensure a level of security appropriate to the risk. Up to date information regarding Technical and Organizational Measures can be found on Global Ticket.com/about-Global Ticket/security-compliance/.
3.2.2 Global Ticket shall test, assess and evaluate the effectiveness of Technical and Organizational Measures for ensuring the security of the Processing on an ongoing basis. Global Ticket shall continuously enhance and improve Technical and Organizational Measures.
3.3 Personnel requirements
Global Ticket ensures that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.4 Confidentiality
Global Ticket agrees that it shall maintain the Personal Data in confidence. In particular, Global Ticket agrees that it shall not disclose any Personal Data supplied to Global Ticket by, for, or on behalf of Client to any third party without Client's prior written consent, except as foreseen and required for the performance of the Service under the Agreement or mandatory law.
3.5 Data Subject Rights
3.5.1 Where Client so instructs Global Ticket, Global Ticket shall transfer, correct, delete or block Personal Data if Client receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”).
3.5.2 Global Ticket shall promptly notify Client if Global Ticket receives a Data Subject Request. Taking into account the nature of the Processing, Global Ticket shall assist Client, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws. Global Ticket shall assist Client in responding to such Data Subject Request, to the extent Global Ticket is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Client shall be responsible for any costs arising from Global Ticket’s provision of such assistance.
3.6 Assistance with Client’s compliance
Global Ticket shall provide to Client further assistance reasonably required to ensure compliance with Client's obligations under Data Protection Laws, including with respect to: (a) data protection impact assessment, by providing such information and cooperation as Client may require for the purpose of assisting Client in carrying out a data protection impact assessment and periodic reviews to assess if the Processing of Personal Data is performed in compliance with the data protection impact assessment; (b) prior consultation with a data protection supervisory authority regarding high risk Processing.
3.7 Compliance, information and audit
3.7.1 Global Ticket has obtained the third-party certifications set forth in the Security & Compliance section on the website of Global Ticket, which provides information on Technical and Organizational Measures and data security. Upon Client’s written request, and subject to the confidentiality obligations set forth in the Agreement, Processor shall make available to Client, that is not a competitor of Global Ticket (or Client’s independent, third-party auditor that is not a competitor of Global Ticket) a copy of Global Ticket’s then most recent third-party certifications and information regarding the IT architecture and security, as applicable and reasonably requested.
3.7.2 Client has the right to appoint an accredited external expert at most once per year to audit the procedures regarding the data Processing for Client. Global Ticket will cooperate with such audit upon a reasonable prior written notice of no less than ten working days. Client shall reimburse Global Ticket for any time expended by Global Ticket for any such audit at Global Ticket’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such audit, the Parties shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible.
3.7.3 Global Ticket is entitled to request that the external expert signs a confidentiality declaration in favor of Global Ticket. The confidentiality declaration shall contain the terms and conditions that are usual for this type of declaration. Any report or statement provided by the external expert shall be made available to Global Ticket. Client shall ensure that the audit hinders Global Ticket 's operations as little as possible.
3.8 Records Global Ticket shall maintain complete, accurate and up to date records of Processing activities carried out on behalf of its Clients.
3.9 Affiliates and Sub-processors
3.9.1 Some or all of Global Ticket’s obligations under the Agreement may be performed by Affiliates of Global Ticket. Global Ticket and its Affiliates have entered into intra-company arrangements, under which its Affiliates Processing Personal Data adopt safeguards consistent with those of Global Ticket. Global Ticket is responsible for compliance of its Affiliates' with this Agreement.
3.9.2 Client acknowledges and agrees that (a) Global Ticket’s Affiliates may be retained as sub-processors; and (b) Global Ticket and Global Ticket’s Affiliates respectively may engage third-party sub-processors in connection with the provision of the Services, provided always that Global Ticket or a Global Ticket Affiliate has entered into a written agreement with each sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Personal Data to the extent applicable to the nature of the Service provided by such sub-processor. The sub-processors in place at the outset of this Agreement is Sendgrid Inc. to provide e-mail services. If Global Ticket wishes to appoint a new sub-processor, is shall notify Client in writing. If Client objects, on reasonable grounds related to data protection, to the appointment of a new sub-processor within 30 days of this notification and Global Ticket nevertheless elects to use such sub-processor to deliver the Services, Client may terminate the Agreement by providing written notice to Global Ticket.
3.9.3 Global Ticket shall be responsible for each of its sub-processors to the same extent Global Ticket would be responsible if performing the services of each sub-processor directly under the terms of the Agreement.
3.10 Breach Notification
In respect of a Personal Data Breach, Global Ticket shall:
(a) notify Client of a Personal Data Breach involving Global Ticket or a sub-contractor without undue delay (but in no event later than forty-eight hours after becoming aware of the Personal Data Breach).
(b) provide reasonable cooperation and assistance to Client in relation to any action to be taken in response to a Personal Data Breach, including regarding any communication of the Personal Data Breach to the Data Subject and data protection authorities. Global Ticket will promptly investigate a Personal Data Breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, Global Ticket will provide Client with a description of the Personal Data Breach, the type of data that was the subject of the Personal Data Breach, and other information Client may reasonably request. The Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected Data Subjects and/or the relevant data protection authorities.
Global Ticket shall Process and retain data, including Personal Data, in accordance with the Client’s instructions. The Personal Data shall be retained for no longer than is necessary for providing the Services under the Agreement, for the purposes as states in Part I and as far as required under Applicable Law. Global Ticket shall return or delete, at Client’s option, any remaining Personal Data upon termination of this Agreement, unless prevented by Applicable Law.
5.1 Nature and Purpose of Processing Global Ticket will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Agreement, and as further instructed by Client in its use of the Services.
5.2 Categories of Data Subjects Client may submit data to Global Ticket in using the Service, the content of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
• Visitors;
• Employees, contractors, advisors, freelancers or persons hired by (clients of) Client;
• Contact persons of Client’s prospects, Clients and business partners;
• Client’s users authorized by Client to use the Services.
5.3 Type of Personal Data Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: First and last name, Contact information (, address, email, phone), IP address.
The Personal Data is Processed for the following purposes: Provision of the Services as detailed in the Agreement, handling complaints and disputes, providing information to emergency services, preventing fraud and criminal activities on Global Ticket’s platform.