Eventbrite EU Data Protection

Updated by Antwonne D.

Last updated: 3 April 2018

Eventbrite takes data privacy and security very seriously. We take steps to make sure that we comply with our data privacy law obligations in the EU (primarily, the Data Protection Directive 95/46/EC (as implemented into the national laws of EU Member States) and the General Data Protection Regulation ("GDPR") beginning in May of 2018), and make it easy for our Organisers to comply with their respective obligations too. With GDPR set to take effect in May 2018, Eventbrite updated our data privacy program so that we, and our Organisers, are comfortable that we will meet the new requirements. Here are a few highlights.

TIP: To learn more about Eventbrite's Legal Terms, take a look here: https://www.eventbrite.co.uk/l/LegalTerms

NOTE: Capitalized terms in this article are defined in our Terms of Service (https://www.eventbrite.co.uk/support/articleredirect?anum=8477).

1. Eventbrite's data processing obligations.

a. Eventbrite as a data controller. — Where an Organiser creates an account with Eventbrite to organise and ticket their events, Eventbrite will be a data controller over the personal data that Organisers provide about themselves as part of their account creation process. Similarly, where a Consumer provides Eventbrite with personal data in the course of creating an account, Eventbrite will be a data controller over the personal data provided to Eventbrite directly by that Consumer. Eventbrite will also be a data controller of the personal data that Eventbrite obtains in the course of an Organiser or Consumer's use of Eventbrite Services, which Eventbrite may then use to conduct research and analysis, improve our products and features, and provide targeted recommendations.

b. Eventbrite as a data processor. — Eventbrite will be a data processor over a Consumer's personal data that Eventbrite obtains as a result of providing its core ticketing services to our Organisers. Examples include allowing Organisers to learn more about their attendees during the ticket purchase, facilitating the transmission of emails to Consumers at the request of the Organiser, processing payments, or providing event reports and tools so Organisers can gain insights into the effectiveness of various sales channels.

Given that Eventbrite processes a Consumer's personal data both in providing Eventbrite Services to the Organiser, and to the Eventbrite account-holding Consumer directly in his or her own use of Eventbrite, Eventbrite may be both a controller and a processor of the same personal data and will be held to different processing obligations as a result.

2. A Data Processing Addendum for Organisers and Sub-Processors.

In broad terms, any business that is established in the European Union ("EU") or that monitors, or offers goods or services to, individuals in the EU is potentially subject to EU data protection law. In many instances, both Eventbrite and Organisers will be subject to, and need to comply with, EU data protection laws.

As a data processor processing Personal Data on behalf of the Organiser, Eventbrite will be subject to a Data Processing Addendum to our Terms of Service (https://www.eventbrite.co.uk/support/articleredirect?anum=8477) with our Organiser. Our Data Processing Addendum (DPA) for Organisers (https://www.eventbrite.co.uk/support/articleredirect?anum=41392), incorporated in our Terms of Service, includes Eventbrite's legal obligations as a processor consistent with the GDPR. Eventbrite also published a public-facing list of Eventbrite's Sub-Processors (https://www.eventbrite.co.uk/support/articleredirect?anum=41395) as referenced in the DPA for Organisers.

3. Email Tools.

We offer the ability for Organisers to email Consumers directly through our platform. This functionality was built to send service-related emails specific to an Organiser's event attended by the recipient of such email. If an Organiser wants to use this function for marketing purposes, you (the Organiser) need to secure your own compliant opt-in consents for the sending of marketing emails. Eventbrite does not do this on an Organiser's behalf.

4. Data Deletion.

As a data controller of our account-holding Consumers, Eventbrite will adhere to a Consumer's request that Eventbrite delete that Consumer's personal data. As a result, there may be a time when your Organiser dashboard will show anonymized personal data for a particular attendee; however, the financial data associated with that attendee should remain as part of the event. Similarly, if Eventbrite removes personal data on its own in accordance with our internal data retention policy, this same view within the dashboard will appear.

In the event an Organiser's data retention needs require that Eventbrite no longer provide such Organiser with access to the personal data of its former attendees, the Organiser can accomplish this by removing the event from its dashboard. Should the Organiser still need access to the non-personal event data, it should first download the event to a .csv or text file and manipulate that file as it sees fit.

Should one of your attendees ask you directly to have Eventbrite remove that attendee's personal data from our system, please forward the request to us at privacy@eventbrite.com. Our support team may reach out to the Consumer directly to confirm the request.

5. Data Incident Notifications.

In cases where we are a data controller (even if we are both a data processor and a data controller) over data accessed in an unauthorised manner, we will notify the affected Consumer directly rather than the Organiser of each event associated with that Consumer. As a reminder, we are a data controller for all Organisers, as well as Consumers that created an Eventbrite account in the course of a ticket purchase. When we are solely a processor of data, meaning an individual purchased tickets on Eventbrite without creating an account with Eventbrite directly, then we will notify Organisers we determine to be most likely in contact with that individual around the time of a data incident involving the unauthorised access of that individual's personal data.

6. Cross-border Data Transfers.

Eventbrite physically stores personal data in the United States. In order to ensure that personal data can be lawfully transferred from the EU to our US-based servers, Eventbrite certifies to the EU-US Privacy Shield framework operated by the US Department of Commerce. Eventbrite's certification was effective 14th October 2016. You will find Eventbrite's Privacy Shield Notice (https://www.eventbrite.co.uk/support/articleredirect?anum=31015) linked directly from Eventbrite's Privacy Policy (https://www.eventbrite.co.uk/support/articleredirect?anum=8478).

7. Do I (the Organiser) need model clauses with Eventbrite?

No. Eventbrite is Privacy Shield certified, which ensures the lawful transfer of personal data from the EU to our US-based servers. As a result, Organisers do not need to execute model clauses with Eventbrite.

8. How does Eventbrite secure personal data?

Eventbrite is committed to maintaining the highest level of security to protect personal data. In this effort, Eventbrite has implemented numerous security measures and monitors them on a daily basis. Eventbrite's information systems are protected by industry standard firewalls and intrusion detection systems. In addition, regular vulnerability scans are performed, both automatically and manually by an internal and dedicated team of security experts. You can find out more about the robust security and privacy measures Eventbrite has implemented in the "Eventbrite Security and Safety Guide", available at https://www.eventbrite.co.uk/security.

9. What else is Eventbrite doing as a result of GDPR?

a. Accountability and Training. — We're revamping our internal data privacy guidelines to make sure they're in line with the GDPR and we're making sure that all of our employees are trained on them appropriately. This means that everyone at Eventbrite plays a role in handling personal data in a legitimate and fair way.

b. Privacy by Design. — We're implementing enhanced guidelines to help ensure that all of our systems and tools that collect and store personal data are designed in a privacy-friendly way. By doing this, we can reduce privacy risks at the outset and offer our Organisers and Consumers more control over their information.

c. Data Privacy Impact Assessments. — We're implementing new internal protocols to make sure that certain activities involving personal data will go through a Privacy Impact Assessment, measuring compliance with the GDPR while also allowing for ease of record keeping. This means we can be confident that new products and services that we offer respect our Organisers' and Consumers' privacy rights.

d. Our Privacy Policy. — We recently updated our privacy policy (https://www.eventbrite.co.uk/support/articleredirect?anum=8478) as an additional step towards our commitment to transparency about what we do with personal data provided to Eventbrite.

e. Vendors. — We've reviewed our vendors and sub-processor contracts to make sure that each meets the new requirements of the GDPR and is compliant with rules on international data transfers. We'll be requiring and expecting more from our vendors and sub-processors handling personal data on our behalf.