Data Processing Addendum (DPA) for Organisers

Updated by Antwonne D

Category: Terms and policies

Last Updated: November 8, 2021

This Data Processing Addendum ("DPA") sets forth the terms and conditions related to the privacy, confidentiality and security of Personal Data associated with Services provided by Eventbrite to Organiser pursuant to the Agreement. In this DPA, references to "you" mean the Organiser and references to "we," "us," "our" and "Eventbrite" mean Eventbrite, Inc. and our affiliates.

NOTE: To learn more about Eventbrite's Legal Terms, take a look here: https://www.eventbrite.co.uk/l/LegalTerms

<h2 id="01">Overview and Definitions.</h2> <p>The terms of this DPA are hereby incorporated into the Eventbrite Terms of Service, Privacy Policy or any other applicable services agreement between you and Eventbrite (the &quot;Agreement&quot;).<br><br>With respect to provisions regarding Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where Organiser and Eventbrite have individually negotiated data processing terms that are different from this DPA and which meet the requirements of applicable Data Protection Laws in full, in which case those negotiated terms will control.<br><br>“Data Protection Laws” means all laws or regulations related to the privacy, confidentiality and security of Personal Data.<br><br>“Business,” &quot;Data Controller,&quot; &quot;Data Processor,&quot; &quot;Data Subject,&quot; &quot;Processing,&quot; &quot;Personal Data,&quot; and “Service Provider” shall have the meanings ascribed to them in applicable Data Protection Laws.<br><br>&quot;Data Security Breach&quot; means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data Processed by Eventbrite on Organiser’s behalf as part of Organiser’s use of the Services.<br><br>“New EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.<br><br>“Old EU SCCs” means the Standard Contractual Clauses issued pursuant to EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors 
established in third countries under Directive 95/46/EC of the European Parliament and of the Council (available as of the Effective Date at http://data.europa.eu/eli/dec/2010/87/2016-12-17).<br><br>“Sell” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party, other than to a sub-processor pursuant to Section 2, for monetary or other valuable consideration.<br><br>“Services” means any services provided by Eventbrite to Organiser, as defined in the Eventbrite Terms of Service of any other applicable services agreement between Organiser and Eventbrite.<br><br>&quot;Technical and Organisational Security Measures&quot; means reasonable security measures implemented by Eventbrite appropriate to the type of Personal Data being Processed on Organiser’s behalf and the Services being provided by Eventbrite designed to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.</p> <h2 id="02">1. Applicability of DPA and scope of data processing activities.</h2> <p>1.1 In using Eventbrite&#39;s Services, Organiser acts as a Business and is a Data Controller of the Personal Data associated with an individual using Eventbrite Services, or on whose behalf an individual is using Eventbrite Services, to register for or purchase a ticket to attend such Organiser&#39;s event (&quot;Consumer&quot;). 
Organiser represents and warrants that it has provided any necessary notices and if required, obtained any necessary consents related to the collection of such Personal Data from the Consumer and Organiser has the right to share such Personal Data with Eventbrite.<br><br>1.2 Where Eventbrite Processes the Personal Data of Consumers on behalf of Organiser as part of the Services, Eventbrite is a Data Processor or Service Provider in performing such Processing and Organiser is the Data Controller or Business. This includes circumstances where Eventbrite obtains Personal Data as a result of the provision of its core ticketing services (for example, where Eventbrite facilitates the transmission of emails to Consumers at the request of Organisers, processes payments, or provides event reports and tools to enable Organisers to gain insights into the effectiveness of various sales channels).<br><br>In respect of some processing of Consumers&#39; Personal Data, Eventbrite may act as a Data Controller or Business, for example, where Consumers have engaged with aspects of Eventbrite&#39;s Applications beyond those relating to Organiser&#39;s event or where Consumers&#39; Personal Data is Processed by Eventbrite to conduct research and analysis to enable Eventbrite to improve its products and features and provide targeted recommendations. 
With regard to such processing, Eventbrite is an independent Data Controller and not a joint Data Controller with Organiser.<br><br>To the extent that Eventbrite processes Personal Data as a Data Processor or Service Provider on behalf of Organiser, Section 2 of this DPA shall apply, however, when Eventbrite is acting as a Business or Data Controller of Consumers&#39; Personal Data, Eventbrite&#39;s processing shall not be subject to this DPA.<br><br>1.3 Details about the Personal Data to be processed by Eventbrite and the Processing activities to be performed under the Agreement are as follows: (i) duration - as set out in the Agreement; (ii) nature, purpose and subject matter - to enable Organiser to organise and promote events and manage ticketing using Eventbrite Services; (iii) data categories - name, email address, billing and payment information, information related to events booked and attended, relationship to Organiser and any other Personal Data that Organiser requests of its Consumers; (iv) data subjects - Consumers.</p> <h2 id="03">2. Data processing clauses.</h2> <p>2.1 Whenever Eventbrite processes Personal Data on behalf of Organiser, Eventbrite shall:<br><br>2.1.1 Process Personal Data only on the documented instructions of Organiser, unless required to do otherwise by applicable law. Eventbrite shall inform Organiser of the legal requirement before processing Personal Data other than in accordance with Organiser&#39;s instructions, unless that same law prohibits Eventbrite from doing so on important grounds of public interest. Eventbrite will not retain, use, disclose or Sell Personal Data except as necessary to perform Eventbrite’s obligations under the Agreement, or as otherwise permitted by Applicable Law. 
Organiser will ensure that its instructions comply with all laws, regulations and rules applicable to the Personal Data, and that Eventbrite’s processing of such Personal Data will not cause Eventbrite to violate any applicable law, regulation or rule, including Data Protection Laws. Eventbrite will notify Organiser, if in its opinion, an instruction is in breach of applicable Data Protection Laws. Organiser hereby instructs Eventbrite, and Eventbrite hereby agrees, to process Personal Data as necessary to perform Eventbrite&#39;s obligations under the Agreement and for no other purpose, unless otherwise specified in this DPA or required to comply with the law or other binding governmental order. In the event that this DPA or any actions to be taken or contemplated in performance of this DPA do not or would not satisfy either party’s obligations under applicable Data Protection Laws, the parties shall negotiate in good faith upon an appropriate amendment to this DPA;<br><br>2.1.2 Have in place Technical and Organisational Security Measures which include, but are not limited to, the measures described here: <a href="https://www.eventbrite.co.uk/security/" target="_self">https://www.eventbrite.co.uk/security/</a>;<br><br>2.1.3 Notify Organiser in the event of a Data Security Breach without undue delay, unless otherwise prohibited by law or otherwise instructed by a law enforcement or data protection authority. In the event of any Data Security Breach, Eventbrite, in its sole discretion, may provide data breach notification to affected data subjects directly. 
Where Eventbrite does not provide such notification, Eventbrite shall provide reasonable assistance, where required by applicable Data Protection Laws and at Organiser’s request, to enable Organiser to comply with its data breach obligations as a Data Controller or Business;<br><br>2.1.4 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data of Consumers Processed by Eventbrite on Organiser’s behalf;<br><br>2.1.5 Impose obligations on its sub-processors that have access to Personal Data of Consumers Processed by Eventbrite on Organiser’s behalf that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain fully liable to Organiser for any failure by a sub-processor to fulfill its obligations in relation to such Personal Data;<br><br>2.1.6 Provide reasonable assistance to Organiser in responding to individual rights requests or other communications received under applicable Data Protection Laws from any applicable data protection authority or Consumer who is the subject of any Personal Data processed by Eventbrite on Organiser’s behalf. In the event that a Consumer submits a Personal Data deletion request to Eventbrite, Organiser hereby instructs and authorises Eventbrite to delete or anonymize the Consumer&#39;s Personal Data on Organiser&#39;s behalf;<br><br>2.1.7 Upon Organiser&#39;s written request, make available to Organiser all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, provide reasonable assistance with privacy and data protection impact assessments and related consultations of data protection authorities, and allow for and co-operate with any audits. 
Any on-site audits shall be: (i) permitted only on reasonable advance notice to Eventbrite; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means; and<br><br>2.1.8 Except for that Personal Data with respect to which Eventbrite acts as a Data Controller or Business, return, delete, or destroy (at Organiser&#39;s election) the Personal Data of Consumers processed on Organiser’s behalf and copies thereof, at Organiser&#39;s request (unless applicable law requires the storage of such Personal Data).<br><br>2.2 Organiser hereby consents and authorises Eventbrite to disclose or transfer Personal Data to, or allow access to Personal Data by, Eventbrite&#39;s <a href="https://www.eventbrite.co.uk/support/articleredirect?anum=41395" target="_blank">current sub-processors</a> (i.e. those listed on Eventbrite&#39;s website on the Effective Date of this DPA or the Agreement, whichever is later) (&quot;Current Sub-Processors&quot;) to process Personal Data on Organiser’s behalf.<br><br>2.3 Organiser hereby consents to Eventbrite appointing additional and replacement sub-processors (&quot;Replacement Sub-Processors&quot;) to process Personal Data on Organiser’s behalf. Eventbrite shall give notice to Organiser of the identity of intended Replacement Sub-Processors (i) via email where Organiser has opted in to receive such email notifications and (ii) by updating Eventbrite&#39;s website (Organiser is responsible for regularly checking and reviewing Eventbrite&#39;s website for any such changes). Organisers interested in receiving email notice of Replacement Sub-Processors must opt in and subscribe using this <a href="https://docs.google.com/forms/d/1xRjegVE1sxnxjGZ7J9lC_2sl5nYvve7c_cORhR91gaY/edit?ts=6164c1bc" target="_blank">form</a> (Organiser is solely responsible for ensuring its contact information remains accurate). 
Eventbrite shall also give the Organiser the opportunity to object to such changes that take place after the Effective Date of the Agreement, in accordance with the terms that follow in Section 2.4 of this DPA.<br><br>For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with the terms herein, and shall not apply in relation to Current Sub-Processors.<br><br>2.4 Organiser shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of Eventbrite posting the changes on its website. Organiser shall send its objection to privacy@eventbrite.com with the subject line &#39;Objection to Replacement Sub-Processor&#39;.<br><br>Provided that Organiser&#39;s objection: (i) concerns the Replacement Sub-Processor&#39;s ability to allow Eventbrite to materially comply with its data protection obligations under this DPA; and (ii) includes sufficient detail to support its objection and provides specific examples, Eventbrite will then use commercially reasonable efforts to review and respond to Organiser&#39;s objection within thirty (30) days of receipt of Organiser&#39;s objection with Eventbrite&#39;s determined method of accommodation.<br><br>If Eventbrite determines in its sole discretion that it cannot reasonably accommodate Organiser&#39;s objection, upon notice from Eventbrite, Organiser may choose to terminate the Agreement by providing written notice to Eventbrite, and complying with the terms herein, which shall be Organiser&#39;s sole and exclusive remedy. 
Without limiting the generality of the foregoing, Organiser&#39;s termination right under this Section 2.4 will be deemed an additional termination right of Organiser under the &quot;Term and Termination&quot; Section of the Agreement (if any) and if exercised will be deemed a termination pursuant to such Section. Such written notice must be sent to <a href="mailto:legal@eventbrite.com" target="_blank">legal@eventbrite.com</a> and must specifically reference this Section 2.4 of the DPA. The day Eventbrite receives an Organiser&#39;s written termination notice under this Section 2.4 will be referred to as the &quot;Objection Date&quot; in this DPA. Should Organiser choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this Section 2 shall relieve Organiser from any of its payment and/or repayment obligations to Eventbrite under the Agreement.<br><br>Without limiting Eventbrite&#39;s other rights and remedies, if Organiser terminates the Agreement pursuant to this Section 2.4, then Organiser will immediately pay to Eventbrite (1) all amounts accruing and owed to Eventbrite, including, without limitation, obligations to pay and/or repay Eventbrite for Fees, Sponsorship Payments, Advances, and/or Advance payments of Event Registration Fees, as such terms are defined in the Agreement and only to the extent applicable to Organiser, (2) if the Agreement includes a minimum number of tickets Organiser must sell, a minimum amount of Event Registration Fees or Eventbrite Services Fees that must be processed (each such sales or processing threshold, a &quot;Minimum Threshold&quot;), and/or a requirement to pay Eventbrite the portion of Service Fees Eventbrite would have received had a Minimum Threshold been met, then Organiser agrees to pay Eventbrite an amount equal to (x) the amount that Eventbrite would have received in Service Fees had the Minimum Threshold been met in each year of the term up to the date of such termination (with 
such Minimum Threshold prorated as to any partial year of the Term), less (y) the amount that Eventbrite actually received in Service Fees attributable to Organiser&#39;s sales during the Term up to the date of such termination; and (3) 80% of the anticipated Fees Eventbrite would have earned during the remainder of the Term had the Agreement not been terminated with respect to (x) events on sale on the Site as of the Objection Date, and (y) any future events contemplated under the Agreement intended to go live in the ninety (90) days following the Objection Date.</p> <h2 id="04">3. Cross-Border Transfers.</h2> <p>3.1 Organiser agrees that Eventbrite may transfer Personal Data of Consumers to various locations in connection with providing the Services. Transfers will be made in accordance with legally enforceable transfer mechanisms where required by applicable Data Protection Laws. Eventbrite’s exclusive transfer mechanism for data exported from the European Economic Area, United Kingdom and Switzerland is the use of <a href="https://cdn.evbstatic.com/s3-s3/static/images/en_US/legal_policies/Eventbrite_Organiser_Standard_Contractual_Clauses.pdf" target="_blank">Standard Contractual Clauses</a>, which have been pre-signed by Eventbrite for Organiser compliance records.</p> <p>3.2 With respect to Eventbrite Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, and such law permits use of the Old EU SCCs but not use of the New EU SCCs, the Old EU SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the Old EU SCCs, until such time that the United Kingdom adopts new Standard Contractual Clauses, in which case new, Standard Contractual Clauses will control.  
For purposes of the Old EU SCCs, they shall be deemed completed as follows:</p> <p>i) The “exporters” and “importers” are the Parties and their Affiliates to the extent any of them is involved in such transfer, including those set forth in Annex I.A of the New EU SCCs.  </p> <p>ii) Clause 9 of the Old EU SCCs specifies that United Kingdom law will govern the Old EU SCCs.</p> <p>iii) The content of Appendix 1 of the Old EU SCCs is set forth in Annex I.B of the New EU SCCs herein.</p> <p>iv) The content of Appendix 2 of the Old EU SCCs is set forth in Annex II of the New EU SCCs herein.</p> <p>3.3.  With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, references to the GDPR in Clause 4 of the New EU SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority shall include the Swiss Federal Data Protection and Information Commissioner. </p> <p>3.4. With respect to Personal Data transferred from the European Economic Area, the <a href="https://cdn.evbstatic.com/s3-s3/static/images/en_US/legal_policies/Eventbrite_Organiser_Standard_Contractual_Clauses.pdf" target="_blank">New EU SCCs</a> incorporated herein shall apply and form part of this DPA. In the event of a conflict between any provision of the New EU SCCs and any provision of this DPA, the New EU SCCs will control to the extent of conflicts.</p>
