DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Products and Services Agreement or other written or electronic agreement between Active Network, LLC (“Active”) and you (“Client”), to reflect the parties’ agreement with regard to the processing of personal data. The parties agree to process personal data in accordance with the Data Protection Laws, as defined below, directly applicable to the Services.
This DPA is an addendum to and forms part of the Agreement. This DPA shall not replace any comparable or additional rights relating to processing of participant information contained in the Agreement.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
"Data Protection Laws" means any applicable data protection laws relating to the protection of individuals with regard to the processing of personal data including (i) EU Data Protection Directive 95/46/EC as implemented by EU member states, (ii) the General Data Protection Regulation (EU) 2016/679 ("GDPR"), from 25 May 2018, (iii) laws implemented by EU member states or the UK (as may be applicable) which contain derogations from, or exemptions or authorisations for the purposes of, the GDPR, or which are otherwise intended to supplement the GDPR, (iv) Directive 2002/58/EC as implemented by EU member states or in the UK (as may be applicable), (v) any legislation that replaces or converts into domestic law the GDPR and/or the ePrivacy Directive (as may be updated or replaced) or any other law relating to data protection, the processing of personal data and privacy as a consequence of the United Kingdom leaving the European Union; and/or (vi) any corresponding or equivalent national laws or regulations including any amendment, update, modification to or re-enactment of such laws, and the terms "controller", "processor", "personal data", "process", "data subject", “personal data breach”, and “special categories” as used in this DPA shall have the meaning given to those terms in the Data Protection Laws.
"Standard Contractual Clauses" means either (as applicable) (i) the standard contractual clauses for the transfer of personal data to controllers established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2004)5721; or (ii) the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision C(2010) 593, in each case as updated, amended, replaced or superseded from time to time by the European Commission.
2. ROLES AND OBLIGATIONS OF THE PARTIES
2.2 Controllers. For the purposes of the Data Protection Laws, the parties agree that (subject to Section 2.3 below and except as otherwise set forth in the Agreement) both Active and Client separately determine the purposes and means of the processing of personal data and each shall act as a separate and independent controller in respect of its processing of personal data under this Agreement, including, but not limited to, any personal data comprised in the Participant Information. Both parties undertake to comply with Data Protection Laws and the terms of the Agreement, as well as this DPA, and each shall procure that their employees, agents, and subcontractors comply with the provisions of Data Protection Laws, as well as the terms of the Agreement and this DPA with respect to any/all personal data. In particular, each party shall (i) ensure that data subjects are provided with a notice giving all required particulars of the processing contemplated by this Agreement; and (ii) establish a lawful basis for each processing activity contemplated by this Agreement, including, where necessary, obtaining any consents from data subjects in the manner prescribed by the Data Protection Laws.
2.3 Client Personal Data. For the purposes of the Data Protection Laws, the parties acknowledge that Client may collect information from End Users in addition to the Participant Information. Any such information collected by Client is ‘Client Personal Data’. In respect of the processing of Client Personal Data, the parties agree that Active shall act solely as a processor on behalf of Client, and the provisions of Article 28(3) of the GDPR are hereby incorporated by reference (as modified by Section 3). In its use of the SaaS or Services, Client agrees if it does collect or elicit any special categories of personal data, including, but not limited to, data revealing racial or ethnic origin, political opinions, religious or other beliefs, trade-union membership, as well as personal data concerning health or sexual life, biometric or genetic information or any data concerning criminal convictions or offences other than as expressly authorized by Active in writing, it will do so in compliance with the Data Protection Laws and Client is responsible for determining an appropriate lawful basis to process that personal data under Article 9 of the GDPR, and in such event, it will collect such personal data only in pre-defined fields within the Software that are intended for that purpose. For the avoidance of doubt, any collection of special categories of personal data or the collection of information through custom questions is Client Personal Data for which Active is not a controller.
2.4 Client as Licensor. To the extent Client is a Licensor of an Event (“Licensed Event”) and requests that Active provide Client with administrative access to a Licensee’s client account with Active, including access to Participant Information relating to the Licensed Event, Client represents and warrants: (i) Client has and will continue to hold all necessary licenses, permits, consents, permissions, and agreements necessary for Active to provide Client with such access; (ii) Active’s provision of such access does not and will not violate any applicable laws, rules, or regulations; (iii) Client will notify Licensee of Client’s access to and use of such Participant Information and Client will get affirmative written consent from the Licensee (and the End User, as necessary) to provide Active with the rights to provide such access, or alternatively where applicable, establish an alternative lawful basis for access under Data Protection Laws; and (iv) Client will use such Participant Information in compliance with all applicable law.
2.5 Third Party Access. To the extent Client requests Active to provide a third party, such as an affiliated entity, Licensee, event timer, email marketer, donation service provider, etc. (“Third Party”) with administrative access to Client’s account, including access to Participant Information, Client represents and warrants that (i) Client has and will continue to hold all necessary licenses, permits, consents, permissions, and agreements necessary for Active to provide Third Party with such access; (ii) Active’s provision of such access to a Third Party does not and will not violate any applicable laws, rules, or regulations; (iii) Client will notify each End User of any Third Party’s access to and use of Participant Information and Client will get affirmative written consent from each End User which allows Active to provide such access to the Third Party, or establish an alternative lawful basis for access under Data Protection Laws; (iv) Client will contractually require the Third Party to comply with contractual terms no less restrictive than those set forth herein and (v) Client will be responsible and liable for Third Party’s compliance with Data Protection Laws.
2.6 Data Subject Requests. Further, where one party ("Disclosing Party") discloses or otherwise makes available personal data ("Disclosed Personal Data") to the other party ("Receiving Party"), the Receiving Party shall notify the Disclosing Party without undue delay if it receives any request (including in respect of data subject rights), complaint, enquiry or other form of communication from a data subject or supervisory authority regarding the processing of Disclosed Personal Data, and the Disclosing Party and Receiving Party shall each provide one another with reasonable co-operation, upon request, in relation to responding to any such communication, and to complying with their respective obligations under the Data Protection Laws.
3. PROCESSING DETAILS.
3.1 Processing Details. This section sets out the details required by Article 28(3) of GDPR which are applicable when Active is solely the processor of Client personal data.
3.2 Duty of Confidentiality. Subject to any confidentiality obligations in the Agreement, each party shall take reasonable steps to ensure the reliability of any of its personnel who may have access to personal data, ensuring in each case that access is strictly limited to those individuals who need to access such personal data as strictly necessary to deliver the Services. Further, each party shall ensure that personnel are subject to confidentiality obligations at least as restrictive as those contained herein and/or subject to an appropriate statutory obligation of confidentiality.
3.3 Security Measures. Subject to any other security obligations in the Agreement, each party will implement and maintain all appropriate technical and organizational measures required by Article 32 of GDPR for the protection of the security, confidentiality, and integrity of the personal data. The Receiving Party shall notify the Disclosing Party without undue delay upon becoming aware of a personal data breach affecting either the Participant Information or Client Personal Data, as applicable, providing the Disclosing Party with sufficient information to allow it to meet any obligations to report or inform the Receiving Party of the personal data breach under the Data Protection Laws. The parties shall cooperate with each other and take steps, as are required by Article 33 of the GDPR, to assist in the investigation, mitigation and remediation of any data security incident and personal data breaches.
3.4 DPIA. Each party shall provide reasonable assistance as required by applicable law to the other party in respect of any data protection impact assessment (including prior consultation with a supervisory authority) when such party is required to conduct such assessment as required under Articles 35 and 36 of the GDPR.
3.5 Sub-processing. For purposes of the Client Personal Data, Active does not use subprocessors. To the extent Active will use subprocessors to process any Client Personal Data, Active shall provide Client with written notice and Client shall promptly, and in any event within ten (10) business days, notify Active in writing of any objection to such changes. If Client objects to Active’s intended changes to the subprocessors, notwithstanding anything to the contrary in the Agreement, Client may terminate the Agreement immediately upon written notice to Active. Alternatively, if Client agrees to Active’s intended changes to the authorized subprocessors, such consent shall at all times be subject to Active meeting the conditions set out in Article 28(2) and (4) of the GDPR in relation to any new subprocessors.
3.6 Data Retention. Following expiration or termination of the Agreement (or sooner if reasonably requested by Client), Active shall delete or return to Client all Client Personal Data, in its possession or under its control in accordance with the terms and timelines of the Agreement, or if not stated, within thirty (30) days of the Agreement’s termination or expiration, unless otherwise required by applicable laws.
3.7 Audits and Inspections. Active will maintain records of processing activities (including categories), as well as other records as necessary to demonstrate Active’s compliance with the Data Protection Laws. Upon reasonable written request, Active shall make available to Client information it reasonably deems necessary to demonstrate its compliance with its obligations as set forth herein. Where Client can demonstrate that the provision of such information is not sufficient to reasonably demonstrate Active's compliance with the obligations set forth herein, Client shall be permitted, on reasonable prior written notice, and subject to meeting its own costs relating to the same, to conduct an audit or inspection of Active’s records relating exclusively to Client by Client or another auditor mandated by Client (provided that Client shall not be permitted to conduct any more than one such audit / inspection annually).
3.8 Transfer. Active self-certifies to and complies with the EU-U.S. Privacy Shield Framework, as administered by the US Department of Commerce, and Active shall ensure that it maintains its self-certification to and compliance with the EU-U.S. Privacy Shield Framework with respect to the processing of personal data that is transferred from the European Economic Area to the United States. For countries not covered by the EU-U.S. Privacy Shield Framework, the parties agree that the Standard Contractual Clauses are incorporated herein by reference.
All other terms and conditions of the Agreement not expressly modified by this DPA shall remain in full force and effect. The provisions of this DPA are supplemental to the provisions of the Agreement. In the event of inconsistencies between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the provisions of this DPA and the Standard Contractual Clauses incorporated into this DPA by virtue of the above, the provisions of the Standard Contractual Clauses shall prevail, as applicable.