This GDPR Data Processing Agreement Addendum forms part of the Terms of Use: available here. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below. Without limiting Event Temple’s obligations under the Terms of Use, to the extent that Licensee stores, transmits, collects, or otherwise uses EU Personal Data (as defined below) Event Temple will comply with the following additional provisions. As used herein, “Agreement” means, collectively, the Terms of Use, this Addenda, and any other agreements entered into by the parties with respect to Licensee’s use of the Event Temple Platform.
To the extent that Event Temple Processes any Customer Personal Data (each as defined below) and (i) the Customer Personal Data relates to individuals located in the EEA; or (ii) Customer is established in the EEA or UK, the provisions of this Data Processing Addendum (“DPA”) shall apply to the processing of such Customer Personal Data. In the event of any conflict between the remainder of the Agreement and the DPA, the DPA will prevail.
1. Definitions
1.1. The following capitalized terms used in this DPA shall be defined as follows:
(a) “Controller” has the meaning given in the GDPR.
(b) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR“) or the UK General Data Protection Regulation (“UK GDPR”), tailored by the Data Protection Act 2018, any applicable national implementing legislation in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data.
(c) “Data Subject” has the meaning given in the GDPR.
(d) “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
(e) “Processing” has the meaning given in the GDPR, and “Process” will be interpreted accordingly.
(f) “Processor” has the meaning given in the GDPR.
(g) “Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.
(h) “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by European Commission Decision (EU) 2021/914 of 4 June 2021 or any subsequent version thereof released by the European Commission (which will automatically apply).
The Standard Contractual Clauses are applicable to the extent they reference Module Two (Controller-to-Processor).
When (i) the Customer Personal Data relates to individuals located in the UK; or (ii) Customer is established in the UK, the parties agree to the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section18 of those Mandatory Clauses.
(i) “Subprocessor” means any Processor engaged by Event Temple who agrees to receive from Event Temple Customer Personal Data.
(j) “Customer Personal Data” means the “personal data” (as defined in the GDPR) described in the Annex and any other personal data contained in the Content or that Event Temple processes on Customer’s behalf in connection with the provision of the Service.
(k) “Supervisory Authority” has the meaning given in the GDPR.
(l) “United Kingdom” or “UK” means the country of the United Kingdom.
2. Data Processing
2.1. The Parties acknowledge and agree that for the purpose of the Data Protection Laws, the Customer is the Controller and Event Temple is the Processor.
2.2 Instructions for Data Processing. Event Temple will only Process Customer Personal Data in accordance with Customer’s written instructions. The parties acknowledge and agree that the Agreement (subject to any changes to the Service agreed between the parties) and this DPA shall be Customer’s complete and final instructions to Event Temple in relation to the processing of Customer Personal Data.
2.3. Processing outside the scope of this DPA or the Agreement will require prior written agreement between Customer and Event Temple on additional instructions for Processing.
2.4. Required consents. Where required by applicable Data Protection Laws, Customer will ensure that it has obtained/will obtain all necessary consents and complies with all applicable requirements under Data Protection Laws for the Processing of Customer Personal Data by Event Temple in accordance with the Agreement.
3. Transfer of Personal Data
3.1. Authorized Subprocessors. Customer agrees that Event Temple may use Subprocessors listed to Process Customer Personal Data. The current list of Subprocessors may be accessed here: SCHEDULE 1 – APPROVED SUB-PROCESSORS
3.2. As per Clause 9(a), Module 2, OPTION 2 of the Standard Contractual Clauses, Customer agrees that Event Temple may use subcontractors to fulfill its contractual obligations under the Agreement. Event Temple shall notify Customer from time to time of the identity of any Subprocessors engaged. If Customer (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Customer Personal Data only, then without prejudice to any right to terminate the Agreement, Customer may request that Event Temple move the Customer Personal Data to another Subprocessor and Event Temple shall, within a reasonable time following receipt of such request, use reasonable endeavors to ensure that the original Subprocessor does not Process any of the Customer Personal Data. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason, either party may terminate the Agreement on thirty (30) days written notice. If Customer does not object within thirty (30) days of receipt of the notice, Customer is deemed to have accepted the new Subprocessor.
3.3. Save as set out in clauses 3.1 and 3.2, Event Temple shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without Customer’s prior written consent and unless Event Temple:
(a) enters into a written agreement with the Subprocessor which imposes equivalent obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on Event Temple under this DPA; and
(b) shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to Customer for the acts and omissions of any Subprocessor as if they were Event Temple’s acts and omissions.
3.4. International Transfers of Customer Personal Data. To the extent that the Processing of Customer Personal Data by Event Temple involves the export of such Customer Personal Data to a third party in a country or territory outside the EEA, such export shall be:
(a) to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
(b) to a third party that is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
(c) governed by the Standard Contractual Clauses between the Customer as exporter and such third party as importer. For this purpose, the Customer appoints Event Temple as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Customer on its behalf.
The Customer acknowledges and agrees that Customer Personal Data may be processed by Sub-processors outside the European Economic Area or the country where the Customer is located in order to carry out the Services and Event Temple’s other obligations under the Terms of Use. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.
4. Data Security, Audits, and Security Notifications
4.1 Event Temple Security Obligations. Event Temple will implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 Upon Customer’s reasonable request, Event Temple will make available all information reasonably necessary to demonstrate compliance with this DPA.
4.3 Security Incident Notification. If Event Temple becomes aware of a Security Incident, Event Temple will (a) notify Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide Customer (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident.
4.4 Event Temple Employees and Personnel. Event Temple will treat the Customer Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
4.5 Audits. Event Temple will, upon Customer’s reasonable request and at Customer’s expense, allow for and contribute to audits, including inspections, conducted by Customer (or a third party auditor on Customer’s behalf and mandated by Customer) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; (iii) are conducted in a manner that causes minimal disruption to Event Temple’s operations and business; and (iv) Following completion of the audit, upon request, Customer will promptly provide Event Temple with a complete copy of the results of that audit.
5. Access Requests and Data Subject Rights
5.1 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Event Temple will use reasonable endeavors to assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the Data Protection Laws.
6. Data Protection Impact Assessment and Prior Consultation
6.1 To the extent required under applicable Data Protection Laws, Event Temple will provide Customer with reasonably requested information regarding its Service to enable Customer to carry out data protection impact assessments or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Event Temple.
7. Termination
7.1 Deletion or return of data. Subject to 7.2 below, Event Temple will, at Customer’s election and within 90 (ninety) days of the date of termination of the Agreement:
(a) make available for retrieval all Customer Personal Data Processed by Event Temple (and delete all other copies of Customer Personal Data Processed by Event Temple following such retrieval); or
(b) delete the Customer Personal Data Processed by us.
7.2 Event Temple and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Event Temple ensures the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
8. Governing law
8.1 This Data Processing Agreement shall be governed by and construed in accordance with the same laws as specified in the governing law clause of the main Agreement between the parties, to which this DPA is supplementary.
9. Conflict
Except as amended by this DPA, the Terms of Use will remain in full force and effect. If there is a conflict between the Terms of Use and this DPA, the terms of this DPA will control.
10. Changes to the Terms of Use and the Service
Event Temple reserves the right to update this DPA from time to time, at our discretion and without notice. Each new version will be made available on our Website and it is your responsibility to regularly check our Website for new versions. Your continued use of the Services following the publishing of an updated DPA means that you accept and agree to the changes.
Annex
Details of the Processing of Customer Personal Data
This Annex includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Customer Personal Data
The Customer Personal Data will be subject to the following basic processing activities: transmitting, collecting, storing and analyzing data in order to provide the Service to the Customer, and any other activities related to the provision of the Service or specified in the Agreement.
The types of Customer Personal Data to be processed
The Customer Personal Data concern the following categories of data: names; email addresses; personal and professional information; and any other personal data provided by the Customer in connection with its use of the Service.
The categories of data subject to whom the Customer Personal Data relates
Any categories of individuals whose data the Customer extracts, transfers, and/or loads onto the Service, which may include but is not limited to:
- Past, present and prospective clients, business relationship contacts, and outside contacts of the Customer.
The obligations and rights of the Customer
The obligations and rights of the Customer are as set out in this DPA.
