Last Updated: 2nd May 2018
This Data Processing Addendum ("DPA") applies to Merchants that are subject to the EU General Data Protection Regulation (2016/EC/679) or "GDPR"), or equivalent legislation, including any amending or replacement legislation from time to time ("Applicable Data Protection Laws"), which require Music Glue to process Personal Data on their behalf as part of Merchant's use of the Services.
With respect to provisions regarding Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where Merchant and Music Glue have individually negotiated data processing terms that are different from this DPA and which meet the requirements of Applicable Data Protection Law in full, in which case those negotiated terms will control.
"Data Controller", "Data Processor", "Data Subject", "Processing" and "Personal Data" shall have the meanings ascribed to them in Applicable Data Protection Laws;
"Data Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored or otherwise Processed; and
"Technical and Organisational Security Measures" means security measures implemented by Music Glue appropriate to the type of Personal Data being Processed and the Services being provided by Music Glue to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
1. Applicability of DPA and scope of data processing activities.
1.1 In using Music Glue's Services, for the purposes of Applicable Data Protection Laws, Merchant is a Data Controller of the Personal Data associated with an individual using Music Glue Services to register for or purchase a ticket to attend such Merchant's event ("Customer"). Merchant agrees to Process such Personal Data in accordance with Merchant's obligations under Applicable Data Protection Laws.
1.2 Where Music Glue Processes the Personal Data of Customers on behalf of Merchant as part of the Services, Music Glue is a Data Processor in performing such Processing and Merchant is the Data Controller. This includes circumstances where Music Glue obtains Personal Data as a result of the provision of its core “Direct to Consumer” service (the “Direct Service”) (for example, where Music Glue facilitates Customer the provision of customer support at the request of Merchants, Processes payments, or provides event reports and tools to enable Merchants to gain insights into the effectiveness of various marketing channels).
In respect of some Processing of Customers' Personal Data, Music Glue may act as a Data Controller, for example, where Customers have engaged with aspects of Music Glue's Applications beyond those relating to Merchant's eCommerce store or where Customers' Personal Data is Processed by Music Glue to conduct research and analysis to enable Music Glue to improve its products and features.
To the extent that Music Glue Processes Personal Data as a Data Processor on behalf of Merchant, Section 2 of this DPA shall apply, however, when Music Glue is acting as a Data Controller of Customers' Personal Data, Music Glue's Processing shall not be subject to this DPA.
1.3 Details about the Personal Data to be Processed by Music Glue and the Processing activities to be performed under the Agreement are as follows:
(i) duration - as set out in the Agreement; (ii) nature, purpose and subject matter - to enable Merchant to sell products including event tickets, digital content and physical products (“Items”) to your customers (“Customers”) via Music Glue’s Direct Service; (iii) data categories - name, email address, billing and payment information, information, and any other Personal Data that Merchant requests of its Customers; (iv) data subjects - Customers.
2. Data processing clauses.
2.1 Whenever Music Glue Processes Personal Data on behalf of Merchant, Music Glue shall:
2.1.1 Process Personal Data only on the documented instructions of Merchant, unless required to do otherwise by applicable law. Music Glue shall inform Merchant of the legal requirement before Processing Personal Data other than in accordance with Merchant's instructions, unless that same law prohibits Music Glue from doing so on important grounds of public interest. Music Glue will notify Merchant if in its opinion an instruction is in breach of Applicable Data Protection Laws. Merchant hereby instructs Music Glue, and Music Glue hereby agrees, to Process Personal Data as necessary to perform Music Glue's obligations under the Agreement and for no other purpose;
2.1.2 Implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
2.1.3 Notify Merchant in the event of a Data Security Breach without undue delay and provide co-operation and assistance to Merchant to enable Merchant to comply with its obligations as a Data Controller in relation to data breach notification requirements;
2.1.4 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data;
2.1.5 In the course of providing the Direct Services, you acknowledge and agree that Music Glue may use Sub processors to Process the Personal Data. Music Glue’s use of any specific Sub processor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Music Glue and Sub processor.
2.1.6 Provide reasonable assistance to Merchant in responding to subject access and rights requests under Applicable Data Protection Laws, complaints, or other communications received from any data protection authority or individual who is the subject of any Personal Data Processed by Music Glue. In the event that a Customer submits a Personal Data deletion request to Music Glue, Merchant hereby instructs and authorises Music Glue to delete or anonymize the Customer's Personal Data on Merchant's behalf;
2.1.7 Upon Merchant's written request, make available to Merchant all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, and allow for and co-operate with any audits. Any on-site audits shall be:
(i) permitted only on reasonable advance notice to Music Glue; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means as determined by Music Glue; and
2.1.8 Except for that Personal Data with respect to which Music Glue acts as a Data Controller, return, delete, or destroy (at Merchant's election), the Personal Data and copies thereof, at Merchant's request (unless applicable law requires the storage of such Personal Data).