Data Processing Addendum

This Data Processing Agreement ("DPA") applies to event Organisers that are subject to the EU General Data Protection Regulation (2016/EC/679) or "GDPR"), or equivalent legislation, including any amending or replacement legislation from time to time ("Applicable Data Protection Laws"), which require Music Glue to process Personal Data on their behalf as part of their use of the Services.

In this DPA references to "you" and “your” means the Organiser of the event and references to "we", "us", "our" and "Music Glue" means Music Glue Limited, a company incorporated in England and Wales under company number 05946870.

NOTE: To learn more about Music Glue's Terms and Conditions, take a look here and to learn more about our Privacy Policy see here.

Overview.

"Data Controller", "Data Processor", "Data Subject", "Processing" and "Personal Data" shall have the meanings ascribed to them in Applicable Data Protection Laws;

"Data Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored or otherwise Processed; and "Technical and Organisational Security Measures" means security measures implemented by Music Glue appropriate to the type of Personal Data being Processed and the Services being provided by Music Glue to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.

1. Applicability of DPA and scope of data processing activities.

1.1 In using Music Glue's Services, for the purposes of Applicable Data Protection Laws, Organiser is a Data Controller of the Personal Data associated with an individual using Music Glue Services to register for or purchase a ticket to attend such Organiser's event ("Customer"). Organiser agrees to Process such Personal Data in accordance with Organiser's obligations under Applicable Data Protection Laws.

1.2 Where Music Glue Processes the Personal Data of Customers on behalf of Organiser as part of the Services, Music Glue is a Data Processor in performing such Processing and Organiser is the Data Controller. This includes circumstances where Music Glue obtains Personal Data as a result of the provision of its core “Direct to Consumer” service (the “Direct Service”) (for example, where Music Glue facilitates Customer the provision of customer support at the request of Organisers, Processes payments, or provides event reports and tools to enable Organisers to gain insights into the effectiveness of various marketing channels).

In respect of some Processing of Customers' Personal Data, Music Glue may act as a Data Controller, for example, where Customers have engaged with aspects of Music Glue's Applications beyond those relating to Organiser's eCommerce store or where Customers' Personal Data is Processed by Music Glue to conduct research and analysis to enable Music Glue to improve its products and features.

To the extent that Music Glue Processes Personal Data as a Data Processor on behalf of Organiser, Section 2 of this DPA shall apply, however, when Music Glue is acting as a Data Controller of Customers' Personal Data, Music Glue's Processing shall not be subject to this DPA.

1.3 Details about the Personal Data to be Processed by Music Glue and the Processing activities to be performed under the Agreement are as follows: (i) duration - as set out in the Agreement; (ii) nature, purpose and subject matter - to enable Organiser to sell products including event tickets, digital content and physical products (“Items”) to your customers (“Customers”) via Music Glue’s Direct Service; (iii) data categories - name, email address, billing and payment information, information, and any other Personal Data that Organiser requests of its Customers; (iv) data subjects - Customers.

2. Data processing clauses.

2.1 Whenever Music Glue Processes Personal Data on behalf of Organiser, Music Glue shall:

2.1.1 Process Personal Data only on the documented instructions of Organiser, unless required to do otherwise by applicable law. Music Glue shall inform Organiser of the legal requirement before Processing Personal Data other than in accordance with Organiser's instructions, unless that same law prohibits Music Glue from doing so on important grounds of public interest. Music Glue will notify Organiser if in its opinion an instruction is in breach of Applicable Data Protection Laws. Organiser hereby instructs Music Glue, and Music Glue hereby agrees, to Process Personal Data as necessary to perform Music Glue's obligations under the Agreement and for no other purpose;

2.1.2 Implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;

2.1.3 Notify Organiser in the event of a Data Security Breach without undue delay and provide co-operation and assistance to Organiser to enable Organiser to comply with its obligations as a Data Controller in relation to data breach notification requirements;

2.1.4 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data;

2.1.5 In the course of providing the Direct Services, you acknowledge and agree that Music Glue may use Sub processors to Process the Personal Data. Music Glue’s use of any specific Sub processor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Music Glue and Sub processor.

2.1.6 Provide reasonable assistance to Organiser in responding to subject access and rights requests under Applicable Data Protection Laws, complaints, or other communications received from any data protection authority or individual who is the subject of any Personal Data Processed by Music Glue. In the event that a Customer submits a Personal Data deletion request to Music Glue, Organiser hereby instructs and authorises Music Glue to delete or anonymize the Customer's Personal Data on Organiser's behalf;

2.1.7 Upon Organiser's written request, make available to Organiser all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, and allow for and co-operate with any audits. Any on-site audits shall be:(i) permitted only on reasonable advance notice to Music Glue; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means as determined by Music Glue; and

2.1.8 Except for that Personal Data with respect to which Music Glue acts as a Data Controller, return, delete, or destroy (at Organiser's election), the Personal Data and copies thereof, at Organiser's request (unless applicable law requires the storage of such Personal Data).