Overview and Definitions.
The terms of this DPA are hereby incorporated into Humanity Circle’s Terms of Service, Privacy Policy or any other applicable services agreement between you and Humanity Circle (the “Agreement”).
With respect to provisions regarding Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where Organizer and Eventbrite have individually negotiated data processing terms that are different from this DPA and which meet the requirements of applicable Data Protection Laws in full, in which case those negotiated terms will control.
“CCPA” means the California Consumer Privacy Act (as amended by the California Privacy Rights Act) and associated regulations.
“Data Protection Laws” means all applicable laws or regulations related to the privacy, confidentiality and security of Personal Data.
“Business,” “Data Controller,” “Data Processor,” “Data Subject,” “Processing,” “Personal Data,” and “Service Provider” shall have the meanings ascribed to them in applicable Data Protection Laws.
“Data Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data Processed by Eventbrite on Organizer’s behalf as part of Organizer’s use of the Services.
“New EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Services” means any services provided by Eventbrite to Organizer, as defined in the Humanity Circle Terms of Service or any other applicable services agreement between Organiser and Humanity Circle.
“Technical and Organizational Security Measures” means reasonable security measures implemented by Humanity Circle appropriate to the type of Personal Data being Processed on Organiser’s behalf and the Services being provided by Humanity Circle designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
“UK SCC Addendum” means the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time.
1. Applicability of DPA and scope of data processing activities.
1.1 In using Humanity Circle’s Services, Organiser acts as a Business and is a Data Controller of the Personal Data associated with an individual using Humanity Circle’s Services, or on whose behalf an individual is using Humanity Circle’s Services, to register for or purchase a ticket to attend such Organiser’s event (“Consumer”). Organiser represents and warrants that it has provided any necessary notices and, if required, obtained any necessary consents related to the collection of such Personal Data from the Consumer and Organiser has the right to share such Personal Data with Humanity Circle.
1.2 Where Humanity Circle Processes the Personal Data of Consumers on behalf of Organiser as part of the Services, Humanity Circle is a Data Processor or Service Provider in performing such Processing and Organiser is the Data Controller or Business. This includes circumstances where Humanity Circle obtains Personal Data as a result of the provision of its core ticketing services (for example, where Humanity Circle facilitates the transmission of emails to Consumers at the request of Organisers, processes payments, or provides event reports and tools to enable Organisers to gain insights into the effectiveness of various sales channels).
In respect of some processing of Consumers’ Personal Data, Humanity Circle may act as a Data Controller or Business, for example, where Consumers have engaged with aspects of Eventbrite’s Applications beyond those relating to Organiser’s event or where Consumers’ Personal Data is Processed by Humanity Circle to conduct research and analysis to enable Humanity Circle to improve its products and features and provide targeted recommendations. With regard to such processing, Eventbrite is an independent Data Controller and not a joint Data Controller with Organiser.
To the extent that Humanity Circle processes Personal Data as a Data Processor or Service Provider on behalf of Organiser, Section 2 of this DPA shall apply; however, when Humanity Circle is acting as a Business or Data Controller of Consumers’ Personal Data, Eventbrite’s processing shall not be subject to this DPA.
1.3 Details about the Personal Data to be processed by Eventbrite and the Processing activities to be performed under the Agreement are as follows: (i) duration – as set out in the Agreement; (ii) nature, purpose and subject matter – to enable Organiser to organize and promote events and manage ticketing using Humanity Circle Services; (iii) data categories – name, email address, billing and payment information, information related to events booked and attended, relationship to Organizer and any other Personal Data that Organiser requests of its Consumers; (iv) data subjects – Consumers.
2. Data processing clauses.
2.1 Whenever Humanity Circle processes Personal Data on behalf of Organiser, Humanity Circle shall:
2.1.1 Process Personal Data only on the documented instructions of Organiser, unless required to do otherwise by applicable law. Humanity Circle shall inform Organiser of the legal requirement before processing Personal Data other than in accordance with Organiser’s instructions, unless that same law prohibits Humanity Circle from doing so on important grounds of public interest. Organiser will ensure that its instructions comply with all laws, regulations and rules applicable to the Personal Data, and that Humanity Circle’s processing of such Personal Data will not cause Humanity Circle to violate any applicable law, regulation or rule, including Data Protection Laws. Humanity Circle will notify an Organiser, if in its opinion, an instruction is in breach of applicable Data Protection Laws. Organiser hereby instructs Humanity Circle, and Humanity Circle hereby agrees, to process Personal Data as necessary to perform Humanity Circle’s obligations under the Agreement and for no other purpose, unless otherwise specified in this DPA or required to comply with the law or other binding governmental order. In the event that this DPA or any actions to be taken or contemplated in performance of this DPA do not or would not satisfy either party’s obligations under applicable Data Protection Laws, the parties shall negotiate in good faith upon an appropriate amendment to this DPA;
2.1.2 Comply with all applicable provisions of Data Protection Laws and provide the same level of protection for Personal Data as required of Organiser under Data Protection Laws. Humanity Circle will process Personal Data only as necessary to perform Humanity Circle’s obligations under the Agreement, or as otherwise permitted by Data Protection Laws. Without limiting the foregoing, Humanity Circle will not (i) “sell” or “share” the Personal Data, as such terms are defined in the CCPA; (ii) Eventbrite shall not retain, use, or disclose any such data outside of the direct business relationship between Organiser and Humanity Circle unless permitted by Data Protection Laws, or (iii) retain, use or disclose Personal Data for any purpose other than the business purposes specified in this DPA or otherwise permitted by Data Protection Laws. Humanity Circle shall comply with any applicable restrictions under Data Protection Laws on combining Personal Data with personal data that Eventbrite receives from, or on behalf of, another person or persons, or that Eventbrite collects from any interaction between it and any individual.
2.1.3 Have in place Technical and Organizational Security Measures which include, but are not limited to, the measures described here: Security
2.1.4 Notify Organiser in the event of a Data Security Breach without undue delay, unless otherwise prohibited by law or otherwise instructed by a law enforcement or data protection authority. In the event of any Data Security Breach, Eventbrite, in its sole discretion, may provide data breach notification to affected data subjects directly. Where Humanity Circle does not provide such notification, Humanity Circle shall provide reasonable assistance, where required by applicable Data Protection Laws and at Organiser’s request, to enable Organiser to comply with its data breach obligations as a Data Controller or Business;
2.1.5 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data of Consumers Processed by Eventbrite on Organiser’s behalf;
2.1.6 Impose obligations on its sub-processors that have access to Personal Data of Consumers Processed by Eventbrite on Organiser’s behalf that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain fully liable to Organiser for any failure by a sub-processor to fulfill its obligations in relation to such Personal Data;
2.1.7 Provide reasonable assistance to Organiser in responding to individual rights requests or other communications received under applicable Data Protection Laws from any applicable data protection authority or Consumer who is the subject of any Personal Data processed by Humanity Circle on Organiser’s behalf. In the event that a Consumer submits a Personal Data deletion request to Humanity Circle, Organiser hereby instructs and authorizes Humanity Circle to delete or anonymize the Consumer’s Personal Data on Organiser’s behalf. Where necessary, Organiser shall inform Humanity Circle of any other individual rights request that Humanity Circle must comply with, and provide the information necessary for Humanity Circle to comply with the request;
2.1.8 Upon Organiser’s written request, make available to Organiser all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, provide reasonable assistance with privacy and data protection impact assessments and related consultations of data protection authorities, and allow for and co-operate with any audits. Any on-site audits shall be: (i) permitted only on reasonable advance notice to Eventbrite; (ii) subject to appropriate confidentiality undertakings; and (iii) limited to once every three (3) years and only in order to evaluate a specific suspected deficiency after exhausting all other reasonable means; and
2.1.9 Except for that Personal Data with respect to which Eventbrite acts as a Data Controller or Business, return, delete, or destroy (at Organiser’s election) the Personal Data of Consumers processed on Organiser’s behalf and copies thereof, at Organiser’s request (unless applicable law requires the storage of such Personal Data).
2.2 Organiser hereby consents and authorizes Eventbrite to disclose or transfer Personal Data to, or allow access to Personal Data by, Humanity Circle’s current sub-processors (i.e. those listed on Eventbrite’s website on the Effective Date of this DPA or the Agreement, whichever is later) (“Current Sub-Processors”) to process Personal Data on Organizer’s behalf.
2.3 Organizer hereby consents to Humanity Circle’s appointing additional and replacement sub-processors (“Replacement Sub-Processors”) to process Personal Data on Organiser’s behalf. Humanity Circle shall give notice to Organiser of the identity of intended Replacement Sub-Processors (i) via email where Organiser has opted in to receive such email notifications and (ii) by updating Humanity Circle’s website (Organiser is responsible for regularly checking and reviewing Humanity Circle’s website for any such changes). Humanity Circle shall also give the Organiser the opportunity to object to such changes that take place after the Effective Date of the Agreement, in accordance with the terms that follow in Section 2.4 of this DPA.
For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with the terms herein, and shall not apply in relation to Current Sub-Processors.
2.4 Organiser shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of Humanity Circle posting the changes on its website. Organiser shall send its objection to support@wellness.humanitycircle.com with the subject line ‘Objection to Replacement Sub-Processor’.
Provided that Organiser’s objection: (i) concerns the Replacement Sub-Processor’s ability to allow Humanity Circle to materially comply with its data protection obligations under this DPA; and (ii) includes sufficient detail to support its objection and provides specific examples, Eventbrite will then use commercially reasonable efforts to review and respond to Organiser’s objection within thirty (30) days of receipt of Organiser’s objection with Humanity Circle’s determined method of accommodation.
If Humanity Circle determines in its sole discretion that it cannot reasonably accommodate Organiser’s objection, upon notice from Humanity Circle, Organiser may choose to terminate the Agreement by providing written notice to Humanity Circle, and complying with the terms herein, which shall be Organiser’s sole and exclusive remedy. Without limiting the generality of the foregoing, Organiser’s termination right under this Section 2.4 will be deemed an additional termination right of Organiser under the “Term and Termination” Section of the Agreement (if any) and if exercised will be deemed a termination pursuant to such Section. Such written notice must be sent to support@wellness.humanitycircle.com and must specifically reference this Section 2.4 of the DPA. The day Humanity Circle receives an Organiser’s written termination notice under this Section 2.4 will be referred to as the “Objection Date” in this DPA. Should Organiser choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this Section 2 shall relieve Organiser from any of its payment and/or repayment obligations to Humanity Circle under the Agreement.
Without limiting Humanity Circle’s other rights and remedies, if Organiser terminates the Agreement pursuant to this Section 2.4, then Organiser will immediately pay to Humanity Circle (1) all amounts accruing and owed to Humanity Circle, including, without limitation, obligations to pay and/or repay Humanity Circle for Fees, Sponsorship Payments, Advances, and/or Advance payments of Event Registration Fees, as such terms are defined in the Agreement and only to the extent applicable to Organiser, (2) if the Agreement includes a minimum number of tickets Organiser must sell, a minimum amount of Event Registration Fees or Humanity Circle Services Fees that must be processed (each such sales or processing threshold, a “Minimum Threshold”), and/or a requirement to pay Humanity Circle the portion of Service Fees Eventbrite would have received had a Minimum Threshold been met, then Organiser agrees to pay Humanity Circle an amount equal to (x) the amount that Humanity Circle would have received in Service Fees had the Minimum Threshold been met in each year of the term up to the date of such termination (with such Minimum Threshold prorated as to any partial year of the Term), less (y) the amount that Humanity Circle actually received in Service Fees attributable to Organiser’s sales during the Term up to the date of such termination; and (3) 80% of the anticipated Fees Eventbrite would have earned during the remainder of the Term had the Agreement not been terminated with respect to (x) events on sale on the Site as of the Objection Date, and (y) any future events contemplated under the Agreement intended to go live in the ninety (90) days following the Objection Date.
2.5 Humanity Circle hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them. Humanity Circle will notify Organiser if Humanity Circle makes a determination that it can no longer meet its obligations under Data Protection Laws.
2.6 Organiser shall have the right, upon fourteen (14) business days’ notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Eventbrite.
3. Cross-Border Transfers.
3.1 Organiser agrees that Humanity Circle may transfer Personal Data of Consumers to various locations in connection with providing the Services. Transfers will be made in accordance with legally enforceable transfer mechanisms where required by applicable Data Protection Laws. Humanity Circle’s exclusive transfer mechanism for data exported from the European Economic Area.
3.2 UK Transfers. With respect to Humanity Circle Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCC Addendum forms part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCC Addendum, unless the United Kingdom issues updates to the UK SCC Addendum, in which case the updated UK SCC Addendum will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCC Addendum. Organizer hereby agrees to enter into the UK SCC Addendum.
3.4. EEA Transfers. With respect to Personal Data transferred from the European Economic Area, the New EU SCCs incorporated herein shall apply and form part of this DPA. In the event of a conflict between any provision of the New EU SCCs and any provision of this DPA, the New EU SCCs will control to the extent of conflicts.