Data Processing Agreement

This Data Processing Addendum (“DPA”) applies to a Promoter who is subject to the EU General Data Protection Regulation (EU) 2016/679 or “GDPR”, or any similar and applicable legislation, and who requires Nevent to process Personal Information (which is subject to the GDPR) on their behalf as part of the Promoter’s use of Nevent’s Services.

In this DPA references to “you” means the Promoter and references to “we”, “us”, “our” and “Nevent” means Nevent Pty Ltd, an Australian company ABN 96 606 311 095.

NOTE: To learn more about the applicable terms for a Promoter’s use of Nevent’s Services go to Nevent’s Terms of Service (PROMOTERS).

1) General

a) The terms of this DPA are hereby incorporated in to Nevent’s Terms of Service (PROMOTERS) or any other applicable services agreement between you and Nevent (the “Agreement”).

b) With respect to provisions regarding Processing of Personal Information, this Agreement is supplemental to the Agreement and in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail unless the Promoter and Nevent have individually negotiated data processing terms that are different from this DPA and which meet the requirements of the GDPR in full, in which case those negotiated terms will control.

“Data Controller”, “Data Processor”, “Data Subject”, and “Processing” shall have the meanings ascribed to them in GDPR;

“Personal Information” shall mean the same meaning ascribed to “Personal Data” in the GDPR.

“Data Security Breach” means a breach of security which causes the destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Information transmitted, stored or otherwise Processed; and

“Services” means a Campaign or Audience Manager (both of which are described and accessible on our Site) or other tools or services offered by Nevent to the Promoter from time to time.

“Technical and Organisational Security Measures” means security measures implemented by Nevent appropriate to the type of Personal Information being Processed and the Services being provided by Nevent to protect Personal Information against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.

2) Applicability Of DPA And Scope Of Data Processing Activities

a) In using Nevent’s Services and for the purposes of GDPR, the Promoter is a Data Controller of the Personal Information associated with an individual (a “Fan”) who:

i) uses Nevent’s Site to register for a Campaign conducted by the Promoter; or

ii) is otherwise recorded in the Promoter’s database when the Promoter’s database is uploaded to, or integrated with Audience Manager.

The Promoter agrees to Process a Fan’s Personal Information in accordance with the Promoter’s obligations under GDPR and any other applicable data protection laws including the Australian Privacy Act 1988 (Cth). The Promoter indemnifies Nevent against all costs, claims, damages and expenses incurred by Nevent or for which Nevent may become liable due to any failure by the Promoter or the Promoter’s employees or sub-contractors to comply with any obligations under this Agreement, applicable Data Protection Laws, or our instructions.

b) When Nevent Processes the Personal Information of Fans on behalf of the Promoter as part of the Services, Nevent is a Data Processor in performing such Processing and the Promoter is the Data Controller. This includes circumstances where Nevent obtains Personal Information as a result of enabling the Promoter to import the Personal Information of Fans into Audience Manager.

c) In respect of some Processing of Fans’ Personal Information, Nevent will act as a Data Controller, for example, where Fans have engaged with a Campaign and Personal Information is Processed by Nevent.

d) To the extent that Nevent Processes Personal Information as a Data Processor on behalf of the Promoter, clause 3) of this DPA shall apply. When, and to the extent that Nevent is not acting as a Data Processor on behalf of the Promoter, Nevent’s Processing shall not be subject to this DPA.

e) Details about the Personal Information to be Processed by Nevent and the Processing activities to be performed under the Agreement are as follows:

i) duration – as set out in the Agreement;

ii) nature, purpose and subject matter – to enable the Promoter to conduct a Campaign (including the promotion of the Promoter’s products and/or services) or use Audience Manager;

iii) data categories – Personal Information as described in the Privacy Policy.

3) Data Processing Clauses

a) Whenever Nevent Processes Personal Information on behalf of the Promoter, Nevent shall:

i) Process Personal Information according to the Promoter’s documented instructions, unless required to do otherwise by applicable law. Nevent shall inform the Promoter before Processing Personal Information if there is some legal requirement to Process other than in accordance with the Promoter’s instructions, unless that same law prohibits Nevent from doing so. Nevent will notify the Promoter if in its opinion an instruction is in breach of GDPR. The Promoter hereby instructs Nevent, and Nevent hereby agrees, to Process Personal Information as necessary to perform Nevent’s obligations under the Terms of Service (PROMOTERS) relevant to Campaigns and Audience Manager;

ii) Have in place Technical and Organisational Security Measures to protect Personal Information;

iii) Notify the Promoter in the event of a Data Security Breach without undue delay and assist the Promoter to enable the Promoter to comply with its obligations as a Data Controller in relation to data breach notification requirements;

iv) Ensure its employees have committed themselves to keeping Personal Information confidential by signing binding confidentiality undertakings in the terms of their engagement;

v) Impose obligations on its sub-processors that have access to Personal Information that are the same as or equivalent to those set out in this clause 3) by way of written contract;

vi) Provide reasonable assistance to the Promoter in responding to rights requests under GDPR, complaints, or other communications received from any data protection authority or a Fan. In the event that a Fan submits a Personal Information deletion request to Nevent with respect to their Personal Information controlled by the Promoter, then the Promoter hereby authorises Nevent to delete or anonymize the Fan’s Personal Information on the Promoter’s behalf;

vii) Upon the Promoter’s written request, make available to the Promoter information which is reasonably necessary to demonstrate its compliance with the obligations set out in this clause ; and

viii) Except for that Personal Information with respect to which Nevent acts as a Data Controller, return, delete, or destroy (at the Promoter’s election), the Personal Information and copies thereof, at the Promoter’s request (unless applicable law requires the storage of such Personal Information).

4) Sub-processors

a) The Promoter hereby consents to Nevent’s current sub-processors (i.e. those third parties described in Nevent’s Privacy Policy,) (“Current Sub-Processors”) to Process Personal Information on its behalf.

b) The Promoter hereby consents to Nevent appointing additional and replacement sub-processors (“Replacement Sub-Processors”) to Process Personal Information on its behalf. Nevent shall:

i) notify the Promoter if there is a Replacement Sub-Processor via Nevent’s website. (The Promoter should regularly check and review Nevent’s website for any such changes because Nevent’s website shall be the sole means of Nevent notifying any such changes); and

ii) give the Promoter the opportunity to object to such changes that take place after the Effective Date of the Agreement.

c) For the avoidance of doubt, any termination rights available herein shall only apply in the instance of objections to Replacement Sub-Processors appointed after the Effective Date of this DPA that are not remedied in accordance with these terms and shall not apply in relation to Current Sub-Processors.

d) The Promoter shall raise any objection to the appointment of Replacement Sub-Processors within ten (10) days of Nevent posting the changes on its website by sending its objection to privacy@audiencerepublic.com with the subject line ‘Legal Objection to Replacement Sub-Processor’.

e) Provided that the Promoter’s objection:

i) concerns the Replacement Sub-Processor’s ability to allow Nevent to materially comply with its data protection obligations under this DPA; and

ii) includes sufficient detail to support its objection and provide specific examples,

Nevent will then use commercially reasonable efforts to review and respond to the Promoter’s objection within thirty (30) days. If Nevent does not view the objection as providing sufficient supporting detail, the objection shall be deemed invalid and Nevent has no further obligations.

f) If Nevent determines in its sole discretion that it cannot reasonably accommodate the Promoter’s objection, upon notice from Nevent, the Promoter may choose to terminate the Agreement by providing written notice to Nevent, and complying with these terms, which shall be the Promoter’s sole and exclusive remedy. Should the Promoter choose to terminate the Agreement as a result of a Replacement Sub-Processor, then nothing in this clause shall relieve the Promoter from any of its payment and/or repayment obligations to Nevent under the Agreement. Without limiting Nevent’s other rights and remedies, if the Promoter terminates the Agreement pursuant to this clause f), then the Promoter will immediately pay to Nevent all amounts accruing and owed to Nevent, including, without limitation, obligations to pay and/or repay Nevent for any Fees otherwise payable under the Agreement.

Updated July 2018