Data Processing Agreement:
CUSTOMER/USER IS THE DATA CONTROLLER AND EVENTKINGDOM IS THE DATA PROCESSOR.
EventKingdom GmbH (EventKingdom) is not in the business of sharing or selling your information. We consider this information to be a vital part of our relationship with you.
Numerous customers of EventKingdom collect, process and use personal data within the meaning of the GDPR. Art. 28 of the EU General Data Protection Regulation (GDPR) obliges these customers, where this data is collected, processed or used by contractually bound contractors (contracted service providers), to commit those contractors in writing to the requirements stated in Art. 28 GDPR. EventKingdom offers its customers numerous services (invitation mailing online, guest management, check in services, paper cards, tickets, etc.). It takes the view that the majority of these services offered do not involve the collection, processing or use of personal data within the meaning of the GDPR. Incidentally, in the majority of these services offered, access to such personal data by employees of EventKingdom is excluded. Without abandoning this legal view, EventKingdom complies fully with Art. 28 GDPR and is prepared, in order to avoid legal uncertainty for its customers, to additionally conclude a fee-based agreement in writing as a contractor.
Data Controller and the Data Processor have entered into a separate SERVICE agreement known as Services Agreement, beginning with the registration at the Data Processor website TO PROVIDE ONLINE INVITATIONS, SAVE THE DATE CARDS, CARDS, GUEST MANAGEMENT & CHECK IN SERVICES known as Services.
- This Agreement is to ensure the protection and security of Personal Data that is the subject of the separate agreement, including all Personal Data passed from the customer/user (Data Controller) to the Supplier (Data Processor) for processing, or accessed by the Supplier on Data Controller’s authority for processing, or otherwise received by the Supplier for processing on Data Controller’s behalf;
- The Data Protection Laws place certain obligations upon a Data Controller to ensure that any Data Processor it engages provides sufficient guarantees to ensure that the processing of the Personal Data carried out on its behalf is secure;
- This Agreement exists further to ensure that there are sufficient security guarantees in place and that the processing complies with obligations equivalent to those required by the Data Protection Laws;
- This Agreement further defines certain service levels to be applied to all uses of Personal Data and all Personal Data related services provided by the Supplier.
- Definitions in this Background have the meanings given in the Agreement and/or the Data Protection Laws.
Definitions in this Agreement:
Data means all Personal Data collected, generated or otherwise processed by the Supplier as a result of, or in connection with, the provision of the Services.
Data Protection Laws: means:
- prior to 25 May 2018, the Data Protection Act 1998;
- from 25 May 2018, the General Data Protection Regulation (EU 2016/679) (GDPR);
- the Electronic Communications (EC Directive) Regulations 2003, together with any legislation which replaces it; and
Data Subject means an individual who is the subject of personal data.
EEA means the European Economic Area.
Losses means costs, claims, demands, actions, awards, judgments, settlements, expenses, liabilities, damages and losses (including all interest, fines, penalties, management time and legal and other professional costs and expenses).
Personal Data has the meaning given to it under the Data Protection Laws.
Records means the records referred to in Clause 1.7.1.
Services means the provision of online invitations, save the date cards, cards, guest management and check in services.
Services Agreement is described in background.
Sub Processor has the meaning set out in Clause 1.4.1.
Supervisory Authority means any data protection authority with jurisdiction over the processing of the Data.
- The Data Processor shall comply with the requirements of the Data Protection Laws in respect of the activities which are the subject of the Agreement and shall not knowingly do anything or permit anything to be done which might lead to a breach by Data Controller of the Data Protection Laws.
- The Data Processor may only process Data to the extent it relates to:
- the types of Data
- the categories of Data Subject;
- the nature and purpose,
- Without prejudice to Clause 1.2.1 the Data Processor shall:
- process the Data only in accordance with the written instructions of Data Controller, unless the Data Processor is required to process the Data for other reasons under the laws of the European Union (or a member state of the European Union) to which the Data Processor is subject. If the Data Processor is required to process the Data for these other reasons, the Data Processor shall inform Data Controller before carrying out the processing, unless prohibited by relevant law.
- immediately inform Data Controller if it believes that Data Controller’s instructions infringe the Data Protection Laws;
- have in place, and maintain throughout the term at all times in accordance with the then current good industry practice, all appropriate technical and organisational security measures against:
- unauthorised or unlawful processing, use, access to or theft of the Data; and
- loss or destruction of or damage to the Data,
- ensure that all persons authorised by the Data Processor to process Data are bound by obligations equivalent to those set out in this Clause 1;
- ensure that access to the Data is limited to:
- those Data Processor personnel who need access to the Data to meet the Data Processor's obligations under the Agreement; and
- in the case of any access by any Data Processor personnel, such Data as is strictly necessary for performance of those personnel's duties;
- if required under the Data Protection Laws, appoint a Data Protection Officer.
- The Data Processor shall provide such assistance as Data Controller requires in order for Data Controller to:
- respond to requests relating to the Data Processor's data processing from Data Subjects;
- ensure compliance with Data Controller's obligations under the Data Protection Laws, including in relation to:
- the security of processing; and
- with the preparation of any necessary data protection impact assessments and the undertaking of any necessary data protection consultations.
Transfers Outside of the EEA
- The Data Processor shall not allow any Data to be processed or transferred to any country outside of the EEA unless:
- it notifies Data Controller in writing that it intends to transfer any Data outside of the EEA;
- Data Controller provides its written consent to such transfer (which consent it may give or withhold in its absolute discretion); and
- it provides in advance of a transfer authorised under Clause 1.3.1(b) evidence to the Data Controller’s satisfaction of appropriate safeguards, as required by Data Protection Laws.
- Failure to comply with this Clause 1.3 shall be deemed a material breach of this Agreement incapable of remedy.
- The Data Processor shall not engage any third party, including a member of the Data Processor's group, to carry out processing in connection with the Services (Sub Processor) without Data Controller’s prior written consent. For the avoidance of doubt, this Clause 1.4.1 shall also apply to any replacement Sub Processor.
- Prior to allowing a Sub Processor authorised in accordance with Clause 1.4.1 to process any Data, the Data Processor shall enter into a written agreement with the Sub Processor under which Sub Processor is obliged to comply with the terms of this Clause 1. The Data Processor remains fully liable to Data Controller for any acts or omissions of any Sub Processors.
Information Provision and Data Protection Audits
- On request and at no additional charge, the Data Processor shall provide to Data Controller all information required by Data Controller to assess the Data Processor's compliance with Clause 1 and the Data Protection Laws and, to the extent possible, all information necessary for Data Controller to demonstrate Data Controller's compliance with the Data Protection Laws; and
- In order that Data Controller [and/or its authorised representative] and any Supervisory Authority may audit the Data Processor's compliance with the Data Protection Laws and the terms of this Clause 1, on request and at no additional charge the Data Processor shall provide Data Controller with:
- reasonable access to all relevant information, premises, Data, employees, agents, the Data Processor's Sub Processors and assets at all locations from which obligations of the Supplier under this Clause 1 are being or have been or should have been carried out; and
- all reasonable assistance in carrying out the audit,
Dealings with Supervisory Authorities
- The Data Processor shall promptly provide all assistance and information which is requested by any Supervisory Authority.
- The Data Processor shall immediately notify Data Controller of any request that it receives from any Supervisory Authority for assistance or information, unless prohibited by relevant law.
- The Data Processor shall maintain records of all processing activities carried out on behalf of Data Controller, including:
- the information described in Clause 1.5;
- where applicable, the name and contact details of the Data Protection Officer of the Data Processor and of any sub processors;
- the different types of processing being carried out (if applicable);
- any transfers of Data outside of the EEA [or UK], including the identification of the relevant country or international organisation and any documentation required to demonstrate suitable safeguards;
- a description of the technical and organisational security measures referred to in Clause 1.2.3,
- The Records shall be in written electronic form.
- The Data Processor shall provide the Records to Data Controller promptly on request.
On request, the Data Processor shall take all necessary action and provide Data Controller with all reasonable assistance necessary for Data Controller to comply with Data Controller’s obligations under the Data Protection Laws in relation to:
- the provision of information to Data Subjects;
- the rectification of inaccurate Data in relation to a Data Subject;
- the erasure of a Data Subject's Data; and
- the retrieval and transfer of the Data of a Data Subject.
- The Data Processor shall notify Data Controller immediately after becoming aware of any unauthorised or unlawful processing, use of, or access to the Data, or any theft of, loss of, damage to or destruction of the Data or any other Security Incident or any breach of this Clause 1. Failure to notify Data Controller shall be deemed a material breach of the Service Agreement incapable of remedy.
- In the event of a Security Incident, the Data Processor shall provide Data Controller with full co-operation and assistance in dealing with the Security Incident, in particular in relation to:
- resolving any data privacy or security issues involving any Data; and
- making any appropriate notifications to individuals affected by the Security Incident or to a Supervisory Authority.
- The Data Processor shall investigate the Security Incident in the most expedient time possible and shall then provide Data Controller as soon as possible thereafter with a detailed description of the Security Incident, the type of data that was the subject of the Security Incident, and any other information that Data Controller may request concerning the Security Incident.
- The Data Processor shall take all steps necessary to prevent a repeat of the Security Incident and shall consult with and agree those steps with the Data Controller unless immediate steps need to be taken and it is impractical to consult with Data Controller in that respect.
Return or Destruction of Data
The Data Processor shall, at Data Controller’s discretion, destroy or return all Data to Data Controller on termination of this Agreement, and shall destroy or delete all copies it holds of the Data, unless relevant local law to which the Data Processor is subject requires that Data to be retained.
If it is or becomes a requirement that, under the Data Protection Laws or other Applicable Laws, Clause 1 must be governed by the laws of a member state of the European Union.
- The Data Processor warrants that:
- it will process the Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments, including the Data Protection Laws; and
- it will take appropriate technical and organisational measures against the unauthorised or unlawful processing of Data and against the accidental loss or destruction of, or damage to Data to ensure Data Controller’s compliance with the Data Protection Laws.
- The Supplier shall notify Data Controller immediately if it becomes aware of:
- any unauthorised or unlawful processing, loss of, damage to or destruction of the Data;
- any advance in technology and methods of working which mean that Data Controller should revise the security and technical measures in place in order to protect the Data as well as the processing of the Data.
- Data Controller warrants that:
- it will provide the Data Processor with all Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments, including Data Protection Laws; and
- the Data which it supplies or discloses to the Data Processor, has been obtained fairly and lawfully; and
- it will obtain all necessary consents from persons whose Data is being processed and registrations with authorities to permit Data Controller to transfer Personal Data to third parties pursuant to its obligations under this Agreement.
The Data Processor shall on demand indemnify Data Controller from and against all Losses incurred by Data Controller or any member of its Group or any of their respective employees, officers, agents and contractors as a result of any breach by the Data Processor or any entity or individual appointed by the Data Processor to carry out its obligations of Clause 1.
The Data Processor shall comply with this Agreement in addition to its obligations under any other contract with the Data Controller (whether currently in force or entered into in the future). Where there is any inconsistency between the two, in relation to data protection law and/or confidential information this Agreement shall prevail, unless the Data Controller notifies the Data Processor otherwise in writing.
Type of Data to be Processed
The type of data to be processed results from the Service Agreement.
The type of data to be processed is the execution of the following services or tasks by Data Controller – invitations, save the date cards, cards and guest management & check in services.
Categories of Data Subject whose Data will be Processed
The Categories of Data Subjects comprise:
- Potential Customers
- Authorized Agents
- Contact Persons
Nature and Purpose of Processing
To create online invitations, save the date cards and cards for a wide variety of events. To use guest management and check in services for a wide variety of events.
Duration of Processing
The Services Agreement is authorised for an unlimited period and can be cancelled by either Party with a notice period of one week. This does not prejudice the right to termination of the contract without notice in accordance with the Services Agreement. This does not change the billing agreements entered by purchasing a service.
We use various technologies to collect information from your computer and about your activities on our site.
- We may use standard Internet technology, such as web beacons and other similar technologies, to track your use of our site. We also may include web beacons in promotional or other email messages or newsletters to determine whether messages have been opened and acted upon. EventKingdom may store such information itself or such information may be included in databases owned and maintained by EventKingdom affiliates, agents or service providers. The site may use and share such information and pool it with other information to track, for example, the total number of visitors to our site, the number of visitors to each page of our site, and the domain names of our visitors' Internet service providers. It is important to note that the information we gather through the use of tracking technologies will not be matched with any personal data.
- We automatically collect information from your browser when you visit our site. This information may include your IP address, your browser type and language, access times, the content of any undeleted cookies that your browser previously accepted from us (see "Cookies" below), and the referring website address.
- In an ongoing effort to better understand and serve the users of the EventKingdom services, EventKingdom may conduct research on its customer demographics, interests and behavior based on the personal data and other information provided to us. This research may be compiled and analyzed on an aggregate basis, and EventKingdom may share this aggregate data with its affiliates, agents and business partners. This aggregate information does not identify you personally. EventKingdom may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.
With whom we share your information:
EventKingdom is not in the business of sharing or selling your information. We consider this information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share your personal data with:
- Other Users/Event guests: Users and/or guests invited to the same events as you may be able to view your name on the guest list unless you request removal from the event host or by emailing email@example.com.
- Authorized service providers: We may also share your personal data with our authorized service providers for purposes consistent with this Data Protection Policy. These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purposes.
- Business Transfers: As we continue our business, we might sell, buy or merge businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, personal data may be part of the transferred assets.
- Agents, Consultants and Related Third Parties: EventKingdom may hire other companies to perform certain business-related functions. Examples of such functions include maintaining databases and processing payments. When we employ another company to perform a function of this nature, we only provide them with the information needed to perform their specific function.
- Other Situations. We also may disclose your information:
- In response to a subpoena or similar investigative demand, a court order, or a request for cooperation from a law enforcement or other government agency; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases, we may raise or waive any legal objection or right available to us.
- We may disclose your personal data when we believe this is appropriate in connection with efforts to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing; to protect and defend the rights or property of EventKingdom, users or the site, our employees, or others; to comply with applicable law or cooperate with law enforcement; or to enforce our Terms of service or other agreements or policies.
This Data Protection Policy applies only to EventKingdom. The site may contain links to third party websites which do not operate under this Data Protection Policy. These third-party websites may independently solicit and collect information, including personal information, from you and, in some instances, provide us with information about your activities on those websites. We suggest contacting those websites directly for information on their Data Protection policies.
How you can access your information
If you have an online account at EventKingdom, you can review and update your personal data by logging into your account. You can also review and update your personal data by contacting us. Please see the bottom of this Data Protection Policy to contact us.
If you have an online account with us, you may close your account at any time by contacting us via the "contact" link at the bottom of each page. After you close your account, you will not be able to sign in to our site or access any of your personal data. You can of course open a new account at any time. If you close your account, we may still retain certain information associated with your account for analytical purposes and recordkeeping integrity, as well as to prevent fraud, collect any fees owed, enforce our Terms of Service, take actions we deem necessary to protect the integrity of our web site or our users, or take other actions otherwise permitted by law. In addition, if certain information has already been provided to third parties as described in this Data Protection Policy, retention of that information will be subject to those third parties' policies.
You can use the site without providing any personal data when you receive EventKingdom products or other correspondence. If you choose not to provide any personal data, you will not be able to use certain EventKingdom services, such as sending EventKingdom products or other correspondence.
EventKingdom is a general audience site, and we do not knowingly collect personal information from children under the age of 13. If you are under the age of 13, please refrain from submitting any personal data through the site.
This Data Protection Policy does not apply to any personal data collected by EventKingdom other than personal data collected through the site. This Data Protection Policy shall not apply to any unsolicited information you provide to EventKingdom through this site or through any other means. This includes, but is not limited to, information posted to any public/open areas of the site, any ideas for new products or modifications to existing products, and other unsolicited submissions. All unsolicited Information shall be deemed to be non-confidential and EventKingdom shall be free to reproduce, use, disclose, and distribute such unsolicited information to others without limitation or attribution.
Every recipient of mailings sent via EventKingdom has the right to opt out of such mailings. Each mailing to recipients contains an unsubscribe link in the bottom left corner of the email. Each recipient can click on the unsubscribe link and unsubscribe from the sender of the email. If a recipient does this, mailings from this sender will no longer be sent to the recipient's email address, and the address will be marked accordingly in the recipient list.
Changes to Data Protection and signed downloadable version
It may seem necessary to occasionally update this Data Protection Policy to reflect changes in our site and business. EventKingdom therefore reserves the right to modify this Data Protection Policy at any time. When changes to this Data Protection Policy are made, we will revise the "last updated" date at the top of this Data Protection Policy. If we make any material changes in the way we collect, use, and/or share your personal information, we will notify you by sending an email to the email address you provided us in your account. We recommend that you check our Data Protection Policy from time to time to inform yourself of any changes in this Data Protection Policy, and especially before you provide any personal data. If you wish to download a digitally signed version (no charge), please go to ACCOUNT/SETTINGS.
How to contact us and further questions
If you have any questions about our Data Protection Policy or wish to send us your own General Data Protection Agreement to sign (cost: one time payment of 99,- EUR / our digitally signed version can be downloaded at no extra cost under ACCOUNT/SETTINGS), please feel free to contact us at:
EventKingdom GmbH
+49 30 91565745