This Data Processing Agreement applies to the activities that Stager B.V. (Processor) performs within the framework of the Main Agreement concluded with the Client (Controller) with regard to the processing of personal data. With this Data Processing Agreement, Stager B.V. offers a uniform set of conditions to its customers with the aim of supporting the Client in the fulfillment of their obligations arising from existing laws and regulations in the field of the protection of personal data. Should the need arise to make divergent agreements, then the Client should contact Stager B.V.
Taking into account that:
a. The Controller runs a company which organizes events and for this purpose uses software and services from the Processor;
b. The Processor is a supplier of an (online) system for the planning of events, the management of relations and the purchase, handling, processing and settlement of tickets;
c. The Parties have entered into an agreement (hereafter: the Main Agreement), whereby, in the execution thereof, it is foreseeable that the Processor will (likely) process personal data on behalf of the Controller;
d. The Parties intend to enable the Controller to fulfill his / her obligations in the role of the Controller within the meaning of the General Data Protection Regulation (hereafter: GDPR) and to ensure compliance with the obligations of the Processor to the Controller.
The words in this Data Processing Agreement have the following meaning:
a. Processor: the private company with limited liability Stager B.V. established in Rotterdam at Delftsestraat 11 (3013 AB), registered number 55142648 at the Chamber of Commerce and VAT-nummer NL851582953B01.
b. Controller: the natural person or legal entity, with whom Processor has concluded the Main Agreement for the provision of services. .
c. Personal Data: any data regarding an identified or identifiable natural person, which are or will be processed by the Processor in any way whatsoever in the context of the Agreement.
d. Main Agreement: the document, or (digital) form or any other means which constitute the agreement between Processor and Controller. The Controller provides his services or extra services to Processor, based on the terms and conditions of the Main Agreement.
e. GDPR: General Data Protection Regulation.
f. Data breach: A security incident which leads to unintentional access to Personal Data and/or the illegitimate processing of Personal Data.
g. Supervisory Authority: The Dutch 'Autoriteit Persoonsgegevens' supervises compliancy with privacy legislation.
h. Processing: any activity or combination of activities involving Personal Data, in any event including the collecting, recording, organising, storing, updating, amending, accessing, consulting, using, providing by way of forwarding, distributing or any other form of supplying, compiling, linking, as well as safeguarding, deleting or destroying of data.
i. Sub-Processor: a third party engaged by the Processor who processes Personal Data on the instructions of the Processor.
1.1 Processer processes personal data (hereafter referred to as: "the data") on behalf of the Controller, these being activities described in the framework of execution of the Main Agreement. The data is processed using the planning, customer relationship management, and ticketing system operated by the Processor on behalf of the Controller as well as the requisite payment processing and email infrastructure.
1.2 The Processor is obliged to process the data exclusively within the scope of the cooperation referred to in Article 1.1, exclusively within the territory of the European Economic Area (EEA) and to keep it for no longer than instructed by the Controller.
1.3 The Controller and the Processor are obliged to mutually and jointly draw up a continuity plan and a security plan that meet the requirements of the GDPR and maintain them. The recording of these continuity and security plans takes place through inclusion in the appendix [Appendix 3] to this Data Processing Agreement.
1.4 The Controller is willing to create with the Processor a uniform set of security and continuity measures. In the absence of a continuity and security policy provided by the Controller, the Processor will endeavour to realise an appropriate level of security, at the discretion of the Processor.
1.5 After the discovery of a Data breach, the Processor shall report this to the Controller as soon as possible, but no later than 48 hours, in order to enable him / her to meet his / her reporting obligations.
1.6 The Processor accepts that non-compliance with regard to the security and / or continuity of data processing as well as the non-compliance with the continuity plan and / or security plan as referred to in Article 1.3 or non-compliance with direct instructions from the Controller in respect of data processing may be the ground for the Controller to terminate the Main Agreement, without the Controller being obliged to pay any compensation. The Controller can only invoke this authorisation of termination after written notice of default to the Processor, stating a reasonable recovery period.
1.7 If the Main Agreement between the Controller and the Processor ends for any reason, the Processor is willing to cooperate in the transfer of the personal data to the Controller, and / or the destruction thereof at the request, and on behalf of the Controller.
1.8 The Controller, involved in the processing of Personal Data, is liable for damages caused by the processing of Personal Data which processing contravenes the terms as set out in article 82 of the GDPR.
1.9 Processor can only be held liable for damages or based on article 82 of the GDPR if the damages are a result of non-compliance with this Processing Agreement, including non-compliance with obligations specific for the processing of Personal Data of the GDPR or if and when Controller has processed Personal Data beyond the instructions duly given by the Controller. The amount of damages to be paid is limited to the amount invoiced by the Processor under the Main Agreement, in the twelve months prior to the event causing the damage.
2.1 Parties will inform each other of facts - including new laws and regulations in the field of protection of personal data - which they reasonably expect to affect the processing of personal data by the other party.
2.2 The Controller will immediately inform the Processor if the processed personal data concerns so-called special personal data.
2.3 The Processor will inform the Controller as soon as possible of any incident or unprecedented risk of incidents that could foreseeably affect or compromise the confidentiality of the data processing. The Processor will explicitly enable the Controller to fulfill his / her statutory reporting obligations of such incidents and / or those involved in order to enable them to limit identity theft or other damage.
3.1 The Processor will ensure for the training of all employees, who have access to the personal data, for the care for and protection of this data, and can demonstrate this on request. The Processor will require its employees who have access to the processed personal data to sign a confidentiality agreement, if and insofar that the relevant employees are not already subject to a professional secret.
3.2 At the first request of the Controller, the Processor will provide insight into the planning, maintenance and performance of the continuity and security measures relating to data processing, both technically and organisationally.
4.1 A Processor may use Sub-processors. The Controller agrees with the use of Sub-processors by signing this agreement. An overview of current contracted Sub-processors can be found in Appendix 2.
4.2 When changing Sub-processors, the Processor will inform the Controller about this and the Controller has the right to objectively argue against the deployment of the new Sub-processors, provided this is done within two (2) weeks after being informed about this change.
4.3 The Processor will have a written agreement with the Sub-processor, stating that Sub-processor must act in accordance with all provisions of this Processor Agreement with regard to the processing of personal data (including the Annexes of the Processor Agreement).
5.1 The Controller is entitled within the framework of this agreement periodically and / or if there are reasonable grounds to demand inspection, to request access for third parties appointed by the Controller with regard to compliance with the provisions of this agreement and / or the Wbp and the related laws and regulations arising from the obligations of the Processor. This is at the expense of the Controller and under a duty of confidentiality for any independent third party (s) involved.
5.2 The Processor is aware of the independent control powers of the Authority and will grant this supervisor access and cooperate in an investigation with regard to the personal data processed on the basis of this agreement.
5.3 The Processor is obliged to provide the Controller with full access to the data so that he / she is able to fulfill his / her obligations towards the relevant data with regard to inspection, correction and deletion.
6.1 Both parties will periodically evaluate the state of affairs concerning the security of the data processing procedure, at the request of the Controller.
6.2 Both parties are prepared to amend this agreement if the evaluations referred to above, developments in the field of legislation and regulations and / or advanced insights from supervisory authorities or changes in the state of the art so require; at the cost of the Controller.
6.3 Stager is at all times entitled to complement, modify and / or replace this Data Processing Agreement (whether or not by electronic means) and / or to declare special conditions applicable. Stager will inform the Controller at least 30 days before the implementation of such an addition, amendment and / or replacement and / or the special conditions (whether or not by electronic means).
7.1 This agreement comes into force through its inclusion in the Main Agreement and terminates by operation of law as soon as the Main Agreement between the Parties ends.
7.2 Obligations which by their nature are intended to continue after the termination of this agreement shall continue to apply after termination of the agreement.
7.4 The Processor shall make all personal data available to the Controller at the time of termination and shall then proceed with the destruction of all personal data whereby the destruction acts will be documented, and this latter documentation made available to the Controller, all this at the request and at the expense of the Controller.
Stager B.V. processes the personal details of the Client, listed below.
The Account Holder is the owner of the Stager account. In addition to data relating to the organisation such as the name of the organisation, VAT, Chamber of Commerce and IBAN number, Stager also processes personal data of the Account Holder, namely:
The Client is given the opportunity to create so-called Users. Users are employee (s) designated by the Client who are authorised to log into the Account and manage it. The personal data to be processed by Users concern:
Stager offers the Client the opportunity to store and manage the personal data of Visitors, being buyers of Tickets, persons who register for newsletters, designated employees and volunteers and suppliers and other types of Client relations by means of a so-called CRM system. The personal data to be processed is understood to mean:
The Processor uses the following Sub-processors and third parties:
a) Amazon Web Services: This Sub-processor provides the hosting of the Stager application in data centres located in Frankfurt (Germany) and Dublin (Ireland). A standard agreement has been concluded with this Sub-processor, stating that the management of personal data will only be carried out by the Processor.
b) Cash: This is a linked accounting package in which transaction data of all Vistors is stored in a data centre located in the Netherlands. The Personal Data that is stored; full name.
c) Multisafepay: The payment service provider processes payments with the Visitor. Personal data that is stored: surname, last name, address, city, country, e-mail address, bank account number.
d) Zendesk: The Processor uses Zendesk to process all support questions and chat conversations from Stager users and ticket buyers. An agreement has been concluded with this Sub-processor that complies with the GDPR.
e) Sendgrid: E-mail service provider to send emails generated with Stager. The personal data that is stored includes email address, surname, last name. An agreement has been concluded with this Sub-processor that complies with the GDPR.
f) Intercom: Application to answer ticket buyers’ and Stager users’ support questions via chat and to send important updates via in-app messages and mailings to Stager users. Personal data that is stored: surname, last name, email address, phone number. A separate Processor Agreement has been concluded with this Sub-processor.