Last updated: 1 June 2021
This Data Processing Agreement applies to the activities that Stager B.V. (Processor) performs within the framework of the Main Agreement concluded with the Client (Controller) with regard to the processing of personal data. With this Data Processing Agreement, Stager B.V. offers a uniform set of conditions to its customers with the aim of supporting the Client in the fulfillment of its obligations in the role of Controller, within the meaning of the General Data Protection Regulation.
Taking into account that:
* The Controller runs a company which organises Events and for this purpose uses System and Services from the Processor;
* The Processor is a supplier of an (online) system for the planning and marketing of Events, the management of its relations and the sale of Tickets;
* The parties have entered into an agreement (hereafter: the Main Agreement), whereby, in the execution thereof, it is foreseeable that the Processor will (likely) process personal data on behalf of the Controller;
* The parties intend to enable the Controller to fulfill his / her obligations in the role of the Controller within the meaning of the General Data Protection Regulation (hereafter: GDPR) and to ensure compliance with the obligations of the Processor to the Controller.
Declare the following to be agreed:
The words in this Data Processing Agreement have the following meaning, providing that when terms are equal or similar to terms used in the GDPR they shall have the same meaning as in the GDPR:
a. Processor: the private company with limited liability Stager B.V. established in Rotterdam at Zomerhofstraat 82 (3032 CM), registered under number 55142648 at the Chamber of Commerce and VAT-number NL851582953B01.
b. Controller: the natural person or legal entity, with whom Processor has concluded the Main Agreement for the provision of Services.
c.System: the platform made available online by Stager to the Controller for the planning and marketing of Events to be organized by or on behalf of the Controller, the management of its relations, and the sale of Tickets.
d. Services: the provision of the System by Stager via the internet including the management, maintenance and hosting thereof, as well as the development of new versions of the System, whereby (new) components of the System are not developed or maintained specifically for the Controller.
e. Additional Services: services provided by Stager, not being the Services.
f. Ticket(s): the admission ticket of an Event organized by or on behalf of the Controller or products and services related to the Event that is offered to Visitors by means of the System by the Controller.
g. Event: the public or private Event organized by or on behalf of the Controller.
h. The Visitor: the legal entity or natural person who purchases a Ticket from the Controller for an Event via the System.
i. Personal Data: any data regarding an identified or identifiable natural person, which are or will be processed by the Processor in any way whatsoever in the context of the Main Agreement.
j. Main Agreement: the document, or (digital) form or any other means which constitute the agreement between Processor and Controller. The Controller provides his Services or extra services to the Processor, based on the terms and conditions of the Main Agreement.
k. GDPR: General Data Protection Regulation.
l. Data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
m. Supervisory Authority: The applicable Data Protection Authority that supervises compliance with privacy legislation, in general the Dutch ‘Autoriteit Persoonsgegevens’.
n. Processing: any activity or combination of activities involving Personal Data.
o. Sub-Processor: a third party engaged by the Processor who processes Personal Data for the Controller.
a. Processor processes personal data (hereafter referred to as: "the data") solely on behalf and on instruction of the Controller, these being activities described in the framework of execution of the Main Agreement. The data is processed using the System operated by the Processor on behalf of the Controller as well as the requisite payment processing and email infrastructure. The types of personal data are specified in the appendix [Appendix 1] to this Data Processing Agreement. The Controller will immediately inform the Processor if the processed personal data concerns so-called special personal data.
b. The Processor is obliged to process the data exclusively within the scope of the cooperation referred to in Article 1.a and to keep it for no longer than instructed by the Controller. The data is processed within the territory of the European Economic Area (EEA), or by sub-processors and third parties that process data outside the EEA in countries that guarantee an appropriate level of protection and respect the rules on the transfer of personal data to such countries. The Processor shall not process any data on its own behalf or for its own objectives.
c. The Controller and the Processor are obliged to mutually draw up a security plan that meets the requirements of the GDPR and maintain them. The recording of this security plan takes place through inclusion in an appendix to this Data Processing Agreement.
d. The Processor accepts that non-compliance with regard to the security of data processing as well as the non-compliance with the security plan as referred to in Article 1.c or non-compliance with direct instructions from the Controller in respect of data processing may be the ground for the Controller to terminate the Main Agreement, without the Controller being obliged to pay any compensation. The Controller can only invoke this authorisation of termination after written notice of default to the Processor, stating a reasonable recovery period.
e. In case applicable privacy legislation requires a Privacy Impact Assessment (“PIA”) to be conducted before the intended processing under the Main Agreement and this Data Processing Agreement may be carried out, then the Processor shall provide the Controller with assistance to the extent necessary and reasonable. The Processor may charge reasonable costs for the aforementioned assistance.
a. In the event of a security leak and/ or the leaking of data, as referred to in article 4 (12) of the GDPR, the Processor will endeavor, to the best of its ability, to notify the Controller thereof within 72 hours after discovery, after which the Controller shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). The Processor will endeavor that the furnished information is complete, correct and accurate.
b. If required by law and/or regulation, the Processor shall cooperate in notifying the relevant authorities and/or Data subjects. The Controller remains the responsible party for any statutory obligations in respect thereof.
c. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:
I. the (suspected) cause of the leak;
II. the (currently known and/or anticipated) consequences thereof;
III. the (proposed) solution;
IV. the measures that have already been taken.
a. The Processor will require its employees who have access to the processed personal data to sign a confidentiality agreement, if and insofar that the relevant employees are not already subject to professional confidentiality.
b. At the first request of the Controller, the Processor will provide insight into the planning, maintenance and performance of the security measures relating to data processing.
a. The Controller hereby gives the Processor permission to use Sub-processors in the processing of personal data under this Data Processing Agreement. An overview of current contracted Sub-processors can be found in Appendix 2.
b. When changing Sub-processors, the Processor will inform the Controller about this and the Controller has the right to objectively argue against the deployment of the new Sub-processors, provided this is done within two (2) weeks after being informed about this change. When the Controller objects, the parties shall cooperate to find a solution.
c. The Processor will have a written agreement with the Sub-processor, stating that Sub-processor must act in accordance with all provisions of this Data Processing Agreement with regard to the processing of personal data (including the Appendixes of the Data Processing Agreement). The Processor shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.
a. The Controller has the right to have audits performed by an independent third party bound by confidentiality to check Processor’s compliance with this Data Processing Agreement.
b. Such audits may only take place after: the Controller has requested (from the Processor) the similar audit reports from independent third parties that are already in Processor’s possession; and the Controller has reviewed the aforementioned audit reports and can provide legitimate reasons to initiate an audit as mentioned in article 5.a.
c. An audit, as mentioned in 5.a, may only be undertaken once per calendar year. At least two weeks before an audit can take place, the Controller shall inform the Processor of the audit.
d. The Processor shall cooperate with the audit and provide all information reasonably relevant for the audit, including supporting data such as system logs as promptly as possible.
e. The findings further to the audit conducted will be assessed by the parties in mutual consultation and, following on from this, may or may not be implemented by one of the parties or by both parties together.
f. The costs of the audit, including the costs that the Processor has to make to cooperate with the audit, shall be borne by the Controller.
g. Aside from the audit, the Controller is at any time obliged to provide the Processor with any information the Processor deems necessary for its performance under this Data Processing Agreement.
a. Where a data subject submits a request to the Processor regarding his/her personal data (for example, to inspect, correct or delete the data, or to receive a copy of the data), the Processor will forward the data subject to the Controller and the request will then be dealt with by the Controller. The Processor may notify the data subject hereof. On request of the Controller, the Processor will provide assistance with handling such a request to the extent necessary and reasonable. The Processor may charge reasonable costs for such assistance.
a. The liability of the Processor towards the Controller on any grounds whatsoever is limited per event (whereby a series of related events counts as one event) to the amounts paid by the Controller to the Processor (based on the Main Agreement) in the six months prior to the event that caused the damage, subject to a maximum of the amount of damages actually covered by the data security insurance of the Processor.
b. Liability on the part of the Processor for any indirect losses or damages, including consequential damage, is excluded.
c. Liability on the part of the Processor for an attributable failure to comply with this data processing agreement only arises if the Controller provides the Processor with a proper notice of default in writing without delay, while providing the Processor a reasonable term to remedy the failure, and the Processor remains in default with regard to its obligations under this Data Processing Agreement after that term as well.
d. The previous paragraphs of this article and any other exoneration or limitation of liability stated in this Data Processing Agreement is not applicable in the event of willful misconduct or deliberate recklessness on the part of the management of the Processor.
a. This Data Processing Agreement may only be amended by the parties subject to mutual consent.
b. Both parties are prepared to amend this Data Processing Agreement if the developments in the field of legislation and regulations and / or new insights from supervisory authorities or changes in the state of the art require so.
a. This agreement comes into force through its inclusion in the Main Agreement and terminates by operation of law as soon as the Main Agreement between the parties ends.
b. Obligations which by their nature are intended to continue after the termination of the Main Agreement shall continue to apply after termination of the Main Agreement.
c. The Processor shall make all personal data available to the Controller at the time of termination and shall then proceed with the destruction of all personal data whereby the destruction acts will be documented, and this latter documentation made available to the Controller, all this at the request and at the expense of the Controller.
a. This Data Processing Agreement is governed by the laws of the Netherlands.
b. All disputes arising from or in connection with this Data Processing Agreement will exclusively be submitted to the competent court in Rotterdam.
a. If one or more of the provisions of this Data Processing Agreement is null and void or is nullified, the other provisions of this Data Processing Agreement will remain in full force. The Processor and Controller shall replace the relevant provision by a new, comparable provision.
Stager B.V. processes the personal details for the Controller, listed below.
The Controller is given the opportunity to create so-called Users. Users are employee(s) designated by the Controller who are authorised to log into the System and manage it. The personal data to be processed by Users concern:
Stager offers the Controller the opportunity to store and manage the personal data of Visitors, being buyers of Tickets, persons who register for newsletters, designated employees and volunteers and suppliers and other types of Controller relations by means of a so-called CRM system. The personal data to be processed is understood to mean:
The Processor uses the following Sub-processors and third parties: