GDPR Addendum

Last updated: April 20, 2018

This GDPR Addendum is hereby incorporated into YAPSODY’s Terms of Use located at www.yapsody.com/ticketing/terms-of-use and applies to Sellers that are subject to the EU General Data Protection Regulation (“GDPR”) (“GDPR Sellers”). In the event of a conflict between this GDPR Addendum and any portion of YAPSODY’s Terms of Use as related to GDPR Sellers, the GDPR Addendum shall control.

Definitions

The following definitions shall apply throughout this GDPR Addendum.  Any capitalized term not defined herein shall be given the definition set forth in the Terms Of Use.

  • Data Controller: An entity that determines the purposes, conditions and means of the processing of Personal Data.
  • Data Processing: Any operation (automated or manual) performed on Personal Data including its collection, use, recording, etc.  This includes YAPSODY’s facilitation or transmission of emails, processing of payment transactions, and providing reports containing Personal Data
  • Data Processor: Refers to YAPSODY, which is the entity that engages in Data Processing on behalf of the Data Controller
  • Data Sub-processors: Refers to third parties (generally API Services) authorized by YAPSODY to conduct Data Processing on behalf of YAPSODY or a GDPR Seller, a list of which can be found at www.yapsody.com/ticketing/gdpr/sub-processors (“Data Sub-processor Webpage”).
  • Personal Data: Any information which (i) is related to, and that can be used to directly or indirectly identify a User (Customer or Seller) and (ii) is collected through and/or processed via YAPSODY.  This includes data such as names, addresses, email addresses, phone numbers, and Electronic Payment Data.
  • Personal Data Breach: A breach of security resulting in the accidental or unlawful processing, use, misappropriation, corruption, or loss of Personal Data
  • Personal Data Security Measures: Measures implemented by YAPSODY to prevent a Personal Data Breach.

Scope and Applicability

GDPR Seller acts as a Data Controller with respect to Personal Data on a GDPR Seller’s Customers and its use of that data for communicating or transacting with those Customers. Similarly, YAPSODY acts as a Data Controller with respect to Personal Data on Users collected during a User’s engagement with YAPSODY and its use of that data for communicating or transacting with those Users. Both GDPR Seller and YAPSODY agree not to engage in, request or permit Data Processing in any manner that contravenes the GDPR.

Data Processing

The following shall apply only insofar as YAPSODY is acting as a Data Processor (as opposed to a Data Controller).

YAPSODY shall engage in Data Processing on behalf of GDPR Sellers only upon a GDPR Seller’s documented request or as otherwise required to by law (in which case YAPSODY would first inform GDPR Seller of such legal requirements unless legally prohibited from doing so). However, if YAPSODY believes that a GDPR Seller’s request is a potential breach of the GDPR, YAPSODY shall notify the GDPR Seller thereof in writing, and GDPR Seller agrees that YAPSODY may, in its sole discretion, refuse to honor GDPR Seller’s request to the extent required to remain in compliance.

YAPSODY shall have Personal Data Security Measures in place to protect Personal Data. YAPSODY will ensure that its employees, contractors, agents, and Data Sub-processors are aware of and contractually bound to the legal obligations to maintain confidentiality of Personal Data and their responsibility to YAPSODY and GDPR Sellers for any breach of those obligations. In the event of a Personal Data Breach, YAPSODY shall promptly notify GDPR Sellers whose Customers were, or may have been, affected. In such cases, YAPSODY shall work with and assist GDPR Sellers in any manner reasonably required to enable such GDPR Sellers to satisfy their obligations as Data Controllers, which includes notifying relevant Customers of the Personal Data Breach.

In the event that a Customer submits a written request for his/her Personal Data to be deleted (which request must be authenticated before any action is taken), GDPR Seller hereby instructs and authorizes YAPSODY to delete the Personal Data or otherwise modify it to the extent required by law so that the Customer cannot be identified. Furthermore, GDPR Seller agrees to forward to YAPSODY any requests or complaints related to Personal Data received from Customers and regulatory agencies; and YAPSODY agrees to assist GDPR Seller in its response thereto. GDPR Seller acknowledges that YAPSODY may have no obligation to delete, block or modify any Personal Data for which YAPSODY acts as Data Controller.

YAPSODY shall make available to GDPR Sellers reasonable evidence of its compliance under GDPR by cooperating with requests for audits, provided that such audits are conducted on site, scheduled with reasonable advance notice, conducted in adherence to Personal Data Security Measures, limited in scope to the investigation of a specific suspected breach, and limited to once every 3 years; and also provided that other reasonable investigative means have been exhausted — all of the foregoing as reasonably determined by YAPSODY.

Data Sub-processors

GDPR Seller hereby consents to YAPSODY’s use of Data Sub-processors. The list of Data Sub-processors, including notification of changes which will occur from time to time, can be found on the Data Sub-processor Webpage. It is GDPR Seller’s responsibility to regularly check and review the Data Sub-processor Webpage for such changes.

GDPR Sellers may raise objections to changes in Data Sub-processors by sending notices thereof to YAPSODY within 10 days of such changes being posted on the Data Sub-processor Webpage. YAPSODY will use commercially reasonable efforts to respond to a GDPR Seller’s objection within 30 days of receipt thereof provided that the objection includes sufficient detail and examples to support reasonable concerns that a change interferes with YAPSODY’s ability to comply with its obligations under the GDPR. Objection notices that do not meet this requirement shall be considered invalid.

If YAPSODY determines in its sole discretion that it cannot reasonably accommodate a GDPR Seller’s objection, then upon notice from YAPSODY, GDPR Seller’s sole and exclusive remedy shall be to terminate any agreements for the use of YAPSODY by refraining from further use of YAPSODY. Notwithstanding anything to the contrary, such termination shall not relieve GDPR Seller of any payment obligations to YAPSODY incurred prior to the termination.

Notices

All notices from GDPR Sellers to YAPSODY pursuant to this GDPR Addendum shall be sent via email to GDPR@yapsody.com.