Data Processing Organisers Additional Notes

This Data Processing Addendum (“DPA”) applies to Organisers that are subject to the EU General Data Protection Regulation (2016/EC/679) or “GDPR”), or equivalent legislation, including any amending or replacement legislation from time to time (“Applicable Data Protection Laws”), which require Flame Concepts Ltd using or any of its sites to process Personal Data on their behalf as part of Organiser’s use of the Services.

In this DPA references to “you” means the Organiser and references to “we”, “us”, “our” and “Flame Concepts Ltd” or “Flame” or “Flame Concepts” or “” means Flame Concepts Ltd and any owned and managed services you have with us (or our sites) owned and managed us including and not limited to or .   Flame Concepts Ltd is Registered in England and Wales 7994559 at Arkle House, 31 Lonsdale Street, Carlisle, CA1 1BJ with a trading address of Unit 5D Lakeland Business Park, Cockermouth, Cumbria, CA13 0QT.
The terms of this DPA are hereby incorporated in to the Flame Concepts Ltd Terms of Service or any other applicable services agreement between you and Flame Concepts Ltd (the “Agreement”).

With respect to provisions regarding Processing of Personal Data, in the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control. In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will control; except where Organiser and Flame Concepts have individually negotiated data processing terms that are different from this DPA and which meet the requirements of Applicable Data Protection Law in full, in which case those negotiated terms will control.

“Data Controller”, “Data Processor”, “Data Subject”, “Processing” and “Personal Data” shall have the meanings ascribed to them in Applicable Data Protection Laws;

“Data Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Personal Data transmitted, stored or otherwise Processed; and

“Technical and Organisational Security Measures” means security measures implemented by Flame Concepts Ltd appropriate to the type of Personal Data being Processed and the Services being provided by Flame Concepts to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure.
1. Applicability of DPA and scope of data processing activities.
1.1 In using Flame Concepts’ Services, for the purposes of Applicable Data Protection Laws, Organiser is a Data Controller of the Personal Data associated with an individual using Flame Concepts Services to register for or purchase a ticket to attend such Organiser’s event or venue (“Consumer”). Organiser agrees to Process such Personal Data in accordance with Organiser’s obligations under Applicable Data Protection Laws.

1.2 Where Flame Concepts Processes the Personal Data of Consumers on behalf of Organiser as part of the Services, Flame Concepts is a Data Processor in performing such Processing and Organiser is the Data Controller. This includes circumstances where Flame Concepts obtains Personal Data as a result of the provision of its core ticketing services (for example, where Flame facilitates the transmission of emails to Consumers at the request of Organisers, Processes payments, or provides event reports and tools to enable Organisers to gain insights into the effectiveness of various sales channels).

In respect of some Processing of Consumers’ Personal Data, Flame Concepts may act as a Data Controller, for example, where Consumers have engaged with aspects of Flame Concepts Applications beyond those relating to Organiser’s event or where Consumers’ Personal Data is Processed by Flame Concepts Ltd to conduct research and analysis to enable Flame Concepts to improve its products and features and provide targeted recommendations.

To the extent that Flame Concepts Processes Personal Data as a Data Processor on behalf of Organiser, Section 2 of this DPA shall apply, however, when Flame is acting as a Data Controller of Consumers’ Personal Data, Flame Concepts’ Processing shall not be subject to this DPA.

1.3 Details about the Personal Data to be Processed by Flame Concepts and the Processing activities to be performed under the Agreement are as follows: (i) duration – as set out in the Agreement; (ii) nature, purpose and subject matter – to enable Organiser to organise and promote events and manage ticketing using Flame Concepts Services; (iii) data categories – name, email address, billing information, information related to events booked and attended, relationship to Organiser and any other Personal Data that Organiser requests of its Consumers; (iv) data subjects – Consumers.
2. Data processing clauses.
2.1 Whenever Flame Concepts Processes Personal Data on behalf of Organiser, Flame Concepts shall:

2.1.1 Process Personal Data only on the documented instructions of Organiser, unless required to do otherwise by applicable law. Flame Concepts shall inform Organiser of the legal requirement before Processing Personal Data other than in accordance with Organiser’s instructions, unless that same law prohibits Flame Concepts Ltd from doing so on important grounds of public interest. Flame Concepts Ltd will notify Organiser if in its opinion an instruction is in breach of Applicable Data Protection Laws. Organiser hereby instructs Flame Concepts Ltd, and Flame Concepts Ltd hereby agrees, to Process Personal Data as necessary to perform Flame Concepts obligations under the Agreement and for no other purpose;

2.1.2 Have in place Technical and Organisational Security Measures to protect Personal Data;

2.1.3 Notify Organiser in the event of a Data Security Breach without undue delay and provide co-operation and assistance to Organiser to enable Organiser to comply with its obligations as a Data Controller in relation to data breach notification requirements;

2.1.4 Ensure that its personnel are subject to binding obligations of confidentiality with respect to Personal Data;

2.1.5 Impose obligations on its sub-processors that have access to Personal Data that are the same as or equivalent to those set out in this Section 2 by way of written contract, and remain fully liable to Organiser for any failure by a sub-processor to fulfil its obligations in relation to the Personal Data;

2.1.6 Provide reasonable assistance to Organiser in responding to rights requests under Applicable Data Protection Laws, complaints, or other communications received from any data protection authority or individual who is the subject of any Personal Data Processed by Flame Concepts Ltd. In the event that a Consumer submits a Personal Data deletion request to Flame Concepts Ltd, Organiser hereby instructs and authorises Flame Concepts Ltd to delete or anonymize the Consumer’s Personal Data on Organiser’s behalf;

2.1.7 Upon Organiser’s written request, make available to Organiser all information reasonably necessary to demonstrate its compliance with the obligations set out in this Section 2, and allow for and co-operate with any audits; and

2.1.8 Except for that Personal Data with respect to which Flame Concepts Ltd acts as a Data Controller, return, delete, or destroy (at Organiser’s election), the Personal Data and copies thereof, at Organiser’s request (unless applicable law or other Organisers may requires the storage of such Personal Data).

2.2 Organiser hereby consents to Flame Concepts Ltd’s current sub-processors (i.e. those companies utilised by Flame for the support and delivery of its goods and services to Orangisers on the Effective Date of this DPA, (“Current Sub-Processors”) to Process Personal Data on its behalf.

2.3 Organiser hereby consents to Flame Concepts Ltd appointing additional and replacement sub-processors (“Replacement Sub-Processors”) to Process Personal Data on its behalf.

Last updated 28th April 2018