Last updated: November 15, 2023
This Data Processing Addendum (including its appendices) (“DPA”) forms part of and is incorporated in the Agreement between Client and Victory Live. As used herein, “Agreement” refers to an agreement or terms of service, and any associated contractual document between the parties, applicable to software and services provided by Victory Live, Inc. and/or any of its subsidiaries, affiliates and divisions as may change from time to time (collectively, “Victory Live”). As used herein, “Client” refers to the individual or entity subject to the Agreement.
This DPA will be effective as of the effective date of the Agreement. To the extent of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA will govern.
1. Definitions. For purposes of this DPA:
a. “Data Privacy Laws” means all applicable laws, regulations, and other legal or self-regulatory requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., including its regulations and the amendments made by the California Privacy Rights Act of 2020 (“CCPA”), other U.S. federal or state privacy laws (together with the CCPA, “U.S. Privacy Laws”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”), and the Swiss Federal Act on Data Protection (“FADP”). For the avoidance of doubt, each party is only responsible for the Data Privacy Laws applicable to it.
b. “Data Subject” means an identified or identifiable natural person about whom Personal Data relates.
c. “EU SCCs” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, located at http://data.europa.eu/eli/dec_impl/2021/914/oj, completed as set forth in this DPA.
d. “Personal Data” includes “personal data,” “personal information,” “personally identifiable information,” and similar terms, and such terms shall have the same meaning as defined by applicable Data Privacy Laws, that is Processed in relation to the Agreement.
e. “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
f. “Process,” “Processed,” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g. “Sub processor” means any Victory Live affiliate or subcontractor engaged by Victory Live for the Processing of Personal Data.
h. “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-DPA.pdf), completed as set forth in this DPA.
This DPA applies to the Personal Data that Victory Live receives from Client, or otherwise Processes for or on behalf of Client, through the ticket management services that Victory Live provides under the Agreement (the “Services”).
3. Roles of the Parties; Client Responsibilities
a. Client acknowledges that it is either (i) using the Services as the lawful owner of a physical or virtual ticket allowing entry into an event (“Ticket”) and, therefore, is considered to be a “controller” or “business” under Data Privacy Laws and that Victory Live is a “processor” or “service provider” under Data Privacy Laws; or (ii) using the Services as a “processor” or “service provider” under Data Privacy Laws, in which case Victory Live acts as Client’s processor (i.e. subprocessor) or service provider.
b. Client will comply with all applicable laws, including that it will establish legal bases for its and Victory Live’s Processing of Personal Data and obtain any consents required under Data Privacy Laws for Victory Live to Process the Personal Data and provide the Services.
4. Purposes of Processing
a. Victory Live will Process Personal Data solely: (1) to fulfill its obligations to Client under the Agreement, including this DPA; (2) on Client’s behalf; and (3) in compliance with Data Privacy Laws. Except as explicitly permitted by Data Privacy Laws, Victory Live will:
i. not retain, use, or disclose the Personal Data outside of the direct business relationship between Client and Victory Live except as explicitly permitted by Data Privacy Laws;
ii. not “sell” or “share” any Personal Data, as such terms are defined in applicable U.S. Privacy Laws, to any third party;
iii. not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Client’s express written permission;
iv. not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Client;
v. comply with any applicable restrictions under Data Privacy Laws on combining the Personal Data with personal data that Victory Live receives from, or on behalf of, another person or persons, or that Victory Live collects from any interaction between it and any individual;
vi. provide the same level of protection for the Personal Data as is required under Data Privacy Laws applicable to Client;
vii. not otherwise engage in any Processing of the Personal Data that is prohibited or not permitted by “processors” or “service providers” under Data Privacy Laws; and
viii. promptly notify Client if Victory Live determines that (a) it can no longer meet its obligations under this DPA or Data Privacy Laws; or (b) it has breached this DPA, and shall cooperate to remediate such breach; or (c) in Victory Live’s opinion, an instruction from Client infringes Data Privacy Laws.
b. Client retains the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA.
5. Personal Data Processing Requirements. Victory Live will:
a. Ensure that the persons Victory Live authorizes to Process the Personal Data are subject to a written confidentiality agreement covering such data or are under an appropriate statutory obligation of confidentiality.
b. Assist Client by appropriate technical and organizational measures, in so far as this is possible, for the fulfillment of Client’s obligation to honor requests by individuals (or their representatives) to exercise their rights under the Data Privacy Laws (such as rights to access or delete their Personal Data).
c. Notify Client of (i) any third-party or Data Subject complaints regarding the Processing of Personal Data; or (ii) any government or Data Subject requests for access to or information about Victory Live’s Processing of Personal Data, unless prohibited by applicable law. If Victory Live receives a third-party, Data Subject, or governmental request, Victory Live will, subject to legal obligations, await written instructions from Client on how, if at all, to assist in responding to the request. Victory Live will provide Client with reasonable cooperation and assistance in relation to any such request.
d. Assist Client in its performance of a data protection impact assessment of Processing or proposed Processing of Personal Data, when required by applicable Data Privacy Laws, by providing Client with access to documentation for the Services. Additional support for data protection impact assessments will require a statement of work and mutual agreement on fees, the scope of Victory Live’s involvement, and any other terms that the parties deem appropriate.
e. Assist Client in its consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Victory Live under Data Privacy Laws to consult with a regulatory authority in relation to Victory Live’s Processing or proposed Processing of Personal Data, by providing Client with access to documentation for the Services. Additional support for consultation with regulators is available at Client expense and will require a statement of work and mutual agreement on fees, the scope of Victory Live’s involvement, and any other terms that the parties deem appropriate.
6. Sub processors.
Victory Live may subcontract the collection or other Processing of Personal Data only in compliance with Data Privacy Laws and any additional conditions for subcontracting set forth in the Agreement. Prior to a Sub processor’s Processing of Personal Data, Victory Live will impose contractual obligations on the Sub processor that are substantially the same as those imposed on Victory Live under this DPA. A current list of Sub processors for the services Client obtains under the Agreement is set forth as Exhibit C. Subject to Client’s registration of an email address to receive notices (to be sent to Victory Live at [email protected]), Victory Live will provide Client with at least fifteen (15) days’ notice of any new Sub processor added to the list prior to transferring Personal Data to such new Sub processor; provided, however, Victory Live may provide a shorter notice period where new Sub processors are necessary for security purposes. Victory Live remains responsible for its Sub processors and liable for their performance under the Agreement and this DPA. This paragraph constitutes Client’s consent to both Victory Live’s use of the Sub processors and its sub processing under the EU SCCs and UK SCCs, as applicable.
a. Victory Live will assist Client in ensuring Client’s compliance with the security obligations of the GDPR and other Data Privacy Laws, as relevant to Victory Live’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to Victory Live, by complying with this Section 7 and, if available in the Services, by providing configurable security options.
b. To protect the Personal Data, Victory Live shall implement appropriate technical and organizational measures that comply with Exhibit B, without prejudice to Victory Live’s right to make future updates to the measures that do not lower the level of protection of Personal Data.
c. Client is solely responsible for reviewing the available security documentation and evaluating for itself whether the Services and related security will meet Client’s needs, including Client’s security obligations under Data Privacy Laws. Client agrees that the security commitments in this DPA will provide a level of security appropriate to the risk in respect of the Personal Data.
8. Personal Data Breach Notification.
Victory Live will comply with the Personal Data Breach-related obligations directly applicable to it under the GDPR and other Data Privacy Laws. Taking into account the nature of Processing and the information available to Victory Live, Victory Live will assist Client in complying with those obligations applicable to Client by informing Client of a confirmed Personal Data Breach without undue delay.
9. Data Transfers
a. Client agrees and will ensure that Client and its affiliates are entitled to transfer the Personal Data to Victory Live so that Victory Live and its Sub processors may lawfully Process the Personal Data in accordance with the Agreement and this DPA.
b. Client authorizes Victory Live and its Sub processors to make international transfers of the Personal Data in accordance with Data Privacy Laws and this DPA.
c. To the extent legally required, by entering into this DPA, Client and Victory Live are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 9(d) and (e) below) will be deemed completed as follows:
i. Module 2 of the EU SCCs applies to transfers of Personal Data from Client (as a controller) to Victory Live (as a processor) and Module 3 of the EU SCCs applies to transfers of Personal Data from Client (as a processor) to Victory Live (as a sub-processor);
ii. Clause 7 of Modules 2 and 3 (the optional docking clause) is not included;
iii. Under Clause 9 of Modules 2 and 3 (Use of sub-processors), the parties select Option 2 (General written authorization);
iv. Under Clause 11 of Modules 2 and 3 (Redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
v. Under Clause 17 of Modules 2 and 3 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of Ireland;
vi. Under Clause 18 of Modules 2 and 3 (Choice of forum and jurisdiction), the parties select the courts of Ireland;
vii. Annex I(A) and I(B) of Modules 2 and 3 (List of Parties) is completed as set forth in Exhibit A of this DPA;
viii. Under Annex I(C) of Modules 2 and 3 (Competent supervisory authority), the parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ix. Annex II of Modules 2 and 3 (Technical and organizational measures) is completed with Exhibit B of this DPA; and
x. Annex III of Modules 2 and 3 (List of subprocessors) is not applicable as the parties have chosen General Authorization under Clause 9.
d. To the extent legally required, by entering into this DPA, the parties are deemed to be signing the UK SCCs, which form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs. The Tables within the UK SCCs are deemed completed as follows:
i. Table 1: The parties’ details shall be the parties and their affiliates to the extent any of them is involved in such transfer, and the Key Contact shall be the contacts set forth in the Agreement.
ii. Table 2: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the parties and completed in Section 9(c) of this DPA.
iii. Table 3: Annexes I and II are set forth in Exhibits A and B below, respectively. Annex III is inapplicable.
iv. Table 4: Either party may end this DPA as set out in Section 19 of the UK SCCs.
v. By entering into this DPA, the parties are deemed to be signing the UK SCCs.
e. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in Section 9(c) of this DPA, but with the following differences to the extent required by the FADP: (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).
10. Return or Destruction
a. Victory Live will, at the choice of Client, return to Client and/or destroy all Personal Data after the end of the provision of services relating to Processing except to the extent applicable law requires storage of the Personal Data.
b. Nothing will oblige Victory Live to delete Personal Data from files created for security, backup and business continuity purposes sooner than required by Victory Live’s data retention processes. If Client requires earlier deletion of such Personal Data, and such deletion is commercially feasible, Client must first pay Victory Live’s reasonable charges for such deletion, which may include costs for business interruptions associated with such a request.
a. Victory Live will allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client, as follows:
i. If the requested audit scope is addressed in an ISO or similar audit report issued by a third party auditor within the prior twelve (12) months and Victory Live provides such report to Client confirming there are no known material changes in the controls audited, Client agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.
ii. In the event an audit report is not provided, any audit, whether by Client or a third party, must be limited to no more than once per twelve (12) month period, and Client will (i) conduct the audit only on an agreed date during normal business hours (9:00 am – 5:00 pm local time); (ii) limit its audit to only one business day; and (iii) pay Victory Live’s then-current audit fee.
iii. If a third party is to conduct the audit, Client will provide at least thirty (30) days’ advance notice. The third-party auditor must be mutually agreed to by the parties (without prejudice to any governmental authority’s audit power). Victory Live will not unreasonably withhold its consent to a third-party auditor requested by Client, unless such third-party auditor is a competitor or another customer of Victory Live’s. Any third-party auditor must execute a written confidentiality agreement acceptable to Victory Live.
iv. Client must promptly provide Victory Live with the results of any audit, including any third-party audit report. All such results and reports, and any other information obtained during the audit (other than Client’s Personal Data), are confidential information of Victory Live.
b. Nothing herein will require Victory Live to disclose or make available:
i. any data of any other customer of Victory Live;
ii. Victory Live’s internal accounting or financial information;
iii. any trade secret of Victory Live;
iv. any information that, in Victory Live’s reasonable opinion, could (i) compromise the security of Victory Live systems or premises; or (ii) cause Victory Live to breach its obligations under applicable law or its security and/or privacy obligations to Client or any third party; or
v. any information sought for any reason other than the good faith fulfilment of Client’s obligations under the Standard Contractual Clauses or Data Privacy Laws.
c. In addition, to the extent required by Data Privacy Laws, including where mandated by Client’s Supervisory Authority, Client or Client’s Supervisory Authority may perform, at Client’s expense, a broader audit, including inspections of the data center facility that Processes Personal Data. Victory Live will contribute to such audits by providing Client or Client’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services.
d. Client must provide Victory Live with any audit reports generated in connection with this DPA, unless prohibited by applicable law. Client may use the audit reports only for the purposes of meeting Client’s regulatory audit requirements and/or confirming compliance with the terms of this DPA.