Data Protection Addendum
LAST UPDATED: February 1, 2024
This Data Protection Addendum (the “Addendum” or “DPA”) forms part of the Services Agreement, or other written agreement (“Agreement”), between the Organizer (herein referred to as the “Company”) or its Affiliates and Expo Pass, LLC (“Service Provider”), each a “Party” and collectively the “Parties”. The Parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. In case of any discrepancy or conflict between this DPA and the Agreement, this DPA shall prevail, subject at all times to our Terms of Use available at https://expopass.com/terms-of-use/. Any capitalized terms not defined herein shall have the meanings set forth in the Agreement.
Service Provider provides the Services (as defined in the Agreement) to Company which may include the Processing of Personal Data by Service Provider during the provision of the Services. Service Provider agrees to comply with this DPA and applicable Data Protection Laws with respect to any Company Personal Data Processed by Service Provider in the provision of the Services.
- DEFINITIONS. In this DPA, the following terms shall have the meanings set out below:
- “Affiliates” means any entity which is controlled by, controls, or is in common control with a Party.
- “Company Personal Data” means Personal Data provided by or on behalf of Company to be Processed by Service Provider in connection with providing the Services.
- “Data Owner” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Service Provider” means the entity which Processes Personal Data on behalf of the Data Owner.
- “Data Protection Laws” means the laws and regulations which are applicable to the Processing of Personal Data under the Agreement including but not limited to the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”), including any amendments and implementing regulations that become effective on or after the effective date of this DPA.
- “Data Subject” means an individual whose Personal Data is being processed by the Data Service Provider under the Agreement.
- “Personal Data” means any information relating to an identified or reasonably identifiable person, device, or household.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
- “Sell,” “Selling,” “Sale,” and “Sold” shall have the meanings provided under applicable Data Protection Laws.
- “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data transmitted, stored, or otherwise processed by Service Provider.
- “Sub-processor” means any third party or contractor acting on behalf of Service Provider relative to the Processing of Personal Data for the provision of Services under this Agreement.
- PROCESSING OF COMPANY PERSONAL DATA.
- The Parties agree that with regard to the Processing of Company Personal Data, Company is the Data Owner and Service Provider is the Data Service Provider solely as a processor.
- During the term of the Agreement (including, without limitation, any renewal or extension thereof) and Service Provider’s provision of the Services, Service Provider shall only Process Company Personal Data on behalf of Company and in accordance with the Agreement, this DPA and our Privacy Policy available at https://expopass.com/privacy-policy/, unless required to do so by law and then shall inform the Company of the legal requirement before Processing, unless prohibited by law.
- Company instructs Service Provider to Process Company Personal Data for the following limited and specified purposes: (i) Processing in accordance with the Agreement (including, without limitation, any renewal or extension thereof), any applicable statements of work or orders, and Data Protection Laws; and (ii) Processing to comply with other reasonable instructions provided by Company where such instructions are consistent with the terms of the Agreement and Data Protection Laws. Service Provider shall not Sell or share Company Personal Data for targeted advertising or other purposes, except as expressly instructed by Company. Service Provider shall not combine Company Personal Data with other Personal Data except as permitted by Data Protection Laws.
- The objective of Processing Company Personal Data by Service Provider shall be limited to the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in ANNEX I.
- If Service Provider determines that it can no longer comply with Data Protection Laws, Service Provider will notify Company within five (5) business days of making such determination.
- ASSISTANCE TO COMPANY AND RIGHTS OF DATA SUBJECTS.
- To the extent Company, in its use or receipt of the Services, does not have the ability to take steps required to comply with Data Protection Laws, including without limitation correcting, amending, restricting, blocking or deleting Company Personal Data, and implementing reasonable security procedures or practices designed to protect Company Personal Data, as and to the extent required by the Data Protection Laws, Service Provider will use commercially reasonable efforts to comply with reasonable requests by Company to facilitate such actions to the extent Service Provider is legally permitted to do so, taking into account the nature of the Processing of Company Personal Data and the information available to Service Provider.
- Service Provider shall, to the extent legally permitted, promptly notify Company if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of that person’s Personal Data. Service Provider shall not respond to any such Data Subject request without Company’s prior written consent except to confirm that the request relates to Company or as otherwise required by Data Protection Laws. Service Provider shall provide Company with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request, to the extent legally permitted and to the extent Company does not have access to such Company Personal Data through its use or receipt of the Services, taking into account the nature of the Processing of Company Personal Data and the information available to Service Provider.
- SERVICE PROVIDER PERSONNEL.
- Service Provider shall ensure that its personnel engaged in the Processing of Company Personal Data are subject to obligations of confidentiality.
- Service Provider shall ensure that access to Company Personal Data is limited to those personnel who require such access to perform the Services.
- SUB-PROCESSORS.
- Service Provider shall not transfer or otherwise make available Company Personal Data to any third party without Company’s prior written authorization.
- Upon signing of the DPA, Company gives its general authorization to Service Provider to use Service Provider Affiliates as Sub-processors; and third-party Sub-processors in connection with the provision of the Services provided that the following conditions are met:
- Service Provider shall ensure that obligations not materially less protective than those set out in this DPA are imposed on Sub-processors by way of a written contract;
- Service Provider remains liable towards Company for the work of its Sub-processors as if and to the extent such work was performed by Service Provider;
- Service Provider shall provide the list of its Sub-processors (included herein as ANNEX II); and
- Service Provider shall inform Company of any intended changes to Sub-processors concerning the addition or replacement of Sub-processors. To the extent required by Data Protection Laws, Service Provider shall thereby give Company the opportunity to object to such changes by notifying Service Provider in writing within 30 days after the receipt of Service Provider’s notice about the changes, and if, within 20 days of receipt of that notice, Company notifies Service Provider in writing of any objections on reasonable grounds to the proposed engagement of a Sub-processor, Service Provider shall not use that proposed Sub-processor to Process Company Personal Data until reasonable steps have been taken to address the objections raised by Company and Company has been provided with a reasonable written explanation of the steps taken.
- SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS.
- Service Provider shall maintain technical and organizational measures designed to protect the security, confidentiality, and integrity of Company Personal Data. Service Provider shall maintain the technical and organizational measures outlined in ANNEX III for the duration of the Agreement.
- Company may engage a mutually agreed upon third party to, no less frequently than annually, audit Service Provider solely for the purposes of meeting its audit requirements pursuant to the Data Protection Laws. To request an audit, Company must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to security@expopass.com. The audit must be conducted during regular business hours, subject to Service Provider’s policies, and may not unreasonably interfere with Service Provider’s business activities. Any audits are at Company’s sole expense.
- Before the commencement of any such audit, Company and Service Provider shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Company shall be responsible. Company shall promptly notify Service Provider with information regarding any non-compliance discovered during an audit.
- Service Provider will reasonably cooperate with Company where Company is conducting a privacy impact assessment that is required by Data Protection Laws.
- The results of an audit will be shared with Service Provider, upon Service Provider’s written request, and any information collected or documentation prepared as a result of an audit shall be deemed the confidential information of both Service Provider and Company, which shall be kept confidential by Company, and which shall be subject to the confidentiality provisions of the Agreement.
- SECURITY BREACH MANAGEMENT AND NOTIFICATION.
- In the event of a Security Breach, Service Provider shall: (i) notify Company of the Security Breach without undue delay after becoming aware of the Security Breach and notification shall include at least the information required by the Data Protection Laws; (ii) investigate the Security Breach and provide Company with information about the Security Breach; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach and to allow Company to take reasonable and appropriate steps to do the same to the extent such steps are within Company’s control.
- Service Provider shall cooperate with Company, and with any third parties designated by Company, to respond to the Security Breach.
- RETURN AND DELETION OF COMPANY PERSONAL DATA.
- Service Provider shall provide functionality for Company to download Company Personal Data from the Services, to the extent possible, and/or delete Company Personal Data upon the written request of Company.
- SEVERANCE.
- Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
- LEGAL EFFECT.
- This DPA shall only become legally binding between Company and Service Provider when the Parties enter into the Agreement for the Services.
- LIMITATION OF LIABILITY.
- To the extent permitted by Data Protection Laws, Company’s remedies with respect to any breach by Service Provider of the terms of this DPA or Data Protection Laws will be subject to any aggregate limitation of liability that applies to Service Provider and/or Company under the Agreement (including, without limitation, our Terms of Use).
[ANNEXES FOLLOW]
ANNEX I
COMPANY PERSONAL DATA TRANSFERRED AND/OR TO BE PROCESSED
Company shall decide, in its sole discretion, what Personal Data is transferred to Service Provider and the purpose of Processing of such Personal Data, which includes the data and processing activities described below. This Annex I constitutes Company’s Personal Data processing instructions to Service Provider.
Nature and Purpose of Processing Company Personal Data:
For the provision of Services as outlined in the Agreement; and generally, for the purpose of Service Provider performing event management services for Company operations and/or events.
Categories of Data Subjects whose Personal Data is to be Processed:
Individuals participating and/or in attendance at the Company’s event.
Categories & Types of Personal Data Transferred and/or Processed:
Personal Data collected is at the direction of the Company and will be specified by the Company when setting registration information or data requirements for registration and/or when the Company uploads data to the Expo Pass Platform. Service Provider expressly disclaims that the Services or Service Provider will, and the Company agrees that it will not cause Service Provider to, collect, transfer or process sensitive information as that term is defined in applicable Data Protection Laws, including but not limited to, health data, social security numbers, government identification data, or location data of or about Data Subjects. Expo does store Internet Cookies.
Duration/Frequency of Processing:
For the term of the Agreement, on an ongoing basis (including, without limitation, any renewal or extension thereof) and during Service Provider’s provision of the Services.
Retention of Personal Data:
For the duration of the Agreement and thereafter until Company requests deletion of such information.
ANNEX II
LIST OF SUB-PROCESSORS
AWS Cloud Services (Privacy Notice available at http://aws.amazon.com/privacy)
Stripe.com (payment processing services) (Privacy Policy available at https://stripe.com/en-gb-us/privacy#1-personal-data-that-we-collect-and-how-we-use-and-share-it)
ANNEX III
TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Service Provider’s technical and organizational measures are available on request and will be subject to confidentiality obligations, including, but not limited to, confidentiality obligations under the Agreement.
* * * * *