DATA PROCESSING AGREEMENT

BANDSINTOWN, LLC


 

Last Updated: April 20, 2022

This DPA applies to any processing made by the Artist with the collaboration of Bandsintown subject to the application of EU regulations and, specifically, of Regulation (EU) 2016/679 (General Data Protection Regulation or “GDPR”). The processing operations carried out by the Parties will be subject to the GDPR if (i) the Artist is located in the EU and/or (ii) if the processing implies Personal Data from Fans residing in the EU.

The DPA is complementary to the provisions on the protection of Personal Data set out by the Terms of Use Artists.


This Data Processing Agreement (“DPA”) is agreed upon between the Artist and BANDSINTOWN, LLC, a corporation organized and existing under the laws of the US, with its principal office located at 348 West 57th Street, Suite 107 New York, NY 10019, represented by M. Fabrice Sergent (“Bandsintown”).

Both the Artist and Bandsintown (the “Parties”) entered this DPA at the moment of registration of the Artist on the Bandsintown Platform in order to ensure their compliance with the provisions of EU Regulations and, in particular, with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation or “GDPR”).

Consequently, the Parties are undertaking specific commitments under this DPA regarding the protection of Data subjects’ Personal Data and privacy, which complement their rights and obligations set out by the Terms of Use Artists.

In the event of any contradiction between the provisions of this DPA and the Terms of Use Artists or any other document agreed between the Parties, the provisions of this DPA shall prevail.

ARTICLE 1. DEFINITIONS

Capitalized terms shall have the meaning given to them in this Article, whether they are used in plural or singular form.

CCPA: means the California Consumer Privacy Act of 2018 and the regulations promulgated thereunder.

EU Data Protection Laws: means any applicable data protection law or regulation under an EU Member State and European regulations, including GDPR. 

GDPR: means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.

Personal Data: means any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

All capitalized terms that are not described in this Article or the Terms of Use Artists shall have the meaning given to them by Article 4 of the GDPR.

ARTICLE 2. PURPOSE OF THE DPA

This DPA aims to ensure that both Bandsintown and the Artist comply with their legal obligations regarding the protection of the privacy of Data subjects. 

It also aims to determine their qualifications under GDPR and, therefore, their responsibilities towards the Data subjects and competent Supervisory Authorities. 

Finally, the DPA will serve as a reminder for the Artist on the precautions and commitments undertaken to ensure his/her compliance. 

ARTICLE 3. DESCRIPTION OF PROCESSING AND QUALIFICATIONS OF THE PARTIES

By using Bandsintown Platform and Tools, both Parties may collect and process Personal Data. Specifically, the Artist may collect and use Personal Data when using:

  • The contact functionality of the Platform to access an Opt-in list of Fans following the Artist on the Platform. 

  • The new fan acquisition flow widget plugged on the Artist’s website(s) to collect Personal Data from Fans giving consent to receive news and other marketing emails from the Artist. 

  • Marketing tools made available by Bandsintown on the Platform (including retargeting tools), etc. 

Bandsintown also collects and processes Personal Data related to Data subjects and Artists registered on the Platform. 

The main categories of processing concerning both Parties are the following: 

  • Collection of Personal Data (specifically through the use of the fan acquisition flow widget(s)) to enable the distribution of marketing communications and newsletters. In this case, the processing is made possible with the cooperation of both Parties regarding the implementation of means for the processing. Both Parties have identified the purpose of the processing. Therefore, the Artist and Bandsintown act as Joint Data Controllers according to the GDPR. 

  • Use of Data subjects’ Personal Data throughout the use of the Platform by the Artist (to enable the publication of messages, have access to statistics regarding his/her fans, etc.) for the purpose of optimising and improving the Artist’s visibility and relations with Data Subjects. For this processing, the Artist is acting as an independent Data Controller according to the GDPR. 

  • Use of the Artist and Data Subjects’ Personal Data by Bandsintown in the conditions set out in the Privacy Policy published on the Platform. The purpose of such processing is to allow both the Artist and the Data subjects to fully use the Platform and/or Tools made available by Bandsintown. For this processing, Bandsintown is acting as an independent Data Controller according to the GDPR. 

Depending on their qualifications, the Parties may undertake different commitments and have different responsibilities regarding the processing of Personal Data. 

ARTICLE 4. OBLIGATIONS AND COMMITMENTS OF THE ARTIST AS A DATA CONTROLLER

The Artist undertakes to comply with the EU Data Protection Laws, including all provisions set out by the GDPR and concerning Data Controllers. 

In particular, when the Artist handles Personal Data as a Data Controller (e.g. download of Personal Data through the Platform, creation of an Opt-in list for the diffusion of advertising contents to Data subjects, etc.), the Artist shall: 

  • Ensure that the collection of Personal Data is fair and lawful. 

  • Ensure the confidentiality, security and integrity of the Personal Data processed, in particular according to Article 32 of the GDPR. This means that the Artist must implement adequate technical and organizational measures to guarantee the protection of the Personal Data processed. 

  • Ensure a fair use of the Personal Data according to the initial purpose of the processing. 

  • Refrain from communicating Personal Data to third parties unless such communication is lawful (e.g. the Data subject has given explicit consent for such communication). 

  • Make sure the Data subjects are informed of the processing carried out by the Artist, and in particular ensure that all information listed in Articles 13 and/or 14 of the GDPR is given to the Data subjects in a clear and understandable way.

  • Create and maintain databases containing valid Opt-in Data subjects’ contacts (which means that the consent must still be valid). If the Data subject has objected to receiving communications from the Artist, his/her Personal Data should not be used further for the same purpose. In the same way, if the Artist has not had contact with the Data subject for the past 3 years, the Artist should stop using the Personal Data of this Data subject.

The fans Opt-in List made available on the Artist’s environment on the Platform will inform the Artist on the date of the last contact between the Fan and Bandsintown. 

  • Make sure the Data subjects are able to exercise their data protection rights according to the GDPR (e.g. right to access, to object, withdrawing of consent, etc.). This means, for example, inserting an “unsubscribe” link in all email communications sent to Data subjects. A generic email address should also be provided to Data subjects to allow them to send their request to exercise their rights to the Artist. 

  • Only keep Personal Data for an adequate and proportionate retention period. Such retention period may be identified by local laws, local recommendations from the Supervisory Authority of the country where the Artist is located or identified by the Artist according to the purpose of the processing carried out. 


ARTICLE 5. OBLIGATIONS AND COMMITMENTS OF BANDSINTOWN AS A DATA CONTROLLER

Bandsintown undertakes to comply with EU Data Protection Laws, including with all provisions set out by the GDPR and concerning Data Controllers. 

In particular, where Bandsintown acts as a Data Controller (e.g. regarding processing established for the performance of the Platform), Bandsintown undertakes to: 

  • Ensure that the collection of Personal Data is fair and lawful. 

  • Ensure the confidentiality, security and integrity of the Personal Data processed through its Platform and Tools. In particular, Bandsintown has implemented technical and organizational measures according to Article 32 of the GDPR in order to (i) prevent Personal Data from getting distorted, damaged or communicated illegitimately, (ii) to minimize the risks of any misuse or fraudulent use of the Personal Data and (iii) to prevent any loss, unwanted destruction or alteration of the Personal Data.   

  • Ensure a fair use of the Personal Data according to the initial purpose of the processing. 

  • Refrain from communicating Personal Data to third parties unless such communication is lawful (e.g. the Data subject has given explicit consent for such communication).

  • Make sure the Data subjects are informed on the processing carried out on the Platform or via the Tools, according to Articles 13 and/or 14 of the GDPR (e.g. information on forms collecting Personal Data, Privacy Policy kept updated on the Platform, information notices at the end of emails, etc.).  

  • Make sure the Data subjects are able to exercise their data protection rights according to the GDPR (e.g. right to access, to object, withdrawing of consent, etc.). Bandsintown has appointed a Data Protection Officer (“DPO”) who will handle Data subjects’ rights. The DPO can be reached at the following address: dpo@bandsintown.com.  

  • Only keep Personal Data for an adequate and proportionate retention period, according to the restrictions set out by the EU Data Protection Laws. 

ARTICLE 6. OBLIGATIONS AND COMMITMENTS OF THE PARTIES AS JOINT DATA CONTROLLERS

6.1 Cooperation of the Parties

In any event, the Parties undertake to cooperate closely and in good faith on the scope of the processing operations they carry out jointly, to the fullest extent possible. This collaboration is essential to ensure the compliance of each Party with its obligations under the EU Data Protection Laws.

6.2 Instructions regarding the purpose of the processing

The Parties agree that they process Personal Data jointly for marketing purposes and/or to allow the distribution of their newsletters to consenting Data subjects. 

Therefore, Bandsintown is editing specific widgets allowing for the acquisition of data both by Bandsintown and/or the Artist depending on the consent of the Data subject. 

The Artist allows for the implementation/activation of the widget(s) on his/her environment on the Platform and/or on his/her websites. 

6.3 Lawfulness, fairness and proportionality of processing operations

The lawfulness of the processing operations carried out jointly by the Parties is based on the collection of the Data subjects’ consent. Bandsintown is responsible for the lawfulness of the processing operations in that it is technically editing the widget(s) allowing for the collection of Personal Data. Therefore, Bandsintown ensures that its widget(s) are GDPR compliant, in particular regarding the information of Data subjects and the collection of their valid consent. 

Once the Personal Data is communicated to or accessed by the Artist, the Artist will be in charge of informing the Data subjects and allowing them to unsubscribe or withdraw their consent for the processing.

6.4 Security and confidentiality of the Personal Data

Both Parties should implement, on their scope, technical, material and organizational measures to: 

  • Prevent the Personal Data collected from being distorted, damaged or communicated to unauthorised recipients.

  • Avoid any misuse or fraudulent use of the Personal Data they collect or receive. 

  • Protect the Personal Data against loss, unwanted destruction or alteration. 

  • Ensure that only authorized recipients may access the Personal Data and that these authorized recipients are subject to a confidentiality clause and are made aware of the importance of data protection matters. 

  • Remedy and handle any Personal data breach occurring on their scope and notify the other Party of such incident in writing at the earliest opportunity and, where possible, 72 hours at the latest after becoming aware thereof. The Parties will then cooperate, where applicable, to comply with GDPR requirements regarding the notification of the data breach to the competent Supervisory authority and/or the information of Data subjects on the data breach. Notification of the breach must specify a description of:

  • The type of breach of Personal data;

  • The probable consequences of the breach of Personal data;

  • The measures taken to remedy the breach of Personal data.

Bandsintown is responsible for the technical security of its Tools and the Platform (including the widget(s)). However, the Artist is responsible for maintaining the security and confidentiality of the Personal Data once received by and/or made accessible to the Artist. 

Where a transfer of Personal Data is carried out by one Party to the other, the Parties agree to use only a secured means of communication (e.g. use of HTTPS or FTP protocols, data encryption, etc.). 

The Artist shall cooperate with Bandsintown and shall refrain from disrupting the implementation of the security measures planned for the processing operations that the Parties carry out jointly. In case a vulnerability is suspected or discovered by the Artist on the security of the processing carried out jointly with Bandsintown, the Artist undertakes to inform Bandsintown as soon as possible in order to allow it to correct the vulnerability. 

6.5 Data subjects’ rights

Bandsintown is in charge of informing the Data subjects on the Platform and/or on its Tools according to the information listed by Article 13 and 14 of the GDPR. 

It is specified that the Data subjects have the right to contact either or both of the Parties in the context of a request to exercise their rights.

In order to ease the processing of such requests, the Parties agreed to mention a generic email address in the information given to the Data subjects for the processing they carry out jointly: dpo@bandsintown.com

The Parties undertake to cooperate actively with each other and, in particular, to communicate to each other any request for the exercise of rights which is directly addressed to them, as soon as possible.

Regarding the right to withdraw consent given to Data subjects, Bandsintown has implemented a specific privacy setting allowing each Fan to withdraw consent through his/her account on the Platform. This withdrawal will automatically update the fan Opt-in List made available to the Artist.

In the event of a complaint made directly by a Data subject to the Artist about the lawfulness of the processing operations, the Parties agree: 

  • The Artist may communicate this request to Bandsintown which will be responsible for responding to the Data subject with the adequate evidence relating to the collection of his/her consent. 

  • The Artist may ask Bandsintown to communicate as soon as possible the elements of proof related to the collection of the Data subjects’ consent and choose to answer directly. 

It is reminded to the Parties that: (a) Article 12.3 of the GDPR provides that the Data subject must be provided with information on the measures taken in response to a request to exercise his or her rights as soon as possible and in any event within one (1) month of receiving the request; and (b) under CCPA, a business must complete a consumer’s request within 45 days of receiving a verifiable consumer request from the consumer.  

The Parties shall use their best endeavours to comply with the legal time limits and to respond effectively to any request for the exercise of rights made by a Data subject/consumer.

6.6 Sub-processing to third parties 

Each of the Parties may use Sub-processors in the context of the processing operations they carry out jointly.

ARTICLE 7. BANDSINTOWN REPRESENTATIVE IN THE EUROPEAN UNION

As part of its activity, Bandsintown collects through its Platform and Tools Personal Data of users located in the European Union.

In compliance with article 27 of the GDPR, Bandsintown has designated a representative established in the European Union.

Bandsintown's representative's main mission is to facilitate the communication between data subjects and Bandsintown, in order to make the exercise of data subjects’ rights effective.

Moreover, the representative performs its tasks according to the mandate received from Bandsintown, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with the GDPR. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of Bandsintown, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and Bandsintown.

Bandsintown's representative contact is as follows:

Perspectives Lawfirm
Email: contact@forperspectives.com 
Address: 6, rue Halevy 75009 Paris, FRANCE

ARTICLE 8. LIABILITY

Each Party is fully liable for its compliance with the EU Data Protection Laws with respect to its processing activities. 

Bandsintown shall in no event be held responsible for a breach of the Artists’ obligations under this Agreement and/or applicable law. The Artist shall indemnify Bandsintown against any claim or action brought by a Data subject, a competent Supervisory authority or any other third party concerning any such breach by the Artist.

ARTICLE 9. TERM – COMING INTO FORCE

This DPA comes into force at the moment of the registration of the Artist on the Bandsintown Platform and shall remain in force as long as the Artist is using the Platform.