Pursuant to the Personal Data Act and the EU General Data Protection Regulation (GDPR) of 25 May 2018
between
The Organiser
Data Controller
and
Hoopla AS
Data Processor
Definitions
The Data Controller is the one who determines the purpose and means of the processing of personal data. The Data Controller is responsible for ensuring that information is processed in accordance with the requirements of the Personal Data Act.
A processing of personal data is any use of personal data, such as collection, recording, compilation, storage, and disclosure or a combination of such uses.
A Data Processor is the one who processes personal data on behalf of the Data Controller. The Data Processor has an independent responsibility for having satisfactory information security and for protecting the personal data processed on behalf of the Data Controller. The Data Processor shall only process personal data in accordance with what has been agreed with the Data Controller.
A Participant is the one who buys a ticket to an event, arranged by the Data Controller.
1. Objective of the agreement
The objective of this agreement is to regulate the parties' rights and obligations under the new Personal Data Act and GDPR of 25 May 2018. The agreement shall ensure that personal data about data subjects is not used unlawfully or comes into the hands of unauthorized persons. The agreement regulates the Data Processor's use of personal data on behalf of the Data Controller, including collection, recording, compilation, storage, disclosure, or combinations of such uses.
2. Purpose
The purpose of processing personal data on behalf of the Data Controller is to be able to perform the services offered by the Data Processor – an online ticketing and payment system, as well as marketing and analysis/business intelligence.
The Data Processor collects two types of personal data:
- Those necessary to process in order to perform the services
- Those that are optional to gain access to extended services within marketing and analysis/business intelligence.
The following personal data are processed and covered by the agreement:
Data Controller's Personal Data
| Personal Data | Processing | Necessary | Optional |
| --- | --- | --- | --- |
| Name | - Handling Data Controller's inquiries before, during, and after an event.<br>- Facilitating payout of organiser income and ensuring financial reporting. | X | |
| | - Sending newsletters<br>- Sending surveys | | X |
| Email address | - Approving login to organiser account and entry app.<br>- Handling Data Controller's inquiries before, during, and after an event. | X | |
| | - Follow-up in connection with the creation of an organiser account. | | X |
| | - Sending newsletters. | | X |
| Phone number | - Handling Data Controller's inquiries before, during, and after an event. | X | |
| | - Follow-up upon creation of organiser account. | | X |
| Address and postal code (If personal contact information is provided) | - Facilitating payout of organiser income<br>- Ensuring financial reporting. | X | |
| IP-address | - For troubleshooting purposes. | X | |
Collection of Anonymous Personal Data for Analysis Purposes:
In order to improve our products and services through analysis, the Data Processor collects and analyses anonymous personal data when individual users at the Data Controller use the service.
The following anonymized data is collected from the individual's use of the service:
- Websites (often called URLs) the Data Controller uses in Hoopla's organiser solution, as well as the time these pages were used.
- Websites the Data Controller uses on Hoopla's website (hooplatickets.com), as well as the time these pages were used.
- The website the Data Controller came from when visiting a page in Hoopla's organiser solution or website, often called a referrer page or "referrer."
- The Data Controller's browser, operating system, and type of device, e.g., iPhone, PC, MAC used to interact with the organiser solution or website.
None of this information will in principle be able to identify the Data Controller user's identity, and the individual will remain anonymous in the Data Processor's analyses. For a more detailed description of how data is anonymized, please contact privacy@hooplatickets.com.
Participant's Personal Data
| Personal Data | Processing | Necessary | Optional |
| --- | --- | --- | --- |
| Name, e-mail address and phone number | - Sending ticket | X | |
| | - Handling participant's inquiries before, during, and after an event. | X | |
| | - Sending critical info via Email/SMS about the event for which a ticket was purchased: Cancellation or changes of time/place. | X | |
| | - Creation of participant list with the following uses:<br>- Support: Resending tickets, looking up participants, checking refunds and entry status for a ticket.<br>- Payment: Creating and resending invoices and calculating payout basis for the Data Controller.<br>- Ordering goods and services on the participant's behalf. For example: Hotel room in the participant's name in connection with a conference, personal season tickets, or accreditation cards. | X | |
| | - Sending newsletters. | | X |
| | - Sending offers via SMS. | | X |
| Which event a ticket was purchased for | - Resending ticket upon loss of ticket. | X | |
| | - Marketing | | X |
| Form responses, e.g., address and date of birth when using registration form. | - Conveying form responses to the organiser. | X | X |
| | - Marketing | | X |
| IP-address | - For troubleshooting purposes. | X | |
Collection of Anonymous Personal Data for Analysis Purposes:
To be able to improve our products and services, we collect anonymized personal data when a potential participant visits pages on hooplatickets.com or completes a ticket purchase on hooplatickets.com.
When visiting hooplatickets.com, the following anonymized personal data is collected and analysed:
- Websites (often called URL) the potential participant visits on hooplatickets.com, as well as the time these pages were visited.
- The website (often called URL) the potential participant came from when visiting a page on hooplatickets.com (often called referrer page or referrer).
- The potential participant's browser, operating system, and type of device, e.g., iPhone, PC, MAC, etc., used when visiting hooplatickets.com.
When purchasing tickets on hooplatickets.com, the following anonymized personal data is collected and analysed:
- Information the participant enters as part of their ticket purchase, which is required for us to deliver the ticket to the ticket purchaser: First name, Last name, Email, and Phone number.
- Information the participant enters as part of their ticket purchase, which the Data Controller collects through custom forms in the purchase process. These vary from organiser to organiser, but may, for example, be choice of hotel room.
- Type of ticket the participant purchased.
- Which payment method the participant used (card or invoice).
- Participant's browser, operating system, and type of device (e.g., iPhone, PC, MAC, etc.).
In addition to anonymized personal data we collect about you when you visit hooplatickets.com or make a ticket purchase, we may also use information obtained from third parties by linking to your anonymized information. None of this information will be able to identify the participant as a person, and the individual will always remain anonymous in our or our customers' analyses.
3. Data Controller's Obligations and Rights
- The Data Controller is responsible for ensuring that personal data is processed in accordance with the GDPR and the Personal Data Act (cf. Article 24).
Specifically about the Form Builder
The Data Controller can build a form that contains either optional and/or mandatory fields on the sales page. The Data Controller is obliged to only make fields mandatory where the collection of personal data is absolutely necessary to carry out an agreement with the participant. Collection of sensitive personal data is not permitted.
- The Data Controller has both the right and an obligation to determine the purposes and means to be used in the processing.
- The Data Controller shall provide the Data Processor with documented instructions for how personal data shall be processed (cf. Article 28(3)(a)).
- The Data Controller has the right to terminate the agreement if the Data Processor does not meet the legal requirements according to Article 28(1).
4. Data Processor's Obligations
4.1 Only process personal data according to written instructions from the Data Controller
- The Data Processor shall only process personal data according to documented instructions from the Data Controller, and generally adheres to the documented instructions described in this document.
The exception is if Norwegian law imposes a specific processing of personal data on the Data Processor. In such a case, the Data Processor shall notify the Data Controller of this before the processing is initiated, unless the law prohibits such notification for reasons of important public interest.
- The Data Processor must immediately notify the Data Controller if the Data Processor believes an instruction is in conflict with the GDPR or other provisions on the protection of personal data or national law (cf. Article 28(3) last paragraph).
4.2 Obligation that authorized persons treat personal data confidentially
- The Data Processor shall ensure that authorized persons are obliged to treat personal data confidentially, or are subject to a statutory duty of confidentiality.
- The Data Processor shall, upon request from the Data Controller, be able to demonstrate that the authorized persons are subject to confidentiality or duty of confidentiality – for example by documentation (cf. Article 23(b) and (h)).
- The duty of confidentiality also applies after the data processing assignment has been completed.
- The Data Processor shall ensure that only authorized persons have access to the information and that the Data Processor revokes access if the authorization expires or for other reasons no longer applies to that person.
- The Data Processor shall only authorize persons who must have access to the personal data for necessary reasons.
4.3 Obligation to have satisfactory security measures
- The Data Processor implements all measures necessary according to Article 32 of the Personal Data Act.
- The Data Processor is obliged to provide the Data Controller with access to its security documentation and assist so that the Data Controller can fulfill its own responsibility under law and regulation. For a description of minimum requirements for security measures, see: Appendix A.
5. Use of Sub-processors
- The Data Processor has the Data Controller's general approval to use other data processors. However, the Data Processor must notify the Data Controller of any plans to replace or use new data processors. The Data Controller must receive such notification at least 3 weeks before the change takes effect. The Data Controller shall have the opportunity to object to the changes, and notify the Data Processor of this no later than 1 week after the notification has been received.
- All those who, on behalf of the Data Processor, carry out assignments that include the use of the relevant personal data, are subject to the same obligations as set out in this data processing agreement through a written data processing agreement with the sub-processor.
An overview of the Data Processor's sub-processors will be provided upon request.
- If the sub-processor does not fulfill its obligations regarding the protection of personal data, the Data Processor has full responsibility towards the Data Controller.
6. Assistance in responding to requests regarding the data subject's rights
- The Data Processor assists the Data Controller by means of appropriate technical and organizational measures to fulfill the obligation to respond to requests from data subjects regarding the exercise of their rights. The obligation applies as far as possible, and the nature of the processing must be taken into account:
- In the event of a request for erasure, the Data Processor shall within 5 days inform the Data Controller that a request for erasure has been received from a data subject.
- In the event of a request for access, the Data Processor must assist by collecting the information stored about the data subject. The Data Processor must make the information available to the Data Controller so that the Data Controller can assess the request for access.
7. Assistance to the Data Controller
- The Data Processor has an obligation to assist the Data Controller in complying with the obligations under Articles 32-36 that are relevant in the specific contractual relationship.
- The Data Processor must immediately notify the Data Controller if a personal data security breach has occurred or is occurring (cf. Article 33(2)).
- If the breach entails a risk to the rights and freedoms of the data subjects, the notification to the Data Controller must contain the information required for the Data Controller to be able to give a comprehensive description of the breach to the supervisory authority (cf. Article 33(3)).
- If the breach means that the Data Controller must notify the data subjects (cf. Article 34), the Data Processor must provide the information required for the Data Controller to be able to fulfill the obligation to give such notification in a clear manner, and in accordance with Article 33(3)(b), (c), and (d).
- If the Data Controller is to carry out a data protection impact assessment and possibly prior consultations according to Articles 35 and 36, the Data Processor shall contribute to assessing security measures that can help manage the risk the processing entails for the data subject.
8. Agreement Duration
- The agreement applies as long as the Data Processor processes personal data on behalf of the Data Controller.
- In case of a breach of this agreement or GDPR, the Data Controller may instruct the Data Processor to stop further processing of the data with immediate effect.
- The agreement can be terminated by both parties with a mutual notice period in accordance with the current agreement between the parties. The agreement must be terminated in writing.
9. Termination of the Agreement
- Upon termination of services related to the processing of personal data, the Data Processor is obliged to delete or return the personal data at the Data Controller's request, unless this conflicts with the Data Processor's legal basis for processing personal data in other legislation.
- The Data Processor shall demonstrate that the information has actually been deleted when the data processing assignment is terminated, either by the Data Processor being able to document this, or by inspection from the Data Controller (cf. Article 28(3)(g) and (h)).
- Deletion shall occur by anonymizing the personal data.
10. Making Information Available to the Data Controller
- The Data Processor must be able to make available all information necessary to demonstrate that the obligations in Article 28 have been met for the Data Controller.
- The Data Processor must enable and contribute to audits such as inspections carried out by the Data Controller or another inspector, on behalf of the Data Controller.
- The procedure for the Data Controller's supervision of the Data Processor is described in Appendix B.
11. Security
Both the Data Controller and the Data Processor are obliged to report deviations. The Data Processor shall immediately notify the Data Controller if they discover a deviation. The Data Controller has a deadline to report security breaches within 72 hours after becoming aware of the breach.
Beyond this, both the Data Processor and the Data Controller shall comply with applicable requirements for deviation handling and information to those affected.
12. Notices
Notices under this agreement shall be sent in writing to privacy@hooplatickets.com.
13. Choice of Law and Jurisdiction
The agreement is subject to Norwegian law and the parties adopt Trondheim District Court as the legal venue. This also applies after the termination of the agreement.
---
Data Processor:
Signature: ___________
Name of Signatory: Knut Hellik Kvale
Title: Chief Executive Officer
Place and date: Trondheim 24.06.2025

Data Controller:
Signature: ___________
Name of Signatory:
Title:
Place and date:
Appendix A
The Data Processor has an independent obligation to implement appropriate security measures in accordance with Article 32, but must at a minimum implement the following measures, as agreed with the Data Controller:
Technical and Organizational Measures to Protect Personal Data During Transfer/Disclosure.
The Data Processor transfers personal data to the following recipients:
- The Data Controller
- Participants
Transfer and disclosure of personal data occurs via our sub-processors as specified in section 5.
For all sub-processors, a written data processing agreement is entered into. If personal data is transferred to sub-processors in the USA, it is only transferred to recipient businesses that have certified under the Privacy Shield agreement. To secure personal data during transfer/disclosure in accordance with our privacy guidelines.
Personal data that the Norwegian Data Protection Authority deems necessary for confidentiality will be encrypted according to the description in the next point.
Anonymization and Encryption
Anonymization
The Data Processor has implemented routines and methods for anonymization of personal data for all personal data used for analysis purposes. These routines and methods are:
- Separation of application environment and analysis environment, where persons developing and operating the application environment do not have access to the analysis environment, and vice versa.
- Personally identifiable information such as name, phone number, etc., is not transferred to the analysis environment.
- Replacement of natural primary keys with a surrogate key in the Data Processor's analysis environment. A surrogate key in the analysis environment has no identification value and cannot be used to identify individuals in analyses, through linking with data in the application environment or other internal administration tools.
Encryption
The Data Processor encrypts the following personal data:
- Sensitive personal data
- Social security numbers
- Personal data concerning many individuals (participant lists)
- Personal data classified as requiring protection by the Data Controller
Personal data is encrypted in the following cases:
- When using data communication:
  - between the Data Processor and the Data Controller
  - between the Data Processor and the Data Processor's sub-processors, or
  - between the Data Processor's data centers
- When transferring email
- Transfer of individual files
- Password encryption
Securing Stored Personal Data
The Data Processor secures personal data with usernames and encrypted passwords, and 2FA where possible.
Appendix B
The Data Controller, or a representative of the Data Controller, may, if necessary, conduct a physical inspection at the Data Processor's premises to ensure that the data processing agreement is complied with.
Please contact privacy@hooplatickets.com to arrange a time. Kindly state the organiser account concerned. The inquiry must be sent from an administrator of the organiser account, or with a written confirmation from the administrator attached if the inquiry comes from a representative of the Data Controller.