
Data Processing Agreement

GDPR-compliant data processing terms for business partners

Effective: July 18, 2025 | Last Updated: December 24, 2025


GDPR Article 28 Compliance

This Data Processing Agreement complies with GDPR Article 28 requirements when EventMaps processes personal data on behalf of data controllers (event organizers, venue partners, etc.).

1. Definitions

  • Data Controller: The entity that determines the purposes and means of processing personal data (event organizers, businesses using EventMaps)
  • Data Processor: EventMaps, which processes personal data on behalf of the Data Controller
  • Data Subject: Individual whose personal data is processed (event attendees, users)
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Collection, storage, organization, use, disclosure, or deletion of personal data
  • GDPR: General Data Protection Regulation (EU) 2016/679
  • Data Breach: Unauthorized access, loss, or disclosure of personal data

2. Scope of Processing

2.1 Categories of Personal Data

  • Identity Data: Names, usernames, profile information
  • Contact Data: Email addresses, phone numbers
  • Event Data: Event attendance, preferences, RSVPs
  • Payment Data: Transaction records, billing information (processed by Stripe)
  • Technical Data: IP addresses, device information, usage analytics
  • Location Data: Event locations, user location (with consent)
  • Image Data: Profile pictures, event photos (with consent)

2.2 Categories of Data Subjects

  • Event attendees and registered users
  • Event organizers and venue representatives
  • Ticket purchasers
  • Website visitors and potential customers
  • Business contacts and partners

2.3 Purposes of Processing

  • Event management and attendee registration
  • Ticket sales and payment processing
  • Communication with event participants
  • Platform functionality and user experience
  • Analytics and performance monitoring
  • Customer support and issue resolution
  • Legal compliance and dispute resolution

3. Processor Obligations

3.1 Processing Instructions

  • Process personal data only on documented instructions from the Data Controller
  • Immediately inform the Data Controller if instructions appear to violate GDPR
  • Not use personal data for any purpose other than those specified by the Data Controller
  • Ensure processing is lawful and complies with applicable data protection laws

3.2 Security Measures

  • Implement appropriate technical and organizational security measures
  • Encrypt personal data in transit and at rest using industry standards
  • Maintain access controls and authentication procedures
  • Regular security assessments and vulnerability testing
  • Staff training on data protection and security procedures
  • PCI-DSS compliant payment processing through Stripe

3.3 Confidentiality

  • Ensure all personnel authorized to process personal data are bound by confidentiality
  • Limit access to personal data on a need-to-know basis
  • Maintain confidentiality even after termination of this agreement

4. Data Subject Rights

Right to Access

Assist with providing data subject access to their personal data

Right to Rectification

Correct inaccurate personal data without delay

Right to Erasure

Delete personal data when instructed by the Data Controller

Data Portability

Provide data in structured, machine-readable format

Support Commitment

EventMaps will provide reasonable assistance to the Data Controller in fulfilling data subject rights requests within applicable timeframes.

5. Data Breach Notification

72-Hour Notification Requirement

EventMaps will notify the Data Controller without undue delay, and no later than 72 hours after becoming aware of a personal data breach.

5.1 Breach Notification Contents

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects affected
  • Name and contact details of data protection officer
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

5.2 Cooperation

  • Assist Data Controller in fulfilling breach notification obligations
  • Document all breaches including facts and remedial actions
  • Implement measures to prevent recurrence of similar breaches

6. Sub-processors and Data Transfers

6.1 Authorized Sub-processors

Sub-processor | Service | Location | Safeguards
Stripe | Payment Processing | EU/US | Stripe DPA
Google (Firebase) | Authentication, Analytics | EU/US | Google Cloud DPA
MongoDB Inc. | Database Hosting | EU | MongoDB DPA
Cloudinary | Image Storage | EU/US | Cloudinary DPA
Mapbox | Mapping Services | US | Mapbox DPA
Vercel | Web Hosting | EU/US | Vercel DPA

6.2 Changes to Sub-processors

  • Data Controller will be notified of any intended changes to sub-processors
  • 30-day notice period for new or replacement sub-processors
  • Data Controller may object to new sub-processors on reasonable grounds
  • All sub-processors bound by equivalent data protection obligations

7. Data Retention and Deletion

7.1 Retention Periods

  • Event Data: 3 months after event completion
  • User Account Data: Until account deletion + 7 days
  • Transaction Records: 7 years (legal/tax requirement)
  • Analytics Data: 24 months (anonymized)
  • Legal/Compliance Data: As required by law

7.2 Data Return and Deletion

Upon termination of this agreement:

  • Return or delete all personal data within 7 days of instruction
  • Provide data in structured, commonly used format if requested
  • Securely delete all copies and backups unless legal retention required
  • Provide written confirmation of data deletion

8. Audits and Compliance

8.1 Audit Rights

  • Data Controller may conduct reasonable audits of processing activities
  • 30 days advance notice required for audit requests
  • Audits limited to once per year unless breach or compliance issue
  • EventMaps will provide necessary information and assistance

8.2 Documentation

  • Maintain records of all processing activities
  • Document security measures and access controls
  • Keep evidence of staff training and certifications
  • Maintain incident response and breach notification records

9. Liability and Indemnification

9.1 Processor Liability

  • EventMaps liable for damages caused by unauthorized processing
  • Liability limited to direct damages up to €100,000 per incident
  • No liability for damages resulting from Data Controller's instructions
  • Force majeure events exclude liability

9.2 Data Controller Responsibilities

  • Ensure lawful basis for all processing instructions
  • Obtain necessary consents from data subjects
  • Provide accurate and complete processing instructions
  • Handle data subject rights requests and communications

10. Term and Termination

10.1 Agreement Term

  • This DPA remains in effect while EventMaps processes personal data
  • Automatically renewed with service agreements or contracts
  • Either party may terminate with 30 days written notice
  • Immediate termination for material breach after 7-day cure period

10.2 Post-Termination Obligations

  • Data return or deletion within 30 days of termination
  • Continued confidentiality obligations
  • Cooperation with ongoing investigations or legal proceedings
  • Survival of liability, confidentiality, and governing law clauses

11. Contact and Dispute Resolution

11.1 Data Protection Contacts

EventMaps - Operated by Umit Hayim
Email: support@eventmaps.io

11.2 Governing Law

This DPA is governed by Spanish law and GDPR. Any disputes will be resolved in the courts of Barcelona, Spain. Data subjects retain the right to lodge complaints with their local supervisory authority.
