1. Introduction
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Use / Subscription Agreement (the “Agreement”) between the customer (“Company” or “Controller”) and Berlin 3 Services GmbH, Brückenstrasse 1, 10179 Berlin, represented by Stephan Rombach, registered in Berlin (HRB 117025 B) (“Supplier” or “Processor”).
The DPA sets forth the terms and conditions under which the Supplier will process personal data on behalf of the Company in connection with the services provided under the Agreement.
This DPA applies to all personal data processing activities carried out by the Supplier, including but not limited to the collection, storage, analysis, and transfer of personal data, as necessary to provide and support the Details Service. The processing of personal data will be in accordance with the applicable laws and regulations, particularly the General Data Protection Regulation (GDPR).
By agreeing to the Terms of Use / Subscription Agreement, the Company also agrees to the terms and conditions of this DPA.
2. Subject Matter
This DPA governs the processing of personal data by the Supplier on behalf of the Company in connection with the provision of services under the Agreement. The Supplier agrees to process personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679.
3. Nature and Purpose of Processing
The Supplier will process personal data solely for the purpose of providing the Details Service, including but not limited to data hosting, IT support, and related services as described in the Agreement.
The Supplier will perform the following data processing activities on behalf of the Company in connection with the provision of the Details Service:
3.1 Data Storage and Management
- Data Storage: The Supplier will securely store personal data provided by the Company in its databases, ensuring the data is protected from unauthorized access, loss, or corruption. This includes implementing regular backups, encryption, and redundancy measures to safeguard data integrity.
- Data Organization: The Supplier will organize and categorize personal data, including contract data (e.g., legal matters, terms) and employee data (e.g., names, emails, phone numbers), to facilitate efficient retrieval and management, ensuring that the Company can access and utilize the data as needed for its operations.
3.2 Data Analytics and Reporting
- Sales Analytics: The Supplier will analyze sales data, including transaction histories, customer behavior, and revenue trends, to generate detailed analytical reports. These insights will help the Company optimize its sales strategies, identify market opportunities, and improve overall business performance.
- Royalty Gains: The Supplier will calculate and report on royalty gains from various revenue streams, providing detailed breakdowns by product, region, and other relevant criteria. This data will assist the Company in managing royalty reporting and ensuring accurate compensation for rights holders.
- Financial Statements Reporting: The Supplier will process financial data, including accounting and payment data (e.g., invoice details, bank details, payments, liabilities), to produce and deliver comprehensive financial statements, including balance sheets, income statements, and cash flow statements. These reports will be prepared in accordance with relevant financial reporting standards and be available for auditing and compliance purposes.
3.3 Customer Support and Communication
- Customer Support: The Supplier will process personal data, including employee data, to provide customer support services, including responding to user inquiries, troubleshooting issues, and offering guidance on using the Details Service. Support interactions may occur via email, phone, or within the application.
- User Notifications: The Supplier will use personal data to send users notifications related to account activities, service updates, and other relevant communications. This includes sending reminders, alerts, and confirmations directly related to the user’s interaction with the service.
3.4 Provision of Travel and Itinerary Information
- Travel Arrangements: The Supplier will process personal data related to travel arrangements, such as itineraries, bookings, and travel preferences. This information will be used to provide users with accurate and up-to-date travel plans through the Details Service.
- Itinerary Updates: Although not currently offered, the Supplier may in the future provide a service to notify users of any changes to their travel plans, such as delays, cancellations, or alternative arrangements. This would involve processing and updating their itinerary information accordingly.
3.5 Online Application Services
- User Account Management: The Supplier will manage user accounts, including registration, authentication, and access control, ensuring secure and personalized access to the Details Service.
- Data Retrieval and Display: The Supplier will process and display relevant data within the online application, allowing users to view and interact with their data, such as sales figures, financial statements, royalty gains, and itinerary information.
- Sales and Royalty Analytics: The Supplier will provide detailed sales and royalty analytics through the online application, enabling users to filter, sort, and visualize data based on various criteria, such as product type, region, and time period.
3.6 Data Security and Compliance
- Security Monitoring: The Supplier will continuously monitor the security of personal data, identifying potential threats and vulnerabilities. This includes implementing security patches, conducting regular security assessments, and maintaining up-to-date encryption standards.
- Compliance Assurance: The Supplier will ensure that all data processing activities comply with applicable data protection laws, including GDPR, and will assist the Company in demonstrating compliance with these regulations.
4. Categories of Data
The Supplier will process the following categories of personal data on behalf of the Company in connection with the provision of the Details Service:
4.1 Customer Staff Information
- Staff Names: Full names of the customer’s staff members, including first and last names.
- Contact Information: Phone numbers and email addresses of the customer’s staff, used for communication and coordination of services.
4.2 Customer Client Information
- Client Addresses: Physical and mailing addresses of the customer’s clients, including street addresses, city, state, postal code, and country.
- Communication Information: Email addresses, phone numbers, and other contact details of the customer’s clients, used for notifications, billing, and service-related communications.
4.3 Customer Supplier Information
- Supplier Addresses: Physical and mailing addresses of the customer’s suppliers, including street addresses, city, state, postal code, and country.
- Communication Information: Email addresses, phone numbers, and other contact details of the customer’s suppliers, used for procurement, orders, and service-related communications.
4.4 Personal Artist Information
- Artist Names: Full names of artists associated with the customer, including stage names or pseudonyms where applicable.
- Catering and Travel Requirements: Specific dietary preferences, meal plans, and travel arrangements for artists, including accommodations, transportation, and special requests.
4.5 User Information
- IP Addresses: Anonymized IP addresses of users accessing the Details Service, used for security monitoring and analytics.
- Browsing Behavior: Logs of user interactions with the online application, including page views, clicks, navigation paths, and session durations, to understand user engagement and improve service delivery.
- User Logs: Detailed records of user activities within the application, including login times, account changes, and data access, used for auditing, security, and troubleshooting.
4.6 Communication Data
- Emails and Messages: Copies of emails, in-app messages, and other forms of communication between the customer, their clients, and suppliers, processed to ensure smooth service operation and customer support.
- Support Requests: Records of customer support interactions, including the content of requests, responses provided, and resolutions achieved.
4.7 Financial and Transactional Data
- Sales Data: Information on transactions processed through the Details Service, including sales amounts, dates, and related financial details.
- Royalty Data: Details of royalty payments, including calculations, disbursement schedules, and associated financial records.
- Billing Information: Data related to billing, including invoices, payment records, and customer account balances.
4.8 Other Data
- Geolocation Data: When relevant, approximate geolocation data may be processed based on IP addresses or other user-provided information, for regional compliance or service customization.
- Event Participation Data: Information on participation in events, such as webinars, workshops, or conferences organized by the Company, including registration details and attendance records.
5. Duration of Processing
The Supplier shall process personal data on behalf of the Company for the duration of the Agreement. Upon termination of the Agreement, the following retention policies shall apply:
- Retention of Data in Databases: Personal data stored in active databases will be retained for a period of one (1) year following the termination of the Agreement. This is to allow for any necessary processing related to the termination of services, such as final billing or customer support. After this period, the data will be securely deleted or anonymized, unless applicable law requires longer retention.
- Retention of Customer-Related Business Documents: Business documents, including but not limited to invoices, contracts, and communications, that contain personal data will be retained for a period of ten (10) years in compliance with German legal requirements (e.g., as mandated by the German Commercial Code (HGB) and the German Fiscal Code (AO)). These documents will be securely archived and protected from unauthorized access during the retention period.
After the expiration of these retention periods, all personal data will be securely deleted or anonymized, ensuring that it can no longer be used to identify individuals.
6. Obligations of the Processor
6.1 Technical and Organizational Measures
The Supplier shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of data processing, in accordance with Article 32 of the GDPR. These measures are designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
As a Software-as-a-Service (SaaS) provider hosted on Amazon Web Services (AWS), the Supplier adheres to the AWS Shared Responsibility Model. Under this model:
- AWS’s Responsibilities: AWS is responsible for the security of the cloud infrastructure, including the physical security of data centers, network infrastructure, and virtualization layers.
- Supplier’s Responsibilities: The Supplier is responsible for the security of the data within the cloud environment, including data encryption, access controls, and application-level security.
The specific measures implemented by the Supplier include, but are not limited to:
- Data Encryption: Encryption of personal data both in transit and at rest to ensure confidentiality.
- Access Controls: Implementation of robust access controls to restrict data access to authorized personnel only. This includes the use of multi-factor authentication (MFA) and role-based access controls (RBAC).
- Incident Management: Establishment of processes to detect, report, and respond to data breaches and other security incidents promptly.
- Regular Audits: Conducting regular security audits and vulnerability assessments to ensure ongoing compliance with security policies.
- Data Minimization: Ensuring that only the necessary personal data is collected, processed, and retained for the purposes specified.
For a comprehensive list of the technical and organizational measures in place, please refer to the Technical and Organizational Measures (GDPR) article on our helpdesk.
6.2 Assistance with GDPR Obligations
The Supplier shall assist the Company in ensuring compliance with its obligations under the GDPR, including but not limited to the following:
- Responding to Data Subject Requests: The Supplier shall provide the Company with the necessary tools and support to respond to requests from data subjects exercising their rights under the GDPR, such as requests for access, rectification, erasure, or data portability. This includes facilitating the export of personal data in a structured, commonly used, and machine-readable format.
- Data Protection Impact Assessments (DPIAs): The Supplier shall assist the Company in conducting Data Protection Impact Assessments when required by the GDPR, by providing relevant information regarding the processing activities and associated risks. This includes supplying details on the data processing operations, the measures in place to mitigate risks, and any residual risks that may remain.
- Security Incident Response: In the event of a data breach or other security incident, the Supplier will promptly notify the Company and provide the necessary assistance to manage and mitigate the impact of the breach, including the preparation of any required notifications to supervisory authorities and affected data subjects.
- Compliance Reviews and Audits: The Supplier will make available to the Company, upon request, all information necessary to demonstrate compliance with the obligations set out in this DPA, including any audit reports or certifications relevant to the processing of personal data.
- Consultation with Supervisory Authorities: Where required, the Supplier shall assist the Company in consultations with supervisory authorities prior to processing activities that pose a high risk to the rights and freedoms of data subjects.
By adhering to these obligations, the Supplier ensures that the processing of personal data is conducted in a manner that complies with GDPR requirements, while also supporting the Company in its broader compliance efforts.
7. Sub-Processing
7.1 Approved Sub-Processors
The Supplier uses the following sub-processors to assist in the provision of the Services:
- Amazon AWS (Application Hosting and Backups): Responsible for the hosting of the application and storage of backups in a secure environment.
- Google (Geo-locating Event Venues): Provides geolocation services to identify and display event venue locations.
- Flightstats (Travel Information): Supplies travel-related information such as flight statuses and schedules.
- Adyen (Payment Provider): Facilitates payment processing for transactions within the platform.
- PayPal (Payment Provider): Provides payment services for transactions processed through PayPal.
- EDICot (EDI Order Transformation and Transmission in France): Manages electronic data interchange (EDI) for orders in France, transforming and transmitting order data as needed.
7.2 Notification of New Sub-Processors
The Supplier may engage new sub-processors as necessary to support the delivery of the Services. When doing so, the Supplier will notify the Company of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. This notification will include the name of the sub-processor, the processing activities they will perform, and the location of their data processing operations.
The notification will be provided via email to the Company’s designated contact or published within the Service’s administrative interface. The Company may monitor these notifications for any changes to sub-processors.
7.3 Consent Procedures
The Company acknowledges and agrees that the Supplier has the right to engage sub-processors as listed in Section 7.1 and to add new sub-processors as outlined in Section 7.2. The Company does not have the right to reject or object to the use of these sub-processors. If the Company does not agree to the use of a sub-processor, the Company may choose to discontinue the use of the Services. The continued use of the Services by the Company after notification of a new sub-processor will be considered as acceptance of the sub-processor.
7.4 Responsibility for Sub-Processors
The Supplier remains fully responsible to the Company for the performance of any sub-processor in compliance with the obligations of this DPA. The Supplier will ensure that any sub-processor engaged by them agrees to provide the same level of data protection as required by this DPA and the GDPR.
8. Data Subject Rights
8.1 Notification of Data Subject Requests
The Supplier shall notify the Company within 5 business days upon receipt of any data subject request made under GDPR, including but not limited to requests for access, rectification, erasure, restriction of processing, data portability, or objection to processing, that relates to personal data processed by the Supplier on behalf of the Company.
8.2 Assistance in Responding to Data Subject Requests
Upon receiving a data subject request notification from the Company, the Supplier shall, within 10 business days, provide the necessary assistance to the Company to fulfill the data subject’s request. This assistance may include, but is not limited to:
- Providing the Company with Relevant Data: Delivering the relevant personal data to the Company in a structured, commonly used, and machine-readable format.
- Assisting in Data Rectification or Deletion: Assisting in the rectification or deletion of personal data.
- Providing Information about Processing Activities: Providing information about the processing activities relevant to the data subject’s request.
8.3 Company’s Responsibility
The Company remains responsible for responding to data subject requests in compliance with GDPR. The Supplier’s role is to assist the Company by providing the necessary information and tools to address such requests. It is the Company’s responsibility to ensure that it meets the legal deadlines for responding to data subject requests, typically within one month of receipt of the request, as stipulated by GDPR.
8.4 Escalation and Coordination
If the Supplier anticipates that it will be unable to meet the 10-business-day deadline to assist with a data subject request, it must immediately notify the Company and coordinate to prioritize the completion of the request within the GDPR timeframe. The Company and Supplier will work together to ensure that the data subject’s rights are upheld.
8.5 Billable Assistance
Any assistance provided by the Supplier to the Company in responding to data subject requests under GDPR may be billable to the Company. The Supplier will provide an estimate of costs for such assistance in advance, and the Company will be billed according to the Supplier’s standard rates for data protection services. The Supplier shall invoice the Company for the assistance provided, and payment terms shall follow those outlined in the main Agreement.
9. Data Breach Notification
9.1 Obligation to Notify
In the event of a data breach that affects personal data processed by the Supplier on behalf of the Company, the Supplier shall notify the Company without undue delay and, where feasible, not later than 24 hours after becoming aware of the breach. The Supplier’s notification obligations are governed by Articles 33 and 34 of the GDPR.
9.2 Method of Communication
The Supplier will use the following methods to notify the Company in the event of a data breach:
- For Breaches Affecting a Single Client: The Supplier will send an email to the designated contact person(s) at the Company. This email will include all relevant details regarding the breach, as specified in section 9.3.
- For Breaches Affecting All Customers: In addition to sending an email to the designated contact person(s) at the Company, the Supplier will issue an In-App Notification within the Company’s user interface. This notification will also be archived in the notification history for future reference.
9.3 Contents of the Notification
The Supplier’s breach notification to the Company will include the following information:
- Description of the Nature of the Data Breach: Including the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- The Likely Consequences of the Data Breach: An assessment of the potential risks to the data subjects affected.
- Measures Taken or Proposed to Address the Breach: Including, where appropriate, measures to mitigate its possible adverse effects.
- Contact Details for the Supplier’s Data Protection Team: The Company can use these details for further inquiries and coordination regarding the breach.
9.4 Ongoing Communication
The Supplier shall keep the Company informed of any new developments regarding the breach and the ongoing investigation, providing updates as new information becomes available or as requested by the Company. The Supplier will collaborate with the Company to ensure that any regulatory obligations are met, including notifying the relevant supervisory authority if required.
9.5 Post-Breach Review
Following the resolution of a data breach, the Supplier shall conduct a post-breach review in collaboration with the Company to evaluate the effectiveness of the response and to implement any necessary improvements to prevent future incidents.
10. Audit and Compliance
10.1 Right to Audit
The Company has the right to audit the Supplier’s compliance with the terms of this Agreement and applicable data protection laws, including the GDPR. However, to protect the Supplier’s intellectual property (IP) and proprietary information, any audit must be conducted by an independent third-party auditor agreed upon by both the Supplier and the Company.
10.2 Scope of Audits
Audits shall be limited to the data processing facilities, systems, and documentation relevant to the processing of personal data under this Agreement. The Supplier’s services are fully hosted on Amazon AWS, and as such, the scope of the audit shall exclude any physical on-premise inspections. The audit scope may include, but is not limited to:
- The Supplier’s Data Processing Systems and Software: Hosted on Amazon AWS.
- Data Protection Policies and Procedures: Details of the policies and procedures in place to protect personal data.
- Records of Processing Activities: Documentation of the data processing activities conducted by the Supplier.
- Technical and Organizational Measures Implemented by the Supplier: Measures taken to ensure data protection and security.
10.3 Frequency of Audits
Given the size and resources of the Supplier, the Company agrees that audits shall not be conducted more frequently than once per calendar year, except in cases where:
- A Data Breach Has Occurred: An audit or investigation may be required following a data breach.
- A Supervisory Authority Requires an Audit: An audit may be triggered by a request from a supervisory authority.
- The Company Has Reasonable Grounds to Suspect Non-Compliance: An audit or investigation may be initiated if the Company suspects that the Supplier is not in compliance with this Agreement or GDPR.
10.4 Notice and Scheduling
The Company shall provide the Supplier with at least 30 days’ prior written notice of any audit, specifying the proposed scope and date. Audits shall be conducted during regular business hours and in a manner that minimizes disruption to the Supplier’s operations.
10.5 Costs of Audits
The costs associated with audits, including the fees of the independent third-party auditor, shall be borne by the Company. The Supplier reserves the right to charge the Company for any internal costs incurred in preparing for and facilitating the audit, provided that these costs are reasonable and have been agreed upon in advance. The Company shall bear its own costs in connection with any audit.
10.6 Independent Certifications
To minimize the need for on-site audits, the Supplier may provide the Company with copies of relevant certifications, such as ISO/IEC 27001 or SOC 2 Type II, or other independent audit reports, as evidence of compliance with data protection obligations. These certifications may reduce the need for additional audits unless the Company has specific concerns that require further investigation.
10.7 Audit Reports and Remediation
The independent third-party auditor shall provide the Company with a written report of the findings of any audit, including any identified deficiencies and the Supplier’s proposed remediation measures. The Supplier shall promptly address any deficiencies identified during the audit in accordance with a mutually agreed remediation plan.
11. Governing Law and Jurisdiction
11.1 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Federal Republic of Germany. The application of the United Nations Convention on Contracts for the International Sale of Goods (CISG) is expressly excluded.
11.2 Jurisdiction
The parties agree that the exclusive place of jurisdiction for any disputes arising out of or in connection with this Agreement shall be the courts of Berlin, Germany. The Company and the Supplier hereby submit to the personal jurisdiction of these courts.
11.3 Language of Proceedings
All legal proceedings arising from this Agreement shall be conducted in German, unless otherwise agreed by both parties.
12. Miscellaneous
12.1 Amendments
Any amendments to this Data Processing Agreement (DPA) shall be made in writing and require mutual agreement between the Company and the Supplier. Amendments will be communicated to the Company via an In-App Announcement, which will be accessible in the Notices Archive within the application. The Company is responsible for regularly checking the Notices Archive for updates. Amendments shall be deemed accepted by the Company unless an objection is raised in writing within 30 days of the announcement. If the Company objects to the amendment, the Supplier may terminate the Agreement with 30 days’ notice.
12.2 Severability
Should any provision of this DPA be found invalid or unenforceable under applicable law, the remainder of the DPA shall remain valid and enforceable. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely reflects the original intent of the parties. If a suitable replacement cannot be found, the provision will be severed, and the remaining provisions will continue in full force and effect.
12.3 Termination
This DPA will automatically terminate upon the termination of the Agreement between the Company and the Supplier, unless otherwise agreed by the parties. Upon termination of this DPA, the Supplier shall return or delete all personal data processed on behalf of the Company, as specified in the Agreement. The Supplier may retain personal data only to the extent required by applicable law or for the purposes of defending any legal claims.
If either party breaches any material provision of this DPA and fails to cure such breach within 30 days of receiving notice from the other party, the non-breaching party may terminate this DPA immediately upon written notice.
By signing up for the Details Service, the Company agrees to the terms of this Data Processing Agreement.