Seat4events takes data privacy and security very seriously. We take steps to make sure that we comply with our data privacy law obligations in the EU (primarily, the General Data Protection Regulation “GDPR”, which took effect in May 2018), and our goal is to make it easy for our Organisers to comply with their respective obligations. Here are a few highlights of Seat4events’s GDPR compliance program.
Given that Seat4events processes a Consumer’s personal data both in providing its services to the Organiser and in managing Seat4events’s direct relationship with the Seat4events account-holding Consumer in his or her own use of Seat4events, Seat4events may be both a controller and a processor in relation to a Consumer’s personal data and will be held to different processing obligations as a result.
a. Seat4events as a data controller: Where an Organiser creates an account with Seat4events to organise and ticket their events, Seat4events will be a data controller over the personal data that Organisers provide about themselves as part of their account creation process. Similarly, where a Consumer provides Seat4events with personal data while creating an account, Seat4events will be a data controller over the personal data provided to Seat4events directly by that Consumer. Seat4events will also be a data controller of the personal data that Seat4events obtains during an Organiser or Consumer’s use of Seat4events services, which Seat4events may then use, for example, to conduct research and analysis, improve our products and features, and provide targeted recommendations.
b. Seat4events as a data processor: Seat4events will be a data processor over a Consumer’s personal data that Seat4events obtains while providing its core ticketing services to our Organisers. For example, Seat4events may process Consumers’ personal data on behalf of Organisers to allow Organisers to learn more about their attendees during the ticket purchase, facilitate the transmission of emails to Consumers at the request of the Organiser, process payments, or provide event reports and tools so Organisers can gain insights into the effectiveness of various sales channels.
As a data processor processing Personal Data on behalf of the Organiser, Seat4events is subject to a Data Processing Addendum to our Terms of Service with our Organiser. Our Data Processing Addendum (DPA) for Organisers (Attach hyperlink), incorporated in our Terms of Service, includes Seat4events’s legal obligations as a processor consistent with the GDPR.
We offer the ability for Organisers to email Consumers directly through our platform. This functionality was built to send service-related emails specific to an Organiser’s event attended by the recipient of such email. If an Organiser wants to use this function for marketing its products or events, the Organiser needs to secure its own compliant opt-in consents or ensure that they have the right to send marketing emails to individuals. Seat4events does not do this on an Organiser’s behalf.
As a data controller of our account-holding Consumers, Seat4events will honour Consumers’ requests with respect to the processing of their personal data, consistent with applicable law. For instance, Consumers can request access to their personal data that we process. They can also ask us to correct such personal data, provide such personal data in a portable format, or delete such personal data.
a. Access: Seat4events will honour a Consumer’s request that Seat4events confirm the existence of the processing of the Consumer’s personal data, if applicable, and grant the Consumer access to that data, consistent with applicable law. You can request your personal data in the My Profile section of your Seat4events account.
b. Correction: Seat4events will honour a Consumer’s request that Seat4events correct the Consumer’s incomplete, inaccurate, or outdated personal data that we process, consistent with applicable law. You can update your personal data in the My Profile section of your Seat4events account.
As a result, there may be a time when your Organiser dashboard will show anonymous personal data for a particular attendee; however, the financial data associated with that attendee should remain as part of the event. Similarly, if Seat4events removes personal data on its own in accordance with our internal data retention policy, this same view will appear within the dashboard.
In the event that an Organiser’s data retention needs require that Seat4events no longer provide such Organiser with access to the personal data of its former attendees, the Organiser can accomplish this by removing the event from its dashboard (Attach hyperlink). Should the Organiser require access to the non-personal event data, it should first download the event to a .csv or text file as it sees fit.
Should one of your attendees ask you directly to have Seat4events remove that attendee’s personal data from our system, please forward the request to us at (company’s email address). Our support team may reach out to the Consumer directly to confirm the request.
In cases where we are a data controller (even if we are both a data processor and a data controller) over personal data that is impacted by a data security incident requiring notification to affected Consumers, we will notify the affected Consumers directly, rather than notifying the Organiser of each event associated with that Consumer. As a reminder, we are a data controller for all Organiser personal data, as well as for the personal data of Consumers who create a Seat4events account in the course of a ticket purchase.
When we are solely a processor of data, meaning we process the personal data of a Consumer who purchased tickets on Seat4events without creating an account with Seat4events directly, then we will notify the Organiser(s) we determine to be most likely in contact with that Consumer whose personal data has been impacted by a data security incident requiring notification.
Seat4events physically stores personal data in the United States. In order to ensure that personal data can be lawfully transferred from the EU to our US-based servers, Seat4events agrees that it will be bound by the Controller-to-Processor Standard Contractual Clauses (Attach hyperlink) in the Annex to the European Commission Decision of February 5, 2010, as may be amended or replaced from time to time by the European Commission.
a. Training: We revamped our internal data privacy guidelines to make sure they’re in line with the GDPR, and we’re making sure that employees are trained on them appropriately. This means that everyone at Seat4events is expected to handle personal data in a legitimate and fair way.
b. Privacy by Design: We implemented enhanced guidelines to help design our systems and tools that collect and store personal data in a privacy-friendly way. By doing this, we aim to reduce privacy risks at the outset and offer our Organisers and Consumers more control over their information.
c. Data Privacy Impact Assessments: We implemented new internal protocols to enable certain activities involving personal data to go through a Privacy Impact Assessment, measuring compliance with the GDPR while also allowing for ease of record keeping.
e. Vendors: We reviewed our vendor and sub-processor contracts to make sure that they meet the requirements of the GDPR and are compliant with rules on international data