Region: Estonia
Language: English
Change

Personal Data Processing Agreement

1. General definitions

1.1. Personal data means any information concerning an identified or identifiable natural person (data subject) within the meaning of Article 4(1) of the GDPR.
1.2. GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.3. Data processing means actions carried out with Personal Data within the meaning of Article 4(2) of the GDPR.
1.4. Data processor means the person who processes personal data on behalf of the data controller within the meaning of Article 4(8) of the GDPR.
1.5. Data controller means the person who determines the purposes and means of processing the data within the meaning of Article 4(7) of the GDPR.
1.6. Organiser means a business or individual client who created an event in the Paysera Tickets system and sells or distributes tickets to it. The organiser’s details are provided in the Event Information.
1.7. Buyer means an individual client who buys/bought a ticket through the Paysera Tickets system to an event organised by the Organiser.
1.8. System is a software solution on Paysera-owned websites that is developed by Paysera and used to provide Paysera services.

2. General provisions

2.1. The Personal Data Processing Agreement (hereinafter – the Agreement) regulates the Buyer’s Personal data processing process, mutual obligations and responsibilities between the Organiser and Paysera. The purpose of this Agreement is to ensure the protection and security of the Buyer’s Personal Data, which the Organiser uses Paysera to process in accordance with the applicable personal data protection legislation.
2.2. The scope of this Agreement does not include Personal data processed by Paysera, which Paysera processes as a Data controller on the basis of Article 6(1)(c) of the GDPR, ensuring the provision of Paysera Tickets system services (see clauses 17, 19 of the Privacy Policy). The processing of this Personal data is governed by Privacy Policy of Paysera Tickets.
2.3. This Agreement is an annexe to the Terms of Use of the Paysera Tickets applicable to the Organisers. If the Organiser does not agree with this Agreement, they may not to use the services of Paysera Tickets.
2.4. The Organiser, as the Data controller, uses the Paysera Data processor to process the Buyers’ Personal data.
2.5. Paysera, as the Data processor, processes the Buyers’ Personal data on behalf of the Organiser, on the basis of this Agreement.
2.6. The contact details of the data protection officer appointed by Paysera are: dpo@paysera.com.

3. Conditions for processing personal data

3.1. The Organiser, using the technical integration in the Paysera Tickets system, determines which Personal data requests will be submitted to the Buyer, i.e. which Personal data of the Buyer will be collected.
3.2. Paysera processes the Buyer’s Personal data on behalf of the Organiser, by taking into account the Personal data requests enabled by the Organiser in the Paysera Tickets system.
3.3. The Organiser instructs Paysera to process the Buyers’ Personal data at their own discretion and initiative, therefore Paysera has no influence on the scope, categories, collection purposes, storage terms, etc. of the Buyers’ Personal data collected.
3.4. The Organiser instructs Paysera to perform the collection and storage of the Buyer’s Personal data, and to transmit it to the Organiser.
3.5. Paysera stores Personal data for 10 (ten) years from the date of receipt of Personal data.

4. Obligations of the Parties

4.1. The Organiser (Data controller) undertakes under this Agreement:
4.1.1. to ensure that the processing of Personal data is based on legitimate purposes and grounds, when it is necessary that the proper consent of the Buyer regarding the processing of personal data has been obtained;
4.1.2. to process Personal data in accordance with the principles related to the processing of Personal data established in Article 5 of the GDPR and the requirements established in legal acts;
4.1.3. to create suitable conditions for the Buyer to exercise all the rights of the data subject and to respond directly to the Buyer’s requests regarding the implementation of the data subject’s rights specified in Chapter III of the GDPR;
4.1.4. to adopt internal data processing rules, which must specify:
4.1.4.1. where required by applicable legal acts, the name and surname and contact details of the Data controller’s representative and the Data protection officer;
4.1.4.2. categories of Data processing performed;
4.1.4.3. where applicable, transfers of personal data to a third country or to an international organisation, including a reference to that third country or international organisation, documentation of appropriate safeguards;
4.1.4.4. a description of the technical and organisational security measures.
4.2. Paysera (Data processor) undertakes under this Agreement:
4.2.1. to process the Buyers’ Personal Data only to the extent and for the purposes set by the Organiser;
4.2.2. not to modify, edit, or change the Personal data, not to disclose and prevent disclosure of the Personal Data to any third party, unless it is necessary for the proper performance of other contractual obligations with the Organiser;
4.2.3. implement appropriate technical and organisational measures to ensure a level of security corresponding to the risk;
4.2.4. to assist the Organiser, as the Data controller, in fulfilling the obligation to respond to the data subject’s requests regarding the implementation of the data subject’s rights specified in Chapter III of the GDPR, taking into account the scope of the processed Personal data of the Buyer;
4.2.5. upon learning about a Personal data breach, immediately inform the Organiser so that the Organiser can fulfil the obligation of the Personal data controller to report the Personal data breach in accordance with the data protection legislation;
4.2.6. take the necessary measures to ensure the integrity of any employee, intermediary or contractor, sub-processor, other third party who may have access to Personal data, and that in each case such access is limited to those who need it, while ensuring entry into confidentiality agreements with them or to be bound by a legal obligation of confidentiality;

5. Sub-processing of Personal data

5.1. The Organiser agrees that Paysera may use other Personal data processors (sub-processors) for the processing of Personal data without a separate prior consent or transfer this data to third parties if such operation complies with the provisions of the Agreement.
5.2. Paysera undertakes to enter into a Personal Data Processing Agreement with such persons when transferring Personal Data to third parties or through sub-processors, which ensure standards of Personal data protection equivalent to those set forth in this Agreement.
5.3. At the request of the Organiser, Paysera undertakes to provide an up-to-date list of Personal data sub-processors.

6. Transfer of Personal data to third countries

6.1. The Organiser agrees that Paysera may transfer Personal data to entities outside the European Union or the European Economic Area without a separate prior consent, provided that such transfer complies with the provisions of the Agreement.
6.2. When transferring Personal Data to entities outside the European Union or the European Economic Area, Paysera undertakes to enter into Personal Data Processing Agreements with such entities to comply with the GDPR requirements for such agreements and ensure standards equivalent to the protection of Personal data set forth in this Agreement.
6.3. At the request of the Organiser, Paysera undertakes to provide an up-to-date list of recipients of Personal data outside the European Union or the European Economic Area, to whom the Buyers’ Personal data is transferred.

7. End of processing of Personal data

7.1. Upon expiry of the term of Personal data processing specified in clause 3.5 of the Agreement, Paysera undertakes to delete all stored Personal data and all possible copies thereof.

8. Other conditions

8.1. The Parties agree that the information received from the other Party in the implementation of this Agreement is confidential. During the validity of the Agreement and after the expiry of the Agreement, neither party shall have the right to disclose such information to any other third parties without a prior written consent of the other party, except for mandatory cases of disclosure of such information imperatively established in laws of the Republic of Lithuania. The obligations of the parties not to disclose confidential information shall remain in force indefinitely. A party in breach of its obligation to keep confidential information and not to disclose it must indemnify the other party for all damages.
8.2. All disputes arising from this Agreement shall be resolved through negotiations, failing which the disputes shall be settled in accordance with the laws of the Republic of Lithuania.
8.3. In the event of any inconsistency between the terms of this Agreement and other terms of the agreements between the parties governing the protection of personal data, the provisions of this Agreement shall apply.

9. Expiry date, amendments

9.1. The Agreement enters into force when the Organiser starts using the Paysera Tickets system.
9.2. The Agreement is an annexe to the Terms of Use of Paysera Tickets and may be changed by the unilateral decision of Paysera, by publishing the updated version on the tickets.paysera.com website and notifying the Organiser about changes to the Agreement by email.
9.3. This Agreement is a necessary condition for using the Paysera Tickets System, therefore, if the Organiser does not agree with this Agreement, they cannot be granted the right to use the Paysera Tickets System.