Eventmaster - GDPR Policy

EVENTMASTER PRIVACY AND GDPR POLICY

About Us

Eventmaster is a ticketing, fundraising and membership platform, powering some of Ireland’s largest events, charities and sporting national governing bodies.

The company registration number is 489410 and our address is Unit 27, Tait Business Centre, Dominic Street, Limerick V94YN60. Eventmaster is the owner of www.eventmaster.ie and we are committed to protecting your privacy and processing your personal data in accordance with the Data Protection Act (DPA) 1998 up to 24 May 2018 and the General Data Protection Regulation (GDPR) on and from 25 May 2018 (Data Protection Legislation).

This policy explains how any information we collect about you is used and kept securely. It also explains your privacy choices when using our website/services as well as your right to access your information under Data Protection Legislation. Our Privacy Notice has been designed with you in mind. How the notice applies to you will depend on the way in which you interact with us. If you visit a website operated by a third party through a link included on this Website, your information might be used differently by the operator of the linked website.

Definitions and Interpretation
1. Data Processer: Eventmaster acts as the data processor for our ticketing, membership, and fundraising products.
2. Data Controller: The person(s)/Organisation providing the service you require. For example, this could be an event organiser, charity, or membership provider.

What Information We Have & Where We Get It
1. When you create an account, or use any of our ticketing, fundraising or membership services, we will collect your information which depending on service we are providing, may include your contact and billing information.
2. When you use our platform services and website, we collect information such as the browser and device you're using, your IP address, your location, the site you came from, what you did and didn't use our site for, or the site you visit when you leave us. (See Section 11)
3. When you use a social media feature within our website or apps, and you post to social media platforms, the social media site will provide us with some information about you.
4. In the few instances where we collect personal information from children, we always seek parental consent and will only ever collect such information for the purposes specified when we collect it.

The type of personal data being processed
1. All online payments and order forms for the provision of services regarding ticketing, fundraising and membership. These may include details such as name, email address and other information as directed by the data controller.
2. Emails used for Newsletters sent via Eventmaster.
3. Payment Details for all orders
4. Permit applications – Details collected for the purpose of providing a permit for an event. This includes the event information and personal details of the permit applicant/event organiser.
5. Any documents uploaded to the platform as required by the data controller.

The categories of data subjects whose personal data is being processed
1. Members, Membership Administration Users, Permit Applicants, Event Organisers, Ticket Holders, Website visitors, Donors, Fundraisers and Charity Administration Users and any other account holder within the platform.

How We Use Your Information & Why
1. For the performance of our contract with you
2. We use your information when you enter into a contract with us (for example to buy membership, make a donation, buy a ticket or register for a sporting event) so we can:
  1. process your order
  2. take payment, and
  3. provide you with customer support.

For our legitimate business interests
1. To conduct market research and analysis which helps improve and customise our services.
2. For our marketing purposes (where consent is given).
3. To send you customer service emails including booking confirmations and event reminders.
4. To ensure the security of your and Data Controller operations.
5. To create an account allowing you to
  1. View/Edit your bookings and events
  2. .Manage your Memberships
  3. Manage your Fundraising/Benefactor Page
  4. Right Of Access
  5. Right To Be Forgotten

Where you’ve given your consent
1. For Eventmaster to contact you with information or offers regarding our upcoming events – we ask your permission during event registration.
2. You can also opt in by managing your preferences in the ‘My Account’ section of your Eventmaster account or via external opt in links where applicable.

Who We Share Your Data With & Why
1. Our third-party service providers such as cloud computing providers who provide the IT infrastructure on which our products and systems are built.
2. As a data processor, we share your information with the data controllers of the specific events/services that you have registered for so that they can fulfil your order and provide service. The data controller may then send you marketing or other communications, which may be subject to its own, separate privacy policy. Likewise, if you provide your mobile phone number, you may receive information messages related to the service in which you’ve expressed interest. Data controllers such as event organisers and membership providers can create registration pages to collect virtually any information from Consumers in connection with registration for their services. Eventmaster does not control this process nor the Personal Data that they collect. When you register for, or otherwise provide information to Eventmaster in conjunction with a Data controller’s event or service, whether that information is yours or a third party’s, in connection with a purchase, registration, or transfer, that data controller will receive and may use the information you provide. Any transmission of information or data is at your own risk.

Your Choices & Rights
1. Right to Opt-out of Marketing Communications - To stop receiving our marketing emails you can login to you manage my booking account and choose to “Unsubscribe” in the GDPR section or by clicking on the unsubscribe button in email newsletters sent via Eventmaster
2. To remove all your data from Eventmaster services you can login to your account and choose the “Right To Be Forgotten” in the GDPR section.
3. To see any personnel data that we have collected for you, login to your manage my booking account and chose the "Right Of Access"
4. Right to restriction of processing - You have a right to request that we refrain from processing your data where you contest its accuracy, or the processing is unlawful and you have opposed its erasure, or where we do not need to hold your data any longer but you need us to in order to establish, exercise or defend any legal claims, or we are in dispute about the legality of our processing your personal data.
5. Right to Portability - You have a right to receive any personal data that you have provided to us in order to transfer it onto another data controller where the processing is based on consent and is carried out by automated means. This is called a data portability request.
6. Right to Object - You have a right to object to our processing your personal data where the basis of the processing is our legitimate interests including but not limited to direct marketing and profiling.
7. Right to Withdraw Consent - You have the right to withdraw your consent for the processing of your personal data where the processing is based on consent.
8. Right of Complaint - You also have the right to lodge a complaint about any aspect of how we are handling your data with the

Data retention period
1. We will hold information in our data systems only for as long as we need it for the purpose for which we collected it, which is as follows:
  1. As long as you continue to log into your Eventmaster account or use our services (including entering events, making purchases or renewing memberships for example) we will retain and process information about you. In such cases, you will be considered to be an ‘active’ customer. If you have not been ‘active’ as a customer for a period of three years, your account will be deactivated, and the data removed unless otherwise instructed by the data controller of the services you have engaged with.
2. To remove all your data from Eventmaster services you can login to your account and choose the “Right To Be Forgotten” in the GDPR section. However, we may retain Personal Data for an additional period as is permitted or required under applicable laws for legal, tax or regulatory reasons or for legitimate and lawful business purposes.

IP addresses and cookies
1. We may collect information about your computer, including where available your IP address, operating system, and browser type, for system administration and to report aggregate information. This is statistical data about our users' browsing actions and patterns and does not identify any individual. For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive.
2. In addition to the above we use third party cookies and pixels to advertise our products and services across the internet (for example via Google Ads, Facebook, Instagram and TikTok and other services). This will display relevant adverts tailored to you based on what events or webpages you have viewed in Eventmaster by placing a cookie on your machine. This does not in any way identify you or give access to your computer. These cookies and pixels allow us to tailor our marketing to better suit your needs and only display adverts that are relevant to you.
3. You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to the Eventmaster website.
4. Please note that our advertisers and data controllers may also use cookies, over which we have no control.

Email Communications
1. We allow Data Controllers to use our email tools to contact Consumers for their current and past events/services, so you may receive emails from our system that originate with such users that we send on their behalf. If you registered for an event or service, your email address is available to that data controller. However, data controllers may also import the email addresses they have from external sources and send communications through to those email addresses, via Eventmaster. The Data Controller and not Eventmaster is responsible for sending these emails.
2. You can unsubscribe from communications sent on behalf of particular data controllers and/or Eventmaster at any time via the ‘unsubscribe’ option within the newsletter or in the GDPR preference settings within your account.

Protecting your information
1. The data that we collect from you may be transferred to a destination external to Eventmaster’s own secure network. We will not transfer your data outside of the European Economic Area. By submitting your personal data, you agree to this transfer, storing or processing. We will take all reasonable steps to ensure that your data is treated securely and in accordance with this privacy policy. The Internet is not generally a secure medium for communication and therefore we cannot guarantee the security of any information you send to us over the Internet. We use up-to-date industry procedures to protect your personal information.
2. Your data will be securely stored on a company owned server based in Dublin and on a secure data centre and all data is protected with SSL encryption, multi-level password protection and advanced firewall security.
3. Physical security is handled by our data centre provider. All data in the system is transmitted using SSL encryptions. The site is manned by security guards 24x7 and full CCTV and all available physical security and availability safeguards are in place
4. All data controllers or platform users with access to personal information are required to use two-factor authentication when logging in to their account as well as using encrypted passwords for any downloaded reports where applicable.
5. We are not responsible for the actions of data controllers, or their counterparts with respect to your Personal Data. It is important that you review the applicable policies of the Data Controller before providing Personal Data or other information in connection with the product or service they are providing.

Eventmaster Data Processing Agreement for Data Controllers:
This Data Processing Agreement (“Agreement“) forms part of the Contract for Services (“Principal Agreement“) between Data Controllers (the “Company”) and Eventmaster (the “Data Processor”) (together as the “Parties”).

WHEREAS
1. The Company acts as a Data Controller.
2. The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor (Eventmaster).
3. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  1. The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
2. For the purposes of this policy, “The Company” refers to any person(s)/organisation that is using the Eventmaster platform for provision of data processing, in the areas of ticketing, fundraising and/or membership.
3. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
4. “Agreement” means this Data Processing Agreement and all Schedules;
5. “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
6. “Contracted Processor” means a Subprocessor;
7. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
8. “EEA” means the European Economic Area;
9. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
10. “GDPR” means EU General Data Protection Regulation 2016/679;
11. “Data Transfer” means:
  1. a transfer of Company Personal Data from the Company to a Contracted Processor; or
  2. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
12. “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
13. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of Company Personal Data
1. 13.1Processor shall:
  1. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
  2. not Process Company Personal Data other than on the relevant Company’s documented instructions.
2. The Company instructs Processor to process Company Personal Data.

Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

Security
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
2. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

Sub processing
1. Processor shall not appoint (or disclose any Company Personal Data to) any Sub processor unless required or authorized by the Company.
2. Any sub-processors engaged by the processor are subject to the same data protection obligations as the processor and that the processor remains directly liable to the controller for the performance of a sub-processor’s data protection obligations;

Data Subject Rights
1. Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
2. Processor shall:
  1. Promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
  2. ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.

Personal Data Breach
1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
2. Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation Processor shall provide
reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

Deletion or return of Company Personal Data
1. The Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

Audit rights
1. Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
2. Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

Data Transfer
1. The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

General Terms
1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
  1. disclosure is required by law;
  2. the relevant information is already in the public domain.
2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.

Governing Law and Jurisdiction
1. This Agreement is governed by the laws of the Republic of Ireland.

If you wish to contact us about your personal data or exercise any of the rights described above, please contact: support@eventmaster.ie