DATA PROCESSING ADDENDUM
Last Updated on: 12th Dec 2024
This Data Processing Addendum ("DPA") is entered into by and between Licensee and Licensor (collectively, "the Parties"), on behalf of itself and its wholly-owned subsidiaries, and forms part of the Licence Agreement entered into by the Parties (the "Agreement") to reflect the Parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Applicable Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
DATA PROCESSING TERMS
In providing the Services to Licensee pursuant to the Agreement, Licensor may process Licensee Personal Data on behalf of Licensee. Licensor will comply with the provisions in this DPA with respect to its processing of any Licensee Personal Data.
Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
1. Definitions
1.1 For the purposes of this DPA:
(a) "Affiliate(s)" has the same meaning ascribed to it in the Agreement and, if not defined in the Agreement, the term means any legal entity directly or indirectly controlling, controlled by or under common control with a party, where control means the ownership of a majority share of the stock, equity or voting interests of such entity.
(b) "Controller" means the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
(c) "Licensee" shall have the meaning ascribed to it in the Licence Agreement.
(d) “Data Privacy Framework” means collectively, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and Swiss-U.S. Data Privacy Framework (once the Swiss Federal Administration recognizes adequacy), participating organizations of which provide adequate data protection for the transfer of personal data outside of the European Union under the GDPR, the UK under the UK Data Protection Act 2018 and UK GDPR, and Switzerland under the Swiss FADP.
(e) "Data Subject" means the individual to whom Personal Data relates.
(f) "Applicable Data Protection Laws" means all laws and regulations, including but not limited to laws and regulations of the State of California, the Commonwealth of Virginia, the European Union, the European Economic Area and their member states, Switzerland, and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
(g) "Licensor" means venuedirectory.com (formally Berry Marketing Services Ltd) (Company number 2783633) whose registered office is Enterprise House, 21 Oxford Road, Bournemouth, Dorset, BH8 8EY.
(h) "Personal Data" means any personal data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(i) "Licensee Personal Data" means any Personal Data either (i) transmitted by Licensee or Licensee’s agents through the Software pursuant to the provision of the Services provided by Licensor, or (ii) collected by Licensor on behalf of Customer and transmitted into Licensor’s SaaS Solution pursuant to the Services provided by Licensor.
(j) "Processor" means an entity which processes Personal Data on behalf of the Controller.
(k) "Sub-processor" means any person appointed by or on behalf of the Processor, or by or on behalf of an existing Sub-processor, to process Personal Data on behalf of Controller.
(l) “Services” means the Software as a Service and associated professional services provided by Licensor to Licensee under the Agreement.
(m) "Security Breach" means accidental or unlawful destruction, loss, alteration, unauthorised disclosure, access or use of Licensee Personal Data.
(n) “EU Standard Contractual Clauses” means, as applicable, the agreement executed by and between Licensee and Licensor and attached hereto as Attachment 1 pursuant to the European Commission on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
(o) “UK International Data Transfer Addendum” or “UK Addendum” means, as applicable, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses executed by and between Licensee and Licensor and attached hereto as Attachment 2 issued by the UK ICO for making Restricted Transfers as defined by the UK ICO.
(p) “Switzerland Addendum” means, as applicable, the amending document titled “Switzerland – Addendum to the EU SCC’s” executed by and between Licensee and Licensor and attached hereto as Attachment 3, for the purposes of amending and adapting the EU SCCs for use under the Swiss Data Protection Act (“Swiss DPA”).
2. Applicability of DPA
2.1 Applicability. This DPA shall apply only to the extent Licensee or Licensor are subject to the Applicable Data Protection Laws.
3. Roles and Responsibilities
3.1 Parties' Roles. Licensee, as Controller, appoints Licensor as a Processor to process the Licensee Personal Data on Licensee's behalf. In some circumstances Licensee may be a Processor, in which case Licensee appoints Licensor as Licensee's Sub-processor, which shall not change the obligations of either Licensee or Licensor under this DPA, as Licensor will remain a Processor with respect to the Licensee in such event. However, the Licensee shall notify and keep Licensor updated on whether Licensor acts, in relation to specific processing activities, as a Processor or a Sub-processor, and if the latter is the case on the identity of the actual Controller.
3.2 Purpose Limitation. Licensor shall process Licensee Personal Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Licensee (including with regard to transfers of Licensee Personal Data to a third country), unless Licensor is required to process Licensee Personal Data by the Applicable Data Protection Laws to which Licensor is subject (in such a case, Licensor shall inform the Licensee of that legal requirement before processing, unless applicable law prohibits such information). The Licensee's instructions may be specific or of a general nature as set out in this DPA or as otherwise notified by the Licensee to Licensor from time to time and not for Licensor's own purposes. Licensor may refrain from execution of the Licensee's instruction if it notifies the Licensee immediately that, in Licensor's opinion, an instruction for the processing of Licensee Personal Data given by the Licensee infringes Applicable Data Protection Laws. The purpose of this Section 3.2 is only to determine the scope and the purposes of processing of Licensee Personal Data by Licensor and nothing in this DPA will be deemed an obligation of Licensor to accept any instructions of the Licensee other than provided under the Agreement.
3.3 Training. Licensor shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Licensee Personal Data.
3.4 Compliance. Licensee, irrespective of the Licensee's role as a Controller or a Processor, shall be responsible for ensuring that, in connection with Licensee Personal Data and the Services:
(a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Laws; and
(b) it has, and will continue to have, the right to transfer, or provide access to, the Licensee Personal Data to Licensor for processing in accordance with the terms of the Agreement and this DPA.
3.5 If Licensee uses the Services to process any categories of Personal Data not expressly covered by this DPA, Licensee acts at its own risk and Licensor shall not be responsible for any potential compliance deficits related to such use.
3.6 Licensor employees’/contractors’ Personal Data. Where Licensor discloses Licensor employees’/contractors’ Personal Data to the Licensee or a Licensor employee/contractor provides Personal Data directly to Licensee, which the Licensee processes to manage its use of the Services, Licensee shall process that Personal Data in accordance with its privacy policies and applicable privacy laws, in particular Applicable Data Protection Laws. Such disclosures shall be made by Licensor only where lawful for the purposes of contract management, service management or security purposes.
4. Security
4.1 Security. Licensor shall implement appropriate technical and organisational measures designed to protect the Licensee Personal Data from a Security Breach and in accordance with Licensor's security standards as set forth in the Agreement as well as with Applicable Data Protection Laws (including Article 32 of the GDPR). Licensor will also, taking into account the nature of processing and the information available to Licensor, assist the Licensee in ensuring its compliance with the obligations pursuant to Article 32 of the GDPR. A summary of Licensor’s technical and organisational measures is located at: https://venuedirectory-help.freshdesk.com/support/solutions/articles/44002478405-infrastructure-security-and-application-management.
4.2 Confidentiality of Processing. Licensor shall ensure that any person that it authorizes to process the Licensee Personal Data (including its staff, agents and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
4.3 Security Breaches. Upon becoming aware of a confirmed Security Breach, Licensor shall notify Licensee without undue delay and shall provide such timely information as Licensee may reasonably require to enable Licensee to fulfil any data breach reporting obligations under Applicable Data Protection Laws. Licensor will take steps to identify and remediate the cause of such Security Breach and to minimize its possible harm. For the avoidance of doubt, Security Breach will not include unsuccessful attempts to, or activities that do not, compromise the security of Licensee Personal Data including, without limitation, unsuccessful log in attempts, denial of service attacks and other attacks on firewalls or networked systems.
5. Data Transfers; Sub-processing
5.1 Licensor makes available the transfer mechanisms listed below which shall apply to any transfers of Licensee Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to: Licensor’s Affiliates in the U.S. and third countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such Applicable Data Protection Laws:
5.1.1 Certification of Licensor’s U.S.-based Affiliates to the Data Privacy Framework.
5.1.2 EU Standard Contractual Clauses.
5.1.3 UK Addendum.
5.1.4 Switzerland Addendum.
5.2 In the event that EU authorities or courts, UK Information Commissioner’s Office, or Swiss Federal Data Protection and Information Commissioner (FDPIC) determine that any of the transfer mechanisms above is no longer an appropriate basis for transfers, Licensor shall promptly take all steps reasonably necessary to demonstrate adequate protection for the Licensee Personal Data, using another approved mechanism. Licensor understands and agrees that Licensee may terminate the transfers as needed to comply with the Applicable Data Protection Laws. In the event the EU Standard Contractual Clauses, UK Addendum, or Switzerland Addendum (or any other approved mechanism allowing for Personal Data transfers) are applicable, nothing in this DPA modifies or affects any commission or supervisory authority's or Data Subject's rights under the EU Standard Contractual Clauses, UK Addendum or Switzerland Addendum (or any such other approved mechanism).
5.3 Licensee agrees that Licensor may engage Licensor Affiliates and third parties as Sub-processors to process the Licensee Personal Data on Licensor's behalf. Licensor shall provide a mechanism for Licensee to subscribe to receive notifications at the following website, which shall include a list of Sub-Processors that are currently engaged by Licensor to carry out specific processing activities on behalf of the Licensee. Licensor will update the list at the following website: https://www.cvent.com/uk/gdpr/cvents-affiliates-and-subprocessors.shtml, which allows Licensee to subscribe to receive notifications of any changes and gives Licensee the opportunity to object to such relevant Sub-processors or changes concerning the addition or replacement thereof. Notwithstanding the other provisions in this section, Licensor may add or replace a Sub-Processor immediately if it is necessary to ensure continuity of service, data integrity, or recovery in case of emergency, except as prohibited by Applicable Data Protection Laws. Licensor shall impose on such Sub-processors data protection terms that protect the Licensee Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. Where the Standard Contractual Clauses are applicable, Licensor shall ensure data transfers are protected through appropriate mechanisms, such as by entering into Standard Contractual Clauses with such Sub-processor or use/take advantage of any other approved mechanism, including Binding Corporate Rules or an alternative recognised compliance standard for the lawful transfer of personal data.
6. Cooperation
6.1 Data Subjects' Rights. Licensor shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable Licensee to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under Applicable Data Protection Laws, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. For the avoidance of doubt, Licensee is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject's Personal Data. Licensor will be responsible for responding to Data Subject’s request for access, correction, restriction, objection, erasure or data portability or any other request from a Data Subject seeking to exercise his or her rights under Applicable Data Protection Laws to the extent the Licensee itself does not have the ability, with the available standard functionalities of the Services, to respond to such request. Licensor reserves the right to reimbursement from Licensee for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance provided to Licensee.
6.2 Data Protection Impact Assessments and Prior Consultation. Licensor shall, to the extent required by Applicable Data Protection Laws, provide Licensee with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Licensee is required to carry out under Applicable Data Protection Laws.
7. Security Reports and Audits
7.1 Any provision of security attestation reports (such as SOC 2, Type II or equivalent report) or audits shall take place in accordance with Licensee's rights under the Agreement. If the Agreement does not include a provision regarding security attestation reports, Licensor shall provide a copy of its most current security attestation report upon Licensee's written request no more than once annually.
7.2 Licensor will allow for and contribute to audits, including inspections, conducted by the Licensee in accordance with Licensee's rights under the Agreement. If the Agreement does not include audit rights, Licensor and Licensee will discuss and agree in advance on the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit; and Licensor reserves the right to charge a reasonable fee (based on Licensor’s reasonable costs) for any such audit. Licensor will provide further details of any applicable fee and the basis of its calculation to Licensee in advance of such audit. The purpose of an audit pursuant to this clause will be strictly limited to verifying whether Licensor is processing Licensee Personal Data in accordance with the obligations hereunder and Applicable Data Protection Laws.
7.3 Notwithstanding the above, Licensor will, subject to the confidentiality arrangements that will satisfy both Parties, make available to the Licensee all information held by Licensor necessary to demonstrate its compliance with the obligations laid down in the Applicable Data Protection Laws. If Licensee wishes to receive such further information to which it is entitled under Applicable Data Protection Laws, Licensee shall submit a request for additional information to Licensor in writing for that additional information. Where Licensor is in possession of such information, and subject to the aforementioned confidentiality arrangements, Licensor shall supply this information to Licensee as soon as reasonably practicable.
8. Miscellaneous
8.1 In the event that Licensor, any of its Sub-processors, or the Licensee receives any regulatory request, order, or other binding decision or recommendation from the competent authority that requires amendments to the provisions hereof or any changes to the processing of Licensee Personal Data hereunder ("Regulatory Request"), Licensor and the Licensee as well as, to the extent necessary and/or reasonably practicable, representatives of a respective Sub-processor, shall, within a reasonable time after receiving and reviewing the Regulatory Request, discuss and work in good faith towards agreeing on a plan (“Compliance Review Plan”) to determine the details of how the Regulatory Request can be addressed. A timeframe for reviewing the Regulatory Request and preparing the Compliance Review Plan will be agreed between the Parties, taking into account the requirements of Applicable Data Protection Laws and the urgency of the matter as well as doing everything commercially reasonable given the circumstances and nature of the Services to meet specific time frames set by the relevant authority in connection with the Regulatory Request. If Licensor, any of its Sub-processors, or the Licensee believe that it is not possible to meet a specific time frame set by the relevant authority in connection with the Regulatory Request, Licensor and/or its Sub-processor will assist Licensee to explain this to the relevant authority, including by providing details of the reasons why the timeframes cannot be met.
8.2 Except as amended by this DPA, the Agreement will remain in full force and effect.
8.3 If there is a conflict between the Agreement and this DPA the terms of this DPA will control.
8.4 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement.