Data Processing Agreement

Last revised: June 14, 2024

The entity identified as Venue in the applicable Order Form, and the Roller entity identified in Section 11.3 of the Master Terms, enter into this data processing agreement (“DPA”). This DPA, including its attachments, is incorporated by reference into the Master Terms.

  1. Definitions
    For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Master Terms, all applicable Order Forms and Supplemental Terms (collectively, the “Agreement”).
    1. Applicable Data Protection Laws means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Venue Guest Data under the Agreement, including, without limitation, European Data Protection Laws and State Privacy Laws.
    2. Venue Guest Data means Personal Information provided or made available to Roller for Processing on Venue’s behalf to perform the Services. 
    3. EEA means the European Economic Area. 
    4. EEA SCCs or EEA Standard Contractual Clauses means MODULE TWO of the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
    5. EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time. 
    6. European Data Protection Laws means the GDPR and other data protection laws and regulations of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway, and the United Kingdom, in each case, to the extent applicable to the Processing of Venue Guest Data under the Agreement. 
    7. GDPR means the EU GDPR and the UK GDPR, as amended from time to time together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018). 
    8. Information Security Incident means a breach of Roller’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Venue Guest Data in Roller’s possession, custody, or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Venue Guest Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. 
    9. Personal Information shall have the meaning assigned to the term “personal data,” “personal information,” or “personally identifiable information” in Applicable Data Protection Law, or information of a similar character regulated thereby. 
    10. Processing means any operation or set of operations which is performed on Venue Guest Data or on sets of Venue Guest Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
    11. Relevant Body:
      1. in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or
      2. in the context of the EEA and EU GDPR, means the European Commission.
    12. Restricted Country:
      1. in the context of the UK, means a country or territory outside the UK; and
      2. in the context of the EEA, means a country or territory outside the EEA (which shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of the Trade and Cooperation Agreement between the EU and the UK), and
      3. that the Relevant Body has not deemed that country or territory to provide an ‘adequate’ level of protection for Venue Guest Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.
    13. Security Measures has the meaning given in Section 4(a) (Roller’s Security Measures). 
    14. Standard Contractual Clauses or SCCs means the EEA SCCs or UK SCCs, as appropriate.
    15. "State Privacy Laws" means, as applicable: the California Consumer Privacy Act of 2018, as amended, and any regulations promulgated thereunder; other applicable state privacy laws in the United States, such as (but not limited to): Virginia Consumer Data Protection Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Utah Consumer Privacy Act, and the Colorado Privacy Act.
    16. Subprocessors means third parties that Roller engages to Process Venue Guest Data in relation to the Services.
    17. Supervisory Authority:  
      1. in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and
      2. in the context of the EEA and EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.
    18. Third Party Subprocessors has the meaning given in Section 5 (Subprocessors) of Annex 1.
    19. The terms controller, data subject and processor as used in this DPA have the meanings given in the GDPR. 
    20. UK means the United Kingdom of Great Britain and Northern Ireland.
    21. UK GDPR means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).
    22. UK SCCs or the UK Standard Contractual Clauses means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022, including their “part 2: mandatory clauses”), issued by the Commissioner under S119A(1) of the UK Data Protection Act 2018 (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
  2. Duration, Scope, and Applicability of this DPA
    1. This DPA will remain in effect so long as Roller Processes Venue Guest Data, notwithstanding the expiration or termination of the Agreement. 
    2. This DPA applies only as follows:
      1. Sections 3 - 7 below apply generally to the Processing of Venue Guest Data by Roller.
      2. Annex 1 (Europe Annex) to this DPA applies solely to Processing of Venue Guest Data that is subject to European Data Protection Laws pursuant to the territorial scope of the GDPR (including pursuant to Article 3 of the GDPR).
      3. Annex 2 (California Annex) to this DPA applies solely to Processing subject to State Privacy Laws, where Venue is a “business”, "processor", "contractor" or “service provider” (as defined in State Privacy Laws) with respect to such Processing.
      4. This DPA does not apply to Personal Information pertaining to Venue’s personnel or representatives who are business contacts of Roller, for which Roller acts as a controller.
  3. Nature of Processing Venue Guest Data
    1. Venue Instructions. Roller will Process Venue Guest Data only in accordance with Venue’s instructions to Roller. This DPA is a complete expression of such instructions. Venue instructs Roller to Process Venue Guest Data to provide the Services as contemplated by the Agreement. Venue’s additional instructions other than the foregoing must (a) be consistent with the characteristics and nature of the Services; and (b) be made in writing pursuant to an amendment to this DPA signed by both parties.
    2. De-Identified Venue Guest Data. Venue acknowledges and agrees that Roller: (a) will Process Venue Guest Data in aggregated, anonymized and/or de-identified form, and (b) will use such resulting data for quality assurance and for the development and enhancement of Roller’s products and services (including the Roller platform applications, websites, kiosks).
  4. Security
    1. Roller Security Measures. Roller will implement and maintain technical and organizational measures designed to protect Venue Guest Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Venue Guest Data, as described in https://www.roller.software/security/ (the “Security Measures”). Roller may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Venue Guest Data.
    2. Information Security Incidents. Roller will notify Venue without undue delay of any Information Security Incident of which Venue becomes aware. Such notifications will describe available details of the Information Security Incident, including information to allow Venue to meet any obligations under Applicable Data Protection Laws to report the Information Security Incident to affected data subjects; or the relevant Supervisory Authority(ies) or other relevant enforcement or investigative authorities. Roller’s notification of or response to an Information Security Incident will not be construed as Roller’s acknowledgement of any fault or liability with respect to the Information Security Incident.
    3. Venue’s Security Responsibilities and Assessment
      1. Venue’s Security Responsibilities. Venue agrees that, without limitation of Roller’s obligations under Section 4 (Security), Venue is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Venue Guest Data; (b) securing the account authentication credentials, systems and devices Venue uses to access the Services; (c) securing Venue’s systems and devices that Roller uses to provide the Services; and (d) backing up Venue Guest Data.
      2. Venue’s Security Assessment. Venue agrees that the Services, the Security Measures and Roller’s commitments under this DPA are adequate to meet Venue’s needs, including with respect to any security obligations of Venue under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Venue Guest Data.
  5. Data Subject Rights
    1. Roller’s Data Subject Request Assistance. Roller will (considering the nature of the Processing of Venue Guest Data) provide Venue with assistance reasonably necessary and technically possible in the circumstances for Venue to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Venue Guest Data in Roller’s possession or control. Venue shall compensate Roller for any such assistance at Roller’s then-current professional services rates, which shall be made available to Venue upon request.
    2. Venue’s Responsibility for Requests. If Roller receives a Data Subject Request, Roller will advise the data subject to submit the request to Venue and Venue will be responsible for responding to the request. 
  6. Venue Responsibilities
    1. Venue Compliance. Venue shall comply with its obligations under Applicable Data Protection Laws. Venue shall ensure (and is solely responsible for ensuring) that its instructions under Section 3 comply with Applicable Data Protection Laws.
    2. Prohibited Data. Venue represents and warrants to Roller that Venue Guest Data does not and will not, without Roller’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such laws.
  7. Data Deletion
    Roller shall delete all the Venue Guest Data on Roller’s systems on Venue’s request and after the end of the provision of Services, and shall delete existing copies unless continued storage of the Venue Guest Data is required by (i) applicable laws of the European Union, the member states of the European Union or EEA, or United Kingdom, with respect to Venue Guest Data subject to European Data Protection Laws or (ii) Applicable Data Protection Laws, with respect to all other Venue Guest Data. Roller will comply with such instruction as soon as reasonably practicable and no later than 180 days after such expiration or termination unless Applicable Data Protection Laws require storage. Venue may choose to request a copy of such Venue Guest Data from Roller for an additional charge by requesting it in writing at least 30 days prior to expiration or termination of the Agreement. Upon the parties’ agreement to such charge pursuant to a work order or other amendment to the Agreement, Roller will provide such copy of such Venue Guest Data before it is deleted in accordance with this clause.

  8. Miscellaneous
    Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith to the contrary, the parties acknowledge and agree that Roller’s access to and processing of Venue Guest Data does not constitute part of the consideration provided to Roller in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Roller to Venue under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Roller’s primary points of contact with Venue; or (c) to any email provided by Venue for the purpose of providing it with Services-related communications or alerts. Venue is solely responsible for ensuring that such email addresses are valid.

Annex 1 to DPA
Europe Annex

  1. Processing of Data

    1. Subject Matter and Details of Processing. The parties acknowledge and agree that the details of Roller’s Processing of Venue Guest Data are specified in Schedule A below. 

    2. Roles and Regulatory Compliance; Authorization. The parties acknowledge and agree that (i) Roller is a processor of the Venue Guest Data under European Data Protection Laws; (ii) Venue is a controller (or a processor acting on the instructions of a controller) of that Venue Guest Data under European Data Protection Laws; and (iii) each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the Processing of the Venue Guest Data. If Venue is a processor, Venue represents and warrants to Roller that Venue’s instructions and actions with respect to Venue Guest Data, including its appointment of Roller as another processor, have been authorized by the relevant controller.

    3. Roller’s Compliance with Instructions. Roller will Process Venue Guest Data only in accordance with Venue’s instructions pursuant to this DPA unless applicable European Data Protection Laws require otherwise, in which case Roller will notify Venue (unless that law prohibits Roller from doing so on important grounds of public interest).

  2. Data Security

    1. Roller Security Measures, Controls and Assistance

       

      1. Roller Security Assistance. Roller will (taking into account the nature of the Processing of Venue Guest Data and the information available to Roller) provide Venue with reasonable assistance necessary for Venue to comply with its obligations in respect of Venue Guest Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) complying with the terms of Section 4(b) (Information Security Incidents) of the DPA; and (c) complying with this Annex 1.

      2. Security Compliance by Roller Staff. Roller ensures that its personnel who are authorized to access Venue Guest Data are subject to appropriate confidentiality obligations. 

    2. Reviews and Audits of Compliance

      1. Frequency. Venue may audit Roller’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Venue’s Supervisory Authority. 

      2. Provision of Information. Roller will contribute to such audits specified above by providing Venue or Venue’s Supervisory Authority with the information and assistance that Roller considers appropriate in the circumstances and reasonably necessary to conduct the audit. 

      3. Third Party Auditor. If a third party is to conduct the audits specified above, Roller may object to the auditor if the auditor is, in Roller’s reasonable opinion, not independent, a competitor of Roller, or otherwise manifestly unsuitable. Such objection by Roller will require Venue to appoint another auditor or conduct the audit itself. 

      4. Arrangements for On-Site Audits. In the event that Venue (acting reasonably) is able to provide documentary evidence that the information made available by Roller is not sufficient in the circumstances to demonstrate Roller’s compliance with this DPA, Roller shall allow for and contribute to audits, including on premise inspections, by Venue or a third party auditor mandated by Venue in relation to the Processing of the Venue Guest Data by Roller. To request an audit, Venue must submit a proposed audit plan to Roller at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Roller will review the proposed audit plan and provide Venue with any concerns or questions (for example, any request for information that could compromise Roller security, privacy, employment, or other relevant policies). Roller will work cooperatively with Venue to agree on a final audit plan.

      5. Conducting On-Site Audits. The on-site audits specified above must be conducted during regular business hours, subject to the agreed final audit plan and Roller’s safety, security, or other relevant policies, and may not unreasonably interfere with Roller business activities. Venue shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Roller in respect of, any damage, injury or disruption to Roller’s premises, equipment, its personnel, data, and business (including any interference with the confidentiality or security of the data of Roller’s other customers or the availability of Roller’s services to such other customers) while its personnel and/or its auditor’s personnel (if applicable) are on those premises in the course of any on premise inspection. 

      6. Confidentiality. Nothing in this Section 2(b) shall require Roller to breach any duties of confidentiality. 

      7. Audit Results. Venue will promptly notify Roller of any non-compliance discovered during the course of an audit and provide Roller any audit reports generated in connection with any audit under this Section 2(b), unless prohibited by European Data Protection Laws or otherwise instructed by a Supervisory Authority. Venue may use the audit reports only for the purposes of meeting Venue’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. 

      8. Costs. Any audits are at Venue’s sole expense. Venue shall reimburse Roller for any time expended by Roller and any third parties in connection with any audits or inspections under this Section 2(b) at Roller’s then-current professional services rates, which shall be made available to Venue upon request. Venue will be responsible for any fees charged by any auditor appointed by Venue to execute any such audit.

      9. Auditor Reports in Lieu of Inspections. If the controls or measures to be assessed in a requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Venue’s audit request and Roller has confirmed there have been no known material changes in the controls audited since the date of such report, Venue agrees to accept such report in lieu of requesting an audit of such controls or measures.

  3. Data Protection Impact Assessments and Consultations
    Taking into account the nature of the Processing and the information available to Roller, Roller will reasonably assist Venue, at Venue’s cost, in complying with its obligations under Articles 35 and 36 of the GDPR, in each case solely in relation to Processing of Venue Guest Data, by (a) making available documentation describing relevant aspects of Roller’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA.

  4. Data Transfers

    1. Data Processing Facilities. Subject to Section 4(b) (Transfers out of the EEA) and 4(c) (Transfers out of the UK), Roller may store and Process Venue Guest Data in the United States or anywhere Roller or its Subprocessors maintains facilities. However, if Venue is established in the European Union, the United Kingdom or the United Arab Emirates, Roller will store and Process Venue Guest Data in a data center located in the European Union (without prejudice to Processing locations of Roller’s other Subprocessors).
    2. Transfers out of the EEA. If the Roller entity contracting with the Venue under the Agreement and this DPA is ROLLER Australia or ROLLER USA, then the parties hereby agree to the EEA Standard Contractual Clauses, the terms of which are hereby incorporated by reference into this DPA, in accordance with Schedule A and as follows:
      1. data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the EEA Standard Contractual Clauses upon data exporter’s request, and that data importer may remove or redact all commercial information or clauses unrelated to the EEA Standard Contractual Clauses or their equivalent beforehand;
      2. the audits described in Clause 5(f) and Clause 12(2) of the EEA Standard Contractual Clauses shall be performed in accordance with Section 2(b) of this Annex 1 (Reviews and Audits of Compliance); 
      3. Venue’s authorizations in Section 5 (Subprocessors) of this Annex 1 will constitute Venue’s prior written consent to the subcontracting by Roller of the Processing of Venue Guest Data if such consent is required under Clause 5(h) of the EEA Standard Contractual Clauses; and
      4. certification of deletion of Venue Guest Data as described in Clause 12(1) of the EEA Standard Contractual Clauses shall be provided upon data importer’s request.
    3. Transfers out of the UK. If the Roller entity contracting with the Venue under the Agreement and this DPA is ROLLER Australia or ROLLER USA, then the parties hereby agree to the UK Standard Contractual Clauses in accordance with Schedule B. 
    4. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the transfer of Venue Guest Data outside the EEA or the UK in accordance with European Data Protection Laws applies to the transfer. In the event of any conflict or inconsistency between (a) this Annex 1 and any other provision of this DPA, this Annex 1 will govern or (b) the Standard Contractual Clauses and any other provision of this Agreement, the Standard Contractual Clauses will govern.
  5. Subprocessors
    1. Consent to Subprocessor Engagement. Venue specifically authorizes the engagement of Roller’s corporate group affiliates specified in Section 11.3 of the Master Terms as Subprocessors and generally authorizes the engagement of other third parties as Subprocessors (“Third Party Subprocessors”).
    2. Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: https://www.roller.software/sub-processors (as may be updated by Roller from time to time) or such other website address as Roller may provide to Venue from time to time.
    3. Requirements for Subprocessor Engagement. When engaging any Subprocessor, Roller will enter into a written contract with such Subprocessor containing data protection obligations which are the same in substance as those in this DPA with respect to Venue Guest Data to the extent applicable to the nature of the services provided by such Subprocessor. Roller shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.
    4. Opportunity to Object to Subprocessor Changes. When Roller engages any new Third Party Subprocessor after the effective date of the Agreement, Roller will notify Venue of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by written means (email permissible). If Venue objects to such engagement in a written notice to Roller within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Venue Guest Data, Venue and Roller will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Venue may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Roller and pay Roller for all amounts due and owing under the Agreement as of the date of such termination.

Annex 2 to DPA
U.S. Privacy Laws Annex

  1. For purposes of this Annex 2, the terms “business,” “commercial purpose,” "consumer", “sell”, “share”, “collect”, "business purpose" and “service provider” shall have the respective meanings given thereto in State Privacy Laws, and “personal information” shall mean Venue Guest Data that constitutes personal information governed by State Privacy Laws.
  2. It is the parties’ intent that with respect to any personal information, Roller is a service provider. The Parties agree that the Venue is disclosing the personal information to Roller only for the following limited and specified business purpose: the provision of the Services to the Venue as contemplated by the Agreement. Roller shall not sell or share any personal information.
  3. Roller is: (a) prohibited from retaining, using, or disclosing the personal information for any commercial purpose other than the foregoing business purposes, unless expressly permitted by State Privacy Laws; and (b) prohibited from retaining, using, or disclosing the personal information that it collects outside the direct business relationship between the Venue and Roller, unless expressly permitted by the CCPA. Roller shall comply with all applicable sections of State Privacy Laws and shall provide, with respect to personal information it collects, the same level of privacy protection as required by State Privacy Laws.
  4. The parties acknowledge that Roller’s retention, use and disclosure of personal information authorized by Venue’s instructions documented in the DPA are integral to Roller’s provision of the Services and the business relationship between the parties.
  5. Roller grants the Venue the right to take reasonable and appropriate steps to ensure that Roller uses the personal information it collects in a manner consistent with Roller’s obligations under State Privacy Laws. Roller grants the Venue the right, upon notice, to take reasonable and appropriate steps to stop and remediate Roller’s unauthorized use of personal information.
  6. Roller must promptly notify the Venue when it makes a determination that it can no longer meet its obligations under this DPA or State Privacy Laws.
  7. Subprocessors
    1. Consent to Subprocessor Engagement. Venue specifically authorizes the engagement of Roller’s corporate group affiliates specified in Section 11.3 of the Master Terms as Subprocessors and generally authorizes the engagement of other third parties as Subprocessors (“Third Party Subprocessors”).
    2. Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: https://www.roller.software/sub-processors (as may be updated by Roller from time to time) or such other website address as Roller may provide to Venue from time to time.
    3. Requirements for Subprocessor Engagement. When engaging any Subprocessor, Roller will enter into a written contract with such Subprocessor containing data protection obligations which are the same in substance as those in this DPA with respect to Venue Guest Data to the extent applicable to the nature of the services provided by such Subprocessor. Roller shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.
    4. Opportunity to Object to Subprocessor Changes. When Roller engages any new Third Party Subprocessor after the effective date of the Agreement, Roller will notify Venue of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by written means (email permissible). If Venue objects to such engagement in a written notice to Roller within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Venue Guest Data, Venue and Roller will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Venue may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Roller and pay Roller for all amounts due and owing under the Agreement as of the date of such termination.

SCHEDULE A
PARTICULARS OF DATA PROCESSING AND PARTICULARS UNDER THE EEA STANDARD CONTRACTUAL CLAUSES


Item

Subject Matter

Description

Section II (Obligations of the Parties), Clause 9(a)

Subprocessor authorization 

The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

Section IV (Final Provisions), Clause 17

Governing law

Republic of Ireland

Section IV (Final Provisions), Clause 18(b)

Court jurisdiction and venue

Dublin, Ireland

Annex I, A – List of Parties | Data Exporter

Details of controller


The Venue, as detailed in the Order Form

Annex I, A – List of Parties | Data Importer

Details of processor


The Roller entity identified in Section 11.3 of the Master Term

Annex I, B – Description of Transfer

Categories of data subjects

Venue Guests

Annex I, B – Description of Transfer

Categories of personal data

  • Contact information: depending on the nature of the interaction with the data subject, this may include information such as name, email address, phone number and residential address.
  • Engagement information: data subjects interact with the Venue by purchasing Venue tickets or gift cards, attending Venue events, signing participation waivers, making reservations, completing Venue surveys, consuming goods or services that the Venue offers, submitting an inquiry or posting on our page on social networks such as Facebook, LinkedIn or Twitter. Information is processed about the nature and substance of these interactions, such as tickets or gift cards purchased or used, Venue events attended, participation waivers signed, reservations made, Venue surveys completed, goods or services consumed, and the substance of the inquiry sent to the Venue.
  • Analytics information: information such as the IP address from which the data subject accesses the Roller Services, time and date of access, type of browser used, language used, links clicked, and actions the data subject has taken while using the Roller Services.

Annex I, B – Description of Transfer

Sensitive data

None, unless otherwise agreed in writing by the data exporter and data importer

Annex I, B – Description of Transfer

Frequency of transfer

Ongoing and continuous for the duration of the Agreement

Annex I, B – Description of Transfer

Nature of processing

Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure, combination, and erasure.

Annex I, B – Description of Transfer

Purpose(s) of the data transfer and further processing

Roller’s provision of the Services

Annex I, B – Description of Transfer

Retention period

From Roller’s receipt of Venue Guest Data until deletion of all Venue Guest Data by Roller in accordance with the Agreement

Annex I, B – Description of Transfer

Transfers of subprocessors

Annex I, C – Description of Transfer

Competent Supervisory Authority

  • Where the data exporter is established in an EU Member State, the supervisory authority is the one established in the EU Member State (or Bundesland or Stadtstaaten, in Germany) where the data exporter is established.
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) of the GDPR and has appointed a representative pursuant to Article 27(1) of the GDPR, the supervisory authority is that of the Member State (or Bundesland or Stadtstaaten, in Germany) in which that representative is established. 
  • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) of the GDPR without having appointed a representative pursuant to Article 27(1) of the GDPR, the supervisory authority is the one established in the EU Member State (or Bundesland or Stadtstaaten, in Germany) in which the data subjects whose personal data is transferred in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

Annex II

Technical and Organizational Measures

The Security Measures specified at https://www.roller.software/security/

SCHEDULE B
PARTICULARS UNDER THE UK STANDARD CONTRACTUAL CLAUSES

Item

Subject Matter

Description

Table 1 – Parties 

Start date

The date indicated in the Order Form for the commencement of the Services

Table 2 – Parties 

Parties’ details and key contacts

  • The Venue, as detailed in the Order Form
  • The Roller entity identified in Section 11.3 of the Master Term

Table 2 

Selected SCCs, Modules and Selected Clauses

The version of the Approved EU SCCs which the International Data Transfer Addendum is appended to, is the Standard Contractual Clauses, as specified in Section 4(b) of Annex 1 (Europe Annex) to the DPA.

Table 4

Ending the Addendum when the Approved Addendum changes

Data exporter