Eventbrite & EU Data Protection
Last updated: September 1, 2021
Eventbrite takes data privacy and security very seriously. We take steps to make sure that we comply with our data privacy law obligations in the EU (primarily, the General Data Protection Regulation ("GDPR")), and our goal is to make it easy for our Organisers to comply with their respective obligations. Here are a few highlights of Eventbrite’s GDPR compliance program.
1. Eventbrite's data processing obligations.
Eventbrite as a data controller. Where an Organiser creates an account with Eventbrite to organise and ticket their events, Eventbrite will be a data controller over the personal data that Organisers provide about themselves as part of their account creation process. Similarly, where a Consumer provides Eventbrite with personal data in the course of creating an account, Eventbrite will be a data controller over the personal data provided to Eventbrite directly by that Consumer. Eventbrite will also be a data controller of the personal data that Eventbrite obtains in the course of an Organiser or Consumer's use of Eventbrite Services, which Eventbrite may then use, for example, to conduct research and analysis, improve our products and features, and provide targeted recommendations.
Eventbrite as a data processor. Eventbrite will be a data processor over a Consumer's personal data that Eventbrite obtains as a result of providing its core ticketing services to our Organisers. For example, Eventbrite may process Consumers’ personal data on behalf of Organisers to allow Organisers to learn more about their attendees during the ticket purchase, facilitate the transmission of emails to Consumers at the request of the Organiser, process payments, or provide event reports and tools so Organisers can gain insights into the effectiveness of various sales channels.
Given that Eventbrite processes a Consumer's personal data both in providing Eventbrite Services to the Organiser and in managing Eventbrite’s direct relationship with the Eventbrite account-holding Consumer in his or her own use of Eventbrite, Eventbrite may be both a controller and a processor in relation to a Consumer’s personal data and will be held to different processing obligations as a result.
2. A Data Processing Addendum for Organisers and Sub-Processors.
As a data processor processing Personal Data on behalf of the Organiser, Eventbrite is subject to a Data Processing Addendum which is incorporated into our Terms of Service with our Organiser. The DPA for Organisers includes Eventbrite's legal obligations as a processor consistent with the requirements of the GDPR and incorporates Standard Contractual Clauses as the exclusive mechanism for international transfers from Europe to the United States.
Eventbrite also published a public-facing list of Eventbrite's current Sub-Processors, with additional information available in the DPA for Organisers.
3. Email Tools.
We offer the ability for Organisers to email Consumers directly through our platform. This functionality was built to send service-related emails specific to an Organiser's event attended by the recipient of such email. If an Organiser wants to use this function for marketing its products or events, the Organiser needs to secure its own compliant opt-in consents or ensure that it has the right to send marketing emails to individuals. Eventbrite does not do this on an Organiser's behalf.
4. Individual Rights.
As a data controller of our account-holding Consumers, Eventbrite will honor Consumers’ requests with respect to the processing of their personal data, consistent with applicable law. For instance, Consumers can request access to their personal data that we process. They can also ask us to correct such personal data, provide such personal data in a portable format, or delete such personal data.
Access. Eventbrite will honor a Consumer’s request that Eventbrite confirm the existence of the processing of the Consumer’s personal data, if applicable, and grant the Consumer access to that data, consistent with applicable law. You can request your personal data in the Personal Data section of your Eventbrite account.
Correction. Eventbrite will honor a Consumer’s request that Eventbrite correct the Consumer’s incomplete, inaccurate, or outdated personal data that we process, consistent with applicable law. You can update your personal data in the Contact Info section of your Eventbrite account.
Portability. Eventbrite will honor a Consumer’s request that Eventbrite provide the Consumer’s personal data in a portable format, consistent with applicable law. You can request your personal data in the Personal Data section of your Eventbrite account.
Deletion. Eventbrite will honor a Consumer's request that Eventbrite delete that Consumer's personal data consistent with applicable law. You can request to delete your personal data in the Close Account section of your Eventbrite account.
As a result, there may be a time when your Organiser dashboard shows anonymized personal data for a particular attendee; however, the financial data associated with that attendee should remain as part of the event. Similarly, if Eventbrite removes personal data on its own in accordance with our internal data retention policy, the dashboard will show this same view.
In the event that an Organiser's data retention needs require that Eventbrite no longer provide such Organiser with access to the personal data of its former attendees, the Organiser can accomplish this by removing the event from its dashboard. Should the Organiser still need access to the non-personal event data, it should first download the event to a .csv or text file and manipulate that file as it sees fit.
Should one of your attendees ask you directly to have Eventbrite remove that attendee's personal data from our system, please forward the request to us at firstname.lastname@example.org. Our support team may reach out to the Consumer directly to verify the request.
5. Data Incident Notifications.
In cases where we are a data controller (even if we are both a data processor and a data controller) over personal data that is impacted by a data security incident requiring notification to affected Consumers, we will notify the affected Consumers directly, rather than notifying the Organiser of each event associated with that Consumer. As a reminder, we are a data controller for all Organiser personal data, as well as for the personal data of Consumers who create an Eventbrite account in the course of a ticket purchase.
When we are solely a processor of data, meaning we process the personal data of a Consumer who purchased tickets on Eventbrite without creating an account with Eventbrite directly, then we will notify the Organiser(s) we determine to be most likely in contact with that Consumer whose personal data has been impacted by a data security incident requiring notification and provide reasonable assistance, where required by applicable laws, to enable Organiser(s) to comply with their data breach obligations as a data controller.
6. Cross-border Data Transfers.
Eventbrite physically stores personal data in the United States. In order to ensure that personal data can be lawfully transferred from the EU to our US-based servers, Eventbrite agrees that it will be bound by the Standard Contractual Clauses (“SCCs”) issued pursuant to Commission Implementing Decision (EU) 2021/914 of June 4, 2021. Eventbrite has signed the SCCs and made a copy available online to facilitate Organiser(s)' compliance records. Additional information on the implementation of Standard Contractual Clauses for UK or Swiss-based international data transfers can be found in the DPA for Organisers.
7. How does Eventbrite secure personal data?
Eventbrite is committed to protecting personal data and has implemented and continues to monitor a range of security measures. You can find out more about Eventbrite's security and privacy measures in the "Eventbrite Security and Safety Guide," available at www.eventbrite.ie/security.
8. What else is part of Eventbrite's GDPR compliance program?
Accountability and Training. We continually monitor our internal data privacy guidelines to make sure they're in line with the GDPR and EU Commission guidance, and make sure that employees are trained on them appropriately. This means that everyone at Eventbrite is expected to handle personal data in a legitimate and fair way.
Privacy by Design. We strive to design our systems and tools that collect and store personal data in a privacy-friendly way. By doing this, we aim to reduce privacy risks at the outset and offer our Organisers and Consumers more control over their information.
Data Privacy Impact Assessments. We regularly conduct assessments for new uses of data through a Privacy Impact Assessment, measuring compliance with the GDPR while also allowing for ease of record keeping.
Vendors. We review our vendor and sub-processor contracts from time to time to make sure that they meet the requirements of the GDPR and are compliant with evolving rules on international data transfers.
9. Additional data privacy information.
California (United States)