Eventbrite & EU Data Protection

Updated by Antwonne D.

Eventbrite takes data privacy and security very seriously. We take steps to make sure that we comply with our data privacy law obligations in the EU (primarily, the General Data Protection Regulation ["GDPR"], which took effect in May 2018 and has subsequently been implemented by most EU Member States), and our goal is to make it easy for our Organisers to comply with their respective obligations. Eventbrite updated our data privacy program in light of the GDPR’s requirements. Here are a few highlights.

TIP: To learn more about Eventbrite's Legal Terms, take a look here: https://www.eventbrite.ie/l/LegalTerms.

PRO TIP: We may translate this information into other languages for your convenience. If there is a conflict between the English version and a translated version, the English version will control.

NOTE: Capitalized terms in this article are defined in our Terms of Service (https://www.eventbrite.ie/support/articleredirect?anum=8477).

1. Eventbrite's data processing obligations.

a. Eventbrite as a data controller. Where an Organiser creates an account with Eventbrite to organise and ticket their events, Eventbrite will be a data controller over the personal data that Organisers provide about themselves as part of their account creation process. Similarly, where a Consumer provides Eventbrite with personal data in the course of creating an account, Eventbrite will be a data controller over the personal data provided to Eventbrite directly by that Consumer. Eventbrite will also be a data controller of the personal data that Eventbrite obtains in the course of an Organiser or Consumer's use of Eventbrite Services, which Eventbrite may then use, for example, to conduct research and analysis, improve our products and features, and provide targeted recommendations.

b. Eventbrite as a data processor. Eventbrite will be a data processor over a Consumer's personal data that Eventbrite obtains as a result of providing its core ticketing services to our Organisers. For example, Eventbrite may process Consumers’ personal data on behalf of Organisers to allow Organisers to learn more about their attendees during the ticket purchase, facilitate the transmission of emails to Consumers at the request of the Organiser, process payments, or provide event reports and tools so Organisers can gain insights into the effectiveness of various sales channels.

Given that Eventbrite processes a Consumer's personal data both in providing Eventbrite Services to the Organiser, and in managing Eventbrite’s direct relationship with the Eventbrite account-holding Consumer directly in his or her own use of Eventbrite, Eventbrite may be both a controller and a processor in relationship to a Consumer’s personal data and will be held to different processing obligations as a result.

2. A Data Processing Addendum for Organisers and Sub-Processors.

As a data processor processing Personal Data on behalf of the Organiser, Eventbrite will be subject to a Data Processing Addendum to our Terms of Service (https://www.eventbrite.ie/support/articleredirect?anum=8477) with our Organiser. Our Data Processing Addendum (DPA) for Organisers (https://www.eventbrite.ie/support/articleredirect?anum=41392), incorporated in our Terms of Service, includes Eventbrite's legal obligations as a processor consistent with the GDPR. Eventbrite also published a public facing list of Eventbrite's Sub-Processors (https://www.eventbrite.ie/support/articleredirect?anum=41395) as referenced in the DPA for Organisers.

3. Email Tools.

We offer the ability for Organisers to email Consumers directly through our platform. This functionality was built to send service related emails specific to an Organiser's event attended by the recipient of such email. If an Organiser wants to use this function for marketing its products or events, the Organiser needs to secure its own compliant opt-in consents or ensure that it has the right to send marketing emails to individuals. Eventbrite does not do this on an Organiser's behalf.

4. Individual Rights.

As a data controller of our account-holding Consumers, Eventbrite will honor Consumers’ requests with respect to the processing of their personal data, consistent with applicable law. For instance, Consumers can request access to their personal data that we process. They can also ask us to correct such personal data, provide such personal data in a portable format, or delete such personal data.

a. Access. Eventbrite will honor a Consumer’s request that Eventbrite confirm the existence of the processing of the Consumer’s personal data, if applicable, and grant the Consumer access to that data, consistent with applicable law. Please forward requests to us at privacy@eventbrite.com.

b. Correction. Eventbrite will honor a Consumer’s request that Eventbrite correct the Consumer’s incomplete, inaccurate, or outdated personal data that we process, consistent with applicable law. Please forward requests to us at privacy@eventbrite.com.

c. Portability. Eventbrite will honor a Consumer’s request that Eventbrite provide the Consumer’s personal data in a portable format, consistent with applicable law. Please forward requests to us at privacy@eventbrite.com.

d. Deletion. Eventbrite will honor a Consumer's request that Eventbrite delete that Consumer's personal data consistent with applicable law. As a result, there may be a time when your Organiser dashboard will show anonymized personal data for a particular attendee; however, the financial data associated with that attendee should remain as part of the event. Similarly, if Eventbrite removes personal data on its own in accordance with our internal data retention policy, this same view within the dashboard will appear.

In the event an Organiser's data retention needs require that Eventbrite no longer provide such Organiser with access to the personal data of its former attendees, the Organiser can accomplish this by removing the event from its dashboard (https://www.eventbrite.ie/support/articleredirect?anum=41493). Should the Organiser still need access to the non-personal event data, it should first download the event to a .csv or text file and manipulate that file as it sees fit. Should one of your attendees ask you directly to have Eventbrite remove that attendee's personal data from our system, please forward the request to us at privacy@eventbrite.com. Our support team may reach out to the Consumer directly to confirm the request. For more information on how individuals can request to access, update, correct or delete their personal data, or object to our use of personal data, please see Eventbrite's Privacy Policy (https://www.eventbrite.ie/support/articleredirect?anum=8478).

5. Data Incident Notifications.

In cases where we are a data controller (even if we are both a data processor and a data controller) over personal data that is impacted by a data security incident requiring notification to affected Consumers, we will notify the affected Consumers directly, rather than notifying the Organiser of each event associated with that Consumer. As a reminder, we are a data controller for all Organiser personal data, as well as for the personal data of Consumers who create an Eventbrite account in the course of a ticket purchase. When we are solely a processor of data, meaning we process the personal data of a Consumer who purchased tickets on Eventbrite without creating an account with Eventbrite directly, then we will notify the Organiser(s) we determine to be most likely in contact with that Consumer whose personal data has been impacted by a data security incident requiring notification.

6. Cross-border Data Transfers.

Eventbrite physically stores personal data in the United States. In order to ensure that personal data can be lawfully transferred from the EU to our US-based servers, Eventbrite certifies to the EU-US Privacy Shield framework operated by the US Department of Commerce. Eventbrite's certification was effective 14th October 2016. You will find Eventbrite's Privacy Shield Notice (https://www.eventbrite.ie/support/articleredirect?anum=31015) linked directly from Eventbrite's Privacy Policy (https://www.eventbrite.ie/support/articleredirect?anum=8478).

7. Do I (the Organiser) need model clauses with Eventbrite?

No. Eventbrite is Privacy Shield certified, which ensures the lawful transfer of personal data from the EU to our US-based servers. As a result, Organisers do not need to execute model clauses with Eventbrite.

8. How does Eventbrite secure personal data?

Eventbrite is committed to protecting personal data. In this effort, Eventbrite has implemented and continues to monitor a range of security measures. You can find out more about the security and privacy measures Eventbrite has implemented in the "Eventbrite Security and Safety Guide," available at https://www.eventbrite.ie/security.

9. What else is Eventbrite doing as a result of GDPR?

a. Accountability and Training. We revamped our internal data privacy guidelines to make sure they're in line with the GDPR, and we're making sure that employees are trained on them appropriately. This means that everyone at Eventbrite is expected to handle personal data in a legitimate and fair way.

b. Privacy by Design. We implemented enhanced guidelines to help design our systems and tools that collect and store personal data in a privacy-friendly way. By doing this, we aim to reduce privacy risks at the outset and offer our Organisers and Consumers more control over their information.

c. Data Privacy Impact Assessments. We implemented new internal protocols to enable certain activities involving personal data to go through a Privacy Impact Assessment, measuring compliance with the GDPR while also allowing for ease of record keeping.

d. Our Privacy Policy. We regularly update our privacy policy (https://www.eventbrite.ie/support/articleredirect?anum=8478) as an additional step towards our commitment to transparency about what we do with personal data provided to Eventbrite.

e. Vendors. We reviewed our vendor and sub-processor contracts to make sure that they meet the requirements of the GDPR and are compliant with rules on international data transfers.
