Data Processing Agreement

Last updated: 18/04/2026

Section I

Clause 1 - Purpose and scope

The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

The Parties: the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter "entity/ies") transferring the personal data, as listed in Annex I.A. (hereinafter each "data exporter"), and the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each "data importer") have agreed to these standard contractual clauses (hereinafter: "Clauses").

Clause 2 - Effect and invariability of the Clauses

These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679.

Section II - Obligations of the Parties

Clause 8 - Data protection safeguards

The data importer shall process the personal data only on documented instructions from the data exporter. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

The data importer shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data.

Clause 9 - Use of sub-processors

The data importer has the data exporter's general authorisation for the engagement of sub-processors from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes.

Annex 1 - Details of Processing

Categories of data subjects whose personal data is transferred: Customers, guests, and users of the EventPixel service.

Categories of personal data transferred: Name, email address, IP address, photos, videos, and associated metadata uploaded to the service.

Nature of the processing: Storage, retrieval, and sharing of event media as requested by the data exporter.