Socialdance.net
Data Processing Addendum (DPA) for Processors and Sub-processors
This Data Processing Agreement ("DPA") governs the processing of personal data by Social Dance Tech Ltd, a company incorporated in England and Wales with company number 16618392 and registered office at Belmont Suite Paragon Business Park, Chorley New Road, Horwich, Bolton, United Kingdom, BL6 6HG (the "Processor"), on behalf of any organiser, promoter, teacher, community operator or other business user who uses the socialdance.net platform and related services (the "Controller").
Background
- The Controller wishes to use the Processor’s socialdance.net platform and related services.
- In providing those services, the Processor will process personal data on behalf of the Controller.
- The parties enter into this Data Processing Agreement ("DPA") to govern that processing and to record their respective obligations under Applicable Data Protection Law.
1. Definitions
In this DPA, unless the context otherwise requires:
Applicable Data Protection Law means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other applicable law relating to privacy or the processing of personal data, in each case as amended or replaced from time to time.
Controller Personal Data means the personal data processed by the Processor on behalf of the Controller under this DPA.
Services means the services provided by the Processor to the Controller through the socialdance.net platform and related tools, as described in this DPA.
2. Interpretation
2.1 In this DPA, the terms Data Subject, personal data, personal data breach, processing, processor, controller and sub-processor have the meanings given to them in Applicable Data Protection Law.
3. Scope and roles
3.1 This DPA applies only to the processing carried out by the Processor on behalf of the Controller. It does not apply to any processing carried out by the Processor as controller for its own purposes.
3.2 The Controller appoints the Processor to process Controller Personal Data on its behalf for the purposes set out in this DPA.
3.3 The parties acknowledge that, for the processing governed by this DPA:
- the Controller is the controller; and
- the Processor is the processor.
3.4 The details of the processing covered by this DPA are set out in Schedule 1.
4. Controller instructions
4.1 The Processor shall process Controller Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law.
4.2 The Controller’s instructions are set out in:
- this DPA;
- the Controller’s use and configuration of the Services; and
- any other written instructions agreed between the parties from time to time.
4.3 If the Processor believes that an instruction from the Controller infringes Applicable Data Protection Law, the Processor shall inform the Controller without undue delay.
4.4 The Processor may refuse to follow any instruction that is unlawful, technically impracticable, or outside the scope of the agreed Services.
5. Processor obligations
5.1 The Processor shall:
- process Controller Personal Data only to provide the Services and otherwise in accordance with the Controller’s documented instructions;
- ensure that persons authorised to process Controller Personal Data are subject to appropriate duties of confidentiality;
- implement appropriate technical and organisational measures to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, or other unlawful processing;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law;
- assist the Controller in ensuring compliance with its obligations relating to security, personal data breaches, data protection impact assessments and prior consultation with any supervisory authority, taking into account the nature of the processing and the information available to the Processor;
- at the choice of the Controller, delete or return all Controller Personal Data on termination of the Services, unless applicable law requires continued storage;
- make available to the Controller such information as is reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law; and
- allow for and contribute to reasonable audits or inspections by the Controller or its authorised auditor, subject to clause 11.
5.2 The Processor shall promptly notify the Controller if it receives a request, complaint or correspondence from a Data Subject or supervisory authority relating to Controller Personal Data, unless prohibited by law.
5.3 The Processor shall not respond directly to any such request except:
- on the documented instructions of the Controller; or
- where required by law.
6. Security
6.1 The Processor shall maintain appropriate technical and organisational measures having regard to the nature of the processing, the state of the art, the costs of implementation and the risks to the rights and freedoms of natural persons.
6.2 Such measures may include, where appropriate:
- access controls;
- authentication controls;
- encryption in transit and at rest;
- logging and monitoring;
- backup and recovery measures;
- staff confidentiality measures; and
- incident response procedures.
6.3 The Processor may update its security measures from time to time, provided that the overall level of security is not materially diminished.
7. Sub-processors
7.1 The Controller authorises the Processor to appoint the sub-processors listed in Schedule 2.
7.2 The Controller gives general written authorisation for the appointment of additional sub-processors, provided that the Processor gives the Controller reasonable prior notice of any proposed new sub-processor.
7.3 If the Controller objects on reasonable data protection grounds to a proposed new sub-processor, the parties shall discuss the objection in good faith.
7.4 Where the Processor appoints a sub-processor, it shall ensure that the sub-processor is bound by written terms which provide materially equivalent protection for Controller Personal Data as those set out in this DPA.
7.5 The Processor shall remain responsible for the acts and omissions of its sub-processors to the extent required by Applicable Data Protection Law.
8. International transfers
8.1 The Processor may process or permit the processing of Controller Personal Data outside the UK only where it has ensured that the transfer is made in accordance with Applicable Data Protection Law.
8.2 This may include transfers or access:
- by approved sub-processors;
- through infrastructure or support arrangements; or
- where the Controller or its users access the Services from outside the UK.
8.3 The Processor shall implement an appropriate transfer mechanism where required, including adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
9. Personal data breaches
9.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller Personal Data.
9.2 The Processor shall provide the Controller with such information as is reasonably available to enable the Controller to assess the breach and comply with its own reporting and notification obligations.
9.3 The Processor shall take reasonable steps to investigate, mitigate and remediate any such personal data breach.
10. Special category data
10.1 The parties do not intend that the Processor will process special category personal data under this DPA.
10.2 The Controller shall not instruct the Processor to process special category personal data or criminal offence data unless:
- this has been expressly agreed in writing; and
- the Controller has identified a lawful basis and any additional condition required by Applicable Data Protection Law.
10.3 For the avoidance of doubt, a preference such as "lead" or "follow" is not treated by the parties as special category personal data solely because it may in some circumstances correlate with gender or sex.
11. Audit and information rights
11.1 The Controller may, on reasonable written notice, request information reasonably necessary to demonstrate the Processor’s compliance with this DPA.
11.2 Where such information is not reasonably sufficient, the Controller may carry out an audit or inspection, itself or through an independent auditor, provided that:
- reasonable prior written notice is given;
- the audit takes place during normal business hours;
- the audit does not unreasonably disrupt the Processor’s business;
- appropriate confidentiality obligations are observed; and
- the audit does not compromise the confidentiality or security of other customers’ data.
11.3 The Processor may satisfy audit obligations through provision of relevant security or compliance materials where appropriate.
12. Return or deletion of data
12.1 On termination or expiry of this DPA, the Controller may require the Processor either to:
- return the Controller Personal Data to the Controller; or
- delete the Controller Personal Data.
12.2 The Controller shall exercise that choice by written notice within a reasonable period after termination. If the Controller does not do so, the Processor may delete the Controller Personal Data after a reasonable period.
12.3 Nothing in this clause requires the Processor to delete Controller Personal Data to the extent it is required to retain it by applicable law or where retained securely in backup systems for a limited period in accordance with normal retention and deletion cycles.
13. Liability
13.1 Each party shall remain liable for its own acts and omissions under this DPA and Applicable Data Protection Law.
13.2 Nothing in this DPA excludes or limits either party’s liability to the extent that such exclusion or limitation is prohibited by Applicable Data Protection Law.
14. General
14.1 This DPA constitutes the entire agreement between the parties in relation to the processing of Controller Personal Data by the Processor on behalf of the Controller.
14.2 This DPA shall commence on the date it is signed by both parties and shall remain in force for so long as the Processor processes Controller Personal Data on behalf of the Controller.
14.3 No variation of this DPA shall be effective unless it is in writing and signed by or on behalf of both parties.
14.4 If any provision of this DPA is held to be invalid or unenforceable, that provision shall be deemed modified to the minimum extent necessary to make it valid and enforceable, and the remainder of this DPA shall remain in full force and effect.
14.5 This DPA may be executed in counterparts.
15. Governing law and jurisdiction
15.1 This DPA and any dispute or claim arising out of or in connection with it shall be governed by the law of England and Wales.
15.2 The courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA.
Schedule 1
Details of processing
- Subject matter
The provision of platform services by Social Dance Tech Ltd to the Controller through socialdance.net and related tools.
- Duration
For the duration of this DPA and such further period as the Processor processes Controller Personal Data on behalf of the Controller in connection with the Services.
- Nature and purpose of the processing
Processing of personal data on behalf of the Controller for the purpose of providing organiser-directed services, including:
- managing RSVP lists and attendee check-ins;
- processing answers to event-specific registration questions;
- sending transactional organiser communications, including confirmations, reminders and updates; and
- sending marketing emails on behalf of the Controller to the Controller’s own marketing lists.
- Types of personal data
The Controller Personal Data may include:
- name;
- email address;
- phone number;
- booking and ticket details;
- RSVP status;
- event-specific registration answers; and
- message delivery data.
- Categories of data subjects
The Controller Personal Data may relate to:
- attendees;
- ticket buyers;
- subscribers;
- commenters; and
- organiser staff or moderators.
Schedule 2
Sub-processor | Service | Country / region
-|-|-
Stripe | Billing and payment-related services | UK / EEA / USA or such other locations used by Stripe in accordance with Applicable Data Protection Law
Amazon Web Services | Compute infrastructure and hosting services | UK and such other locations used by AWS in accordance with Applicable Data Protection Law