Data Processing Agreement

Introduction

When you sell tickets through MijnEvent, we process your visitors' personal data on your behalf. You are the data controller; MijnEvent is the processor. This agreement sets out how we handle that data, in line with article 28 of the GDPR. It becomes effective automatically the moment you sign up as an organiser — there is nothing separate to arrange.

Parties and roles

The organiser determines the purpose and means of the processing (data controller). MijnEvent processes the data solely on the organiser's instructions (processor) and never uses it for its own purposes such as advertising or sale to third parties.

1. Subject and duration

This agreement governs the processing of personal data carried out in the context of the ticketing service. It applies for as long as the organiser uses MijnEvent and ends when the account is closed.

2. Processing only on instructions

MijnEvent processes personal data only on the documented instructions of the organiser, as laid down in this agreement and the operation of the platform, unless a legal obligation requires otherwise.

3. Nature, purpose, data and data subjects

The processing serves ticket sales, check-in and related communication. It concerns the following data and data subjects:

• Data subjects: visitors/buyers and any of the organiser's inspectors.
• Data: name, email address, order and ticket data and — limited and temporary — technical data such as IP address for security.
• No special categories of personal data; payment data is processed by Mollie and does not touch our servers.

4. Security measures

MijnEvent takes appropriate technical and organisational measures, including:

• Passwordless login (magic link) with verification of unknown devices and optional two-factor authentication.
• Encryption of sensitive data and encrypted connections (HTTPS).
• Masking of visitor email addresses in admin environments, with an auditable log on disclosure.
• Hosting within the EU and cookieless, privacy-friendly analytics.

5. Sub-processors

MijnEvent engages sub-processors for specific parts of the service (such as payment processing via Mollie and email delivery). Comparable obligations apply to each sub-processor. On request we provide an up-to-date list of engaged sub-processors.

6. Assistance with data subject rights

Visitors can view, download (data portability) and delete their data from their own account. MijnEvent facilitates these GDPR rights within the platform and assists the organiser with requests that cannot be handled directly.

7. Data breaches

In the event of a (suspected) data breach, MijnEvent informs the organiser without undue delay and provides the information the organiser needs to meet its own notification obligation (within 72 hours).

8. Retention, return and deletion

MijnEvent keeps personal data no longer than necessary. Data that is no longer needed is automatically anonymised after an event; only what the law (accounting obligation) requires is retained. On termination, personal data is deleted or anonymised, subject to legal retention obligations.

9. Audit and accountability

On request, MijnEvent makes available the information needed to demonstrate compliance with this agreement and cooperates with reasonable audits.

10. Liability and governing law

This agreement is governed by Dutch law. Liability is governed by MijnEvent's general terms, to the extent permitted under the GDPR.