Data Processing Agreement (DPA)

Last revised: April 01, 2026

 

This Data Processing Agreement and its possible annexes (hereinafter, the “DPA”) constitutes an addendum to the Terms and Conditions entered into between Meetmaps and the Customer for the licensing of software and associated services (the “Agreement”).

For the performance of the Agreement, Meetmaps may process personal data on behalf of the Customer. In this capacity, Meetmaps acts as the Data PROCESSOR and the Customer acts as the Data CONTROLLER.

This DPA governs the agreement between the parties regarding the processing of such data, in accordance with the recommendations of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council), hereinafter EU-GDPR, which provides that the processing of personal data by a processor shall be governed by a contract or other legal act.

The Parties agree to comply with the following provisions regarding personal data. In the event of any discrepancy between the Spanish and English versions, the Spanish text shall prevail. If you have signed a specific version of this agreement, the following clauses do not apply to your case, and said variant shall prevail over these clauses.

  1. SUBJECT MATTER OF THE PROCESSING

By means of these clauses, the PROCESSOR is authorized to process, on behalf of the CONTROLLER, the personal data necessary to provide the following service: Event management software license and services associated with its use.

The processing of personal data shall include the following operations:

✅ Collection

✅ Recording

⬜ Organization

⬜ Structuring

⬜ Storage

⬜ Adaptation or alteration

⬜ Retrieval

✅ Consultation

✅ Use

✅ Disclosure by transmission

✅ Dissemination

⬜ Alignment

⬜ Restriction

⬜ Erasure

⬜ Destruction

 

  1. IDENTIFICATION OF THE AFFECTED INFORMATION

For the performance of the obligations derived from the fulfillment of the subject matter of this appointment, the CONTROLLER authorizes the PROCESSOR to process the necessary information, which includes the following categories of personal data:

  • Identifying data: First name, last name, and email address.
  • Other data: As defined by the CONTROLLER during the term of the Agreement for the execution of its subject matter

  1. TERM

This agreement shall remain in effect for as long as the provision of services that motivates the formalization of the Agreement remains in force, plus any such further period as may be necessary to comply with legal obligations or to address potential liabilities, during which time the data shall remain restricted to any possible processing.

  1. RETURN OF DATA

Upon termination of the Agreement, the PROCESSOR shall, at the choice of the CONTROLLER, return to the CONTROLLER or destroy the personal data and, where applicable, the media on which they are stored, once the provision of services has ended.

To this end, the CONTROLLER shall communicate its decision by means of a notification to the address indicated in Clause 9 (Notifications). In any event, the return must entail the total erasure of the existing data in the PROCESSOR’s systems and documents.

However, the PROCESSOR may keep a copy, with the data duly blocked, for as long as liabilities may arise from the performance of the service.

  1. OBLIGATIONS OF THE PROCESSOR

5.1 Purpose

The PROCESSOR shall use the personal data subject to processing only for the purpose of this appointment. Under no circumstances may it use the data for its own purposes.

5.2 Instructions from the CONTROLLER

The PROCESSOR shall process the data in accordance with the CONTROLLER’s instructions.

If the PROCESSOR considers that any instruction infringes the EU-GDPR or any other European Union or Member State data protection provision, the PROCESSOR shall immediately inform the CONTROLLER.

5.3 Record of processing activities

The PROCESSOR shall maintain a record of all categories of processing activities carried out on behalf of the CONTROLLER, unless it may rely on any of the exceptions under Article 30.5 of the GDPR.

5.4 Non-disclosure:

The PROCESSOR shall not disclose the data to third parties, unless it has the express authorization of the CONTROLLER, in legally permissible cases.

The PROCESSOR may communicate the data to other processors of the same CONTROLLER, in accordance with the CONTROLLER’S instructions. In this case, the CONTROLLER shall identify, prior and in writing, the entity to which the data is to be communicated, the data to be communicated, and the security measures to be applied to proceed with the communication

5.5 Subcontracting

The PROCESSOR may subcontract part of its responsibilities exclusively for the fulfillment of the subject matter of the appointment, in order to offer the highest technical, security, and service guarantees.

The PROCESSOR guarantees that any subcontractor shall have the status of data processor and shall be equally bound to comply with the obligations set forth in this document.

5.6 Duty of Secrecy:

The PROCESSOR and all its personnel shall maintain a duty of secrecy with respect to the personal data to which they have had access by virtue of this appointment, even after its termination.

5.7 Confidentiality Commitments:

The PROCESSOR guarantees that persons authorized to process personal data have committed themselves to confidentiality and to comply with the corresponding security measures.

5.8 Training

The PROCESSOR shall guarantee the necessary training in personal data protection for the personnel authorized to process personal data.

5.9 Assistance in the exercise of rights:

The PROCESSOR shall assist the CONTROLLER in responding to the exercise of rights of:

  1. Access, rectification, erasure and objection;
  2. Restriction of processing;
  3. Data portability;
  4. Not to be subject to automated individual decision-making (including profiling).

When the data subjects exercise their rights of access, rectification, erasure and objection, restriction of processing, data portability, and the right not to be subject to automated individual decision-making before the PROCESSOR, the latter must communicate it by email to the CONTROLLER at the address indicated in Clause 9 (Notifications). This communication must be made immediately on the next business day following the receipt of the request, together with, where applicable, any other information that may be relevant to resolve the request.

5.10 Right to information:

It is the responsibility of the CONTROLLER to provide the right to information at the time of data collection.

5.11 Notification of security breaches:

The PROCESSOR shall notify the CONTROLLER within a maximum period of 12 hours of becoming aware of any personal data security breaches, together with all relevant information.

Aquí tienes la traducción profesional al inglés de esta sección, siguiendo la terminología legal del RGPD y manteniendo la coherencia con las cláusulas anteriores:

5.11.1 Notification of Security Breaches Communication to the Controller:

PROCESSOR shall notify the CONTROLLER within a maximum period of 12 hours from becoming aware of it, of any personal data security breaches under its responsibility, together with all relevant information. At a minimum, the following information shall be provided:

  1. Description of the nature of the personal data security breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
  2. The name and contact details of the data protection officer or another contact point of the PROCESSOR where further information can be obtained.
  3. Description of the possible consequences of the personal data security breach.
  4. Description of the measures adopted or proposed to remedy the personal data security breach, including, where appropriate, the measures adopted to mitigate possible negative effects.

If it is not possible to provide the information simultaneously, and to the extent that it is not, the information shall be provided gradually without undue delay.

The PROCESSOR shall make this communication via email marked as URGENT to the address indicated in Clause 9 (Notifications).

5.11.2 Communication to the Data Protection Authorities:

The CONTROLLER is responsible for communicating data security breaches to the Data Protection Authority.

5.11.3 Communication to the Data Subjects:

The CONTROLLER is responsible for communicating data security breaches to the data subjects, when necessary. The PROCESSOR shall provide the necessary support so that the CONTROLLER can carry out said communication in the shortest possible time.

5.12 Support in carrying out data protection impact assessments:

The PROCESSOR shall support the CONTROLLER in carrying out data protection impact assessments, where appropriate.

5.13 Support in conducting prior consultations with supervisory authorities:

The PROCESSOR shall support the CONTROLLER in conducting prior consultations with the supervisory authority, where appropriate.

5.14 Compliance with obligations:

The PROCESSOR shall make available to the CONTROLLER all information necessary to demonstrate compliance with its obligations, as well as to allow for audits or inspections conducted by the CONTROLLER or another auditor authorized by them.

5.15 Security measures:

The PROCESSOR shall periodically (and whenever there are significant changes to its software and hardware infrastructure) perform an information security risk assessment, which will result in the implementation of mechanisms appropriate to the detected risks, as described in Article 32 of the GDPR and, specifically: 

  1. Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  2. Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  3. Regularly test, assess, and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
  4. Pseudonymize and encrypt personal data, where appropriate.

5.16 Data Protection Officer:

The contact email address for the PROCESSOR’S Data Protection Officer is as follows: dpo@meetmaps.com

  1. OBLIGATIONS OF THE CONTROLLER

The CONTROLLER is responsible for:

  • Delivering to the PROCESSOR the data necessary for the provision of the services referred to in this agreement.
  • Conducting, when required by regulations, a data protection impact assessment of the processing operations to be carried out by the PROCESSOR.
  • Carrying out the appropriate prior consultations with the Data Protection Authorities.
  • Ensuring, both prior to and throughout the processing, compliance with the EU-GDPR by the PROCESSOR.
  • Supervising the data processing, including the performance of inspections and audits.

    1. LIABILITY

    Both the CONTROLLER and the PROCESSOR shall be liable for all damages caused to the other party in all cases of negligent or wrongful conduct in the fulfillment of their respective obligations, in accordance with the provisions of this agreement.

    Neither party shall assume any liability for the non-execution or delay in the execution of any of the obligations under this agreement if such failure or delay results from or is a consequence of a case of force majeure or unforeseeable circumstances, admitted as such by Jurisprudence, in particular: natural disasters, war, state of siege, public order disturbances, transport strikes, power supply cuts, or any other exceptional measure adopted by administrative or governmental authorities

    1. CONFIDENTIALITY

    The PROCESSOR guarantees that it will maintain the strictest confidentiality and express compliance with the duty of professional secrecy regarding the CONTROLLER’S affairs during the term of the service provision and indefinitely after its termination.

    During and after the term of the Agreement, the PROCESSOR shall treat all information owned by the CONTROLLER as strictly confidential, taking the necessary measures to ensure its content is not disclosed to third parties, and that third parties cannot access it without the CONTROLLER’S express authorization.

    Unless confidentiality is regulated in another express agreement, confidential information shall be considered all information capable of being disclosed between the CONTROLLER and the PROCESSOR orally, in writing, or by any other medium or support, tangible or intangible, currently known or invented in the future, whether exchanged as a consequence of this contractual relationship or designated as confidential by one party to the other.

    1. NOTIFICATIONS

    Any notification required for the purposes of this DPA shall be made in writing to the following attention and address:

    DATA PROCESSOR

    Name: Data Protection Officer
    Contact Email: dpo@meetmaps.com

    DATA CONTROLLER

    The addresses associated as signatories of the Agreement and those assigned as “Superadmin” in the Customer’s account within the Meetmaps platform.

    1. GENERAL PROVISIONS

      This contract contains the entire agreement between the parties regarding data processing and supersedes and replaces any prior agreement, whether verbal or written, reached by the parties. 

      Furthermore, in the event of a contradiction between the conditions stipulated in this agreement and any other previously signed between both parties, the provisions of this agreement shall prevail. 

      Any modification to the content of this agreement shall only be effective if made in writing and with the consent of both parties. 

      The failure of either party to enforce any of its rights under this agreement shall not be deemed to constitute a waiver of such rights in the future.

      1. GOVERNING LAW AND JURISDICTION

      This agreement shall be governed by and construed in accordance with Spanish law in all matters not expressly regulated herein. For any disputes that may arise in relation to this agreement, the parties submit to the jurisdiction of the Courts and Tribunals of the city of Barcelona, expressly waiving any other jurisdiction that may correspond to them.