Current as of January 2024 

This DATA PROTECTION ADDENDUM (the “Addendum”) is incorporated into and forms part of the Sponsorship Agreement between Emerald and Event Partner or Advertiser as applicable (each, an “Business Partner”) and sets forth certain obligations in connection with the parties’ disclosure or exchange of Personal Information. In the event of any ambiguity between the terms or conditions of this Addendum and those of the Agreement, the terms and conditions of this Addendum will control. Any terms used but not defined herein shall have the same meaning given to them in the Agreement. 

1) Definitions

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise processed. 

“Downstream Participant” means any third party that Processes Personal Information that is not Emerald, Business Partner, or a Service Provider or Processor of Business Partner. 

“Data Protection Laws” means any and all applicable data protection, security, or privacy-related laws, statutes, directives, or regulations in any relevant jurisdiction relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time.  

“Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, with a particular individual or household, or is otherwise defined as “personal data,” or “personally identifiable information” by applicable Data Protection Laws.  

The terms “Process,” “Processor,” “Sale,” “Service Provider,” and “Share” shall have the same meaning as in the Data Protection Laws, and their cognate terms shall be construed accordingly. 

2) Emerald Data

(a) Emerald Data. From time to time, Emerald may, at its sole discretion, provide or make available to Business Partner Personal Information of certain individuals who have registered to attend the Show and consented for their Personal Information to be shared with Business Partner (“Emerald Data”). Emerald will be shared Emerald Data with Business Partner in a secure manner agreed to by the parties.

3) Business Partner Duties

(a) Purpose and Use Restrictions. 

i. Business Partner may only use Emerald Data for the Purpose described in accordance with the terms of the Agreement and this Addendum. Business Partner shall not use Emerald Data for any other purpose whatsoever, except, where a Data Protection Law applies to particular Personal Information, where and only to the extent permitted or required by that Data Protection Law.  

ii. Business Partner shall not:  

A. Distribute, disclose, sell, share, sublicense, or otherwise transfer the Emerald Data to any Downstream Participant or any other third parties unless expressly permitted by the Agreement; 

B. Retain, use, disclose or process the Emerald Data for any purpose other than as set forth in this Addendum or the Agreement, and only in compliance with Data Protection Laws; or 

C. Engage in any activity that would give Emerald actual knowledge or reason to believe that Business Partner intends to use the Emerald Data in violation of any applicable Data Protection Laws. 

    (b) Cooperation. 

      i. Business Partner shall assist Emerald to comply with and fulfill the responsibilities of Emerald under applicable Data Protection Laws, including responding to any and all: 

        (A) requests from data subjects to exercise any applicable rights of access, correction, objection, erasure, and data portability;  

        (B) requests from Emerald for information and cooperation necessary to fulfill obligations to carry out a data protection assessment related to the disclosed Personal Information; and  

        (C) inquiries, correspondences, requests or complaints from regulators or other government or third-party entities relating to the processing of Emerald Data.  

        ii. In the event that Emerald notifies Business Partner that any individual has made a request to have their Personal Information deleted or to opt out of the Sale or Sharing of their Personal Information, Business Partner shall promptly delete such individual’s Personal Information and will cease any and all use of the Personal Information.  Upon request from Emerald, Business Partner will provide documentation that verifies it no longer retains or uses the Personal Information of any individual who has made requests to opt out of the Sale or Sharing of their Personal Information. Business Partner shall further comply with any individual’s request to unsubscribe from any communications from Business Partner.  

          iii. Business Partner shall promptly notify Emerald in the event that Business Partner makes a determination that it can no longer meet its obligations under this Agreement or any applicable Data Protection Law. 

          (c) Security and Audits. 

            i. Business Partner represents and warrants that it has implemented and will maintain reasonable and appropriate physical, administrative and technical procedures and safeguards to comply with the requirements of applicable Data Protection Laws and to protect Emerald Data from a Data Breach and any other unlawful forms of processing .  With respect to Business Partner’s technical and organizational security measures, Business Partner will consider the cost of implementation, current state of industry accepted technologies, and the risks, nature, scope, context and purposes of the processing.  Such measures shall include without limitation: (i) the ability to restore the availability and access to such Personal Information in a timely manner in the event of a physical or technical incident; (ii) the use of codes, intrusion detection systems, usernames, and passwords in order to access such Personal Information; (iii) only Business Partner personnel who are appropriately trained and specifically authorized to gain access to such Personal Information shall gain such access; (iv) the encryption of Personal Information; and (v) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Business Partner shall limit access to Emerald Data to its employees who have a need to access the Emerald Data for the purpose set forth herein and who are subject to a strict duty of confidentiality (whether contractual or statutory). Without limiting the foregoing, Business Partner shall comply with the same level of privacy protection as required of a business pursuant to the CCPA with respect to the Personal Information. 

              ii. If Business Partner learns of an actual Data Breach relating to the Personal Information disclosed to it under the Agreement, Business Partner will at its cost and without undue delay notify Emerald of such matter (no later than 48 hours after learning of such matter); investigate and remediate the effects of the Data Breach; and cooperate to the extent reasonably necessary and take any other actions reasonably necessary in connection with any investigations by Emerald or a party designated by Emerald and with Emerald fulfilling any applicable data breach reporting obligations under applicable Data Protection Laws.  Following the resolution of such Data Breach, Business Partner will report its findings in writing, which will describe without limitation the scope of the Data Breach and the actions taken to mitigate the risk of a Data Breach in the future. 

                iii. Business Partner grants Emerald the right to take reasonable and appropriate steps to ensure that Business Partner uses the Emerald Data in a manner consistent with this Agreement and applicable Data Protection Laws. 

                iv. Business Partner grants Emerald the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate the unauthorized use of Emerald Personal Information. 

                  4) International Provisions. 

                  (a) Jurisdiction Specific Terms. 

                  i. To the extent that either party is processing any Personal Information originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.  

                  A. The parties agree that where one party discloses Personal Information to the other party, and such disclosure involves a transfer of Personal Information from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to the other party located outside the EEA, UK or Switzerland (a “C2C Transfer”), unless the parties rely on an alternative transfer mechanism or basis under the Data Protection Laws, such C2C Transfer shall be subject to the standard contractual clauses approved by the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“EU SCCs”), as incorporated herein, and with respect to such C2C Transfer: 

                  • The party that transfers Personal Information to another party in accordance with the Agreement is the “Data Exporter,” and the party that receives such Personal Information is the “Data Importer”; 
                  • Module One will apply; 
                  • in Clause 7, the optional docking Clause will not apply; 
                  • in Clause 11, the optional language will not apply; 
                  • in Clause 17 (Option 1), the EU SCCs will be governed by Irish law; 
                  • in Clause 18(b), disputes shall be resolved before the courts of Ireland; and 
                  • the applicable annexes are completed respectively with the information set out in this Addendum. 

                  If there is any conflict between this Addendum and the EU SCCs applicable to the Data Exporter’s transfer of transferred Personal Information to a Data Importer, the EU SCCs will prevail. 

                  B. In relation to C2C Transfers of Personal Information that is protected by the UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner under s.119A(1) of the DPA 2018 (“UK Addendum”) will apply between the transferring Data Exporter and that Data Importer in relation to that transferred Personal Information and completed as follows: 

                  • The EU SCCs, completed as set out above in Section A, shall apply and be deemed executed between the transferring Data Exporter and the Data Importer, and shall be modified by the UK Addendum (completed as set out below); and  
                  • tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in Section A above, and the options “Exporter” and “Importer” shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the Effective Date of this Addendum.   

                  If there is any conflict between this Addendum and the UK Addendum applicable to the Data Exporter’s transfer of transferred Personal Information to a Data Importer, the UK Addendum will prevail. 

                  C. In relation to C2C Transfer of Personal Information from Switzerland, the Clauses as implemented under Section A above will apply subject to the following modifications: 

                  • references to “Regulation (EU) 2016/679”shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”) 
                  • references to specific Articles of “Regulation (EU) 2016/679”shall be replaced with the equivalent article or section of the FADP; 
                  • references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable; 
                  • the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights; 
                  • Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner; 
                  • the Clauses are governed by the law of Switzerland; and 
                  • any dispute arising from the Clauses will be resolved by the courts of Switzerland. 

                  (b) Cross-Border Transfers. 

                  To the extent that any Personal Information is transferred by the party to another country, each party will ensure that such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Laws.  

                  5) Indemnification

                  Business Partner shall indemnify, defend, and hold harmless Emerald and its officers, directors, employees, and agents from and against all claims, demands, suits, causes of action, awards, judgments and liabilities, including reasonable attorneys’ fees and costs (collectively “Claims”) arising out of or alleged to have arisen out of Business Partner’s breach of its obligations under this Addendum or Data Protection Laws, or any breach by Business Partner’s Service Providers, and any Downstream Participants. 

                  6) Modifications. 

                  Emerald may update the terms of this Addendum from time to time as a result of (a) changes in applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services.