Welcome to our Data Processing Agreement

This Data Processing Agreement (“DPA”) and its annexes, including links, governs the Processing of Personal Data by GESHDO Now AB, 559053-5208, as a Processor, on behalf of Customer or Customer Affiliates, as applicable and as defined in the Main Agreement, including our Terms, which can be found here.

Contact information to responsible GESHDO party: legal@geshdo.com


(A) This data processing agreement (“Agreement”) applies to all activities where the Processor processes personal data on behalf of the Controller, as required by Article 28 (3) of the GDPR, in connection with the Service, including any sub-agreements and similar concluded thereunder (“Main Agreement“).

(B) The Processor uses the personal data of the Controller solely in the interest and on behalf of the Controller.

(C) If the Processor is also providing services and/or products under the Agreement to the Controller’s Affiliates, or otherwise gains access to the Affiliate’s data relating to identified or identifiable natural person(s) for the purposes of fulfilling the Main Agreement, such data shall be regarded as Personal Data and this Agreement shall be applicable to the Processor’s processing of such Personal Data. Such Affiliates have the same rights and obligations as the Controller under this Agreement.

(D) This Agreement is an integral part of the Main Agreement. In the event of any conflict between the terms of the Main Agreement and the terms of this Agreement, this Agreement shall prevail with respect to the subject matter of this Agreement.

1. Definitions

1.1 Affiliate: Companies (a) directly or indirectly owning or controlling the Controller; or (b) under the same direct or indirect ownership or control as the Controller; or (c) directly or indirectly controlled by the Controller. Ownership or control shall be understood to exist through direct or indirect ownership of fifty percent (50%) or more of the nominal value of the issued equity share capital or of fifty percent (50%) or more of the shares entitling the holders to vote for the election of the members of the board of directors or persons performing similar functions or the minimum share entitling to control prescribed in applicable legislations in such jurisdictions where the ownership of fifty percent (50%) or more would not be possible.

1.2 Commissioned Processing of Personal Data: Commissioned Processing of Personal Data is the access to Personal Data by the Processor as well as collection, modification, transfer, blocking, deletion, storing, hosting or any other type of processing of Personal Data by the Processor on behalf of the Controller in connection with the Main Agreement and as further specified under this Agreement.

1.3 Data Subject: An individual whose Personal Data is being processed by the Processor under this Agreement and the Main Agreement.

1.4 Instruction: The Processor shall process Personal Data in accordance with the Controller’s written instructions. The initial instructions derive from Section 2 of this Agreement; the Controller can change, amend or replace these initial instructions by single instructions in writing at any time.

1.5 Personal Data: Personal Data means any information relating to an identified or identifiable natural person(s) as defined in the applicable data protection laws, and that is subject to Commissioned Processing of Personal Data.Personal Data means any information relating to an identified or identifiable natural person(s) as defined in the applicable data protection laws, and that is subject to Commissioned Processing of Personal Data.

1.6 Personal Data Breach: Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2. Scope of the Commissioned Processing

2.1 The Processor shall process or otherwise use Personal Data solely on behalf of the Controller and according to the Controller’s instructions as set out in Section 2 and the requirements of the applicable data protection laws. The data is processed and stored in the EU at selected data centers (eg Netherlands). For the application with its metadata, we have redundancy between the US / EU depending on where the user is located to guarantee a fast system regardless of geography.

2.2 The scope, manner and purpose of the collection, processing and use of the Personal Data under this Agreement are defined as follows:

Categories of subject Type of personal data Scope of use & purpose Sensitive data
Customers and clients Name, email Booking of tickets

3. Obligations of the Processor

3.1 The Processor shall only collect, process or utilise Personal Data of the Controller in accordance with the Instructions of the Controller and applicable laws and not for other own purposes or purposes of third parties. The Controller shall confirm any oral instructions in writing or via email to legal@geshdo.com. Where the Processor believes that compliance with any Instructions by the Controller would result in a violation of applicable law on data protection, the Processor shall immediately notify the Controller thereof.

3.2 The Processor shall ensure within his area of responsibility the implementation and compliance with technical and organisational measures. In particular, the Processor shall take such technical and organisational measures to protect the Personal Data of the Controller against accidental, unlawful or unauthorised destruction, loss, alteration, disclosure and access as well as against other events that endanger the security, confidentiality or integrity of the Personal Data, appropriate to the risk of varying likelihood and severity for the rights and freedoms of natural persons. This including, inter alia as appropriate the following measures:

The Processor shall in particular ensure a strict separation between the Personal Data of the Controller, the Processor’s own data, and data of third parties.

3.3 The Processor shall inform the Controller in the event of (i) substantial disruptions of the service, (ii) possible infringements of applicable data protection laws or of this Agreement by itself, its employees or third parties, and (iii) any other irregularity in relation to the processing of the Controller’s Personal Data.

3.4 The Processor shall inform the Controller if the Personal Data of the Controller will be at risk on the site of the Processor by distrainment, seizures, insolvency or bankruptcy measures or by any other activities or measures of third parties. The Processor shall inform all people responsible in this context that the Personal Data are in sovereignty of the Controller..

3.5 All data storage media, if any, and all copies or reproductions thereof shall remain the property of the Controller. The Processor shall store them carefully without granting access to third parties. The Processor shall at any time give information to the Controller relating to its Personal Data and materials. According to the Controller’s individual orders, the Processor shall be responsible for the erasure of test or excess data and materials in compliance with data protection requirements, except in certain cases, to be defined by the Controller, where storage and/or disclosure of the test or excess data shall be performed.

4. Notification obligation

4.1 In case of a Personal Data Breach, the Processor shall, without undue delay and in any case within 48 hours, after having become aware of the Personal Data Breach, notify the Controller of the Personal Data Breach in writing. The notification must, to the extent such information is available to the Processor: (i) describe the nature of the Personal Data Breach including the categories and number of Data Subjects concerned and the categories and number of data records concerned; (ii) communicate the identity and contact details of the data protection officer of the Processor or other contact point where more information can be obtained; (iii) recommend measures to mitigate the possible adverse effects of the Personal Data Breach; (iv) describe the consequences and potential risk to the Data Subjects due to the Personal Data Breach; (v) describe the measures proposed or taken by the Processor to address the Personal Data Breach; and (v) any other information reasonably required in order for the Controller to comply with its own data protection requirements, including duties of notification and disclosure in relation to public authorities.

4.2 The Processor shall, without undue delay after becoming aware of any further details surrounding the Personal Data Breach, supplement the notification described above in Section 4.1 as well as provide the Controller with and any other information relating to the respective Data Breach as reasonably requested by the Controller and available to the Processor.

4.3 The Processor will document any Personal Data Breaches, comprising the facts surrounding the breach, its effects and the remedial actions taken. This Documentation must enable the supervisory authority to verify compliance with this Section 4. The Documentation will only include information necessary for such purpose, and shall be marked as confidential.

5. Confidentiality

5.1 Each Party shall keep confidential all material and information, including but not limited to Personal Data, marked as confidential or that should be under-stood to be confidential, regardless of whether personal, technical, financial or commercial and received in whatever form from the other Party (‘Confidential Information’). A Party shall have the right to:

5.2 Except for personal data, the confidentiality obligations set out in this Clause 5 shall not, however, be applied to any material or information (i) that was in the possession of the receiving Party prior to receipt of the same from the other Party without any obligation of confidentiality related thereto; or (ii) that is generally available or otherwise public, other than if it is public through a breach of this DPA or the Agreement on the part of the receiving Party; or (iii) that a Party has received from a third party without any obligation of confidentiality; or (iv) that a Par-ty has independently developed without using any material or information received from the other Party; or (v) that a Party is obliged to disclose pursuant to Law or other order issued by a Supervisory Authority.

5.3 Each Party shall cease using Confidential Information received from the other Party promptly upon the termination of this DPA or the Agreement or when the respective Party no longer needs the Confidential Information in question for the purposes of this DPA and/or the Agreement and shall return the material in question (including all copies thereof). Each Party shall, however, be entitled to retain copies as and to the extent required by the applicable law.

5.4 Each Party guarantees the observance and proper performance of this DPA by its personnel and advisors to whom Confidential Information may be disclosed pursuant to this Clause 5. The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.5 The confidentiality obligations set out in this Clause 5 shall survive any termination or cancellation of this DPA or the Agreement.

6. Obligations of the Controller

6.1 The Controller shall collect, process, and utilise Personal Data in accordance with applicable laws.

7. Obligation to Assist

7.1 The Processor shall duly assist and cooperate with Controller to allow Controller to comply with its obligations under (i) applicable law, inter alia pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor, (ii) the rights of data subjects and (iii) with requests or notices served by public authorities on Company in relation to the Services, the Personal Data or the Processing activities performed under this Data Processing Agreement. The Controller shall reimburse any reasonable incurring costs by the Processor in connection with the fulfilment of the duties. In case the inquiries relate to the duties of the Processor, the Processor shall assist the Controller free of charge.

8. Control Rights and Certificates

8.1 The Controller may itself – or with a third party being subject to statutory professional confidentiality obligations – carry out an audit at the Processor’s establishment, during the usual business hours and without disturbing the Processor’s business processes, to convince itself of the Processor’s compliance with the technical and organisational measures, this Agreement and data protection laws. The Processor shall tolerate such audit and shall comprehensively support the Controller in such audit. Furthermore, the Processor shall provide to the Controller, upon written request, within a reasonable period all information which is necessary to carry out a comprehensive review of the Commissioned Processing of Personal Data and release those persons from their confidentiality obligations vis-à-vis the Controller for the purpose of the audit. However, the Processor is not obliged to disclose business and trade secrets, operational know-how and other data being protected by law, such as data of other controllers, within such an audit. Controls and audits shall be announced at least four (4) weeks in advance and shall be coordinated with the Processor. Any costs of such controls and audits, including possible costs of the Processor, shall be borne by the Controller.

8.2 In the event of an audit or an information request from a regulatory authority supervising the Controller’s business, the Processor shall assist the Controller in answering the request and organising the audit. The Processor shall always allow any such regulatory authority to conduct audits of the Processor’s operations. Each Party shall bear its own costs in connection with audits initiated by such regulatory authority.

9. International transfers

9.1 Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject and shall take place in compliance with Chapter V of the GDPR.

9.2 The Controller agrees that where the Processor engages a sub processor in accordance with Clause 10 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the sub processor can ensure compliance by using standard contractual clauses adopted by the Commission in accordance with of Article 46(2) GDPR, provided the conditions for the use of those standard contractual clauses are met.

9.3 At the request of the Controller, the Processor shall provide a copy of the agreement or other legal act concerning processing of Personal Data on behalf of the Controller, entered into between the Processor and the sub processor (for Commissioned Processing of Personal Data).

10. Subprocessors

10.1 The Controller specifically authorizes the engagement of sub processors as listed below:(Name, Location of processing, Processing(s) performed by subprocessor, Transfer mechanism when applicable)

10.2 The Processor is authorized to engage or replace Sub processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Subprocessor. The Controller is entitled to, within five (5) days of receiving notification, lodge reasonable objections to such changes. The Processor shall notify the Controller of the following:

10.3 In all cases, such approval shall be granted only provided that the contractual agreement between the Processor and the subcontractor protects the Personal Data of the Controller essentially as this Agreement does (especially as regards confidentiality, data protection and data security) and in no regards contains data protection obligations less stringent than those contained in this Agreement. The Processor shall be responsible for the subcontractors’ obligations as for its own. The Controller shall have control rights vis-à-vis the Processor and the subprocessor as agreed in Section 7 of this Agreement. Furthermore, the Controller shall receive, upon request, information on the subprocessor as well as on the implementation of technical and organisational measures.

10.4 The Controller is entitled to prohibit the use of a specific subcontractor engaged in the Commissioned Processing of Personal Data for justified reason. Such justified reason should concern adequate guarantees to carry out appropriate technical and organisational measures to ensure that the Processing fulfils the requirements of GDPR and any further requirement(s) as regulated under this DPA.In order to avoid any adverse effects to the provision of the services and/or products under the Main Agreement, the Controller shall give the Processor a reasonable time to find a replacing subcontractor or respond to the objection. The Controller is, in any case, after thirty (30) days of lodging an objection, pursuant to item 10.2, due to such an objection and the Processor failing to show that such objection is not justified, entitled to cancel the Main Agreement and this DPA.

10.5 The Processor shall make available to the Controller an accurate and up-to-date list indicating the sub processors engaged, as well as the geographical location where their processing activities in respect of the personal data for which you are the data controller of are performed.

11. Liability

11.1 The Parties agree that the general principle of division of responsibility between the Parties under this Agreement relating to fines and/or damages to the Data Subjects imposed by any relevant supervisory authority and/or competent court authorised to impose such fines or damages is based on the respective Parties need to fulfil its obligations under the applicable data protection laws and that any fines and/or damages to the Data Subjects imposed by a supervisory authority and/or competent court shall be paid by the party that has failed in its performance of its legal obligations under the applicable data protection laws.

11.2 The Parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations by any Party or subcontractor is entitled to receive compensation from the Controller for the damage suffered. Neither Party shall be liable to the other Party under the agreement for any indirect damages. The Parties aggregate liability under this Agreement shall be limited to not exceed the amount that the Controller has paid for the use of the services (limited to the last 12 months prior to the claim) and service content regardless of the claim. The Controller shall defend, indemnify and hold the Processor harmless against all reasonable cost and damages finally awarded to the Processor by a competent supervisory authority and/or a court of competent jurisdiction (i.e. by an award not capable of appeal) and resulting from claims and actions alleging that the Processor is in breach of the applicable data protection laws provided that (i) such breach results directly from the Controller’s written instructions or requirements that are in breach of applicable data protection laws; and (ii) the Processor has notified the Controller beforehand that such requirements or instructions constitute a violation of the data protection laws applicable to the Processor but the Controller has not amended such requirements or instructions in accordance with Processor’s advice in order to avoid such violation by the Processor; and (iii) the Processor notifies the Controller without any delay of such claims and actions; and (iv) the Processor gives the Controller all necessary information, assistance and authorisations as requested by the Controller from time to time and shall authorise the Controller to settle the matter at its discretion. The indemnification obligation of the Controller shall be the sole and exclusive remedy of the Processor regarding any breach of applicable data protection regulation by the Controller.

12. Term and Termination

12.1 This DPA applies to the identical term as the Main Agreement. For the sake of clarity, termination of the Main Agreement by either Party, for whatever reason, is a termination of this DPA. Either Party’s right to terminate this Agreement for cause shall remain unaffected.

12.2 If the Processor materially breaches its obligations under this Agreement and fails to remedy such breach within thirty (30) days from the Controller’s notification of the breach to the Processor, or within thirty (30) days from the date when the Processor should have noticed the breach, the Controller shall have the right to terminate with immediate effect any and all services and other agreements which the breach affects or relates to.

12.3 Upon termination of this Agreement for whatsoever reason, the Processor shall return all data storage media and copies thereof as well as all Personal Data in its possession to the Controller and shall thereafter delete any Personal Data stored at the Processor. Upon request of the Controller, the Processor shall confirm compliance with such obligations in writing within one (1) week from such request.

13. General Provisions

13.1 Amendments and additions to this Agreement must be in writing. This also applies to a waiver of the requirement for this form.

13.2 Should one or more clauses of this Agreement be or become invalid and/or unenforceable, the validity of the other clauses of this Agreement shall remain unaffected thereby. In such a case, the Parties shall amend this agreement and amicably replace the invalid clauses.

13.3 Swedish law shall govern the Agreement.

13.4 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Rules of the Arbitration Institute of the Swedish Chamber of Commerce. The arbitral tribunal shall be composed of a sole arbitrator who shall be appointed by the Board of Arbitration of the Central Chamber of Commerce. The place of arbitration shall be Sweden. The language used in the arbitral proceedings shall be Swedish.